According to the United States' Cybersecurity and Infrastructure Security Agency (CISA), the number of ransomware attacks around the world has increased, and the Computer Emergency Readiness Team (US-CERT) states that this sort of breach hits a target every 14 seconds.
As stated in the above September 9, 2020 status report, **Equinix was internally compromised with ransomware**. To provide some context, we're talking about an American multinational company that operates multiple data centers in the Americas, Europe and Asia, with a NASDAQ stock value that has risen over the years.
And to show you just how big this company's digital footprint is, we pulled an overview of their assets by entering the domain name equinix.com into Surfacebrowser. The output looked like this:
But as you may know, they're not the only large business being targeted. There's a huge economy behind ransomware that makes these activities very profitable for criminals. Usually, everything starts with in-depth, malicious asset discovery.
The Equinix attack
According to an unknown source that reported to BleepingComputer, this attack was perpetrated by the infamous **Netwalker ransomware**.
Despite this claim, we haven't found any official statements about it. The source also shared that there was a message sent to Equinix with the usual ransom note as well as a screenshot listing the stolen assets.
The most plausible theory regarding the entry point of this attack is that multiple remote desktop protocol (RDP) instances were exposed at the time. There's even a test in the previously mentioned blog post that shows multiple listening RDP servers within Equinix's different public IP spaces.
While we'll confirm this in a few moments, it's still hard to say that this was the actual attack vector used by the ransomware creators. We'll show you why, by giving you some information to analyze so you can draw your own conclusions.
To analyze Equinix's digital assets, we can extract the whole set of autonomous system numbers (ASNs) by doing an ASN lookup filtered by the company's name. Below you'll see the list of all ASNs registered at the different regional internet registries (RIRs).
Taking for granted that the registered description is correct (it could be forged if someone were trying to obscure something), the number of ASNs and the total size of the IP ranges they advertise make the search for internal-only IP ranges quite difficult when the customer-facing address space is so large.
For this you'll need to rely on additional characteristics such as reverse DNS (rDNS) records, DNS records holding names that give clues about internal or border infrastructure, and the like; the vector we found is, at the very least, tricky to pin down.
Despite all this, we're linking related information from a past blog, in case you want to know more about how to find IP addresses owned by a company.
Now we're using Surfacebrowser again—to find not only the company's IP space but also those addresses that have actually been seen with TCP port 3389 open (the standard Microsoft RDP port).
In this SQL Explorer query, we're doing the following:
Getting all IP addresses, the hostnames pointing to those IP addresses, the reverse pointer records that these IP addresses resolve to, plus the corresponding ASN that announces them.
Getting all IP addresses that match "Equinix, Inc." as the ASN owner.
Getting all IP addresses with a history of open TCP port 3389 (the RDP default port).
Results as follows:
As you can see, multiple results match the mentioned criteria. It's quite probable that this is how the attackers got in (although a piece of this puzzle remains unseen).
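To make the three-step query above concrete, here is an added example (not code from the original post or from Surfacebrowser) that applies the same filters in plain Python over constructed records, and adds the rDNS/hostname heuristic mentioned earlier for telling likely company-operated hosts apart from customer space. The record schema, field names, hint words and sample values are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

RDP_PORT = 3389
# Name fragments that hint at company-operated border or management hosts
# rather than customer space (heuristic chosen for this example).
INTERNAL_HINTS = ("vpn", "gw", "gateway", "mgmt", "corp", "jump", "bastion", "oob")

@dataclass
class IPRecord:
    ip: str
    asn: int
    asn_owner: str
    hostnames: list   # forward DNS names resolving to this IP
    rdns: str         # reverse pointer record, "" if none
    ports_seen: set   # TCP ports observed open at any point in history

# Constructed sample rows (documentation IP ranges and ASNs, not real hosts).
SAMPLE = [
    IPRecord("192.0.2.10", 64496, "Equinix, Inc.",
             ["vpn-gw01.corp.example.net"], "vpn-gw01.corp.example.net", {443, 3389}),
    IPRecord("192.0.2.55", 64496, "Equinix, Inc.",
             [], "customer-55.colo.example.net", {3389}),
    IPRecord("198.51.100.7", 64497, "Example Customer LLC",
             ["win.example.org"], "", {3389}),
    IPRecord("192.0.2.80", 64496, "Equinix, Inc.",
             ["www.example.net"], "", {80, 443}),
]

def exposed_rdp(records, owner="Equinix, Inc."):
    """Steps 2 and 3 of the query: owner filter plus RDP-port history."""
    return [r for r in records if r.asn_owner == owner and RDP_PORT in r.ports_seen]

def name_hints(rec):
    """Hint words found in the forward and reverse names of one record."""
    names = [n for n in rec.hostnames + [rec.rdns] if n]
    tokens = {t for n in names for t in re.split(r"[.-]", n.lower()) if t}
    return sorted(h for h in INTERNAL_HINTS
                  if any(re.fullmatch(h + r"\d*", t) for t in tokens))

def triage(records, owner="Equinix, Inc."):
    """Exposed-RDP hosts for `owner`, likely company-operated ones listed first."""
    rows = [(r.ip, name_hints(r)) for r in exposed_rdp(records, owner)]
    return sorted(rows, key=lambda row: (not row[1], row[0]))

if __name__ == "__main__":
    for ip, hints in triage(SAMPLE):
        print(ip, "hints:", ", ".join(hints) or "none")
```

Hosts with hint words deserve the first look in an exposure review; the rest may be customer-operated and need the ownership question settled before any conclusion is drawn.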
To help us dig a little deeper, let's cover a few basics on what ransomware is, how it operates and how to deal with such attacks if you ever find yourself compromised.
The ransomware ecosystem
While ransomware attacks are nothing new, their inc...