ConnectWise ScreenConnect Exploit
<blockquote data-quote="Lawrence Cruciana" data-source="post: 8118" data-attributes="member: 1717"><p>For the ISAO, we have some extensive network traffic monitoring capabilities deployed and have found a common set of SourceIPs responsible for much of the footprinting activity that has been targeted against locating vulnerable ScreenConnect servers. Our observations have been in lock-step with the observations posted on reddit in r/msp - same source blocks doing the scanning. I've provided this list below for reference, since I've not seen any specific technical data in this forum. This morning, the pattern changed and we now see new source netblocks in the mix:</p><p></p><p>198.74.56.0/24</p><p>192.155.88[.]231</p><p>138.197.15[.]3</p><p>45.79.163[.]53</p><p></p><p>Baseline list from r/msp</p><p>Malicious IPs targeting SC Servers:</p></blockquote><p></p>