Overall, things have been steady over the past few days. We are still seeing EvilOSX and Drupal vulnerabilities being exploited. In addition, Necurs activity has increased and expanded significantly. We have reported some suspicious CDN activity as well as some targeted malware infections that appear to be nation-state activity.
Most of the Drupal-based activity is cryptocurrency mining, although there have been a few reports of targeted direct attacks from North Korea using the same methods; these remain a rarity. We are also seeing criminal click-through activity along with the usual scanning and automation attempts. It is apparent that SamSam is also active and is being used against the healthcare sector.
Recent Security News
Office 365 Targeting - We have seen an uptick in Office 365 "Synching Failed" messages. You can clearly tell they are not from Microsoft because the links point to compromised servers rather than Microsoft domains. Keep an eye out for this type of activity. See activity below.
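The check described above, link hosts that are not Microsoft's, can be automated at the mail gateway. The following is an added example, not Jigsaw Security's tooling; the Microsoft domain allowlist and the sample "Synching Failed" message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a genuine Office 365 notification may link to.
# A defender would maintain and extend this allowlist.
MICROSOFT_DOMAINS = {
    "microsoft.com", "office.com", "office365.com",
    "microsoftonline.com", "live.com", "outlook.com",
}


class _LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def registered_domain(host):
    """Reduce a hostname to its last two labels so that
    'login.microsoftonline.com.evil.invalid' resolves to 'evil.invalid'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html_body):
    """Return http(s) links in an Office 365-themed email whose registered
    domain is not Microsoft's. Bare-IP hosts and lookalike subdomains are
    flagged because they never match the allowlist."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for href in parser.hrefs:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, relative links, etc. carry no host to judge
        if registered_domain(url.hostname or "") not in MICROSOFT_DOMAINS:
            flagged.append(href)
    return flagged


# Constructed sample resembling the "Synching Failed" lure described above.
SAMPLE_EMAIL = """<html><body>
<p>Office 365: Synching Failed. 3 messages could not be delivered.</p>
<p><a href="http://compromised-site.invalid/o365/sync.php">Fix sync issue</a></p>
<p><a href="https://www.microsoft.com/en-us/microsoft-365">Learn more</a></p>
</body></html>"""
```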
Additional alerts have been sent to Jigsaw Security customers.
Recent Security Events
Office 365 Message Sync Messages - This activity continues and is being used to track who clicks the links in the email; those users are then targeted for additional attacks. Event: 28786
Adsense Activity - Seeing lots of ad tracking from Adsense domains. Event: None (Blocked/Sinkholed)
Network Time Protocol Windows Daemon getEndptFromIoCtx Denial of Service - Covered by CVE-2016-9312 - We are seeing this activity from 51[.]15[.]13[.]124.
NetCore and Remote Command Execution Attacks - We are still seeing router-based attacks from two IPs. Event: Historical
IOCs:
51[.]15[.]13[.]124