This time our billing system is being attacked via a DDOS intended for resource exhaustion.

Hence our billing system is working a little bit slower than usual right now, we are working on it.

First the spam attacks, now this. This type of thing always tends to happen when we are running specials.

Current list of shame -- will update later; these are the first ones we have looked at and verified to have inordinate amounts of requests.

UPDATE -- LIST OF ALL MANUALLY CHECKED IPs

Once subnets based on this list were blocked, it ended. The whois details are rather interesting and point to a competing seedbox provider. This seedbox provider also has an IPv4 rental business. Some subnets are registered straight under them, some under their personal names, and some under a generic entity, probably a holding company for the IPv4 addresses. Very few have rDNS set up; those that do look spammy or are related to a larger hosting business, interestingly enough. Almost all of them are housed at Leaseweb, where this competitor's production servers reside almost exclusively. Quite frankly, everything seems to be pointing towards them.



UPDATE 2

Those behind this promptly stopped communicating with us once we pointed out they were behind it. The competing provider is Rapid Seedbox. We were willing to give them the benefit of the doubt, but they stopped responding to any communication. Their initial response was unexpectedly swift, but once it was obvious everything pointed to them -- zero responses.
You can verify this yourself by running whois on some of the IPs; here are examples pointing directly to Rapid Seedbox: 45.145.56.38, 185.99.96.244, 185.164.56.13 and 185.126.66.222.

One of the owners of Rapid Seedbox is "[PRIVACY PROTECTION]"; many of these subnets are owned by "[PRIVACY PROTECTION]". Googling this name yields many interesting abuse DB results, with multiple claims of "hacking gmail", i.e. probably brute-forcing passwords, as in this attack.
The other owner is named on only one of the subnets as far as I can see. [PRIVACY PROTECTION] is named on multiple ones.
Almost none had rDNS set as of a few hours ago. Almost all IPs are hosted at Leaseweb, where Rapid Seedbox has their servers.

Giving them the benefit of the doubt, we did not immediately release this; it could have been that their whole network was compromised. However, when they stop communicating and their supposedly 15-person full-time staff does not respond either, while they pride themselves on super-fast support response times -- it smells fishy.

A normal attack like this, done by a botnet of compromised systems, would not be so blatantly obvious. Someone with access to a lot of subnets who can spin up a lot of VMs on them at will has to be behind this. Normal attacks are typically globally spread, and typically all IPs have reverse DNS set, most are owned by major ISPs, etc. But all of these have fake-sounding names, mostly linked to this "greatworktogether" group, and a few of the subnets with a very similar style of information are clearly linked to Rapid Seedbox.

To the best of our knowledge at this moment, no customer accounts were compromised.

We would like to be wrong, as we've just had lengthy negotiations over whether we would supply servers to them. On first contact they asked if we would sell Pulsed Media to them, but that was a very firm no. We went on to discuss whether the reverse was possible but did not find common ground. After that we started looking for opportunities to work together, with us supplying servers to them. That did not proceed anywhere either.

There is a total of 5977 suspicious IPs, but we have to make sure no legitimate user IPs ended up on that list before releasing the whole list.

All of the relevant and important subnets are on the above list. Here are the /24 subnets:

To block these subnets, just add them to your firewall as is, or without the /24 and with netmask 255.255.255.0.

We have not moved to block these IPs on our production servers, as there could be actual seedbox end users on these subnets and we would not like to punish Rapid Seedbox's customers.

We do not know yet whether there is a relation to the recent spam attacks as well.

If you have any relevant information, please do contact us.

UPDATE 3: Got a response from Rapid Seedbox very soon after releasing the last update. Investigation continues.

UPDATE 4: Rapid Seedbox says all of these IPs are connected to a single customer, and requested that personal information be removed from the earlier update for privacy. Those names have now been changed to [PRIVACY PROTECTION].

UPDATE 5: Rapid Seedbox's response was that one customer was behind this, and they have disabled access to pulsedmedia.com on their proxies. -- A proxy service? That's all the information they gave us.

Further, this attack had some email addresses correct; in fact, many accounts got failed login attempts from these IPs. How did the attackers have any idea which addresses to try? By random chance it's very difficult to get even one hit, never mind hundreds. A lot of them are fairly old (think decade-old) billing profiles too. That makes us think the attacker has some seedbox-niche email address database to work from.

In any case, we are still going through the list of these targets, and will reset some people's billing profile passwords to be on the safe side. It's quite a bit of manual work, as we do not want to just blanket-reset everybody's, but rather look at each of the profiles manually and add them to a list so we may contact them if needed. We want to emphasize that we have no evidence of any compromised account so far. To the best of our knowledge from looking at the logs, zero accounts were compromised.
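One way to do the triage described above (finding the source IPs with inordinate numbers of failed logins, and the accounts hit from several of the blocked ranges so they can be queued for a precautionary password reset), as an added example that is not Pulsed Media's code. The log line format, the TEST-NET /24s standing in for the subnets listed in the post, and the sample lines are all constructed:

```python
"""Triage failed billing-portal logins by source IP and targeted account.

Added example, not Pulsed Media's code. The log format and the two /24
blocks are constructed for illustration (TEST-NET ranges), not taken
from the post.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of auth log lines (not real log data).
SAMPLE_LOG = """\
2020-05-04T10:01:02Z LOGIN_FAILED ip=192.0.2.17 user=alice@example.net
2020-05-04T10:01:03Z LOGIN_FAILED ip=192.0.2.17 user=bob@example.net
2020-05-04T10:01:04Z LOGIN_FAILED ip=192.0.2.99 user=alice@example.net
2020-05-04T10:01:05Z LOGIN_FAILED ip=198.51.100.8 user=alice@example.net
2020-05-04T10:01:06Z LOGIN_FAILED ip=203.0.113.5 user=carol@example.net
2020-05-04T10:01:07Z LOGIN_OK ip=203.0.113.5 user=carol@example.net
"""

# Constructed placeholder blocklist standing in for the /24s named in the post.
BLOCKED_SUBNETS = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.0/24")]

LINE_RE = re.compile(r"LOGIN_FAILED ip=(?P<ip>\S+) user=(?P<user>\S+)")


def in_blocklist(ip: str) -> bool:
    """True if the address falls inside any blocked /24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_SUBNETS)


def analyse(log_text: str):
    """Return (failed logins per source IP, set of source IPs per account)."""
    per_ip = Counter()
    per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        per_ip[m["ip"]] += 1
        per_user[m["user"]].add(m["ip"])
    return per_ip, per_user


def noisy_sources(log_text: str, threshold: int):
    """Source IPs with at least `threshold` failed logins (the 'list of shame')."""
    per_ip, _ = analyse(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def accounts_to_review(log_text: str, min_sources: int = 2):
    """Accounts targeted from >= min_sources distinct blocklisted IPs."""
    _, per_user = analyse(log_text)
    return sorted(u for u, ips in per_user.items()
                  if sum(1 for ip in ips if in_blocklist(ip)) >= min_sources)
```

Feed it the real auth log and the real /24 list instead of the constructed values; the per-account set of source IPs is what decides whether a profile goes on the manual reset list.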

Make your own conclusions on this.

Monday, May 4, 2020