Blog

Intel® AMT related port attacks on the rise and hits close to home

It comes as no surprise that attacks on ports related to Intel® AMT have risen after the recent disclosure of an escalation-of-privilege vulnerability in Intel® Active Management Technology (AMT) that can allow an unprivileged attacker to gain control of the manageability interface of the affected servers. This exploit has been dubbed “Silent Bob is Silent” and is shocking in its simplicity to perform. Intel has published a full mitigation guide to disable the attack vector until a permanent solution is in place. Per Intel® documentation, the affected ports to monitor are 16992, 16993, 16994, 16995, 623, and 664. So, …


Latest firmware update for Amcrest cameras results in constant connection to cloud servers even for non-cloud customers

I recently updated the firmware of my Amcrest IP2M-841 and IP3M-943 cameras to the latest version. Afterward, I began noticing a constant connection to three separate, unknown servers. I found this odd as I had not seen these connections prior to the firmware update. Performing a simple DNS lookup for each yielded the following:

ec2-52-90-88-253.compute-1.amazonaws.com
ec2-107-23-233-106.compute-1.amazonaws.com
ec2-52-91-65-92.compute-1.amazonaws.com

This clearly shows that all three servers are hosted on Amazon AWS. Unfortunately, this tells us nothing about who is using Amazon’s infrastructure to talk to my cameras. So to investigate further, I went directly to ec2-52-90-88-253.compute-1.amazonaws.com in the browser, noting to use HTTPS since …


Another look into no-reverse-dns-configured.com’s troubled past

I previously reported on no-reverse-dns-configured.com and its current and previous owners. But what about the February 2016 botnet attacks? Who was the owner when the domain name was invoked in those attacks? According to DomainTools, the owner of no-reverse-dns-configured.com in February 2016 was Slawek Modrzejewski. Slawek was the original owner of the domain name since it was first registered on 11/15/2015. On 4/9/2016, the registration for no-reverse-dns-configured.com was dropped by GoDaddy. Five days later, the registration was picked up by SouthNames Inc. (NamePal.com) with an anonymous owner protected by United Privacy Corp, which is based in Belize. In addition to the number of WHOIS record updates for …


Hall of Shame updated with known IP addresses with PTR records going to no-reverse-dns-configured.com

The Hall of Shame has been updated with a list of known IP addresses with PTR records going to no-reverse-dns-configured.com. I have found the following IP addresses in my syslog with PTR records going to no-reverse-dns-configured.com. 80.82.65.66 was previously discussed due to the sheer volume of attacks. All IP addresses are managed by Quasi Networks LTD, per the RIPE Database lookup.

Source IP        Count   Protocol
80.82.65.66      20489   TCP
80.82.79.104     91      TCP
80.82.70.134     11      TCP & UDP
80.82.78.188     11      TCP
89.248.171.40    7       UDP
80.82.65.204     4       UDP
80.82.70.2       3       UDP
89.248.162.142   2       TCP
89.248.170.224   2       TCP
89.248.172.90    2       TCP
80.82.65.199     1       TCP
89.248.160.192   1       TCP
…
