How many threats does a family face in a day?

How many threats does a family that uses mobile phones, laptops, smart TVs and so on run into in a single day?

It is a question I have always wanted to answer with a precise figure.

Specifically, this research is based on the threats received by an ordinary family doing nothing more than browsing and using apps.

To find out, I installed a simple distro, Nethserver, at the home of some friends who use technology purely for email, browsing and social media.

Nethserver lends itself well to this: it is easy to install and configure, and it provides firewall, IPS and Threatshield functions.

Configuration:

Firewall
Standard configuration: traffic to and from the internet allowed, blocking only SMB, RPC and similar, so the box does not turn into a honeypot and the focus stays on app and browser traffic.


IPS
Nethserver has a module that installs Suricata together with rule sets that use IoCs from AbuseIPDB and AlienVault.
Configured to block only the malware, compromised, malicious DNS and DShield rules.


Threatshield
Another downloadable, easy-to-install module, configured with an IP blacklist and a DNS blacklist pulled directly from URL, without creating a personal repo (the DNS blacklist repo had not been updated for about 5 months). The configuration used did not block any forwarded request; it simply logged them.


DNS used
I used the Cloudflare and Quad9 resolvers to add another layer of filtering.


Each client (PC, laptop, mobile, smart TV) was configured statically to use the Nethserver as its gateway.

Once configured, and after making sure everything worked decently, tests were run against malicious websites and blocked IPs to check the behaviour; all OK.

The experiment lasted about 2 months and the results were tragicomic.

On average we have 1,000 threats logged by late morning, growing to about 8,000 threats by 23:00 on the same day.

But what kind of threats are these?
This is the interesting part.

Most of the "threats" come from the trackers of well-known, big-name sites:

Here we are at around a 37.14% threat ratio according to Threatshield.

Going through the logs, we notice that "malicious" sites in the strict sense, trojan or malware droppers, account for about 0.2% of the week's hits.
The rest, as we see, are social-media and Google trackers.

We all know we are feed for these giants, and this article does nothing more than put numbers on what we have always thought and known without data in hand.
So, is it possible to stop feeding the leviathans? I think so, and that will be the subject of the next experiment, which will combine blocking with data noise.

Malicious PowerShell script uninstalls antivirus

The PowerShell script attempts to uninstall antivirus products whose names match strings such as "Kaspersky", "avast", "Eset", "avp", "Security", "AntiVirus" and "Norton Security". It reconfigures "Malwarebytes Anti-Malware".
First seen in 2020-07; it has recently returned, with mass network crawling and the download of "gim.jsp" into open services (SMB).

***The IP was reported on 14 October as a dropper of the Lemon Duck crypto miner***

The sample was dropped into one of our honeypots; it is available on request.

OTX Alienvault IoC

Virustotal


for sample request: info@centurialabs.org

Huge malvertising campaign and scam

A huge and aggressive malvertising campaign, in some cases an outright scam, has hit Italy and Europe in general. It is quite aggressive (3 emails every 25 minutes) and the email bodies contain templates reused for other phishing attempts. No malware has been found so far, only account manipulation. The Reply-To addresses often point to rambler and gmail accounts. Behind everything there seems to be a domain called affpartners.com (nothing hosted on it), which uses efty.com as its hosting provider.
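The two traits the paragraph above singles out, a Message-ID tied to affpartners.com and a Reply-To on a free-mail provider that differs from the sender domain, can be turned into a simple triage check over raw email headers. This is an added example, not code from the original post or from Centuria Labs; the sample messages are constructed, and only the affpartners.com, gmail.com and rambler.ru domains come from the text.

```python
import email
from email.utils import parseaddr

# Indicators taken from the write-up: Message-IDs on affpartners.com and
# Reply-To addresses on rambler/gmail that do not match the sender.
SUSPECT_MSGID_DOMAINS = {"affpartners.com"}
FREEMAIL_REPLY_TO = {"gmail.com", "rambler.ru"}

# Constructed sample messages (not real headers from the campaign).
SAMPLES = [
    "From: newsletter.x1@sender-domain.example\n"
    "Reply-To: reply-collector@gmail.com\n"
    "Message-ID: <o4000ABC.1.XYZ@affpartners.com>\n"
    "Subject: Your subscription has expired\n\n(lure body)\n",
    "From: alerts@bank.example\n"
    "Message-ID: <20210101.1234@bank.example>\n"
    "Subject: Your statement is ready\n\n(normal body)\n",
]


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an address header, or ''."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> list:
    """Return the list of reasons a message looks like this campaign."""
    msg = email.message_from_string(raw)
    reasons = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    msgid = msg.get("Message-ID", "").strip().strip("<>")
    msgid_dom = msgid.rsplit("@", 1)[-1].lower() if "@" in msgid else ""

    # Reply-To on a free-mail provider while the sender is elsewhere.
    if reply_dom and reply_dom != from_dom and reply_dom in FREEMAIL_REPLY_TO:
        reasons.append(f"reply-to {reply_dom} differs from sender {from_dom}")
    # Message-ID generated on the affiliate domain behind the campaign.
    if msgid_dom in SUSPECT_MSGID_DOMAINS:
        reasons.append(f"message-id domain {msgid_dom} is a known campaign domain")
    elif msgid_dom and from_dom and msgid_dom != from_dom:
        reasons.append(f"message-id domain {msgid_dom} does not match sender {from_dom}")
    return reasons


def flagged(samples=SAMPLES) -> int:
    """Count how many sample messages raise at least one reason."""
    return sum(1 for raw in samples if score_message(raw))


if __name__ == "__main__":
    for raw in SAMPLES:
        print(score_message(raw))
```

A mail gateway rule built on the same two checks would quarantine rather than print; the reason list is what an analyst would want in the alert.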

Alienvault OTX IoC

Phishing campaign lures observed

NORTON
Your norton security subscrioption has expired


AMAZON
Attn Please: Your [A.M.A.Z.O.N]🎁 Reward Has Arrived This Month.. No.421525


MCAFEE
Your McAfee™Total Protection Subscription Has Expired⚠️🚨⚠️Your Device is Infected With (𝟎𝟕) Trojan viruses


WIFI
Best WiFi Booster on the Market Now 50% OFF

UPS
We have been trying to reach you – Please respond!

SOMEONE TRIED TO LOG INT0 YOUR ACCOUNT!

Stop Overpaying for Electricity! – Heres How’

You have been selected

CapitalOne
Your personalized reward is here

STATE FARM
Congrats! Here’s your State Farm Reward for

PAYMENT CODE
— check_your_account▶️▶️PAYOUT_VERIFICATION

LOG INTO YOUR ACCOUNT 2

Havelsan leaks?

A leak of about 800 MB of Havelsan email correspondence is starting to circulate online.

HAVELSAN is a Turkish software and systems company with a commercial presence in the defence and IT sectors. It is headquartered in Ankara, Turkey, with subsidiaries and offices in Turkey and abroad.

Whoever posted the file states:
These files were downloaded from multiple email accounts that were used by the employees of Havelsan and include highly confidential documents regarding the military tech developed by Havelsan which is currently in use by Turkey and other NATO members. The main reason for posting this leak is to warn NATO and its members to not attempt to step out of its boundaries or to seek global dominance. The government of Turkey should know that violence only breeds more violence.

A separate file lists the email accounts the leaks were taken from, together with their passwords.

The archive contains:
Word, PDF and Excel documents
archives
email
software

example file: