China - Rogue Country / Internet Terrorism

inetnum: 223.240.0.0 – 223.247.255.255
netname: CHINANET-AH
descr: CHINANET Anhui province network
descr: Data Communication Division
descr: China Telecom
country: CN

inetnum:
netname: CMNET
descr: China Mobile Communications Corporation
descr: Mobile Communications Network Operator in China
descr: Internet Service Provider in China
country: CN

inetnum: 222.222.0.0 – 222.223.255.255
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN

inetnum: 115.236.87.40 – 115.236.87.47
netname: ZHEJIANG-TUXUN-LTD
country: CN
descr: Zhejiang Tuxun LTD
descr:
admin-c: HM771-AP
tech-c: CH122-AP
mnt-irt: IRT-CHINANET-ZJ
status: ASSIGNED NON-PORTABLE

inetnum: 221.236.0.0 – 221.237.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN

inetnum: 120.192.0.0 – 120.255.255.255
netname: CMNET
descr: China Mobile Communications Corporation
descr: Mobile Communications Network Operator in China
descr: Internet Service Provider in China
country: CN
org: ORG-CM1-AP

Many of these IP addresses were first detected on 4/6/18.

Above are the current networks that we want North America to keep an eye on. We have been watching thousands of IPs from this BOTNET hacking systems and generating malicious traffic and attacks.
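One way to actually "keep an eye on" the networks listed above is to turn the inetnum lines into CIDR blocks and match log sources against them. The script below is an added example and not code from the post; it embeds the inetnum/netname lines copied from the records above (the record with an empty inetnum line is skipped because it carries no range) and a constructed sample firewall log whose format is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# inetnum/netname lines copied from the WHOIS records in the post above.
# The CMNET record with a blank inetnum line is present but yields no range.
WATCHLIST_WHOIS = """
inetnum: 223.240.0.0 – 223.247.255.255
netname: CHINANET-AH
inetnum:
netname: CMNET
inetnum: 222.222.0.0 – 222.223.255.255
netname: CHINANET-HE
inetnum: 115.236.87.40 – 115.236.87.47
netname: ZHEJIANG-TUXUN-LTD
inetnum: 221.236.0.0 – 221.237.255.255
netname: CHINANET-SC
inetnum: 120.192.0.0 – 120.255.255.255
netname: CMNET
"""

# WHOIS dumps use either a plain hyphen or an en dash between the two addresses.
RANGE_RE = re.compile(r"^inetnum:\s*(\d+(?:\.\d+){3})\s*[-\u2013]\s*(\d+(?:\.\d+){3})$")
NAME_RE = re.compile(r"^netname:\s*(\S+)$")


def parse_watchlist(text: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Return {netname: [CIDR networks]} for every inetnum line that has a range."""
    result: Dict[str, List[ipaddress.IPv4Network]] = {}
    pending = None  # networks of the last inetnum line, waiting for its netname
    for raw in text.splitlines():
        line = raw.strip()
        m = RANGE_RE.match(line)
        if m:
            first = ipaddress.ip_address(m.group(1))
            last = ipaddress.ip_address(m.group(2))
            # summarize_address_range turns an arbitrary first-last span into
            # the minimal list of CIDR blocks covering exactly that span.
            pending = list(ipaddress.summarize_address_range(first, last))
            continue
        m = NAME_RE.match(line)
        if m and pending is not None:
            result.setdefault(m.group(1), []).extend(pending)
            pending = None
    return result


WATCHLIST = parse_watchlist(WATCHLIST_WHOIS)


def lookup(ip: str, watchlist: Optional[Dict[str, List[ipaddress.IPv4Network]]] = None) -> Optional[str]:
    """Return the netname whose range contains ip, or None if it is off the watchlist."""
    wl = WATCHLIST if watchlist is None else watchlist
    addr = ipaddress.ip_address(ip)
    for netname, nets in wl.items():
        if any(addr in net for net in nets):
            return netname
    return None


# Constructed sample firewall lines (not real traffic). Assumed layout:
# <timestamp> <verdict> <source> -> <destination>:<port>
SAMPLE_LOG = """\
2018-04-06T10:01:02Z DENY 223.241.247.6 -> 203.0.113.10:3389
2018-04-06T10:01:05Z DENY 222.223.217.34 -> 203.0.113.10:993
2018-04-06T10:01:09Z ALLOW 198.51.100.7 -> 203.0.113.10:443
2018-04-06T10:01:11Z DENY 123.172.215.62 -> 203.0.113.10:3389
"""


def scan_log(log: str, watchlist: Optional[Dict[str, List[ipaddress.IPv4Network]]] = None) -> List[Tuple[str, str]]:
    """Return (source, netname) for every log line whose source is on the watchlist."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name = lookup(parts[2], watchlist)
        if name:
            hits.append((parts[2], name))
    return hits


if __name__ == "__main__":
    for netname, nets in WATCHLIST.items():
        print(netname, [str(n) for n in nets])
    print(scan_log(SAMPLE_LOG))
```

Note that the Australian address listed later in the post (123.172.215.62) is not inside any of the published ranges, so it is missed here; addresses observed outside the ranges have to be added as individual entries rather than relying on the netblocks alone.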

A very interesting finding is that two search engines appear to be working together with the BOTNET. Tracking has found that some of these systems are operated by actual users and not bots. These systems will be marked as possible controllers when found.

Another interesting thing is that these new bots appear to be micromanaged, meaning that each has its own individual task to carry out, whereas previously I would see the same bot perform many tasks against the attacked system. I figure that this micromanaging of the bots' abilities is a way for these botnets and hackers to bypass certain automated firewalls and filtering systems.

ENABLED BLOCKING

When these IP addresses were blocked, they increased in attack frequency, and the BotNet also looked for other bots in its network that were not blocked. This is when we noticed that bots in Australia and the United Kingdom, part of this same BOTNET, were now attacking and trying to penetrate systems.

WHAT THEY ATTACK

The services that they attack are RDP (Remote Desktop), FTP, email (SMTP, IMAP, POP3), and websites.

1) RDP – These IP addresses endlessly run dictionary attacks to try to gain access to and control a system for their own malicious activities.

2) EMAIL – We have noticed that after they scan websites and find email addresses, even fake ones, they then try to break into these accounts.

When they get account access they spam the local user and send out all kinds of spam, as well as malicious content to infect users.

We have also noticed that they tend to hack IMAP more often than POP3 access.

3) WEBSITES – There are many reasons why they attack websites.

* They like to deface websites and push their own corrupt and terrorist propaganda, distribute their own viruses and malware to infect unsuspecting users, and install tracking and information-theft software.

* They also try hacking the website platforms to get root access to a server, by infecting a website with tools that allow them to upload files, gain remote access to your site and bypass all authentication processes. Once they bypass this, they typically create new user names with admin access, gain control of the server and are then able to do whatever they want.

Some of the things we have found when they do gain access: they may install their own web server software so that they can distribute files and connect the newly overtaken machine into their botnet. This at times also prevents a basic user from seeing that they have been hacked; however, many times they completely lock out the owner of the system by changing their passwords as well. They typically also use the compromised systems for other malicious activities, including information theft.
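The RDP dictionary attacks and the email account break-ins described in items 1 and 2 both show up in authentication logs as runs of failed logins, and the earlier observation that the bots are micromanaged (one task per bot) matters for detection: a threshold on failures per source catches a single bot hammering one service, but misses four bots that each try one password against the same mailbox. The detector below is an added example, not the post's own tooling; it runs both checks over a constructed sample of failed-login events whose line format is an assumption, and the addresses in the sample are taken from the list in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample authentication events (not real logs). Assumed layout:
# <timestamp> <service> <FAIL|OK> src=<source> user=<account>
SAMPLE_AUTH_LOG = """\
2018-04-06T10:00:01Z rdp FAIL src=223.241.247.6 user=administrator
2018-04-06T10:00:02Z rdp FAIL src=223.241.247.6 user=admin
2018-04-06T10:00:03Z rdp FAIL src=223.241.247.6 user=backup
2018-04-06T10:00:04Z rdp FAIL src=223.241.247.6 user=test
2018-04-06T10:00:05Z rdp FAIL src=223.241.247.6 user=sales
2018-04-06T10:00:06Z rdp FAIL src=223.241.247.6 user=guest
2018-04-06T10:02:10Z imap FAIL src=222.223.217.34 user=info@example.org
2018-04-06T10:02:15Z imap FAIL src=120.203.25.58 user=info@example.org
2018-04-06T10:02:20Z imap FAIL src=120.209.71.14 user=info@example.org
2018-04-06T10:02:25Z imap FAIL src=221.237.208.10 user=info@example.org
2018-04-06T10:05:00Z imap FAIL src=198.51.100.7 user=alice@example.org
2018-04-06T10:05:30Z imap OK src=198.51.100.7 user=alice@example.org
"""

EVENT_RE = re.compile(r"^(\S+)\s+(rdp|imap|pop3|ftp)\s+(FAIL|OK)\s+src=(\S+)\s+user=(\S+)$")

Event = Tuple[datetime, str, str, str, str]  # (time, service, result, source, user)


def parse_events(log: str) -> List[Event]:
    """Parse the sample format into tuples; lines that do not match are ignored."""
    events = []
    for raw in log.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def noisy_sources(events: List[Event], window_seconds: int = 300, threshold: int = 5) -> Set[str]:
    """Sources with at least `threshold` failures inside any `window_seconds` span.
    This is the classic per-IP brute-force rule: one bot running a dictionary."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for ts, _svc, result, src, _user in events:
        if result == "FAIL":
            by_src[src].append(ts)
    flagged = set()
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits within window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def sprayed_accounts(events: List[Event], window_seconds: int = 300, min_sources: int = 3) -> Dict[str, Set[str]]:
    """Accounts that saw failures from at least `min_sources` distinct sources
    within one window. Each source alone stays under the per-IP threshold, so
    this is the rule that catches the one-task-per-bot pattern."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, _svc, result, src, user in events:
        if result == "FAIL":
            by_user[user].append((ts, src))
    flagged: Dict[str, Set[str]] = {}
    for user, entries in by_user.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            while (entries[end][0] - entries[start][0]).total_seconds() > window_seconds:
                start += 1
            srcs = {s for _, s in entries[start:end + 1]}
            if len(srcs) >= min_sources:
                flagged.setdefault(user, set()).update(srcs)
    return flagged


EVENTS = parse_events(SAMPLE_AUTH_LOG)

if __name__ == "__main__":
    print("noisy sources:", noisy_sources(EVENTS))
    print("sprayed accounts:", sprayed_accounts(EVENTS))
```

In the sample, the RDP source trips the per-IP rule on its own, while the four IMAP sources each fail only once and are caught only by the per-account rule; after blocking the noisy sources, as the ENABLED BLOCKING section describes, it is the second rule that keeps seeing the replacement bots.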

**ABUSIVE IPs with the most traffic**

223.241.247.6 <- Affiliated to a BOTNET

222.223.217.34 <- Affiliated to a BOTNET

115.236.87.42 <- Affiliated to a BOTNET **AFTER TD

120.203.25.58 <- Affiliated to a BOTNET **AFTER TD

120.209.71.14 <- Affiliated to a BOTNET **AFTER TD

221.237.208.10 <- Affiliated to a BOTNET **AFTER TD

123.172.215.62 <- AU Address that started attacking after block

added – 4/23/19

222.186.150.193 – Hacking WordPress Sites and trying to upload files.

****************************************************************************************************