A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
Name | 911
First seen in Guardicore Centra | 2020-04-07
Last seen in Guardicore Centra | 2020-08-18
The 911 (Nine-One-One) campaign deploys a known Mirai variant named Sora. Active since the beginning of April 2020, the campaign has been targeting IoT devices for at least four months. According to recent reports, the Sora variant exploits a remote code execution vulnerability in Huawei routers and an authentication bypass in Dasan GPON routers. Another characteristic of this variant is its XOR encryption key, 0xDEDEFBAF (the public Mirai source uses 0xDEADBEEF). Each string in the malware process is decrypted in memory with this key right before it is used and immediately re-encrypted afterwards, so that plaintext strings never sit in memory long enough for memory-based detection to find them. The campaign takes its name from the deployed malware binaries, "911", which carry an extension corresponding to the victim's architecture.
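The lock/unlock behaviour described above is Mirai's table obfuscation with the key swapped. The following Python is an added example (not Guardicore's code and not taken from a 911 sample): it reimplements the Mirai-style toggle with the 0xDEDEFBAF key, shows why the four-byte key collapses to a single XOR byte, and gives the two helpers an analyst actually reaches for, decoding a dumped table entry and carving locked strings out of a blob. The sample entry and blob are constructed here, and the name carve_strings and the crib /bin/busybox are choices made for this example.

```python
from typing import List, Optional, Tuple

SORA_TABLE_KEY = 0xDEDEFBAF   # key reported on this page for the Sora variant
MIRAI_TABLE_KEY = 0xDEADBEEF  # key in Mirai's public table.c, for comparison


def key_bytes(key: int) -> Tuple[int, int, int, int]:
    """Split a 32-bit table key into the four bytes Mirai's table.c uses."""
    return key & 0xFF, (key >> 8) & 0xFF, (key >> 16) & 0xFF, (key >> 24) & 0xFF


def toggle_obf(data: bytes, key: int = SORA_TABLE_KEY) -> bytes:
    """Mirai's toggle_obf(): XOR every byte with k1, then k2, k3 and k4.
    The same call unlocks a string before use and locks it again afterwards,
    which is the decrypt-use-re-encrypt behaviour the campaign description mentions."""
    k1, k2, k3, k4 = key_bytes(key)
    return bytes(b ^ k1 ^ k2 ^ k3 ^ k4 for b in data)


def effective_key(key: int) -> int:
    """Four chained XORs collapse to one byte, k1 ^ k2 ^ k3 ^ k4; this is the
    value you actually need when decoding a dumped table by hand."""
    k1, k2, k3, k4 = key_bytes(key)
    return k1 ^ k2 ^ k3 ^ k4


def decode_entry(enc: bytes, key: int = SORA_TABLE_KEY) -> str:
    """Decode one table entry. Mirai stores the terminating NUL inside the
    encoded bytes, so cut at the first decoded NUL."""
    plain = toggle_obf(enc, key)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def carve_strings(blob: bytes, key: int = SORA_TABLE_KEY, min_len: int = 4) -> List[str]:
    """Triage pass over a blob (e.g. the bot's .rodata): return runs of printable
    ASCII that only appear after XOR with the effective key."""
    k = effective_key(key)
    found, run = [], bytearray()
    for b in blob:
        c = b ^ k
        if 0x20 <= c < 0x7F:
            run.append(c)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def recover_effective_key(blob: bytes, crib: bytes = b"/bin/busybox") -> Optional[int]:
    """Single-byte XOR is weak: one known plaintext (a crib) recovers the
    effective byte. Mirai forks almost always keep /bin/busybox in the table.
    Only the collapsed byte is recoverable this way, not the full 32-bit key."""
    for k in range(256):
        if crib in bytes(b ^ k for b in blob):
            return k
    return None


# Constructed sample, not bytes from a real 911 binary:
# "/bin/busybox\0" locked with 0xDEDEFBAF (effective byte 0x54).
SAMPLE_ENTRY = bytes.fromhex("7b363d3a7b3621272d363b2c54")

# Constructed "dump": three locked strings separated by filler bytes.
SAMPLE_BLOB = toggle_obf(b"\x00\x00/bin/busybox\x00\x7f\x7fPOST /cdn-cgi/\x00admin\x00")


if __name__ == "__main__":
    print(f"effective key of 0x{SORA_TABLE_KEY:08X}: 0x{effective_key(SORA_TABLE_KEY):02X}")
    print(f"effective key of 0x{MIRAI_TABLE_KEY:08X}: 0x{effective_key(MIRAI_TABLE_KEY):02X}")
    print("decoded entry:", decode_entry(SAMPLE_ENTRY))
    print("carved strings:", carve_strings(SAMPLE_BLOB))
    print("recovered key byte:", hex(recover_effective_key(SAMPLE_BLOB)))
```

Because the scheme reduces to a single XOR byte, the key is a fingerprint rather than protection: once 0xDEDEFBAF (effective byte 0x54) is known, every string in a 911 binary can be recovered with the carving pass above, and a YARA rule can match the locked form of a fixed string by XORing it with 0x54.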
Indicators of Compromise
Source IPs
Connect-Back Servers
Attack Flow
Breached Services | SSH
Tags | Package Install, SSH, Outgoing Connection, Access Suspicious Domain, Successful SSH Login
Incident Summary
Event | Tags
A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List | Successful SSH Login
A possibly malicious Package Install was detected | Package Install
Process /bin/bash generated outgoing network traffic to: 45.95.168.152:80 | Outgoing Connection
Process /bin/bash attempted to access suspicious domains: quilounges.com | Outgoing Connection, Access Suspicious Domain
Connection was closed due to timeout |
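The incident summary is a short, ordered chain: a successful SSH login as root, a package install, then outbound traffic and a suspicious DNS lookup from an interactive shell to the campaign's infrastructure. The following Python is an added detection example (not Guardicore Centra logic): it parses event lines written in the wording used above, groups them per host and per SSH session, and raises a finding when install and shell egress follow a login within a time window, with severity high when the egress hits an indicator listed on this page. The line format "<ISO timestamp> <host> <message>", the sample lines, the host names, the 30-minute window and the second host's benign traffic are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Indicators listed on this page for the 911 campaign.
IOC_IPS = {"45.95.168.152"}
IOC_DOMAINS = {"quilounges.com"}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/ash"}

# Patterns follow the wording of the incident summary above.
PATTERNS = [
    ("ssh_login", re.compile(r"logged in using SSH with the following credentials: (?P<user>\S+) /")),
    ("package_install", re.compile(r"Package Install was detected")),
    ("outbound", re.compile(r"Process (?P<process>\S+) generated outgoing network traffic to: (?P<ip>[\d.]+):(?P<port>\d+)")),
    ("dns", re.compile(r"Process (?P<process>\S+) attempted to access suspicious domains: (?P<domain>\S+)")),
]


def parse_line(line: str) -> Optional[dict]:
    """Assumed line format (constructed for this example): '<ISO timestamp> <host> <message>'.
    Lines that match no pattern (e.g. the timeout line) are dropped."""
    try:
        ts, host, msg = line.split(" ", 2)
    except ValueError:
        return None
    for kind, pat in PATTERNS:
        m = pat.search(msg)
        if m:
            return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **m.groupdict()}
    return None


def ioc_in(ev: dict) -> Optional[str]:
    """Return the page-listed indicator an egress event touches, if any."""
    if ev["kind"] == "outbound" and ev["ip"] in IOC_IPS:
        return ev["ip"]
    if ev["kind"] == "dns" and ev["domain"] in IOC_DOMAINS:
        return ev["domain"]
    return None


def detect_911_chain(lines: List[str], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Per host and per SSH login: fire when a package install and outbound
    traffic or a suspicious lookup from a shell follow the login within `window`.
    Findings carry any page-listed IOCs seen; an IOC hit raises severity to high."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: (e["host"], e["ts"]))  # stable, keeps same-second order
    by_host: Dict[str, List[dict]] = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    findings = []
    for host, evs in by_host.items():
        for i, login in enumerate(evs):
            if login["kind"] != "ssh_login":
                continue
            installed, shell_egress, iocs = False, False, []
            for ev in evs[i + 1:]:
                if ev["kind"] == "ssh_login" or ev["ts"] - login["ts"] > window:
                    break  # next session or outside the window: stop attributing to this login
                if ev["kind"] == "package_install":
                    installed = True
                elif ev["kind"] in ("outbound", "dns"):
                    if ev["process"] in SHELLS:
                        shell_egress = True
                    hit = ioc_in(ev)
                    if hit and hit not in iocs:
                        iocs.append(hit)
            if installed and shell_egress:
                findings.append({"host": host, "user": login["user"],
                                 "login_ts": login["ts"].isoformat(),
                                 "iocs": iocs, "severity": "high" if iocs else "medium"})
    return findings


# Constructed sample events: sensor-a mirrors the incident above, sensor-b is a
# benign package update where egress comes from the package manager, not a shell.
SAMPLE_LINES = [
    "2020-08-18T10:00:00 sensor-a A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List",
    "2020-08-18T10:00:12 sensor-a A possibly malicious Package Install was detected",
    "2020-08-18T10:00:15 sensor-a Process /bin/bash generated outgoing network traffic to: 45.95.168.152:80",
    "2020-08-18T10:00:15 sensor-a Process /bin/bash attempted to access suspicious domains: quilounges.com",
    "2020-08-18T10:00:40 sensor-a Connection was closed due to timeout",
    "2020-08-18T11:30:00 sensor-b A user logged in using SSH with the following credentials: deploy / **** - Authentication policy: White List",
    "2020-08-18T11:31:00 sensor-b A possibly malicious Package Install was detected",
    "2020-08-18T11:31:05 sensor-b Process /usr/bin/apt-get generated outgoing network traffic to: 203.0.113.10:443",
]

if __name__ == "__main__":
    for f in detect_911_chain(SAMPLE_LINES):
        print(f)
```

Keying the chain on the SSH session rather than on the IOC alone matters here: the connect-back address and domain rotate between campaigns, while "root login, then install, then a shell talking outbound" is the behaviour that survives an infrastructure change. Keep the IOC match as the severity booster, not the only trigger.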