Watering Hole Attacks

Overview

The FBI assesses a group of malicious cyber actors—likely located in Iran—use Virtual Private Server infrastructure hosted in the United States to compromise government, corporate, and academic computer networks based in the Middle East, Europe and the United States. This infrastructure is used in conjunction with identified malicious domains to support a broad cyber campaign which likely includes the use of e-mail spear phishing, social engineering, and malicious Web sites (“watering hole attack”). These cyber actors almost certainly have been involved in this activity since at least early 2015. Through a combination of FBI and private sector analysis, it is likely the actors involved with this activity are located in Iran. At least some victim information from this cyber activity transits US-based infrastructure to IP addresses located in Iran. At least one identified malicious domain was registered by a presumed Iranian national connected to a physical address in Tehran, Iran. The majority of the victims were located in Middle Eastern countries known to be traditional adversaries of the Iranian regime.

Technical Details

Below is a list of IP addresses and domain names associated with this cyber activity. Any activity involving these IPs or domains that is detected on a network should be treated as an indicator of compromise (IOC) requiring mitigation.

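The alert asks defenders to treat any network activity involving the listed IPs or domains as an IOC. The example below, added here and not part of the FBI alert, shows how to sweep DNS and web-proxy logs against such a list; it uses constructed placeholder indicators and constructed log lines, not the real values above. Matching is done on domain-label boundaries, because the list contains both registered domains and hostnames beneath them, and a naive substring test would also fire on unrelated look-alike names.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Constructed placeholder indicators (the alert's real list is not reproduced here).
IOC_IPS: Set[str] = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS: Set[str] = {"updates-example.test", "cdn-example.test"}

# Constructed sample log lines: DNS query records and web-proxy records.
SAMPLE_LOGS: List[str] = [
    "2017-03-01T10:00:01Z dns client=10.0.0.5 query=js.updates-example.test type=A",
    "2017-03-01T10:00:02Z dns client=10.0.0.5 query=example.com type=A",
    "2017-03-01T10:00:03Z proxy client=10.0.0.9 dst=203.0.113.45:443 url=https://203.0.113.45/a.js",
    "2017-03-01T10:00:04Z proxy client=10.0.0.9 dst=93.184.216.34:443 url=https://example.com/",
    "2017-03-01T10:00:05Z dns client=10.0.0.7 query=notupdates-example.test type=A",
]

_TOKEN_SPLIT = re.compile(r"[\s=/:,;\"'<>()\[\]]+")


def domain_matches(name: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    Walks the label suffixes so 'notupdates-example.test' does not match
    'updates-example.test' while 'js.updates-example.test' does."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def ip_matches(token: str, ioc_ips: Set[str]) -> Optional[str]:
    """Return the token if it is a syntactically valid IP address on the IOC list."""
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return None
    return token if token in ioc_ips else None


def scan_line(line: str, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS) -> List[Tuple[str, str]]:
    """Return (token, matched_ioc) pairs for every indicator hit in one log line."""
    hits = []
    for tok in _TOKEN_SPLIT.split(line):
        if not tok:
            continue
        hit = ip_matches(tok, ioc_ips) or (domain_matches(tok, ioc_domains) if "." in tok else None)
        if hit:
            hits.append((tok, hit))
    return hits


def scan_logs(lines, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS) -> List[Tuple[int, Optional[str], List[str]]]:
    """Return (line_number, client, matched_iocs) for each line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, ioc_ips, ioc_domains)
        if hits:
            client = re.search(r"client=(\S+)", line)
            results.append((n, client.group(1) if client else None, sorted({h for _, h in hits})))
    return results
```

Each hit reports the internal client that made the query or connection, which is the host to isolate and examine first under the incident response plan the alert recommends.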

Recommended Mitigations

Precautionary measures to mitigate this activity are:

  • Prepare an incident response plan to be rapidly implemented in case of a cyber intrusion.
  • Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers and software that processes Internet data such as Web browsers, browser plugins, and document readers.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Implement application whitelisting to block execution of malware, or at least block execution of files from TEMP directories, from which most malware attempts to execute.
