PHISHING INFRASTRUCTURE IMPERSONATING CYBERSECURITY VENDORS/VPN PROVIDERS

    Date: 10/29/2024

    Severity: Medium

    Summary

    The report on "Phishing Infrastructure Impersonating Cybersecurity Vendors/VPN Providers" describes a malicious campaign that targets users by impersonating well-known cybersecurity and VPN companies. The campaign uses root domains named after various vendors and includes previously reported phishing incidents. The domains were registered between June 26 and October 8, 2024, and have been hosted on seven unique IP addresses over the past month. Currently, most of these sites return "503 service unavailable" or "internal server error" messages, which suggests the operation has been disrupted.

    Indicators of Compromise (IOC) List

    URL/Domains


    IP Address


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "ciscoweblink.com" or url like "ciscoweblink.com" or userdomainname like "vpnciscoweb.com" or url like "vpnciscoweb.com" or userdomainname like "web-cisco.com" or url like "web-cisco.com" or userdomainname like "vpncisco.com" or url like "vpncisco.com" or userdomainname like "panel-cisco.com" or url like "panel-cisco.com" or userdomainname like "ciscolinkweb.com" or url like "ciscolinkweb.com" or userdomainname like "fortivpnlink.com" or url like "fortivpnlink.com" or userdomainname like "linkwebcisco.com" or url like "linkwebcisco.com" or userdomainname like "ciscolinkacc.com" or url like "ciscolinkacc.com" or userdomainname like "webpaloalto.com" or url like "webpaloalto.com" or userdomainname like "logonlink.com" or url like "logonlink.com" or userdomainname like "webvpnpaloalto.com" or url like "webvpnpaloalto.com" or userdomainname like "ciscoacclink.com" or url like "ciscoacclink.com" or userdomainname like "logonpointportal.com" or url like "logonpointportal.com" or userdomainname like "logonprotect.com" or url like "logonprotect.com" or userdomainname like "pointlogin.com" or url like "pointlogin.com" or userdomainname like "vpnpalaolto.com" or url like "vpnpalaolto.com" or userdomainname like "analytics.ciscolinkacc.com" or url like "analytics.ciscolinkacc.com" or userdomainname like "bi.ciscolinkacc.com" or url like "bi.ciscolinkacc.com" or userdomainname like "data.ciscolinkacc.com" or url like "data.ciscolinkacc.com" or userdomainname like "insight.ciscolinkacc.com" or url like "insight.ciscolinkacc.com" or userdomainname like "c2nyrc6g5xqkq374.ciscolinkweb.com" or url like "c2nyrc6g5xqkq374.ciscolinkweb.com" or userdomainname like "cloak2b3dyro7qca.ciscolinkweb.com" or url like "cloak2b3dyro7qca.ciscolinkweb.com" or userdomainname like "dashboard.ciscolinkweb.com" or url like "dashboard.ciscolinkweb.com" or userdomainname like "www.ciscolinkweb.com" or url like "www.ciscolinkweb.com" or userdomainname like 
"9hdqcobrcdutceyr.ciscoweblink.com" or url like "9hdqcobrcdutceyr.ciscoweblink.com" or userdomainname like "ebay.ciscoweblink.com" or url like "ebay.ciscoweblink.com" or userdomainname like "insight.ciscoweblink.com" or url like "insight.ciscoweblink.com" or userdomainname like "ecf77kfp6np8ghpf.fortivpnlink.com" or url like "ecf77kfp6np8ghpf.fortivpnlink.com" or userdomainname like "www.fortivpnlink.com" or url like "www.fortivpnlink.com" or userdomainname like "ssl.logonlink.com" or url like "ssl.logonlink.com" or userdomainname like "www.logonlink.com" or url like "www.logonlink.com" or userdomainname like "www.logonpointportal.com" or url like "www.logonpointportal.com" or userdomainname like "airflow.pointlogin.com" or url like "airflow.pointlogin.com" or userdomainname like "kafka.pointlogin.com" or url like "kafka.pointlogin.com" or userdomainname like "www.pointlogin.com" or url like "www.pointlogin.com" or userdomainname like "kafka.vpncisco.com" or url like "kafka.vpncisco.com" or userdomainname like "kafka-ui.vpncisco.com" or url like "kafka-ui.vpncisco.com" or userdomainname like "www.vpncisco.com" or url like "www.vpncisco.com" or userdomainname like "www.www.vpncisco.com" or url like "www.www.vpncisco.com" or userdomainname like "www.www.www.vpncisco.com" or url like "www.www.www.vpncisco.com" or userdomainname like "www.vpnciscoweb.com" or url like "www.vpnciscoweb.com" or userdomainname like "m.vpnpalaolto.com" or url like "m.vpnpalaolto.com" or userdomainname like "yt9pbgt05d2eibmq.vpnpalaolto.com" or url like "yt9pbgt05d2eibmq.vpnpalaolto.com" or userdomainname like "ety6i1og4unmve3m.vpnpaloalto.com" or url like "ety6i1og4unmve3m.vpnpaloalto.com" or userdomainname like "azoeajykidojkesr.web-cisco.com" or url like "azoeajykidojkesr.web-cisco.com" or userdomainname like "report.web-cisco.com" or url like "report.web-cisco.com" or userdomainname like "airflow.webpaloalto.com" or url like "airflow.webpaloalto.com" or userdomainname like "3bp4klbi6goov7am.webvpnpaloalto.com" or url like 
"3bp4klbi6goov7am.webvpnpaloalto.com" or userdomainname like "airflow.webvpnpaloalto.com" or url like "airflow.webvpnpaloalto.com" or userdomainname like "www.webvpnpaloalto.com" or url like "www.webvpnpaloalto.com"

    Detection Query 2

    dstipaddress IN ("147.45.125.120","185.219.7.201","94.159.100.245","94.232.249.246","103.136.150.88","185.219.7.204","212.192.13.136") or ipaddress IN ("147.45.125.120","185.219.7.201","94.159.100.245","94.232.249.246","103.136.150.88","185.219.7.204","212.192.13.136") or publicipaddress IN ("147.45.125.120","185.219.7.201","94.159.100.245","94.232.249.246","103.136.150.88","185.219.7.204","212.192.13.136") or srcipaddress IN ("147.45.125.120","185.219.7.201","94.159.100.245","94.232.249.246","103.136.150.88","185.219.7.204","212.192.13.136")
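    The two queries above enumerate every listed hostname and IP. As an added example (not from the advisory or from Gurucul), the same check in Python, generalized to match on the IOC root domain so that the random-looking subdomains in this campaign are caught without listing each one, while a legitimate vendor domain such as cisco.com is not. The IOC values are the page's own; the log records are constructed for the demo.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Root domains and IP addresses taken from the advisory's IOC list above.
IOC_ROOT_DOMAINS = {
    "ciscoweblink.com", "vpnciscoweb.com", "web-cisco.com", "vpncisco.com",
    "panel-cisco.com", "ciscolinkweb.com", "fortivpnlink.com", "linkwebcisco.com",
    "ciscolinkacc.com", "webpaloalto.com", "logonlink.com", "webvpnpaloalto.com",
    "ciscoacclink.com", "logonpointportal.com", "logonprotect.com", "pointlogin.com",
    "vpnpalaolto.com",
}
IOC_IPS = {
    "147.45.125.120", "185.219.7.201", "94.159.100.245", "94.232.249.246",
    "103.136.150.88", "185.219.7.204", "212.192.13.136",
}

def hostname_of(value):
    """Lowercase hostname from a bare host, host:port or full URL (port and path dropped)."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # makes urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").rstrip(".")

def matches_ioc(value):
    """True for an IOC IP, an IOC root domain, or any subdomain under one of them."""
    host = hostname_of(value)
    if not host:
        return False
    try:
        return str(ipaddress.ip_address(host)) in IOC_IPS
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    # Walk the labels right to left: dashboard.ciscolinkweb.com and
    # www.www.www.vpncisco.com both reduce to a listed root; cisco.com never does.
    labels = host.split(".")
    return any(".".join(labels[i:]) in IOC_ROOT_DOMAINS for i in range(len(labels)))

# Constructed proxy/DNS-style records for the demo, not real telemetry.
SAMPLE_LOG = [
    "2024-10-29T10:01:02Z user=alice url=https://dashboard.ciscolinkweb.com/login action=allow",
    "2024-10-29T10:01:09Z user=bob url=https://www.cisco.com/ action=allow",
    "2024-10-29T10:02:15Z user=carol dst=185.219.7.204:443 action=allow",
    "2024-10-29T10:03:44Z user=dave host=www.www.www.vpncisco.com action=block",
]
FIELD = re.compile(r"\b(?:url|dst|host)=(\S+)")

def scan_log(lines):
    """Return (line_number, value) for every record whose url/dst/host field hits an IOC."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in FIELD.findall(line) if matches_ioc(v)]
```

    Label-based matching also avoids the false positive a plain substring match would give on a name such as notciscoweblink.com.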

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-28-IOCs-for-phising-campaign.txt


    Tags

    Malware, Phishing, Domain Spoofing, Information Technology
