Akamai Guardicore Segmentation CTI

Threat Information

Role	Attacker, Scanner
Services Targeted	SSH
Tags	System File Modification Scheduled Task Creation HTTP Outgoing Connection DNS Query Access Suspicious Domain Download and Execute 8 Shell Commands Successful SSH Login Port 22 Scan Log Tampering Networking Operation SSH Download File Download and Allow Execution
Associated Attack Servers	91.189.88.142 91.189.91.38 91.189.91.39 139.99.123.196 162.159.135.232 162.159.138.232 212.192.241.163

Basic Information

IP Address	2.56.57.215
Domain	-
ISP	Legaco Networks B.V.
Country	United States
WHOIS	Created Date	-
	Updated Date	-
	Organization	-

First seen in Akamai Guardicore Segmentation	2021-12-21
Last seen in Akamai Guardicore Segmentation	2022-01-04

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List	Successful SSH Login
A possibly malicious Networking Operation was detected 2 times	Networking Operation
System file /etc/resolv.conf was modified 16 times	System File Modification
Process /usr/bin/apt-get attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com	DNS Query
Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.security.ubuntu.com and security.ubuntu.com	DNS Query
Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.91.38:80	Outgoing Connection
Process /usr/bin/apt-get generated outgoing network traffic to: 91.189.88.152:80	Outgoing Connection
Process /usr/bin/apt-get attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com	DNS Query
Process /usr/bin/apt-get generated outgoing network traffic to: 91.189.88.152:80	Outgoing Connection
The file /usr/share/doc/curl was downloaded and granted execution privileges
System file /etc/ld.so.cache~ was modified 36 times	System File Modification
Process /usr/bin/wget generated outgoing network traffic to: 212.192.241.163:80 2 times	Outgoing Connection
The file /tmp/.../keep-alive was downloaded and granted execution privileges 2 times	Download and Allow Execution
The file /tmp/.../scn was downloaded and granted execution privileges 2 times	Download and Allow Execution
The file /tmp/.../start was downloaded and granted execution privileges 2 times
The file /tmp/.../psc was downloaded and granted execution privileges 2 times	Download and Allow Execution
The file /tmp/.../miner.zip was downloaded and granted execution privileges
The file /tmp/.../check was downloaded and granted execution privileges	Download and Allow Execution
The file /tmp/.../install was downloaded and granted execution privileges	Download and Allow Execution
The file /tmp/.../cron was downloaded and executed 7 times	Download and Execute
The file /usr/bin/curl was downloaded and executed 7 times	Download and Execute
Process /bin/bash attempted to access domains: discord.com 3 times	DNS Query
The file /tmp/.../syst3md was downloaded and executed 28 times	Download and Execute
Process /tmp/.../syst3md generated outgoing network traffic to: 139.99.123.196:443	Outgoing Connection
Process /tmp/.../syst3md attempted to access suspicious domains: ip-139-99-123.net	Access Suspicious Domain Outgoing Connection
Process /bin/bash generated outgoing network traffic to: 162.159.135.232:443	Outgoing Connection
/tmp/.nwk was downloaded	Download File
History File Tampering detected from /bin/cat on the following logs: /root/.bash_history 2 times	Log Tampering
Process /usr/bin/curl generated outgoing network traffic to: 212.192.241.163:80	Outgoing Connection
The file /tmp/.nwk/ps was downloaded and executed	Download and Execute
Process /tmp/.nwk/ps generated outgoing network traffic to: 192.168.0.10:22, 192.168.0.11:22, 192.168.0.12:22, 192.168.0.13:22, 192.168.0.14:22, 192.168.0.15:22, 192.168.0.16:22, 192.168.0.17:22, 192.168.0.18:22, 192.168.0.19:22, 192.168.0.1:22, 192.168.0.20:22, 192.168.0.21:22, 192.168.0.22:22, 192.168.0.23:22, 192.168.0.24:22, 192.168.0.25:22, 192.168.0.26:22, 192.168.0.27:22, 192.168.0.28:22, 192.168.0.29:22, 192.168.0.2:22, 192.168.0.30:22, 192.168.0.31:22, 192.168.0.32:22, 192.168.0.33:22, 192.168.0.34:22, 192.168.0.35:22, 192.168.0.36:22, 192.168.0.37:22, 192.168.0.38:22, 192.168.0.39:22, 192.168.0.3:22, 192.168.0.40:22, 192.168.0.41:22, 192.168.0.42:22, 192.168.0.43:22, 192.168.0.44:22, 192.168.0.45:22, 192.168.0.46:22, 192.168.0.47:22, 192.168.0.48:22, 192.168.0.49:22, 192.168.0.4:22, 192.168.0.50:22, 192.168.0.51:22, 192.168.0.52:22, 192.168.0.53:22, 192.168.0.54:22, 192.168.0.55:22, 192.168.0.56:22, 192.168.0.57:22, 192.168.0.58:22, 192.168.0.59:22, 192.168.0.5:22, 192.168.0.60:22, 192.168.0.61:22, 192.168.0.62:22, 192.168.0.63:22, 192.168.0.64:22, 192.168.0.65:22, 192.168.0.66:22, 192.168.0.67:22, 192.168.0.68:22, 192.168.0.69:22, 192.168.0.6:22, 192.168.0.70:22, 192.168.0.71:22, 192.168.0.72:22, 192.168.0.73:22, 192.168.0.74:22, 192.168.0.75:22, 192.168.0.76:22, 192.168.0.77:22, 192.168.0.78:22, 192.168.0.79:22, 192.168.0.7:22, 192.168.0.80:22, 192.168.0.81:22, 192.168.0.82:22, 192.168.0.83:22, 192.168.0.84:22, 192.168.0.85:22, 192.168.0.86:22, 192.168.0.87:22, 192.168.0.88:22, 192.168.0.89:22, 192.168.0.8:22, 192.168.0.90:22, 192.168.0.91:22, 192.168.0.92:22 and 192.168.0.9:22
Process /tmp/.nwk/ps scanned port 22 on 92 IP Addresses	Port 22 Scan
Connection was closed due to timeout

Akamai Security Intelligence Group

Guardicore CENTRA

Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

Threat Information

Basic Information

Attack Flow