Industry Security Notice - gov.uk

Industry Security Notice

Number 2017/02

Subject: DEFENCE INDUSTRY WARP CANNEL STATE NOTIFICATION

Introduction

This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre (NCSC) Report NCSC-Ops/09/17 (attached) concerning the Global Targeting of Enterprises via Managed Service Providers. Any positive matches found should be reported to the MOD Point of Contact below.

Issue

MODCERT Notification of CANNEL State Increase

MODCERT are raising the CANNEL State to HEIGHTENED in response to reporting issued by the NCSC (NCSC Report NCSC-Ops/09-17: The Global targeting of Enterprises via Managed Service Providers, and NCSC Report NCSC-Ops/07/17: APT10 Infrastructure Update). The Directive below is worded for internal MoD action, so industry is not mandated to carry out the actions; however, it is recommended that you run the enclosed IOCs and incorporate them into your network monitoring system where you are able to do so. Any positive matches found on MoD-related infrastructure should be reported via your WARP to MODCERT as soon as possible. Any positive matches found on networks that are not related to MoD in any way should be reported to the NCSC.

MoD Directive

“MODCERT are raising the CANNEL state across MoD to HEIGHTENED with effect from 041300ZAPR17 in response to receipt of the following:

A. NCSC report NCSC-Ops/09-17: The Global targeting of Enterprises via Managed Service Providers.
B. NCSC report NCSC-Ops/07/17: APT10 Infrastructure Update.


This increase will be in place until further notice. WARPs are requested to implement the following clauses across their TLB as per Appendix 4 to Annex A of JSP 440:

CANNEL State Response Measures:

M1: As per normal WARP escalation procedures within their relevant TLB.

SA-7: IOCs at Enclosure 1 (attached) are to be run across system(s) historically back as far as is feasible and incorporated into any ongoing network monitoring solutions. Any positive results are to be fed back to MODCERT as soon as practicable. It is recommended that you continue to run the IOCs regularly, as far as is practical for the system. If any system owner is unable to carry out these actions, or to engage with any partner required in order to do so, this information should also be fed back to MODCERT.”

Supplementary Information

“NCSC have released a report advising of targeting of major international MSPs by a cyber threat actor (known in open source as APT10 or STONE PANDA) since at least May 2016. NCSC assess that the ultimate targets are customers of these MSPs. The activity observed by NCSC likely represents only a small proportion of the malicious activity, and work is ongoing across both MoD and NCSC to determine additional information. Any compromise could affect government, MSP or industry supply chains. As soon as more information is available, additional MODCERT products will be released.”

Action by Industry

It is recommended that you run the enclosed IOCs and incorporate them into your network monitoring system where you are able to do so. Any positive matches found on MoD-related infrastructure should be reported via your WARP to MODCERT as soon as possible. Any positive matches found on networks that are not related to MoD in any way should be reported to the National Cyber Security Centre (NCSC).

Validity / Expiry Date Until further notice

MOD Point of Contact Details: JCU MODCERT Co-ordination Centre, GOSCC Mil: 94396 7678 SSS: 9298 4396 5885 - Civ: 01225 847678

Attachment: NCSC Report NCSC-Ops/09/17, The Global Targeting of Enterprises via Managed Service Providers

• Collaboration between the NCSC, PwC and BAE has led to the discovery of a sustained and global cyber campaign
• A known cyber actor using previously documented intrusion tools has targeted major international Managed Service Providers (MSPs) since at least May 2016
• We assess the ultimate targets are customers of these MSPs
• The activity we are aware of likely represents only a small proportion of the total malicious activity; we are still working to establish the scale of the activity
• Compromises could affect government or industry supply chains; we will update our assessment when more information becomes available
• We have no evidence to suggest these actors are targeting the general public or SMEs

What is the threat?

Working closely with industry partners in the Cyber Incident Response Scheme (CIR), we have become aware of ongoing targeted attacks against global Managed Service Providers by a hostile actor. The information provided in this document should be sufficient to understand the issue and to support you in any necessary mitigation activity. We will continue to update our technical indicators and guidance as our investigation, with industry and our international partners, continues.

Where can I get details?

We have published on our Cyber-security Information Sharing Partnership (CISP) a consolidated technical assessment along with indicators of compromise that can be used to aid detection. This note provides more general guidance for managing the risks from a Managed Service Provider. Public authorities and CNI sectors with existing NCSC contacts should approach them if they have any further questions.

What does my Managed Service Provider know?

We have notified all members of the Managed Service Provider Information Exchange (MSPIE), and all Managed Service Providers on CISP have access to our technical information. If your MSP is not a member of the MSPIE or CISP, you should encourage them to join to gain access to this information.

How do I know if I’m affected?

To understand if you are affected there are some activities you need to carry out, and some topics that need discussing in an open dialogue with your MSPs. You may deploy the indicators we have published on CISP on your network monitoring solution. However, since these attacks are specifically targeted against MSPs, you should make sure that your MSP has deployed the indicators on their monitoring solution. Pay particular attention to any network connectivity with your MSPs, such as VPN termination. Any detection from those indicators should be thoroughly investigated and any malicious activity reported to [email protected]. You should review your independent audit logs to determine if any suspicious activity has taken place on your systems in the context of your MSP’s access.
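Running the indicators in practice, as Directive clause SA-7 of the ISN and the guidance above both ask, is more than searching logs for strings. The example below is added here and is not code from the ISN, MODCERT or the NCSC. It parses rows in the four-column layout used by Enclosure 1 (domain, resolution, first seen, last seen), treats a “Parked domain” row as a listed name with no actor address for that period, and scans a constructed DNS query log in an assumed “<timestamp> <client> <qname> <answer>” format that stands in for whatever your resolver, proxy or VPN concentrator actually emits. Two points it is built around: a query for a listed hostname, or a label beneath it, is a hit whatever it resolved to, but the match must be on the full name, because many entries imitate legitimate Microsoft and Apple update hosts (ctldl.windowsupdate.dnset.com beside the real ctldl.windowsupdate.com) and a substring match on “windowsupdate” would page you for every patch cycle; and an address on its own is only graded by whether a listed domain resolved to it on the day of the query, since the same address can serve other tenants before and after the window the enclosure records.

```python
"""Run Enclosure 1 indicators over a DNS query log.

Added example, not code from ISN 2017/02, MODCERT or the NCSC. Assumed:
  * indicator rows use the enclosure's four columns (domain, resolution,
    first seen, last seen), dates are dd/mm/yyyy, "current" is open-ended,
    and a "Parked domain" row names a domain with no actor address then;
  * the log format "<ISO-8601 UTC> <client> <qname> <answer-ip or ->" is a
    constructed stand-in for whatever your resolver or proxy actually emits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime

# Subset of Enclosure 1, rows copied as they appear in the notice.
ENCLOSURE_ROWS = """\
availability.justdied.com 83.217.26.203 01/12/2016 25/12/2016
availability.justdied.com 185.117.88.124 25/12/2016 19/01/2017
availability.justdied.com Parked domain 19/01/2017 current
ctldl.windowsupdate.dnset.com 185.133.40.63 01/12/2016 26/12/2016
ctldl.windowsupdate.dnset.com Parked domain 26/12/2016 current
windowsupdate.dnset.com 185.133.40.63 01/12/2016 26/12/2016
nttdata.otzo.com Parked domain 01/12/2016 current
"""

# Constructed log lines, not real traffic. ctldl.windowsupdate.com is Microsoft's
# certificate trust list host; the listed ctldl.windowsupdate.dnset.com imitates it.
SAMPLE_LOG = """\
2016-12-10T09:14:02Z 10.20.30.41 ctldl.windowsupdate.dnset.com 185.133.40.63
2016-12-03T11:45:00Z 10.20.30.90 ctldl.windowsupdate.com 13.107.4.50
2016-12-15T07:00:00Z 10.20.30.61 update-cache.example.org 185.133.40.63
2017-01-05T18:30:11Z 10.20.30.77 availability.justdied.com 185.117.88.124
2017-02-01T08:00:00Z 10.20.30.12 nttdata.otzo.com -
2017-02-20T12:00:00Z 10.20.30.55 cdn.example.net 185.117.88.124
2017-03-01T10:00:00Z 10.20.30.33 www.windowsupdate.dnset.com 93.184.216.34
"""

ROW_RE = re.compile(r"^(\S+)\s+(Parked domain|\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Indicator:
    domain: str
    ip: str | None      # None for "Parked domain" rows
    first_seen: date
    last_seen: date     # date.max when the row says "current"


@dataclass(frozen=True)
class Hit:
    when: datetime
    client: str
    qname: str
    indicator: str      # the listed domain or address that matched
    reason: str         # "domain", "ip-in-window" or "ip-outside-window"


def _parse_date(token: str) -> date:
    return date.max if token == "current" else datetime.strptime(token, "%d/%m/%Y").date()


def parse_enclosure(text: str) -> list[Indicator]:
    """One Indicator per row; a domain with several resolutions gives several rows."""
    indicators = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised enclosure row: {line!r}")
        domain, resolution, first, last = m.groups()
        ip = None if resolution == "Parked domain" else resolution
        indicators.append(Indicator(domain.lower(), ip, _parse_date(first), _parse_date(last)))
    return indicators


def _listed_domain(qname: str, domains: set[str]) -> str | None:
    """Exact hostname or a label beneath one; 'windowsupdate' as a substring is not a match."""
    if qname in domains:
        return qname
    return next((d for d in sorted(domains) if qname.endswith("." + d)), None)


def scan_dns_log(log_text: str, indicators: list[Indicator]) -> list[Hit]:
    domains = {i.domain for i in indicators}
    ip_windows: dict[str, list[Indicator]] = {}
    for i in indicators:
        if i.ip is not None:
            ip_windows.setdefault(i.ip, []).append(i)
    hits = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, client, qname, answer = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        qname = qname.lower().rstrip(".")
        listed = _listed_domain(qname, domains)
        if listed is not None:
            # A listed name is a hit whatever it resolved to, parked or not.
            hits.append(Hit(when, client, qname, listed, "domain"))
            continue
        if answer in ip_windows:
            # An address alone is weak evidence (it serves other tenants outside the
            # window), so grade it by whether a listed domain pointed there that day.
            day = when.date()
            in_window = any(i.first_seen <= day <= i.last_seen for i in ip_windows[answer])
            hits.append(Hit(when, client, qname, answer,
                            "ip-in-window" if in_window else "ip-outside-window"))
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG, parse_enclosure(ENCLOSURE_ROWS)):
        print(f"{h.when:%Y-%m-%d %H:%M}  {h.client:<12} {h.qname:<30} {h.reason:<18} {h.indicator}")
```

On the constructed log this reports six hits: four by name (including the parked nttdata.otzo.com, which is still an actor-registered name, and www.windowsupdate.dnset.com as a label beneath a listed name), one in-window address hit for a hostname that is not in the list, and one out-of-window address hit that is worth a look but not an escalation on its own; the genuine Microsoft query is not flagged. To run it historically as SA-7 asks, replace SAMPLE_LOG with your resolver or proxy archive and keep the date logic, since the enclosure’s windows are the only thing that separates an actor resolution from a later tenant of the same address.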


You should contact your MSP and discuss their response to these attacks, including whether and how you have been affected. You should ensure that your MSPs are doing everything necessary to investigate whether they have been compromised and what effect any such compromise has had on their customers. Do not accept assertions from your provider, but instead demand evidence.

Should I change MSP?

This should depend on their response to your enquiries. It is unlikely that any MSP today is in a significantly better position than any others. The way they respond to the incident, how they help you investigate any potential impact on your systems and data, and their willingness to work with you on remediation and future uplifts in the security of their service to you should be part of your determination of your long-term relationship with your provider. MSPs who are unwilling to work closely with customers or unwilling to share information with you should be treated with extreme caution.

What else should I be doing?

This campaign provides a useful reminder that an organisation’s entire supply chain needs to be managed and that organisations cannot outsource their risk. Managed Service Providers are particularly attractive to attackers because they often have highly privileged access to systems and data. As part of your procurement, you should have ensured that your service providers all manage their security to a level broadly equivalent to that you would expect from your internal functions. This incident provides a useful impetus to revisit those discussions.

If your MSP uses cloud services as part of their delivery, or is effectively a cloud service provider to you, you should ensure that you understand how that affects the security of your data and systems; the cloud security principles (https://www.ncsc.gov.uk/guidance/cloud-security-collection) should help.

If your MSP has administrative rights over infrastructure or services that process personal data, you must assess the security against the bulk personal data protection principles (https://www.ncsc.gov.uk/guidance/protecting-bulk-personal-data-introduction). The same principles apply if your MSP operates on your behalf a service which processes personal data.

You should understand what model your MSP uses to manage your infrastructure and services. The NCSC system administration guidance (https://www.ncsc.gov.uk/guidance/systems-administration-architectures) provides a structure to help you understand the various risks. If your MSP uses one of the more risky models, you should demand that they fix this immediately, and in this case it would be prudent to undertake a detailed investigation to look for compromise (and not just for this specific series of attacks).

As well as the technical architecture used, you should understand their personnel security policies, the operational restrictions placed on the people who perform day-to-day activities in your MSP, how they store and manage access to your key credentials, and how they monitor and manage audit of their customer system accesses. You should also understand how your MSP ensures separation between their customers, so that compromise of one does not allow compromise of all. As part of that assessment, you should consider how the MSP’s own corporate network may bring risk to your systems and data and how they manage that on your behalf. Your MSP’s corporate network should be separated from the infrastructure used to provide service to you.

You should ensure that you have monitoring and audit that is independent of your MSP. This is critical for security monitoring and management, but also for contractual enforcement and for investigations of both cyber (e.g. this campaign) and non-cyber (e.g. insider-led data theft) incidents. An organisation that has engaged an MSP (or outsourced a service function in another way) without maintaining some independent monitoring is unlikely to be able to manage its risk effectively.

Finally, as a general framework to help conversations with providers, the 10 steps to cyber security (https://www.ncsc.gov.uk/guidance/10-steps-cyber-security) may be useful.


Enclosure 1

Domain                                    IP Resolution    First seen  Last seen
2014.zzux.com                             61.97.241.239    01/12/2016  current
apple.ikwb.com                            Parked domain    01/12/2016  current
availability.justdied.com                 83.217.26.203    01/12/2016  25/12/2016
availability.justdied.com                 185.117.88.124   25/12/2016  19/01/2017
availability.justdied.com                 Parked domain    19/01/2017  current
back.jungleheart.com                      86.106.102.3     01/12/2016  27/12/2016
back.jungleheart.com                      109.248.222.85   27/12/2016  19/01/2017
back.jungleheart.com                      Parked domain    19/01/2017  current
balance1.wikaba.com                       86.106.102.3     01/12/2016  27/12/2016
balance1.wikaba.com                       109.248.222.85   27/12/2016  current
be.mrslove.com                            Parked domain    01/12/2016  26/12/2016
be.mrslove.com                            109.248.222.85   26/12/2016  26/12/2016
be.mrslove.com                            Parked domain    26/12/2016  current
cia.ezua.com                              61.97.241.239    01/12/2016  current
cia.toh.info                              61.97.241.239    01/12/2016  current
cnnews.mylftv.com                         110.10.176.181   01/12/2016  27/12/2016
cnnews.mylftv.com                         Parked domain    27/12/2016  28/02/2017
cnnews.mylftv.com                         Parked domain    28/02/2017  current
commons.onedumb.com                       185.117.88.124   01/12/2016  26/12/2016
commons.onedumb.com                       109.248.222.85   26/12/2016  19/01/2017
commons.onedumb.com                       Parked domain    19/01/2017  current
contract.4mydomain.com                    78.153.151.222   01/12/2016  current
contractus.qpoe.com                       78.153.151.222   01/12/2016  26/12/2016
contractus.qpoe.com                       Parked domain    26/12/2016  current
ctldl.windowsupdate.authorizeddns.org     185.133.40.63    01/12/2016  26/12/2016
ctldl.windowsupdate.authorizeddns.org     Parked domain    26/12/2016  current
ctldl.windowsupdate.dnset.com             185.133.40.63    01/12/2016  26/12/2016
ctldl.windowsupdate.dnset.com             Parked domain    26/12/2016  current
ctldl.windowsupdate.x24hr.com             Parked domain    26/12/2016  current
de.onmypc.info                            86.106.102.3     01/12/2016  26/12/2016
de.onmypc.info                            109.248.222.85   26/12/2016  19/01/2017
de.onmypc.info                            Parked domain    19/01/2017  current
download.windowsupdate.authorizeddns.org  185.133.40.63    01/12/2016  26/12/2016
download.windowsupdate.authorizeddns.org  Parked domain    26/12/2016  current
download.windowsupdate.dnset.com          185.133.40.63    01/12/2016  26/12/2016
download.windowsupdate.dnset.com          Parked domain    26/12/2016  current
download.windowsupdate.itsaol.com         185.133.40.63    01/12/2016  25/12/2016
download.windowsupdate.itsaol.com         Parked domain    25/12/2016  current
download.windowsupdate.x24hr.com          Parked domain    26/12/2016  current
ea.onmypc.info                            86.106.102.3     01/12/2016  26/12/2016
ea.onmypc.info                            109.248.222.85   26/12/2016  19/01/2017
ea.onmypc.info                            Parked domain    19/01/2017  current
eu.acmetoy.com                            86.106.102.3     01/12/2016  27/12/2016
eu.acmetoy.com                            109.248.222.85   27/12/2016  19/01/2017
eu.acmetoy.com                            Parked domain    19/01/2017  current
eu.wha.la                                 86.106.102.3     01/12/2016  26/12/2016
eu.wha.la                                 109.248.222.85   26/12/2016  19/01/2017
eu.wha.la                                 Parked domain    19/01/2017  current
feed.jungleheart.com                      78.153.151.222   01/12/2016  current
file.zzux.com                             185.14.185.189   01/12/2016  current
findme.epac.to                            61.97.241.239    01/12/2016  current
fr.wikaba.com                             86.106.102.3     01/12/2016  26/12/2016
fr.wikaba.com                             185.117.88.124   26/12/2016  26/12/2016
fr.wikaba.com                             109.248.222.85   26/12/2016  19/01/2017
fr.wikaba.com                             Parked domain    19/01/2017  current
ftp.2014.zzux.com                         61.97.241.239    01/12/2016  current
ftp.cia.toh.info                          61.97.241.239    01/12/2016  current
ftp.iphone.vizvaz.com                     61.97.241.239    01/12/2016  current
ftp.jimin.mymom.info                      61.97.241.239    01/12/2016  current
ftp.malware.dsmtp.com                     61.97.241.239    01/12/2016  current
ftp.server1.proxydns.com                  185.117.88.124   01/12/2016  26/12/2016
ftp.server1.proxydns.com                  109.248.222.85   26/12/2016  26/12/2016
ftp.server1.proxydns.com                  Parked domain    26/12/2016  current
ftp.usa.itsaol.com                        61.97.241.239    01/12/2016  current
fuck.ikwb.com                             78.153.149.130   01/12/2016  27/12/2016
fuck.ikwb.com                             Parked domain    27/12/2016  28/02/2017
fuck.ikwb.com                             Parked domain    28/02/2017  current
globalnews.wikaba.com                     78.153.151.222   01/12/2016  current
helpus.ddns.info                          95.183.52.57     01/12/2016  current
home.trickip.org                          185.117.88.78    01/12/2016  current
iphone.vizvaz.com                         61.97.241.239    01/12/2016  current
ipv4.windowsupdate.dnset.com              185.133.40.63    01/12/2016  26/12/2016
ipv4.windowsupdate.dnset.com              Parked domain    26/12/2016  current
ipv4.windowsupdate.x24hr.com              Parked domain    26/12/2016  current
jcie.mofa.ns01.info                       86.106.102.3     01/12/2016  27/12/2016
jcie.mofa.ns01.info                       109.248.222.85   27/12/2016  19/01/2017
jcie.mofa.ns01.info                       Parked domain    19/01/2017  current
jimin.mymom.info                          61.97.241.239    01/12/2016  current
kikimusic.sellclassics.com                185.117.88.78    01/12/2016  current
latestnews.organiccrap.com                78.153.151.222   01/12/2016  current
maffc.mrface.com                          185.117.88.124   01/12/2016  26/12/2016
maffc.mrface.com                          109.248.222.85   26/12/2016  19/01/2017
maffc.mrface.com                          Parked domain    19/01/2017  current
malware.dsmtp.com                         61.97.241.239    01/12/2016  current
mediapath.organiccrap.com                 185.117.88.124   01/12/2016  26/12/2016
mediapath.organiccrap.com                 109.248.222.85   26/12/2016  19/01/2017
mediapath.organiccrap.com                 Parked domain    19/01/2017  current
microsoft.got-game.org                    185.117.88.78    01/12/2016  07/02/2017
microsoft.got-game.org                    95.47.156.86     07/02/2017  14/02/2017
microsoft.got-game.org                    103.208.86.129   14/02/2017  16/02/2017
microsoft.got-game.org                    109.237.111.175  16/02/2017  22/02/2017
microsoft.got-game.org                    103.208.86.129   22/02/2017  22/02/2017
microsoft.got-game.org                    185.117.88.78    22/02/2017  22/02/2017
microsoft.got-game.org                    95.47.156.86     22/02/2017  28/02/2017
microsoft.got-game.org                    Parked domain    28/02/2017  current
microsoftmirror.mrbasic.com               78.153.151.222   01/12/2016  25/12/2016
microsoftmirror.mrbasic.com               Parked domain    25/12/2016  current
microsoft.mrface.com                      185.117.88.78    01/12/2016  current
microsoftmusic.itemdb.com                 185.133.40.63    01/12/2016  25/12/2016
microsoftmusic.itemdb.com                 Parked domain    25/12/2016  current
micrsoftware.dsmtp.com                    61.97.241.239    01/12/2016  current
mircsoft.compress.to                      175.126.148.108  01/12/2016  current
mmy.ddns.us                               86.106.102.3     01/12/2016  26/12/2016
mmy.ddns.us                               185.117.88.124   26/12/2016  26/12/2016
mmy.ddns.us                               109.248.222.85   26/12/2016  19/01/2017
mmy.ddns.us                               Parked domain    19/01/2017  current
mofa.ns01.info                            86.106.102.3     01/12/2016  27/12/2016
mofa.ns01.info                            109.248.222.85   27/12/2016  19/01/2017
mofa.ns01.info                            Parked domain    19/01/2017  current
mseupdate.ourhobby.com                    185.133.40.63    01/12/2016  25/12/2016
mseupdate.ourhobby.com                    Parked domain    25/12/2016  current
msg.ezua.com                              86.106.102.3     01/12/2016  current
nmrx.mrbonus.com                          78.153.151.222   01/12/2016  current
nsa.mefound.com                           61.97.241.239    01/12/2016  current
nttdata.otzo.com                          Parked domain    01/12/2016  current
nz.compress.to                            86.106.102.3     01/12/2016  26/12/2016
nz.compress.to                            109.248.222.85   26/12/2016  19/01/2017
nz.compress.to                            Parked domain    19/01/2017  current
peopleinfodata.3-a.net                    185.117.88.78    01/12/2016  current
products.almostmy.com                     86.106.102.3     01/12/2016  27/12/2016
products.almostmy.com                     109.248.222.85   27/12/2016  current
products.serveuser.com                    83.217.26.203    01/12/2016  25/12/2016
products.serveuser.com                    185.117.88.124   25/12/2016  19/01/2017
products.serveuser.com                    Parked domain    19/01/2017  current
referred.gr8domain.biz                    78.153.151.222   01/12/2016  14/12/2016
referred.gr8domain.biz                    109.237.108.202  14/12/2016  25/12/2016
referred.gr8domain.biz                    Parked domain    25/12/2016  current
sdmsg.onmypc.org                          86.106.102.3     01/12/2016  27/12/2016
sdmsg.onmypc.org                          109.248.222.85   27/12/2016  19/01/2017
sdmsg.onmypc.org                          Parked domain    19/01/2017  current
send.mofa.ns01.info                       86.106.102.3     01/12/2016  27/12/2016
send.mofa.ns01.info                       109.248.222.85   27/12/2016  19/01/2017
send.mofa.ns01.info                       Parked domain    19/01/2017  current
server1.proxydns.com                      185.117.88.124   01/12/2016  26/12/2016
server1.proxydns.com                      109.248.222.85   26/12/2016  19/01/2017
server1.proxydns.com                      Parked domain    19/01/2017  current
se.toythieves.com                         86.106.102.3     01/12/2016  26/12/2016
se.toythieves.com                         109.248.222.85   26/12/2016  19/01/2017
se.toythieves.com                         Parked domain    19/01/2017  current
singed.otzo.com                           86.106.102.3     01/12/2016  current
sstday.jkub.com                           86.106.102.3     01/12/2016  27/12/2016
sstday.jkub.com                           109.248.222.85   27/12/2016  19/01/2017
sstday.jkub.com                           Parked domain    19/01/2017  current
tfa.longmusic.com                         61.97.241.239    01/12/2016  current
tophost.dynamicdns.co.uk                  78.153.149.130   01/12/2016  27/12/2016
tophost.dynamicdns.co.uk                  Parked domain    27/12/2016  28/02/2017
tophost.dynamicdns.co.uk                  Parked domain    28/02/2017  current
uk.dynamicdns.org.uk                      86.106.102.3     01/12/2016  26/12/2016
uk.dynamicdns.org.uk                      109.248.222.85   26/12/2016  19/01/2017
uk.dynamicdns.org.uk                      Parked domain    19/01/2017  current
un.ddns.info                              86.106.102.3     01/12/2016  27/12/2016
un.ddns.info                              109.248.222.85   27/12/2016  19/01/2017
un.ddns.info                              Parked domain    19/01/2017  current
un.dnsrd.com                              86.106.102.3     01/12/2016  27/12/2016
un.dnsrd.com                              109.248.222.85   27/12/2016  19/01/2017
un.dnsrd.com                              Parked domain    19/01/2017  current
usa.itsaol.com                            61.97.241.239    01/12/2016  current
v4.windowsupdate.authorizeddns.org        185.133.40.63    01/12/2016  26/12/2016
v4.windowsupdate.authorizeddns.org        Parked domain    26/12/2016  current
v4.windowsupdate.dnset.com                185.133.40.63    01/12/2016  26/12/2016
v4.windowsupdate.dnset.com                Parked domain    26/12/2016  current
v4.windowsupdate.itsaol.com               185.133.40.63    01/12/2016  25/12/2016
v4.windowsupdate.itsaol.com               Parked domain    25/12/2016  current
v4.windowsupdate.x24hr.com                Parked domain    26/12/2016  current
windowsupdate.acmetoy.com                 185.133.40.63    01/12/2016  26/12/2016
windowsupdate.acmetoy.com                 Parked domain    26/12/2016  current
windowsupdate.authorizeddns.net           185.133.40.63    01/12/2016  25/12/2016
windowsupdate.authorizeddns.net           Parked domain    25/12/2016  current
windowsupdate.authorizeddns.org           185.133.40.63    01/12/2016  26/12/2016
windowsupdate.authorizeddns.org           Parked domain    26/12/2016  current
windowsupdate.dnset.com                   185.133.40.63    01/12/2016  26/12/2016
windowsupdate.dnset.com                   Parked domain    26/12/2016  current
windowsupdate.itsaol.com                  185.133.40.63    01/12/2016  25/12/2016
windowsupdate.itsaol.com                  Parked domain    25/12/2016  current
windowsupdate.x24hr.com                   Parked domain    26/12/2016  current
www.2014.zzux.com                         61.97.241.239    01/12/2016  current
www.cia.toh.info                          61.97.241.239    01/12/2016  current
www.findme.epac.to                        61.97.241.239    01/12/2016  current
www.iphone.vizvaz.com                     61.97.241.239    01/12/2016  current
www.micrsoftware.dsmtp.com                61.97.241.239    01/12/2016  current
www.server1.proxydns.com                  185.117.88.124   01/12/2016  26/12/2016
www.server1.proxydns.com                  109.248.222.85   26/12/2016  19/01/2017
www.server1.proxydns.com                  Parked domain    19/01/2017  current
www.twsslpopservupro.dynssl.com           185.117.88.78    01/12/2016  current

Possible additional Stone Panda domains and associated IP addresses

Domains                                   IP Address       First Seen  Last Seen
abc.wikaba.com                            78.153.151.222   12/09/2016  09/03/2017
ad.getfond.info                           83.217.26.203    09/12/2016  09/12/2016
ad.getfond.info                           31.184.197.215   13/12/2016  28/12/2016
ad.getfond.info                           185.117.88.124   28/12/2016  09/03/2017
additional.sexidude.com                   109.248.222.85   27/12/2016  20/01/2017
announcements.toythieves.com              109.248.222.85   26/12/2016  20/01/2017
appledownload.ourhobby.com                185.117.88.82    22/02/2017  03/03/2017
appleimages.itemdb.com                    78.153.151.222   02/01/2017  09/03/2017
appleimages.longmusic.com                 185.117.88.82    05/01/2017  03/03/2017
applemirror.organiccrap.com               185.117.88.124   21/02/2017  21/02/2017
applemirror.organiccrap.com               185.117.88.82    10/01/2017  23/02/2017
applemirror.squirly.info                  109.237.108.150  12/02/2017  12/02/2017
applemusic.isasecret.com                  185.117.88.82    09/01/2017  12/01/2017
applemusic.itemdb.com                     185.117.88.82    06/02/2017  06/02/2017
applemusic.itemdb.com                     78.153.149.130   12/02/2017  12/02/2017
applemusic.wikaba.com                     185.117.88.82    22/02/2017  03/03/2017
applemusic.xxuz.com                       109.237.108.150  12/02/2017  12/02/2017
applemusic.zzux.com                       185.117.88.82    22/02/2017  03/03/2017
appleupdate.itemdb.com                    185.117.88.82    03/02/2017  03/02/2017
asfzx.x24hr.com                           109.248.222.85   26/12/2016  20/01/2017
availab.wikaba.com                        185.117.88.124   25/12/2016  25/12/2016
availab.wikaba.com                        185.117.88.124   26/12/2016  20/01/2017
availability.justdied.com                 185.117.88.124   25/12/2016  20/01/2017
back.jungleheart.com                      109.248.222.85   27/12/2016  20/01/2017
back.mofa.dynamic-dns.net                 109.248.222.85   27/12/2016  20/01/2017
bak.ignorelist.com                        109.248.222.85   29/12/2016  19/01/2017
bak.un.dnsrd.com                          109.248.222.85   27/12/2016  20/01/2017
balance1.wikaba.com                       109.248.222.85   27/12/2016  09/03/2017
be.mrslove.com                            109.248.222.85   26/12/2016  26/12/2016
bexm.cleansite.biz                        78.153.151.222   09/12/2016  09/03/2017
bezu.itemdb.com                           78.153.151.222   09/12/2016  09/03/2017
blaaaaaaaaaaaa.windowsupdate.3-a.net      78.153.151.222   01/03/2017  01/03/2017
brand.fartit.com                          109.248.222.85   26/12/2016  20/01/2017
bulletproof.squirly.info                  109.248.222.85   26/12/2016  20/01/2017
center.shenajou.com                       109.237.111.175  28/02/2017  28/02/2017
civilwar123.authorizeddns.org             109.248.222.85   27/12/2016  20/01/2017
civilwar520.onmypc.org                    109.248.222.85   27/12/2016  20/01/2017
cnnews.mylftv.com                         78.153.149.130   09/12/2016  28/12/2016
commissioner.shenajou.com                 109.237.111.175  27/02/2017  27/02/2017
commons.onedumb.com                       109.248.222.85   26/12/2016  19/01/2017
contactus.myddns.com                      78.153.151.222   24/02/2017  09/03/2017
contactus.onmypc.us                       78.153.151.222   24/02/2017  09/03/2017
contract.4mydomain.com                    78.153.151.222   24/02/2017  09/03/2017
contractus.qpoe.com                       78.153.151.222   09/12/2016  27/12/2016
contractus.zzux.com                       78.153.151.222   09/12/2016  09/03/2017
ctldl.microsoftupdate.qhigh.com           185.133.40.63    28/02/2017  01/03/2017
ctldl.windowsupdate.authorizeddns.us      78.153.149.130   01/03/2017  01/03/2017
ctldl.windowsupdate.dnset.com             185.133.40.63    14/12/2016  14/12/2016
ctldl.windowsupdate.ezua.com              109.237.108.202  24/12/2016  24/12/2016
ctldl.windowsupdate.ezua.com              78.153.151.222   11/01/2017  04/03/2017
ctldl.windowsupdate.itsaol.com            185.133.40.63    24/12/2016  24/12/2016
ctldl.windowsupdate.organiccrap.com       185.117.88.82    09/01/2017  12/01/2017
ctldl.windowsupdate.x24hr.com             78.153.151.222   24/12/2016  24/12/2016
de.onmypc.info                            109.248.222.85   26/12/2016  20/01/2017
dec.seyesb.acmetoy.com                    109.248.222.85   27/12/2016  20/01/2017
details.squirly.info                      185.117.88.124   25/12/2016  20/01/2017
development.shenajou.com                  83.217.26.203    16/02/2017  16/02/2017
development.shenajou.com                  109.237.111.175  28/02/2017  28/02/2017
digsby.ourhobby.com                       78.153.151.222   09/12/2016  09/03/2017
disruptive.https443.net                   109.248.222.85   26/12/2016  20/01/2017
document.shenajou.com                     211.110.17.209   20/12/2016  20/12/2016
document.shenajou.com                     109.237.111.175  28/02/2017  28/02/2017
download.windowsupdate.x24hr.com          78.153.151.222   14/12/2016  24/12/2016
ea.onmypc.info                            109.248.222.85   26/12/2016  20/01/2017
ehshiroshima.mylftv.com                   185.117.88.78    09/12/2016  09/03/2017
eric-averyanov.wha.la                     109.248.222.85   26/12/2016  26/12/2016
eu.acmetoy.com                            109.248.222.85   27/12/2016  20/01/2017
eu.wha.la                                 109.248.222.85   26/12/2016  26/12/2016
feed.jungleheart.com                      78.153.151.222   09/12/2016  09/03/2017
fire.mrface.com                           109.248.222.85   26/12/2016  26/12/2016
fr.wikaba.com                             185.117.88.124   26/12/2016  26/12/2016
fr.wikaba.com                             109.248.222.85   26/12/2016  20/01/2017
ftp.additional.sexidude.com               109.248.222.85   27/12/2016  20/01/2017
ftp.announcements.toythieves.com          109.248.222.85   26/12/2016  20/01/2017
ftp.appledownload.ourhobby.com            185.117.88.82    22/02/2017  03/03/2017
ftp.appleimages.itemdb.com                78.153.151.222   02/01/2017  09/03/2017
ftp.appleimages.longmusic.com             185.117.88.82    22/02/2017  03/03/2017
ftp.appleimages.organiccrap.com           185.117.88.82    05/01/2017  05/01/2017
ftp.applemirror.organiccrap.com           185.117.88.124   21/02/2017  21/02/2017
ftp.applemirror.organiccrap.com           185.117.88.82    10/01/2017  23/02/2017
ftp.applemirror.squirly.info              109.237.108.150  12/02/2017  12/02/2017
ftp.applemusic.isasecret.com              185.117.88.82    09/01/2017  12/01/2017
ftp.applemusic.itemdb.com                 185.117.88.82    06/02/2017  06/02/2017
ftp.applemusic.itemdb.com                 78.153.149.130   12/02/2017  12/02/2017
ftp.applemusic.wikaba.com                 185.117.88.82    22/02/2017  03/03/2017
ftp.applemusic.xxuz.com                   109.237.108.150  12/02/2017  12/02/2017
ftp.applemusic.zzux.com                   185.117.88.82    22/02/2017  03/03/2017
ftp.appleupdate.itemdb.com                185.117.88.82    03/02/2017  03/02/2017
ftp.asfzx.x24hr.com                       109.248.222.85   26/12/2016  20/01/2017
ftp.availab.wikaba.com                    185.117.88.124   25/12/2016  20/01/2017
ftp.availability.justdied.com             185.117.88.124   26/12/2016  20/01/2017
ftp.back.jungleheart.com                  109.248.222.85   27/12/2016  20/01/2017
ftp.balance1.wikaba.com                   109.248.222.85   27/12/2016  09/03/2017
ftp.be.mrslove.com                        109.248.222.85   26/12/2016  26/12/2016
ftp.brand.fartit.com                      109.248.222.85   26/12/2016  20/01/2017
ftp.bulletproof.squirly.info              109.248.222.85   26/12/2016  20/01/2017
ftp.civilwar123.authorizeddns.org         109.248.222.85   27/12/2016  20/01/2017
ftp.civilwar520.onmypc.org                109.248.222.85   27/12/2016  20/01/2017
ftp.cnnews.mylftv.com                     78.153.149.130   09/12/2016  28/12/2016
ftp.commons.onedumb.com                   109.248.222.85   26/12/2016  19/01/2017
ftp.contractus.qpoe.com                   78.153.151.222   09/12/2016  27/12/2016
ftp.de.onmypc.info                        109.248.222.85   26/12/2016  20/01/2017
ftp.details.squirly.info                  185.117.88.124   25/12/2016  20/01/2017
ftp.disruptive.https443.net               109.248.222.85   26/12/2016  20/01/2017
ftp.ea.onmypc.info                        109.248.222.85   26/12/2016  20/01/2017
ftp.ehshiroshima.mylftv.com               185.117.88.78    12/09/2016  09/03/2017
ftp.eric-averyanov.wha.la                 109.248.222.85   26/12/2016  26/12/2016
ftp.eu.acmetoy.com                        109.248.222.85   27/12/2016  20/01/2017
ftp.eu.wha.la                             109.248.222.85   26/12/2016  26/12/2016
ftp.fire.mrface.com                       109.248.222.85   26/12/2016  26/12/2016
ftp.fr.wikaba.com                         185.117.88.124   26/12/2016  26/12/2016
ftp.fr.wikaba.com                         109.248.222.85   26/12/2016  20/01/2017
ftp.fuck.ikwb.com                         78.153.149.130   12/09/2016  27/12/2016
ftp.generat.almostmy.com                  31.184.197.215   25/12/2016  09/03/2017
ftp.hii.qhigh.com                         109.248.222.85   26/12/2016  26/12/2016
ftp.innocent-isayev.sexidude.com          109.248.222.85   26/12/2016  09/03/2017
ftp.invoices.sexxxy.biz                   185.117.88.124   25/12/2016  20/01/2017
ftp.itlans.isasecret.com                  185.117.88.124   25/12/2016  20/01/2017
ftp.itunesdownload.jkub.com               185.117.88.82    18/01/2017  05/02/2017
ftp.itunesdownload.wikaba.com             185.117.88.82    22/02/2017  03/03/2017
ftp.itunesimages.itemdb.com               185.117.88.82    05/01/2017  05/01/2017
ftp.itunesimages.itsaol.com               185.117.88.82    14/02/2017  14/02/2017
ftp.itunesimages.qpoe.com                 185.117.88.82    24/02/2017  09/03/2017
ftp.itunesmirror.fartit.com               185.117.88.124   26/02/2017  26/02/2017
ftp.itunesmirror.fartit.com               185.117.88.82    19/01/2017  27/02/2017
ftp.itunesmirror.itsaol.com               185.117.88.82    03/02/2017  03/02/2017
ftp.itunesmusic.ikwb.com                  185.117.88.82    03/02/2017  03/02/2017
ftp.itunesmusic.jetos.com                 185.117.88.82    05/01/2017  05/01/2017
ftp.itunesmusic.jkub.com                  185.117.88.82    03/02/2017  03/02/2017
ftp.itunesmusic.zzux.com                  185.117.88.82    22/02/2017  22/02/2017
ftp.itunesupdate.itsaol.com               185.117.88.82    23/02/2017  23/02/2017
ftp.itunesupdates.organiccrap.com         185.117.88.78    24/02/2017  09/03/2017
ftp.key.zzux.com                          78.153.149.130   09/12/2016  28/12/2016
ftp.knowledge.sellclassics.com            109.248.222.85   26/12/2016  20/01/2017
ftp.lan.dynssl.com                        31.184.197.215   27/12/2016  09/03/2017
ftp.latestnews.epac.to                    78.153.151.222   09/12/2016  09/03/2017
ftp.latestnews.organiccrap.com            78.153.151.222   12/09/2016  09/03/2017
ftp.macfee.mrface.com                     78.153.149.130   09/12/2016  28/12/2016
ftp.maffc.mrface.com                      109.248.222.85   26/12/2016  19/01/2017
ftp.mason.vizvaz.com                      109.248.222.85   26/12/2016  20/01/2017
ftp.mediapath.organiccrap.com             109.248.222.85   26/12/2016  19/01/2017
ftp.microsoft.got-game.org                95.47.156.86     07/02/2017  07/02/2017
ftp.microsoft.got-game.org                103.208.86.129   14/02/2017  14/02/2017
ftp.microsoft.got-game.org                109.237.111.175  16/02/2017  16/02/2017
ftp.microsoft.mrface.com                  185.117.88.78    24/02/2017  09/03/2017
ftp.microsoftimages.organiccrap.com       185.117.88.82    05/01/2017  05/01/2017
ftp.microsoftmusic.mrbasic.com            185.117.88.82    23/02/2017  03/03/2017
ftp.microsoftqckmanager.pcanywhere.net    95.47.156.86     24/02/2017  09/03/2017
ftp.microsoftupdate.mrbasic.com           185.117.88.82    27/12/2016  27/12/2016
ftp.microsoftupdate.qhigh.com             185.133.40.63    27/12/2016  05/02/2017
ftp.mmy.ddns.us                           185.117.88.124   26/12/2016  26/12/2016
ftp.mmy.ddns.us                           109.248.222.85   26/12/2016  20/01/2017
ftp.mod.jetos.com                         109.248.222.85   27/12/2016  19/01/2017
ftp.mofa.dynamic-dns.net                  109.248.222.85   27/12/2016  20/01/2017
ftp.mofa.ns01.info                        109.248.222.85   27/12/2016  20/01/2017
ftp.moscowdic.trickip.org                 109.237.111.175  24/02/2017  09/03/2017
ftp.musicfile.ikwb.com                    185.117.88.124   25/12/2016  20/01/2017
ftp.na.americanunfinished.com             109.248.222.85   26/12/2016  20/01/2017
ftp.newsdata.jkub.com                     185.117.88.124   25/12/2016  25/12/2016
ftp.no.authorizeddns.org                  109.248.222.85   26/12/2016  20/01/2017
ftp.nt.mynumber.org                       109.248.222.85   26/12/2016  20/01/2017
ftp.nz.compress.to                        109.248.222.85   26/12/2016  20/01/2017
ftp.ol.almostmy.com                       109.248.222.85   26/12/2016  26/12/2016
ftp.oracleupdate.dns04.com                185.117.88.82    22/02/2017  22/02/2017
ftp.portal.mrface.com
185.117.88.124 25/12/2016 20/01/2017 ftp.portal.sendsmtp.com 109.248.222.85 27/12/2016 20/01/2017 ftp.portalser.dynamic-dns.net 31.184.197.215 22/12/2016 09/03/2017 ftp.praskovya-matveyeva.mefound.com 109.248.222.85 26/12/2016 09/03/2017 ftp.praskovya-ulyanova.dumb1.com 109.248.222.85 26/12/2016 09/03/2017 ftp.products.almostmy.com 109.248.222.85 27/12/2016 09/03/2017 ftp.products.cleansite.us 109.248.222.85 26/12/2016 20/01/2017 ftp.products.serveuser.com 185.117.88.124 25/12/2016 20/01/2017 ftp.purchase.lflinkup.org 109.248.222.85 26/12/2016 20/01/2017 ftp.recent.dns-stuff.com 185.117.88.124 25/12/2016 20/01/2017 ftp.recent.fartit.com 31.184.197.215 25/12/2016 09/03/2017 ftp.referred.gr8domain.biz 109.237.108.202 14/12/2016 26/12/2016 ftp.referred.yourtrap.com 109.248.222.85 27/12/2016 20/01/2017 ftp.register.ourhobby.com 185.117.88.124 25/12/2016 20/01/2017

Page 15: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

15

ftp.registration2.instanthq.com 109.248.222.85 27/12/2016 09/03/2017 ftp.registrations.4pu.com 185.117.88.124 25/12/2016 20/01/2017 ftp.registrations.organiccrap.com 109.248.222.85 27/12/2016 20/01/2017 ftp.remeberdata.iownyour.org 109.237.111.175 24/02/2017 09/03/2017 ftp.reserveds.onedumb.com 31.184.197.215 22/12/2016 09/03/2017 ftp.rethem.almostmy.com 109.248.222.85 26/12/2016 20/01/2017 ftp.sdmsg.onmypc.org 109.248.222.85 27/12/2016 20/01/2017 ftp.se.toythieves.com 109.248.222.85 26/12/2016 20/01/2017 ftp.senseye.ikwb.com 109.248.222.85 27/12/2016 09/03/2017 ftp.septdlluckysystem.jungleheart.com 185.117.88.78 12/09/2016 09/03/2017 ftp.seraphim-yurieva.justdied.com 109.248.222.85 26/12/2016 09/03/2017 ftp.serv.justdied.com 185.117.88.124 25/12/2016 20/01/2017 ftp.server1.proxydns.com 109.248.222.85 26/12/2016 20/01/2017 ftp.seyesb.acmetoy.com 109.248.222.85 27/12/2016 20/01/2017 ftp.shugiin.jkub.com 109.248.222.85 27/12/2016 20/01/2017 ftp.sstday.jkub.com 109.248.222.85 27/12/2016 20/01/2017 ftp.support1.mrface.com 109.248.222.85 27/12/2016 09/03/2017 ftp.svc.dynssl.com 109.248.222.85 27/12/2016 19/01/2017 ftp.synssl.dnset.com 109.248.222.85 27/12/2016 20/01/2017 ftp.tamraj.fartit.com 185.117.88.124 22/12/2016 22/12/2016 ftp.tamraj.fartit.com 31.184.197.215 22/12/2016 09/03/2017 ftp.ticket.instanthq.com 185.117.88.124 27/12/2016 09/03/2017 ftp.tophost.dynamicdns.co.uk 78.153.149.130 12/09/2016 28/12/2016 ftp.transfer.lflinkup.org 109.248.222.85 27/12/2016 20/01/2017 ftp.transfer.vizvaz.com 185.117.88.124 25/12/2016 20/01/2017 ftp.ugreen.itemdb.com 185.117.88.124 22/12/2016 22/12/2016 ftp.ugreen.itemdb.com 31.184.197.215 22/12/2016 09/03/2017 ftp.uk.dynamicdns.org.uk 109.248.222.85 26/12/2016 20/01/2017 ftp.un.ddns.info 109.248.222.85 27/12/2016 20/01/2017 ftp.un.dnsrd.com 109.248.222.85 27/12/2016 19/01/2017 ftp.well.itsaol.com 109.248.222.85 26/12/2016 26/12/2016 ftp.windowfile.itemdb.com 185.117.88.124 25/12/2016 25/12/2016 ftp.windowsimages.itemdb.com 
185.117.88.82 15/01/2017 15/01/2017 ftp.windowsmirrors.vizvaz.com 109.237.108.202 26/12/2016 26/12/2016 ftp.windowsmirrors.vizvaz.com 185.133.40.63 26/12/2016 06/03/2017 ftp.windowsmirrors.vizvaz.com 109.237.108.150 05/03/2017 09/03/2017 ftp.windowsupdate.2waky.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.2waky.com 78.153.149.130 03/01/2017 09/03/2017 ftp.windowsupdate.3-a.net 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.3-a.net 78.153.151.222 26/12/2016 09/03/2017 ftp.windowsupdate.authorizeddns.us 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.authorizeddns.us 78.153.149.130 01/03/2017 09/03/2017 ftp.windowsupdate.dns05.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.dns05.com 185.133.40.63 26/12/2016 09/03/2017 ftp.windowsupdate.esmtp.biz 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.esmtp.biz 109.237.108.150 26/12/2016 09/03/2017

Page 16: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

16

ftp.windowsupdate.ezua.com 78.153.151.222 26/12/2016 09/03/2017 ftp.windowsupdate.fartit.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.fartit.com 78.153.149.130 03/01/2017 09/03/2017 ftp.windowsupdate.gettrials.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.gettrials.com 78.153.151.222 26/12/2016 09/03/2017 ftp.windowsupdate.instanthq.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.instanthq.com 109.237.108.150 26/12/2016 09/03/2017 ftp.windowsupdate.jungleheart.com 78.153.149.130 03/01/2017 09/03/2017 ftp.windowsupdate.lflink.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.lflink.com 78.153.151.222 26/12/2016 05/02/2017 ftp.windowsupdate.mrface.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.mrface.com 185.133.40.63 26/12/2016 05/02/2017 ftp.windowsupdate.mylftv.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.mylftv.com 185.133.40.63 26/12/2016 09/03/2017 ftp.windowsupdate.rebatesrule.net 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.rebatesrule.net 78.153.151.222 26/12/2016 05/02/2017 ftp.windowsupdate.sellclassics.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.sellclassics.com 109.237.108.150 26/12/2016 09/03/2017 ftp.windowsupdate.serveusers.com 109.237.108.202 21/12/2016 21/12/2016 ftp.windowsupdate.serveusers.com 109.237.108.150 26/12/2016 09/03/2017 ftp.yandexr.sellclassics.com 185.117.88.124 22/12/2016 22/12/2016 ftp.yandexr.sellclassics.com 31.184.197.215 22/12/2016 09/03/2017 fuck.ikwb.com 78.153.149.130 09/12/2016 27/12/2016 generat.almostmy.com 31.184.197.215 25/12/2016 09/03/2017 gifuonlineshopping.mynumber.org 185.117.88.78 24/02/2017 09/03/2017 glicense.shenajou.com 109.237.111.175 27/02/2017 27/02/2017 globalnews.wikaba.com 78.153.151.222 09/12/2016 09/03/2017 hii.qhigh.com 109.248.222.85 26/12/2016 26/12/2016 home.trickip.org 185.117.88.78 24/02/2017 09/03/2017 ibmmsg.strangled.net 109.248.222.85 29/12/2016 19/01/2017 innocent-isayev.sexidude.com 
109.248.222.85 26/12/2016 09/03/2017 innov-tec.com.ua 109.237.108.150 09/12/2016 29/12/2016 innov-tec.com.ua 81.176.239.56 05/01/2017 05/01/2017 interpreter.shenajou.com 109.237.111.175 28/02/2017 02/03/2017 invoices.sexxxy.biz 185.117.88.124 25/12/2016 20/01/2017 ipv4.microsoftupdate.mrbasic.com 185.117.88.82 11/01/2017 11/01/2017 ipv4.windowsupdate.3-a.net 78.153.151.222 01/03/2017 01/03/2017 ipv4.windowsupdate.dnset.com 185.133.40.63 14/12/2016 14/12/2016 ipv4.windowsupdate.ezua.com 109.237.108.202 24/12/2016 24/12/2016 ipv4.windowsupdate.ezua.com 78.153.151.222 12/01/2017 04/03/2017 ipv4.windowsupdate.fartit.com 78.153.149.130 01/03/2017 01/03/2017 ipv4.windowsupdate.itsaol.com 185.133.40.63 24/12/2016 24/12/2016 ipv4.windowsupdate.lflink.com 78.153.151.222 01/03/2017 01/03/2017 ipv4.windowsupdate.mylftv.com 185.133.40.63 01/03/2017 01/03/2017 ipv4.windowsupdate.x24hr.com 78.153.151.222 24/12/2016 24/12/2016 itlans.isasecret.com 185.117.88.124 25/12/2016 20/01/2017

Page 17: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

17

itunesdownload.jkub.com 185.117.88.82 05/02/2017 05/02/2017 itunesdownload.vizvaz.com 185.117.88.82 18/01/2017 18/01/2017 itunesdownload.wikaba.com 185.117.88.82 22/02/2017 03/03/2017 itunesimages.itemdb.com 185.117.88.82 05/01/2017 05/01/2017 itunesimages.itsaol.com 185.117.88.82 14/02/2017 14/02/2017 itunesmirror.fartit.com 185.117.88.124 26/02/2017 26/02/2017 itunesmirror.fartit.com 185.117.88.82 19/01/2017 27/02/2017 itunesmirror.itsaol.com 185.117.88.82 03/02/2017 03/02/2017 itunesmusic.ikwb.com 185.117.88.82 03/02/2017 03/02/2017 itunesmusic.jetos.com 185.117.88.82 05/01/2017 05/01/2017 itunesmusic.jkub.com 185.117.88.82 03/02/2017 03/02/2017 itunesmusic.zzux.com 185.117.88.82 22/02/2017 22/02/2017 itunesupdate.itsaol.com 185.117.88.82 23/02/2017 23/02/2017 itunesupdates.organiccrap.com 185.117.88.78 24/02/2017 09/03/2017 jcie.mofa.ns01.info 109.248.222.85 27/12/2016 20/01/2017 jpstarmarket.serveusers.com 185.117.88.78 24/02/2017 09/03/2017 key.zzux.com 78.153.149.130 12/09/2016 28/12/2016 kikimusic.sellclassics.com 185.117.88.78 24/02/2017 09/03/2017 kmd.crabdance.com 109.248.222.85 29/12/2016 17/01/2017 knowledge.sellclassics.com 109.248.222.85 26/12/2016 20/01/2017 kxsbwappupdate.dhcp.biz 185.117.88.78 24/02/2017 09/03/2017 kztmusiclnk.dnsrd.com 185.117.88.78 24/02/2017 09/03/2017 lan.dynssl.com 31.184.197.215 27/12/2016 09/03/2017 latestnews.epac.to 78.153.151.222 09/12/2016 09/03/2017 latestnews.organiccrap.com 78.153.151.222 09/12/2016 09/03/2017 license.shenajou.com 83.217.26.203 11/02/2017 11/02/2017 license.shenajou.com 109.237.111.175 28/02/2017 28/02/2017 macfee.mrface.com 78.153.149.130 09/12/2016 28/12/2016 maffc.mrface.com 109.248.222.85 26/12/2016 19/01/2017 mason.vizvaz.com 109.248.222.85 26/12/2016 20/01/2017 mediapath.organiccrap.com 185.117.88.124 12/10/2016 10/12/2016 mediapath.organiccrap.com 109.248.222.85 26/12/2016 19/01/2017 microhome.wikaba.com 185.117.88.78 24/02/2017 09/03/2017 microsoft.got-game.org 109.237.111.175 16/02/2017 
16/02/2017 microsoft.got-game.org 103.208.86.129 14/02/2017 22/02/2017 microsoft.got-game.org 185.117.88.78 22/02/2017 22/02/2017 microsoft.got-game.org 95.47.156.86 07/02/2017 01/03/2017 microsoft.mrface.com 185.117.88.78 24/02/2017 09/03/2017 microsoftempowering.sendsmtp.com 103.208.86.129 24/02/2017 09/03/2017 microsoftgetstarted.sexidude.com 103.208.86.129 24/02/2017 09/03/2017 microsoftimages.organiccrap.com 185.117.88.82 05/01/2017 05/01/2017 microsoftmusic.mrbasic.com 185.117.88.82 23/02/2017 03/03/2017 microsoftqckmanager.pcanywhere.net 95.47.156.86 07/02/2017 09/03/2017 microsoftupdate.mrbasic.com 185.117.88.82 27/12/2016 27/12/2016 microsoftupdate.qhigh.com 185.133.40.63 27/12/2016 01/03/2017 mmy.ddns.us 185.117.88.124 26/12/2016 26/12/2016

Page 18: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

18

mmy.ddns.us 109.248.222.85 26/12/2016 20/01/2017 mobile.2waky.com 78.153.151.222 09/12/2016 09/03/2017 mod.jetos.com 109.248.222.85 27/12/2016 20/01/2017 mofa.dynamic-dns.net 109.248.222.85 27/12/2016 20/01/2017 mofa.ns01.info 109.248.222.85 27/12/2016 20/01/2017 moscowstdsupdate.toythieves.com 103.208.86.129 24/02/2017 09/03/2017 mrsloveaqx.mrslove.com 78.153.151.222 09/12/2016 09/03/2017 music.cleansite.us 78.153.151.222 24/02/2017 09/03/2017 musicfile.ikwb.com 185.117.88.124 25/12/2016 25/12/2016 musicfile.ikwb.com 185.117.88.124 10/01/2017 20/01/2017 musiclinker.jkub.com 185.117.88.78 24/02/2017 09/03/2017 mx.yetrula.eu 103.208.86.129 07/02/2017 08/02/2017 mytwhomeinst.sendsmtp.com 95.47.156.86 07/02/2017 09/03/2017 na.americanunfinished.com 109.248.222.85 26/12/2016 20/01/2017 newsdata.jkub.com 185.117.88.124 25/12/2016 25/12/2016 newsfile.toythieves.com 103.208.86.129 24/02/2017 09/03/2017 newsreport.justdied.com 78.153.151.222 12/09/2016 09/03/2017 nezwq.ezua.com 78.153.151.222 09/12/2016 09/03/2017 nmrx.mrbonus.com 78.153.151.222 09/12/2016 09/03/2017 no.authorizeddns.org 109.248.222.85 26/12/2016 20/01/2017 nt.mynumber.org 109.248.222.85 26/12/2016 20/01/2017 nz.compress.to 109.248.222.85 26/12/2016 20/01/2017 ol.almostmy.com 109.248.222.85 26/12/2016 26/12/2016 oracleupdate.dns04.com 185.117.88.82 22/02/2017 22/02/2017 peopleinfodata.3-a.net 185.117.88.78 24/02/2017 09/03/2017 portal.mrface.com 185.117.88.124 25/12/2016 20/01/2017 portal.sendsmtp.com 109.248.222.85 27/12/2016 20/01/2017 portalser.dynamic-dns.net 31.184.197.215 22/12/2016 09/03/2017 praskovya-matveyeva.mefound.com 109.248.222.85 26/12/2016 09/03/2017 praskovya-ulyanova.dumb1.com 109.248.222.85 26/12/2016 09/03/2017 products.almostmy.com 109.248.222.85 27/12/2016 09/03/2017 products.cleansite.us 109.248.222.85 26/12/2016 20/01/2017 products.serveuser.com 185.117.88.124 25/12/2016 20/01/2017 program.acmetoy.com 78.153.151.222 09/12/2016 09/03/2017 purchase.lflinkup.org 109.248.222.85 
26/12/2016 20/01/2017 rain.orctldl.windowsupdate.authorizeddns.us 78.153.149.130 27/02/2017 27/02/2017 read.xxuz.com 95.47.156.86 07/02/2017 09/03/2017 recent.dns-stuff.com 185.117.88.124 25/12/2016 20/01/2017 recent.fartit.com 31.184.197.215 25/12/2016 09/03/2017 referred.gr8domain.biz 109.237.108.202 14/12/2016 26/12/2016 referred.yourtrap.com 109.248.222.85 27/12/2016 20/01/2017 register.ourhobby.com 185.117.88.124 25/12/2016 20/01/2017 registration2.instanthq.com 109.248.222.85 27/12/2016 09/03/2017 registrations.4pu.com 185.117.88.124 25/12/2016 20/01/2017 registrations.organiccrap.com 109.248.222.85 27/12/2016 20/01/2017 reserveds.onedumb.com 31.184.197.215 22/12/2016 09/03/2017

Page 19: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

19

rethem.almostmy.com 109.248.222.85 26/12/2016 20/01/2017 sc.weboot.info 83.217.26.203 12/12/2016 12/12/2016 sc.weboot.info 31.184.197.215 15/12/2016 27/12/2016 sc.weboot.info 185.117.88.124 30/12/2016 05/03/2017 sdmsg.onmypc.org 109.248.222.85 27/12/2016 20/01/2017 se.toythieves.com 109.248.222.85 26/12/2016 20/01/2017 secertnews.mrbasic.com 78.153.151.222 09/12/2016 09/03/2017 send.mofa.ns01.info 109.248.222.85 27/12/2016 20/01/2017 sendmsg.jumpingcrab.com 109.248.222.85 28/12/2016 19/01/2017 senseye.ikwb.com 109.248.222.85 27/12/2016 09/03/2017 septdlluckysystem.jungleheart.com 185.117.88.78 12/09/2016 09/03/2017 seraphim-yurieva.justdied.com 109.248.222.85 26/12/2016 09/03/2017 serv.justdied.com 185.117.88.124 25/12/2016 20/01/2017 server1.proxydns.com 109.248.222.85 26/12/2016 20/01/2017 seyesb.acmetoy.com 109.248.222.85 27/12/2016 20/01/2017 shugiin.jkub.com 109.248.222.85 27/12/2016 20/01/2017 sstday.jkub.com 109.248.222.85 27/12/2016 20/01/2017 stone.jumpingcrab.com 109.248.222.85 28/12/2016 19/01/2017 support1.mrface.com 109.248.222.85 27/12/2016 09/03/2017 svc.dynssl.com 109.248.222.85 27/12/2016 19/01/2017 synssl.dnset.com 109.248.222.85 27/12/2016 20/01/2017 taipeifoodsite.ocry.com 185.117.88.78 24/02/2017 09/03/2017 tamraj.fartit.com 185.117.88.124 22/12/2016 22/12/2016 tamraj.fartit.com 31.184.197.215 22/12/2016 09/03/2017 ticket.instanthq.com 185.117.88.124 27/12/2016 09/03/2017 tophost.dynamicdns.co.uk 78.153.149.130 09/12/2016 28/12/2016 transfer.lflinkup.org 109.248.222.85 27/12/2016 20/01/2017 transfer.vizvaz.com 185.117.88.124 25/12/2016 20/01/2017 travelyokogawafz.fartit.com 185.117.88.78 24/02/2017 09/03/2017 twmusic.proxydns.com 185.117.88.78 24/02/2017 09/03/2017 twpeoplemusicsite.my03.com 185.117.88.78 24/02/2017 09/03/2017 twtravelinfomation.toythieves.com 185.117.88.78 24/02/2017 09/03/2017 twx.mynumber.org 78.153.151.222 09/12/2016 09/03/2017 ugreen.itemdb.com 185.117.88.124 22/12/2016 22/12/2016 ugreen.itemdb.com 31.184.197.215 
22/12/2016 09/03/2017 uk.dynamicdns.org.uk 109.248.222.85 26/12/2016 20/01/2017 un.ddns.info 109.248.222.85 27/12/2016 20/01/2017 un.dnsrd.com 109.248.222.85 27/12/2016 20/01/2017 updates.itsaol.com 185.117.88.124 18/01/2017 18/01/2017 v4.microsoftupdate.mrbasic.com 185.117.88.82 12/01/2017 04/03/2017 v4.windowsupdate.itsaol.com 185.133.40.63 24/12/2016 24/12/2016 v4.windowsupdate.x24hr.com 78.153.151.222 24/12/2016 24/12/2016 wcxh.mynetav.net 78.153.151.222 09/12/2016 09/03/2017 well.itsaol.com 109.248.222.85 26/12/2016 26/12/2016 windowfile.itemdb.com 185.117.88.124 25/12/2016 25/12/2016 windowsimages.itemdb.com 185.117.88.82 15/01/2017 15/01/2017

Page 20: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

20

windowsmirrors.vizvaz.com 109.237.108.202 26/12/2016 26/12/2016 windowsmirrors.vizvaz.com 185.133.40.63 26/12/2016 06/03/2017 windowsmirrors.vizvaz.com 109.237.108.150 05/03/2017 09/03/2017 windowsupdate.2waky.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.2waky.com 78.153.149.130 03/01/2017 09/03/2017 windowsupdate.3-a.net 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.3-a.net 78.153.151.222 26/12/2016 09/03/2017 windowsupdate.authorizeddns.org 185.133.40.63 14/12/2016 14/12/2016 windowsupdate.authorizeddns.us 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.authorizeddns.us 78.153.149.130 01/03/2017 09/03/2017 windowsupdate.dedgesuite.net 185.133.40.63 11/02/2017 28/02/2017 windowsupdate.dns05.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.dns05.com 185.133.40.63 26/12/2016 09/03/2017 windowsupdate.dnset.com 185.133.40.63 14/12/2016 14/12/2016 windowsupdate.esmtp.biz 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.esmtp.biz 109.237.108.150 26/12/2016 09/03/2017 windowsupdate.ezua.com 78.153.151.222 26/12/2016 09/03/2017 windowsupdate.fartit.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.fartit.com 78.153.149.130 03/01/2017 09/03/2017 windowsupdate.gettrials.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.gettrials.com 78.153.151.222 26/12/2016 09/03/2017 windowsupdate.instanthq.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.instanthq.com 109.237.108.150 26/12/2016 09/03/2017 windowsupdate.jungleheart.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.jungleheart.com 78.153.149.130 03/01/2017 09/03/2017 windowsupdate.lflink.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.lflink.com 78.153.151.222 26/12/2016 01/03/2017 windowsupdate.mrface.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.mrface.com 185.133.40.63 26/12/2016 01/03/2017 windowsupdate.mylftv.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.mylftv.com 185.133.40.63 26/12/2016 09/03/2017 windowsupdate.organiccrap.com 
185.117.88.82 09/01/2017 12/01/2017 windowsupdate.rebatesrule.net 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.rebatesrule.net 78.153.151.222 26/12/2016 05/02/2017 windowsupdate.sellclassics.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.sellclassics.com 109.237.108.150 26/12/2016 09/03/2017 windowsupdate.serveusers.com 109.237.108.202 21/12/2016 21/12/2016 windowsupdate.serveusers.com 109.237.108.150 26/12/2016 09/03/2017 windowsupdate.wcwname.com 109.237.108.202 28/02/2017 28/02/2017 www.additional.sexidude.com 109.248.222.85 27/12/2016 20/01/2017 www.announcements.toythieves.com 109.248.222.85 26/12/2016 20/01/2017 www.appledownload.ourhobby.com 185.117.88.82 22/02/2017 03/03/2017 www.appleimages.itemdb.com 78.153.151.222 02/01/2017 09/03/2017 www.appleimages.longmusic.com 185.117.88.82 22/02/2017 03/03/2017 www.appleimages.organiccrap.com 185.117.88.82 05/01/2017 05/01/2017 www.applemirror.organiccrap.com 185.117.88.124 21/02/2017 21/02/2017

Page 21: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

21

www.applemirror.organiccrap.com 185.117.88.82 10/01/2017 23/02/2017 www.applemirror.squirly.info 109.237.108.150 12/02/2017 12/02/2017 www.applemusic.isasecret.com 185.117.88.82 09/01/2017 12/01/2017 www.applemusic.itemdb.com 185.117.88.82 06/02/2017 06/02/2017 www.applemusic.itemdb.com 78.153.149.130 12/02/2017 12/02/2017 www.applemusic.wikaba.com 185.117.88.82 22/02/2017 03/03/2017 www.applemusic.xxuz.com 109.237.108.150 12/02/2017 12/02/2017 www.applemusic.zzux.com 185.117.88.82 22/02/2017 03/03/2017 www.appleupdate.itemdb.com 185.117.88.82 03/02/2017 03/02/2017 www.appleupdateurl.2waky.com 103.208.86.129 24/02/2017 09/03/2017 www.asfzx.x24hr.com 109.248.222.85 26/12/2016 20/01/2017 www.availab.wikaba.com 185.117.88.124 25/12/2016 20/01/2017 www.availability.justdied.com 185.117.88.124 25/12/2016 20/01/2017 www.babymusicsitetr.mymom.info 185.117.88.78 24/02/2017 09/03/2017 www.back.jungleheart.com 109.248.222.85 27/12/2016 20/01/2017 www.balance1.wikaba.com 109.248.222.85 27/12/2016 09/03/2017 www.be.mrslove.com 109.248.222.85 26/12/2016 26/12/2016 www.billing.organiccrap.com 185.117.88.124 24/12/2016 24/12/2016 www.brand.fartit.com 109.248.222.85 26/12/2016 20/01/2017 www.bulletproof.squirly.info 109.248.222.85 26/12/2016 20/01/2017 www.civilwar123.authorizeddns.org 109.248.222.85 27/12/2016 20/01/2017 www.civilwar520.onmypc.org 109.248.222.85 27/12/2016 20/01/2017 www.cnnews.mylftv.com 78.153.149.130 09/12/2016 28/12/2016 www.commons.onedumb.com 109.248.222.85 26/12/2016 19/01/2017 www.contractus.qpoe.com 78.153.151.222 09/12/2016 27/12/2016 www.corp-dnsonline.itsaol.com 103.208.86.129 24/02/2017 09/03/2017 www.cress.mynetav.net 109.237.111.175 24/02/2017 09/03/2017 www.dasonews.youdontcare.com 185.117.88.78 24/02/2017 09/03/2017 www.daughter.vizvaz.com 67.205.132.17 03/01/2017 01/03/2017 www.de.onmypc.info 109.248.222.85 26/12/2016 20/01/2017 www.details.squirly.info 185.117.88.124 25/12/2016 20/01/2017 www.disruptive.https443.net 109.248.222.85 26/12/2016 
20/01/2017 www.dns-hinettw.25u.com 95.47.156.86 07/02/2017 09/03/2017 www.ea.onmypc.info 109.248.222.85 26/12/2016 20/01/2017 www.ehshiroshima.mylftv.com 185.117.88.78 09/12/2016 09/03/2017 www.eric-averyanov.wha.la 109.248.222.85 26/12/2016 26/12/2016 www.eu.acmetoy.com 109.248.222.85 27/12/2016 20/01/2017 www.eu.wha.la 109.248.222.85 26/12/2016 26/12/2016 www.extraordinary.dynamic-dns.net 95.47.156.86 15/02/2017 15/02/2017 www.extraordinary.dynamic-dns.net 67.205.132.17 15/02/2017 20/02/2017 www.fire.mrface.com 109.248.222.85 26/12/2016 26/12/2016 www.firstnews.jkub.com 185.117.88.124 17/01/2017 17/01/2017 www.fr.wikaba.com 185.117.88.124 26/12/2016 26/12/2016 www.fr.wikaba.com 109.248.222.85 26/12/2016 20/01/2017 www.freegamecenter.onedumb.com 67.205.132.17 24/02/2017 09/03/2017 www.fuck.ikwb.com 78.153.149.130 08/12/2016 27/12/2016

Page 22: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

22

www.generat.almostmy.com 31.184.197.215 25/12/2016 09/03/2017 www.grammar.jkub.com 109.237.111.175 24/02/2017 24/02/2017 www.hii.qhigh.com 109.248.222.85 26/12/2016 26/12/2016 www.innocent-isayev.sexidude.com 109.248.222.85 26/12/2016 09/03/2017 www.invoices.sexxxy.biz 185.117.88.124 25/12/2016 20/01/2017 www.itlans.isasecret.com 185.117.88.124 25/12/2016 20/01/2017 www.itunesdownload.jkub.com 185.117.88.82 05/02/2017 05/02/2017 www.itunesdownload.vizvaz.com 185.117.88.82 18/01/2017 18/01/2017 www.itunesdownload.wikaba.com 185.117.88.82 22/02/2017 03/03/2017 www.itunesimages.itemdb.com 185.117.88.82 05/01/2017 05/01/2017 www.itunesimages.itsaol.com 185.117.88.82 14/02/2017 14/02/2017 www.itunesimages.qpoe.com 185.117.88.82 24/02/2017 24/02/2017 www.itunesimages.qpoe.com 185.117.88.82 24/02/2017 09/03/2017 www.itunesmirror.fartit.com 185.117.88.124 26/02/2017 26/02/2017 www.itunesmirror.fartit.com 185.117.88.82 19/01/2017 27/02/2017 www.itunesmirror.itsaol.com 185.117.88.82 03/02/2017 03/02/2017 www.itunesmusic.ikwb.com 185.117.88.82 03/02/2017 03/02/2017 www.itunesmusic.jetos.com 185.117.88.82 05/01/2017 05/01/2017 www.itunesmusic.jkub.com 185.117.88.82 03/02/2017 03/02/2017 www.itunesmusic.zzux.com 185.117.88.82 22/02/2017 22/02/2017 www.itunesupdate.itsaol.com 185.117.88.82 23/02/2017 23/02/2017 www.itunesupdates.organiccrap.com 185.117.88.78 24/02/2017 09/03/2017 www.jpnewslogs.sendsmtp.com 109.237.111.175 18/12/2016 09/03/2017 www.key.zzux.com 78.153.149.130 09/12/2016 28/12/2016 www.knowledge.sellclassics.com 109.248.222.85 26/12/2016 20/01/2017 www.lan.dynssl.com 31.184.197.215 27/12/2016 09/03/2017 www.latestnews.epac.to 78.153.151.222 09/12/2016 09/03/2017 www.latestnews.organiccrap.com 78.153.151.222 09/12/2016 09/03/2017 www.macfee.mrface.com 78.153.149.130 12/09/2016 28/12/2016 www.maffc.mrface.com 109.248.222.85 26/12/2016 19/01/2017 www.mason.vizvaz.com 109.248.222.85 26/12/2016 20/01/2017 www.mediapath.organiccrap.com 109.248.222.85 26/12/2016 
19/01/2017 www.microsoft.got-game.org 109.237.111.175 16/02/2017 16/02/2017 www.microsoft.got-game.org 103.208.86.129 14/02/2017 22/02/2017 www.microsoft.got-game.org 185.117.88.78 22/02/2017 22/02/2017 www.microsoft.got-game.org 95.47.156.86 07/02/2017 01/03/2017 www.microsoft.mrface.com 185.117.88.78 24/02/2017 09/03/2017 www.microsoftempowering.sendsmtp.com 103.208.86.129 24/02/2017 09/03/2017 www.microsoftgetstarted.sexidude.com 103.208.86.129 24/02/2017 09/03/2017 www.microsoftimages.organiccrap.com 185.117.88.82 05/01/2017 05/01/2017 www.microsoftmusic.mrbasic.com 185.117.88.82 23/02/2017 03/03/2017 www.microsoftqckmanager.pcanywhere.net 95.47.156.86 07/02/2017 09/03/2017 www.microsoftupdate.mrbasic.com 185.117.88.82 27/12/2016 27/12/2016 www.microsoftupdate.qhigh.com 185.133.40.63 27/12/2016 05/02/2017 www.mmy.ddns.us 185.117.88.124 26/12/2016 26/12/2016 www.mmy.ddns.us 109.248.222.85 26/12/2016 20/01/2017

Page 23: Industry Security Notice - gov.uk · This Industry Security Notice (ISN) is issued for guidance purposes and should be read in conjunction with the National Cyber Security Centre

23

www.mod.jetos.com 109.248.222.85 27/12/2016 19/01/2017 www.mofa.dynamic-dns.net 109.248.222.85 27/12/2016 20/01/2017 www.mofa.ns01.info 109.248.222.85 27/12/2016 20/01/2017 www.moonnightthse.zyns.com 103.208.86.129 24/02/2017 09/03/2017 www.moscowdic.trickip.org 109.237.111.175 24/02/2017 09/03/2017 www.moscowstdsupdate.toythieves.com 103.208.86.129 24/02/2017 09/03/2017 www.musicfile.ikwb.com 185.117.88.124 25/12/2016 20/01/2017 www.mytwhomeinst.sendsmtp.com 95.47.156.86 07/02/2017 09/03/2017 www.na.americanunfinished.com 109.248.222.85 26/12/2016 20/01/2017 www.networkjpnzee.mynetav.org 109.237.111.175 24/02/2017 09/03/2017 www.newcityoforward.rebatesrule.net 185.117.88.78 24/02/2017 09/03/2017 www.newsdata.jkub.com 185.117.88.124 25/12/2016 25/12/2016 www.newsfile.toythieves.com 103.208.86.129 24/02/2017 24/02/2017 www.newsfile.toythieves.com 103.208.86.129 24/02/2017 09/03/2017 www.no.authorizeddns.org 109.248.222.85 26/12/2016 20/01/2017 www.nt.mynumber.org 109.248.222.85 26/12/2016 20/01/2017 www.nuisance.serveusers.com 67.205.132.17 24/02/2017 24/02/2017 www.nuisance.serveusers.com 109.237.111.175 26/02/2017 26/02/2017 www.nz.compress.to 109.248.222.85 26/12/2016 20/01/2017 www.ol.almostmy.com 109.248.222.85 26/12/2016 26/12/2016 www.onlinednsserver.sendsmtp.com 67.205.132.17 24/02/2017 09/03/2017 www.oracleupdate.dns04.com 185.117.88.82 22/02/2017 22/02/2017 www.pepper.sexxxy.biz 109.237.111.175 24/02/2017 09/03/2017 www.portal.mrface.com 185.117.88.124 25/12/2016 20/01/2017 www.portal.sendsmtp.com 109.248.222.85 27/12/2016 20/01/2017 www.portalser.dynamic-dns.net 31.184.197.215 22/12/2016 09/03/2017 www.praskovya-matveyeva.mefound.com 109.248.222.85 26/12/2016 09/03/2017 www.praskovya-ulyanova.dumb1.com 109.248.222.85 26/12/2016 09/03/2017 www.products.almostmy.com 109.248.222.85 27/12/2016 09/03/2017 www.products.cleansite.us 109.248.222.85 26/12/2016 20/01/2017 www.products.serveuser.com 185.117.88.124 25/12/2016 20/01/2017 www.purchase.lflinkup.org 
109.248.222.85 26/12/2016 20/01/2017 www.read.xxuz.com 95.47.156.86 07/02/2017 09/03/2017 www.recent.dns-stuff.com 185.117.88.124 25/12/2016 20/01/2017 www.recent.fartit.com 31.184.197.215 25/12/2016 09/03/2017 www.redflower.isasecret.com 109.237.111.175 24/02/2017 09/03/2017 www.referred.gr8domain.biz 109.237.108.202 14/12/2016 26/12/2016 www.referred.yourtrap.com 109.248.222.85 27/12/2016 20/01/2017 www.register.ourhobby.com 185.117.88.124 25/12/2016 20/01/2017 www.registration2.instanthq.com 109.248.222.85 27/12/2016 09/03/2017 www.registrations.4pu.com 185.117.88.124 25/12/2016 20/01/2017 www.registrations.organiccrap.com 109.248.222.85 27/12/2016 20/01/2017 www.remeberdata.iownyour.org 109.237.111.175 24/02/2017 09/03/2017 www.reserveds.onedumb.com 31.184.197.215 22/12/2016 09/03/2017 www.rethem.almostmy.com 109.248.222.85 26/12/2016 20/01/2017 www.sdmsg.onmypc.org 109.248.222.85 27/12/2016 20/01/2017

Domain                                  IP address       First seen   Last seen
www.se.toythieves.com                   109.248.222.85   26/12/2016   20/01/2017
www.senseye.ikwb.com                    109.248.222.85   27/12/2016   09/03/2017
www.septdlluckysystem.jungleheart.com   185.117.88.78    09/12/2016   09/03/2017
www.seraphim-yurieva.justdied.com       109.248.222.85   26/12/2016   09/03/2017
www.serv.justdied.com                   185.117.88.124   25/12/2016   20/01/2017
www.server1.proxydns.com                109.248.222.85   26/12/2016   20/01/2017
www.seyesb.acmetoy.com                  109.248.222.85   27/12/2016   20/01/2017
www.shugiin.jkub.com                    109.248.222.85   27/12/2016   19/01/2017
www.sojourner.mypicture.info            185.117.88.78    24/02/2017   09/03/2017
www.sstday.jkub.com                     109.248.222.85   27/12/2016   20/01/2017
www.support1.mrface.com                 109.248.222.85   27/12/2016   09/03/2017
www.svc.dynssl.com                      109.248.222.85   27/12/2016   20/01/2017
www.synssl.dnset.com                    109.248.222.85   27/12/2016   20/01/2017
www.tamraj.fartit.com                   185.117.88.124   22/12/2016   22/12/2016
www.tamraj.fartit.com                   31.184.197.215   22/12/2016   09/03/2017
www.ticket.instanthq.com                185.117.88.124   27/12/2016   09/03/2017
www.tophost.dynamicdns.co.uk            78.153.149.130   09/12/2016   28/12/2016
www.transfer.lflinkup.org               109.248.222.85   27/12/2016   20/01/2017
www.transfer.vizvaz.com                 185.117.88.124   25/12/2016   20/01/2017
www.twsslpopservupro.dynssl.com         185.117.88.78    24/02/2017   09/03/2017
www.ugreen.itemdb.com                   185.117.88.124   22/12/2016   22/12/2016
www.ugreen.itemdb.com                   31.184.197.215   22/12/2016   09/03/2017
www.uk.dynamicdns.org.uk                109.248.222.85   26/12/2016   20/01/2017
www.un.ddns.info                        109.248.222.85   27/12/2016   20/01/2017
www.un.dnsrd.com                        109.248.222.85   27/12/2016   20/01/2017
www.usliveupdateonline.ygto.com         109.237.111.175  24/02/2017   09/03/2017
www.well.itsaol.com                     109.248.222.85   26/12/2016   26/12/2016
www.windowfile.itemdb.com               185.117.88.124   25/12/2016   25/12/2016
www.windowsimages.itemdb.com            185.117.88.82    15/01/2017   15/01/2017
www.windowsmirrors.vizvaz.com           109.237.108.202  26/12/2016   26/12/2016
www.windowsmirrors.vizvaz.com           185.133.40.63    26/12/2016   05/02/2017
www.windowsmirrors.vizvaz.com           109.237.108.150  05/03/2017   05/03/2017
www.windowsupdate.2waky.com             109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.2waky.com             78.153.149.130   03/01/2017   09/03/2017
www.windowsupdate.3-a.net               109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.3-a.net               78.153.151.222   26/12/2016   09/03/2017
www.windowsupdate.authorizeddns.us      109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.authorizeddns.us      78.153.149.130   03/01/2017   30/01/2017
www.windowsupdate.authorizeddns.us      78.153.149.130   24/02/2017   09/03/2017
www.windowsupdate.dns05.com             109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.dns05.com             185.133.40.63    26/12/2016   09/03/2017
www.windowsupdate.esmtp.biz             109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.esmtp.biz             109.237.108.150  26/12/2016   09/03/2017
www.windowsupdate.ezua.com              78.153.151.222   26/12/2016   09/03/2017
www.windowsupdate.fartit.com            109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.fartit.com            78.153.149.130   03/01/2017   09/03/2017
www.windowsupdate.gettrials.com         109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.gettrials.com         78.153.151.222   26/12/2016   09/03/2017
www.windowsupdate.instanthq.com         109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.instanthq.com         109.237.108.150  26/12/2016   09/03/2017
www.windowsupdate.jungleheart.com       109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.jungleheart.com       78.153.149.130   03/01/2017   09/03/2017
www.windowsupdate.lflink.com            109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.lflink.com            78.153.151.222   26/12/2016   05/02/2017
www.windowsupdate.mrface.com            109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.mrface.com            185.133.40.63    26/12/2016   05/02/2017
www.windowsupdate.mylftv.com            109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.mylftv.com            185.133.40.63    26/12/2016   09/03/2017
www.windowsupdate.organiccrap.com       185.117.88.82    09/01/2017   12/01/2017
www.windowsupdate.rebatesrule.net       109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.rebatesrule.net       78.153.151.222   26/12/2016   05/02/2017
www.windowsupdate.sellclassics.com      109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.sellclassics.com      109.237.108.150  26/12/2016   09/03/2017
www.windowsupdate.serveusers.com        109.237.108.202  21/12/2016   21/12/2016
www.windowsupdate.serveusers.com        109.237.108.150  26/12/2016   09/03/2017
www.yandexr.sellclassics.com            185.117.88.124   22/12/2016   22/12/2016
www.yandexr.sellclassics.com            31.184.197.215   22/12/2016   09/03/2017
www.yokohamajpinstaz.mrbonus.com        185.117.88.78    24/02/2017   09/03/2017
yandexr.sellclassics.com                185.117.88.124   22/12/2016   22/12/2016
yandexr.sellclassics.com                31.184.197.215   22/12/2016   09/03/2017
yfrfyhf.youdontcare.com                 78.153.151.222   09/12/2016   09/03/2017
zero.pcanywhere.net                     78.153.151.222   09/12/2016   09/03/2017

File names:
AVK.dll
AVK.exe
Vba32ar.dll

Fuzzy hashes:
3072:S+tlA2WLOd21DqeH6o2SbTK1ov55xx82m2PK1oRgIh:S+VaU21Dq/BSbTKA8PCJ
384:ihQNEsZLpdT8VyreQrxCdd5EV37h4bU8wz3Iyf+VZsFFLRuAspcI8oo39L:S9UT8Vq5Ud03ybCIDZwFN1U8o0
768:Ga74qxW588yzTaq/nYkZIsKF/Ia5QaYuIzQchjtA5TykeovEDln7+qniYwP0:VSVyzffYkZi/IaDYljtAkkeN6kwP0

IP addresses:
23.89.193.34
23.252.105.137
31.184.197.215
31.184.197.227
31.184.198.23
31.184.198.38
37.235.52.18
45.62.112.161
46.108.39.134
52.76.51.54
61.97.241.239
67.205.132.17
78.153.149.130
78.153.151.222
81.176.239.56
83.217.26.203
86.106.102.3
89.34.237.11
95.47.156.86
95.183.52.57
95.183.53.49
103.208.86.129
107.181.160.109
109.237.108.150
109.237.108.202
109.237.111.175
109.248.222.85
110.10.176.181
123.1.186.28
138.68.19.47
144.168.45.116
151.101.100.73
151.236.20.16
151.236.23.159
158.255.208.61
158.255.208.170
158.255.208.189
160.202.163.79
160.202.163.81
160.202.163.82
160.202.163.91
162.248.242.115
169.239.128.143
175.126.148.108
175.126.148.111
185.14.185.189
185.117.88.77
185.117.88.78
185.117.88.81
185.117.88.82
185.117.88.124
185.133.40.63
185.141.25.33
211.110.17.209

MD5 Hashes:
410774441b39165380ecb50598d7a799
7007b54e7e3f84844086d5320806788e
fa78bbacb80a44861f02d6db0778d3da

Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\runcccccc

SHA1 Hashes:
902bc8d561bb57ea14aa86349bb94fefb19369ad
9cb4b3df9514c5fbe9e2aef048e480bf79e6f8bd
b822fa075a0000b7a9e245db2b5e0f79337186bb

SHA256 Hashes:
77d99b4750dfa2c8283dd0f29efed97f563ec981b20d91b4cf08d47985ba3b96
ca119725c2cef7baad0690d82b770c25ff64c7e7f1fc9e0e65c91d20151cd204
cc3c04ab360912c43dba33f724d89b7baf084d4d78ed675145790981fe4a61cd