SANS Internet Storm Center
Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit (II)

Published: 2021-07-23
Last Updated: 2021-07-23 12:52:02 UTC
by Yee Ching Tok (Version: 1)
0 comment(s)

Today’s diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. I did this in an earlier diary [2], and I plan to do it occasionally to share potential or identified threats so that readers can be aware of them.

I selected the IP address block 209.58.160.0/20 this time, partly because of a significant number of hits on my DShield sensor from this block. One entry immediately caught my attention, and it stood out because of the recent Akamai outage that Johannes wrote about [3]. With reference to Figure 1, a site “akammai.com” was lurking among the many other websites hosted on the same IP address.

Figure 1: “akammai.com” Hosted on 209.58.163[.]95

A closer inspection of the site showed only a “Hello world” post and no other noticeable features (as shown in Figure 2).

Figure 2: Screenshot of “akammai.com”

As of now, the site appears to be harmless. However, the domain name is very close to the real Akamai domain name (akamai.com). Depending on who actually owns “akammai.com”, the site could easily be repurposed by cybercriminals or red teams for phishing campaigns, especially given the recent Akamai outage, or a future unforeseen outage affecting Akamai. It is worth being wary of such domain names, particularly when they bear such a close resemblance to the original site yet have no relation to it.
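The "close resemblance" check above can be automated for every hostname that a reverse-IP lookup returns for a block. The script below is an added example written for this diary, not ISC code or part of the BGP Toolkit: it takes a list of hostnames (constructed here to mimic what a reverse-IP lookup might list for one address; only "akammai.com" and "akamai.com" come from the diary), reduces each to its registrable domain, accepts defanged input such as hxxp://…[.]com, folds common homoglyph sequences, and flags names that are within a small edit distance of a protected brand or that embed the brand inside a longer label. The protected-domain list and the two-label registrable-domain rule are assumptions you would replace with your own list and a proper public-suffix library.

```python
"""Flag hostnames that resemble a protected brand domain.

Added example for this diary, not ISC code. The host list below is constructed
to mimic what a reverse-IP lookup (such as the BGP Toolkit's DNS view for one
address) returns; only "akammai.com" and "akamai.com" come from the diary.
"""
import re

# Brand domains to protect (assumption: a list you maintain yourself).
PROTECTED = {"akamai.com"}

# Character sequences commonly swapped in to mimic a brand name (source -> canonical).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample hostnames, as a reverse-IP lookup might list them.
SAMPLE_HOSTS = [
    "hxxp://akammai[.]com",   # from the diary, written defanged
    "mail.akamai.com",        # constructed: legitimate brand host
    "akamai-cdn-login.com",   # constructed: brand embedded in a longer name
    "akarnai.com",            # constructed: "rn" standing in for "m"
    "example-shop.net",       # constructed: unrelated
]


def registrable(host):
    """Reduce a (possibly defanged) hostname or URL to its last two labels.

    Assumption: two labels are enough; multi-label public suffixes such as
    co.uk are not handled here.
    """
    host = host.lower().strip()
    host = re.sub(r"^[a-z]+://", "", host)          # drop hxxp:// or https://
    host = host.replace("[.]", ".").split("/")[0]   # refang, drop any path
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(name):
    """Replace homoglyph sequences so that akarnai compares as akamai."""
    for src, dst in HOMOGLYPHS:
        name = name.replace(src, dst)
    return name


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, protected=PROTECTED, max_distance=2):
    """Return (verdict, brand, distance) for one hostname.

    verdict is one of: legitimate, brand-embedded, lookalike, unrelated.
    """
    dom = registrable(host)
    if dom in protected:
        return ("legitimate", dom, 0)
    sld = dom.split(".")[0]
    best = None
    for brand in sorted(protected):
        brand_sld = brand.split(".")[0]
        # Brand name used as part of a longer label, e.g. akamai-cdn-login.
        if brand_sld in sld and brand_sld != sld:
            return ("brand-embedded", brand, None)
        dist = levenshtein(normalize(sld), normalize(brand_sld))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    if best:
        return ("lookalike", best[0], best[1])
    return ("unrelated", None, None)


def scan(hosts, protected=PROTECTED, max_distance=2):
    """Return [(clean_domain, verdict, brand, distance)] for suspicious hosts only."""
    hits = []
    for host in hosts:
        verdict, brand, dist = classify(host, protected, max_distance)
        if verdict in ("brand-embedded", "lookalike"):
            hits.append((registrable(host), verdict, brand, dist))
    return hits


if __name__ == "__main__":
    for dom, verdict, brand, dist in scan(SAMPLE_HOSTS):
        print(f"{dom:24} {verdict:15} resembles {brand} (distance {dist})")
```

Running the script lists akammai.com (one insertion away from akamai.com), akamai-cdn-login.com (brand embedded) and akarnai.com (homoglyph, distance 0 after folding), while mail.akamai.com and example-shop.net are left alone. A distance threshold of 2 is tight enough to avoid flagging every six-letter word; raise it only for long brand names, and feed the hits into a watch list rather than treating them as malicious on their own, since, as with akammai.com, the site may currently be empty.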

Indicators of Compromise (IOCs):
hxxp://akammai[.]com
209.58.163[.]95

References:
[1] https://bgp.he.net/
[2] https://isc.sans.edu/diary/27456
[3] https://isc.sans.edu/diary/27660

-----------
Yee Ching Tok, ISC Handler

