Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, March 03, 2021
Exposing FBI's Most Wanted Cybercriminals - "JabberZeuS" Crew - An OSINT Analysis

Exposing the Guccifer 2.0 "GRU-Connected" Enterprise - An OSINT Analysis
Sample Personal URLs: https://guccifer2.wordpress.com; https://twitter.com/GUCCIFER_2
Sample personal email: Guccifer20@aol.fr
Sample IPs known to have been involved in the campaign: 95.13.15.34; 95.130.9.198; 212.117.164.35; 95.211.168.139
Sample VPN service provider which was used by the Guccifer 2.0 enterprise:
hxxp://ns1.vpn-service.us - 176.9.89.229 - Email: sec.service@mail.ru
hxxp://ns2.vpn-service.us - 85.17.139.9
hxxp://ns3.vpn-service.us - 212.117.164.35
hxxp://ns1.vpn-service.us - 212.32.234.134
hxxp://ns2.vpn-service.us - 37.48.92.139
hxxp://ns3.vpn-service.us - 193.161.87.105
Sample screenshots of conversation with the Guccifer 2.0 enterprise:
Stay tuned!

Exposing FBI's Most Wanted Cybercriminals - Iran's Mabna Hackers - An OSINT Analysis
Sample phishing URLs known to have been involved in the campaign:
Sample domains known to have been involved in the campaign:
Sample IPs known to have been involved in the campaign:
Stay tuned!
