Hack of Polish Financial Supervision Authority and Polish banks
A couple of days ago the financial sector in Poland was shocked by the news that the Polish financial supervision authority (KNF) had been hacked and that its website had been used as an attack vector to gain access to other (mostly Polish) banks.
This is a very short summary with some IOCs (Indicators of Compromise) that you can use to check your logs and verify whether you are affected.
Note that most of this information is compiled from information found at
- (English) https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/
- (Polish) https://niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/
All credit goes to the authors of those posts. I merely merged the information from both posts (so you no longer have to go through Google Translate to read the Polish one).
Note that you can also get the IOCs in an easily accessible format via the OSINT feed of botvrij.eu. If you have a local MISP instance you can subscribe to the botvrij.eu OSINT feed (at no cost). Feel free to contact me if you need help setting up MISP and integrating it into your incident management workflow. Also see MISP EcoSystem – Threat Intelligence, VMRay, MISP. The UUID for this event is 58998603-c66c-49a0-a485-1689c0a8ab16.
Preparation, Delivery, Exploitation and Actions on Objective
- So far there is no evidence that funds of customers of any bank are (or were) at risk
- The attackers (ab)used the trust that banks (and their employees) put in the supervision authority
- Protection rules set out for the banks were not fully applied by the regulator itself
- The server-side attack was made possible by an unpatched vulnerability in JBoss (stored XSS) that allowed malicious JavaScript code to be inserted into the site; this code was then served to the clients visiting the website
- It is uncertain whether, for example, CSP would have prevented this attack: “but considering the attack vector and the careful preparation of the attack they would have to be able to work around – modifying, removing CSP or load malicious code from the KNF website”
- There was a similar event (but no claims that it is related to this attack) against the Comisión Nacional Bancaria y de Valores, the Mexican financial authority
- The infection of the visitors only took place if the source IP was in the target list (see Target list subnet below)
- Remarkably, the same malicious software was also found at victims that were not in the target list
- The attack exploited vulnerabilities in the Silverlight and Flash browser plugins
- Once the malicious script was injected, it downloaded its final payload from other servers
- Was there a link with other attacks? (info from the Polish post) Apparently, the software used is very similar to that used in the SWIFT attack in 2016. A word of warning though: malware is often developed with the use of libraries, and these libraries are shared and reused. Seeing the same characteristics in malware does not mean that the same group conducted the attack. Also, the goal of the so-called SWIFT attackers was financial theft; based on the currently available information this was not the case for this attack.
- So what was the goal of the attackers?
- There was no financial gain as no funds were stolen
- Was it theft of financial or personal data?
- Financial data (transactions, history) can also be very (more?) valuable
Indication of infection
Web requests
Check your web proxy logs for
knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js
or
http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11
Other potentially malicious URLs embedded in the knf.gov.pl website (check whether these requests show up in your web proxy logs)
- sap.misapor.ch
- sap.misapor.ch/vishop/view.jsp?pagenum=1
- www.eye-watch.in
- www.eye-watch.in/design/fancybox/Pnf.action
or
- http://sap.misapor.ch/vishop/view.jsp?pagenum=1
- https://www.eye-watch.in/design/fancybox/Pnf.action
C2 IPs
C2 IP addresses
1.215.228.230 107.190.190.21 116.168.107.32 120.107.163.79 125.214.195.17 129.221.254.13 131.11.224.116 140.112.14.16 169.45.142.150 17.61.46.70 18.200.16.237 182.45.75.93 196.29.166.218 203.66.57.237 203.67.31.17 204.136.221.47 206.94.195.86 21.190.190.107 218.224.125.66 32.107.168.116 36.61.131.78 47.221.136.204 59.120.19.101 59.173.0.74 59.43.86.123 70.46.61.17 82.144.131.5 86.195.94.206 93.75.45.182
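The two checks described in the "Web requests" and "C2 IP addresses" sections above, as an added example that is not part of the original post: a small scanner that reads proxy log lines, flags requests for the injected accordian-src.js script or the two follow-on hosts (ignoring scheme, case and the ?ver=11 query string), and flags any of the published C2 addresses. The log lines are constructed in Squid-style format for demonstration; real proxies may log URLs differently, so adjust URL_RE to your format.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above: the injected script path on the
# otherwise legitimate KNF site, the two follow-on hosts, and the C2 list.
KNF_HOSTS = {"knf.gov.pl", "www.knf.gov.pl"}
INJECTED_SCRIPT_PATH = "/defaultdesign/layouts/knf2013/resources/accordian-src.js"
MALICIOUS_HOSTS = {"sap.misapor.ch", "www.eye-watch.in"}
C2_IPS = {
    "1.215.228.230", "107.190.190.21", "116.168.107.32", "120.107.163.79",
    "125.214.195.17", "129.221.254.13", "131.11.224.116", "140.112.14.16",
    "169.45.142.150", "17.61.46.70", "18.200.16.237", "182.45.75.93",
    "196.29.166.218", "203.66.57.237", "203.67.31.17", "204.136.221.47",
    "206.94.195.86", "21.190.190.107", "218.224.125.66", "32.107.168.116",
    "36.61.131.78", "47.221.136.204", "59.120.19.101", "59.173.0.74",
    "59.43.86.123", "70.46.61.17", "82.144.131.5", "86.195.94.206",
    "93.75.45.182",
}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)  # assumes full URLs in the log
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_url(url):
    """Return a reason string if the URL matches a page IOC, else None.
    Scheme, case and query string are ignored so both listed forms match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNF_HOSTS and parts.path.lower() == INJECTED_SCRIPT_PATH:
        return "injected knf.gov.pl script"
    if host in MALICIOUS_HOSTS:
        return "known malicious host " + host
    return None


def scan_line(line):
    """Return a list of (kind, detail) hits for one proxy log line."""
    hits = [("url", r) for r in map(classify_url, URL_RE.findall(line)) if r]
    # Any C2 address on the line (CONNECT target, peer address, ...) counts once.
    hits += [("c2", ip) for ip in sorted(set(IP_RE.findall(line)) & C2_IPS)]
    return hits


def scan_log(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


# Constructed Squid-style access log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    "1486400000.123 210 10.20.30.40 TCP_MISS/200 5120 GET "
    "http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11 "
    "- HIER_DIRECT/198.51.100.10 application/javascript",
    "1486400001.456 180 10.20.30.40 TCP_MISS/200 812 GET "
    "http://sap.misapor.ch/vishop/view.jsp?pagenum=1 - HIER_DIRECT/203.0.113.5 text/html",
    "1486400002.789 90 10.20.30.41 TCP_MISS/200 3000 GET http://www.knf.gov.pl/ "
    "- HIER_DIRECT/198.51.100.10 text/html",
    "1486400003.000 120 10.20.30.42 TCP_TUNNEL/200 64 CONNECT 125.214.195.17:443 "
    "- HIER_DIRECT/125.214.195.17 -",
]
```

Running scan_log(SAMPLE_LOG) flags lines 1, 2 and 4 only; the plain request for the KNF front page on line 3 is not an indicator by itself.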
Target list subnet
Only client IPs belonging to these subnets were infected.
First of all, thanks for your information regarding the Polish banks' security issue.
I have a question about the above IP list marked as infected. How do you know that these IPs are infected? Are these IPs extracted from C2?
If these IPs are extracted from the KNF web log, I think all of the IPs cannot be infected by the exploit toolkit if the devices connected to KNF are patched for Silverlight or Flash.
I just wonder about it.
The “C2 IP addresses” are addresses used for communication of the malware.
Thank you for sharing this informative post!