Threat Advisory: Suspicious Scanning Activity

November 7, 2018

Details

Herjavec Group has detected significant malicious scanning attempts across multiple client environments, including entertainment, finance and legal organizations. These scans, mostly targeting web applications and other external facing devices, do not appear to be targeted in nature but rather part of a general, large scale attempt to discover vulnerabilities within networks. Herjavec Group has observed several IPs scanning new clients daily, and increasing in intensity. The types of scans observed from the IP addresses below include (but are not limited to): Adobe ColdFusion, Apache Struts, XSS, directory traversal, and various remote code execution vulnerabilities.   Exploitation of vulnerabilities identified by these scans could allow attackers to gain remote access to and take control of your environment. No known compromises have been observed or communicated to date.

Technical Indicators

IP Addresses 206.189.201.149 Registered in the US 185.232.64.0/24 Registered in Romania 167.114.41.148 Registered in Ottawa, Leased in Taiwan 18.217.172.191 Registered in the US  

Recommendations

Due to the prevalence and aggressiveness of the scanning activity, Herjavec Group recommends blocking the IP addresses above. Any outbound connections to these IP addresses should be investigated for signs of compromise.   Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group. CONNECT WITH US