Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-09-07 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Odd Persistent Password Bruteforcing

Published: 2014-09-07
Last Updated: 2014-09-07 23:43:02 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

This isn't something new, but I think it is often overlooked: "slow and low" password brute forcing.

One of the daily reports I like to look at is password brute force attempts. more or less "forever", A few networks stick out in these daily reports. The password brute force attempts are not particularly agressive, with usually less then 10 attempts per day from any particular IP address. The other odd thing is that the accounts being brute forced don't exist, which a heave focus on "@hotmail.com" accounts. 

By far the most agressive network is 193.201.224.0/22,"Besthosting" in the Ukraine, followed by an other Ukraining network, 91.207.7.0/24 (Steephost). 

The top brute forced domains:

    gmail.com
    outlook.com
    zfymail.com <- this domain is associated with many bots/spam messages.
    hotmail.com

The intend isn't perfectly clear as the accounts don't exist, and the attempts are not very aggressive (maybe to avoid getting locked out?). 

Anybody observing similar attacks and able to figure out what they are after?

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: brute force ukraine
6 comment(s)
Diary Archives