I received a report from one of our security monitoring systems about one of our probes (#17846) - https://atlas.ripe.net/probes/17846/ which appears to be infected with Tinba:
Security incident #1 - Tinba infection
Involved internal Hosts:
atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since 2016-06-30 23:58:54 till 2016-07-01 05:01:20
Malicious activities found:
Tinba infection
related indication of compromise:
Communication with CnC
192.112.36.4
192.203.230.10
192.228.79.201
192.33.4.12
192.36.148.17
193.0.14.129
198.41.0.4
198.97.190.53
199.7.83.42
199.7.91.13
202.12.27.33
Should we be worried? Thanks, Hank
FYI: the addresses are those of the root name servers.

On Tue, Jul 5, 2016 at 2:15 PM, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
I received a report from one of our security monitoring systems about one of our probes (#17846) - https://atlas.ripe.net/probes/17846/ which appears to be infected with Tinba:
Security incident #1 - Tinba infection
Involved internal Hosts:
atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since 2016-06-30 23:58:54 till 2016-07-01 05:01:20
Malicious activities found:
Tinba infection
related indication of compromise:
Communication with CnC
192.112.36.4
192.203.230.10
192.228.79.201
192.33.4.12
192.36.148.17
193.0.14.129
198.41.0.4
198.97.190.53
199.7.83.42
199.7.91.13
202.12.27.33
Should we be worried?
Thanks,
Hank
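The observation above (every alleged "CnC" address is a DNS root server) is the kind of sanity check worth automating before an alert escalates. The following script is an added example for this thread, not code from RIPE Atlas or from any of the posters: it extracts the addresses from the "Communication with CnC" section of an alert and classifies each one against the IPv4 root hints as they stood in 2016 (the alert text embedded below is reconstructed from the report quoted in the thread; b.root-servers.net has since moved to a different address).

```python
"""Triage an IDS "communication with CnC" list against the DNS root servers.

Added example for this thread; not RIPE Atlas code and not any poster's tooling.
The root-server table is the 2016-era IANA root hints (the page lists 11 of the 13;
f and j are added from the public hints file).
"""
import ipaddress
import re

# IPv4 addresses of the 13 root name servers as published in the 2016 root hints.
ROOT_SERVERS_V4 = {
    "198.41.0.4": "a.root-servers.net",
    "192.228.79.201": "b.root-servers.net",  # address in use in 2016, since changed
    "192.33.4.12": "c.root-servers.net",
    "199.7.91.13": "d.root-servers.net",
    "192.203.230.10": "e.root-servers.net",
    "192.5.5.241": "f.root-servers.net",
    "192.112.36.4": "g.root-servers.net",
    "198.97.190.53": "h.root-servers.net",
    "192.36.148.17": "i.root-servers.net",
    "192.58.128.30": "j.root-servers.net",
    "193.0.14.129": "k.root-servers.net",
    "199.7.83.42": "l.root-servers.net",
    "202.12.27.33": "m.root-servers.net",
}

# Loose dotted-quad matcher; candidates are validated with ipaddress afterwards.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed excerpt of the alert quoted in the thread.
SAMPLE_ALERT = """Security incident #1 - Tinba infection
Involved internal Hosts:
atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since 2016-06-30 23:58:54 till 2016-07-01 05:01:20
Malicious activities found:
Tinba infection
related indication of compromise:
Communication with CnC
192.112.36.4
192.203.230.10
192.228.79.201
192.33.4.12
192.36.148.17
193.0.14.129
198.41.0.4
198.97.190.53
199.7.83.42
199.7.91.13
202.12.27.33
"""


def cnc_section(alert_text):
    """Return the part of the alert after the CnC marker, or the whole text if absent."""
    marker = "Communication with CnC"
    idx = alert_text.find(marker)
    return alert_text[idx + len(marker):] if idx >= 0 else alert_text


def extract_ipv4(text):
    """Return the valid IPv4 addresses found in free text, in order, without duplicates."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        if candidate not in found:
            found.append(candidate)
    return found


def triage_cnc_indicators(alert_text):
    """Split the alleged CnC addresses into root servers and addresses needing a closer look."""
    root, unexplained = {}, []
    for ip in extract_ipv4(cnc_section(alert_text)):
        name = ROOT_SERVERS_V4.get(ip)
        if name:
            root[ip] = name
        else:
            unexplained.append(ip)
    return {
        "root_servers": root,
        "unexplained": unexplained,
        # Only when every indicator is a root server is the "CnC" claim itself suspect.
        "all_root_servers": bool(root) and not unexplained,
    }


if __name__ == "__main__":
    result = triage_cnc_indicators(SAMPLE_ALERT)
    for ip, name in result["root_servers"].items():
        print(f"{ip:16} {name}")
    print("unexplained:", result["unexplained"])
    print("all indicators are root servers:", result["all_root_servers"])
```

Running it on the embedded alert maps all eleven addresses to root-server names and leaves nothing unexplained, which is the signal to treat the alert as a probable false positive rather than an infection; any address outside the table stays in the "unexplained" list and still needs investigation.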
On Tue, Jul 05, 2016 at 03:15:19PM +0300, Hank Nussbacher wrote:
Should we be worried?
yes, about the selection of IoC. -Peter
I am positive tinba cannot run on the probes. So either that IDS is brain damaged or some joker made a UDM that acts like tinba or both. What Marc said: the 'CnC' appears to be at the root name servers. Queue conspiracy theory .....

Daniel

On 5.07.16 14:15 , Hank Nussbacher wrote:
I received a report from one of our security monitoring systems about one of our probes (#17846) - https://atlas.ripe.net/probes/17846/ which appears to be infected with Tinba:
Security incident #1 - Tinba infection
Involved internal Hosts:
atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since 2016-06-30 23:58:54 till 2016-07-01 05:01:20
Malicious activities found:
Tinba infection
related indication of compromise:
Communication with CnC
192.112.36.4
192.203.230.10
192.228.79.201
192.33.4.12
192.36.148.17
193.0.14.129
198.41.0.4
198.97.190.53
199.7.83.42
199.7.91.13
202.12.27.33
Should we be worried?
Thanks,
Hank
It is indeed a FP. There was a collision between a variant of the Tinba DGA and a legit domain - thinksquare.net. As you can see in the link below, a lot of malware samples communicated with thinksquare.net on the exact same day. https://www.virustotal.com/en/domain/thinksquare.net/information/

-Hank

On 06/07/2016 09:56, Daniel Karrenberg wrote:
I am positive tinba cannot run on the probes.
So either that IDS is brain damaged or some joker made a UDM that acts like tinba or both. What Marc said: the 'CnC' appears to be at the root name servers. Queue conspiracy theory .....
Daniel
On 5.07.16 14:15 , Hank Nussbacher wrote:
I received a report from one of our security monitoring systems about one of our probes (#17846) - https://atlas.ripe.net/probes/17846/ which appears to be infected with Tinba:
Security incident #1 - Tinba infection
Involved internal Hosts:
atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since 2016-06-30 23:58:54 till 2016-07-01 05:01:20
Malicious activities found:
Tinba infection
related indication of compromise:
Communication with CnC
192.112.36.4
192.203.230.10
192.228.79.201
192.33.4.12
192.36.148.17
193.0.14.129
198.41.0.4
198.97.190.53
199.7.83.42
199.7.91.13
202.12.27.33
Should we be worried?
Thanks,
Hank
participants (4)
- Daniel Karrenberg
- Hank Nussbacher
- Mark Santcroos
- Peter Koch