Akamai Guardicore Segmentation CTI

Threat Information

Role	Attacker, Scanner
Services Targeted	SCP SSH
Tags	Port 1234 Scan 8 Shell Commands SSH Listening SCP Port 80 Scan Port 8080 Scan Superuser Operation Download and Allow Execution Successful SSH Login Download and Execute Download File Outgoing Connection
Associated Attack Servers	123.132.238.210 124.223.14.100 152.242.43.89

Basic Information

IP Address	3.145.189.99
Domain	-
ISP	Amazon.com
Country	United States
WHOIS	Created Date	-
	Updated Date	-
	Organization	-

First seen in Akamai Guardicore Segmentation	2022-08-17
Last seen in Akamai Guardicore Segmentation	2022-09-15

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List	Successful SSH Login
/dev/shm/ifconfig was downloaded	Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 9 times	Successful SSH Login
/tmp/ifconfig was downloaded	Download File
./ifconfig was downloaded	Download File
/var/tmp/ifconfig was downloaded	Download File
A possibly malicious Superuser Operation was detected 2 times	Superuser Operation
The file /root/ifconfig was downloaded and executed 5 times	Download and Execute
The file /root/apache2 was downloaded and executed 96 times	Download and Execute
Process /root/apache2 scanned port 1234 on 26 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /root/apache2 scanned port 1234 on 32 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /root/apache2 scanned port 1234 on 27 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /root/apache2 scanned port 80 on 26 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /root/apache2 scanned port 8080 on 26 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses	Port 1234 Scan
Process /bin/bash scanned port 1234 on 26 IP Addresses	Port 1234 Scan
Process /root/apache2 generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 101.140.251.122:80, 101.140.251.122:8080, 103.15.195.227:80, 103.15.195.227:8080, 103.54.53.33:80, 103.54.53.33:8080, 108.234.87.134:80, 117.38.142.37:80, 117.38.142.37:8080, 120.224.34.31:1234, 120.236.78.194:1234, 120.31.133.162:1234, 123.132.238.210:1234, 124.223.14.100:1234, 139.26.85.85:80, 139.26.85.85:8080, 142.250.190.68:443, 154.162.186.248:80, 154.162.186.248:8080, 156.171.191.27:80, 156.171.191.27:8080, 161.107.113.34:1234, 161.73.200.19:80, 161.73.200.19:8080, 172.67.133.228:443, 176.146.202.70:80, 182.224.177.56:1234, 183.213.26.13:1234, 185.210.144.122:1234, 190.60.239.44:1234, 191.242.188.103:1234, 194.223.73.17:80, 194.223.73.17:8080, 196.238.91.233:80, 196.238.91.233:8080, 197.117.142.237:80, 204.150.112.235:80, 204.150.112.235:8080, 205.173.249.136:80, 205.173.249.136:8080, 206.189.25.255:1234, 207.140.145.90:80, 207.140.145.90:8080, 212.57.36.20:1234, 220.125.42.174:80, 220.125.42.174:8080, 220.243.148.80:1234, 222.103.98.58:1234, 223.171.91.127:1234, 223.171.91.191:1234, 241.253.58.214:80, 241.253.58.214:8080, 242.208.199.11:80, 242.208.199.11:8080, 242.82.245.13:80, 242.82.245.13:8080, 25.227.222.41:80, 25.227.222.41:8080, 29.104.162.221:80, 29.104.162.221:8080, 39.175.68.100:1234, 42.179.124.229:80, 42.179.124.229:8080, 49.106.30.78:80, 49.106.30.78:8080, 50.92.137.190:80, 50.92.137.190:8080, 51.75.146.174:443, 54.209.34.14:80, 54.209.34.14:8080, 60.168.41.210:80, 60.168.41.210:8080, 61.84.162.66:1234, 65.43.45.93:80, 65.43.45.93:8080, 76.158.202.118:80, 77.130.47.200:80, 8.8.4.4:443, 8.8.8.8:443, 80.99.94.173:80, 80.99.94.173:8080, 82.149.112.170:1234, 82.66.5.84:1234, 85.105.82.39:1234, 93.176.229.145:1234, 98.12.76.66:80 and 98.12.76.66:8080	Outgoing Connection
Process /root/apache2 started listening on ports: 1234, 8088 and 8180	Listening
Process /root/apache2 scanned port 80 on 32 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /root/apache2 scanned port 80 on 27 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /root/apache2 scanned port 8080 on 32 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
Process /root/apache2 scanned port 8080 on 27 IP Addresses	Port 1234 Scan Port 80 Scan Port 8080 Scan
The file /usr/bin/free was downloaded and executed	Download and Execute
The file /usr/bin/uptime was downloaded and executed 2 times	Download and Execute
The file /usr/local/bin/dash was downloaded and executed	Download and Execute
Connection was closed due to timeout

Associated Files

/var/tmp/ifconfig	SHA256: 003fc3b1c6259d744b011cde32a47e8cb0b00708ebec1465839b9c14279bc70b	262144 bytes
/var/tmp/ifconfig	SHA256: 1a44fca7624fff41bb0115d35ece06c6b145c23503b4e50eddc373c148b94a1d	720896 bytes
/var/tmp/ifconfig	SHA256: 1b40245f21f1cb845b7fdf2428315166a8b1d8d5e1e42cd290cd8e479ed61ad7	2129920 bytes
/var/tmp/ifconfig	SHA256: 2aacc3f6c14a2bd120ce9f7cab7af1f4d3e207bea33d56f02a14f75613a7930c	786432 bytes
/var/tmp/ifconfig	SHA256: 331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269	557056 bytes
/var/tmp/ifconfig	SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05	655360 bytes
/var/tmp/ifconfig	SHA256: 550307921085269ac7b53b3492fbffd8dc7bb9deaee1b26d433b3ebb40282384	2195456 bytes
/root/ifconfig	SHA256: 60cc0b454c5174dc5ec389859f0890a7ac0733c005f894083585a4274b71de5b	2719744 bytes

Akamai Security Intelligence Group

Guardicore CENTRA

Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

Threat Information

Basic Information

Attack Flow

Associated Files