
Recently an attack based on booby trapped web servers was blocked by Microsoft through seizure of some of the known server names used in this attack. This attack analysis was focused on defending the US midterm elections, which will take place in November 2018.

Here are the booby trapped web servers seized by Microsoft:

    name                            IP address      date updated 
------------------------------------------------------------------------
    adfs-senate.email               157.56.161.162  17/08/2018
    adfs-senate.services            157.56.161.162  17/08/2018
    hudsonorg-my-sharepoint.com     157.56.161.162  14/08/2018
    my-iri.org                      157.56.161.162  16/08/2018
    office365-onedrive.com          157.56.161.162  14/08/2018
    senate.group                    157.56.161.162  17/08/2018
------------------------------------------------------------------------

Of course 157.56.161.162 is an IP address belonging to Microsoft, and they will get all the traffic of machines trapped by this attack before August the 14th.

This attack, from Microsoft analysis, looks like it could be attributed to the criminal group APT28.

But some information is now missing for other countries who could be other targets of this attack campaign, either directly or indirectly, to later attack the United States through the usual connection laundering technique.

It would be interesting to detect the machines on which an attack was successful everywhere in the world. For this analysis to be successful, the easiest way consists in entering, within the Egress filtering rules of Internet firewalls, rules of the form (at the top of the Egress filtering group):

deny ip any <IP_address_of_booby_trapped_web_server> 255.255.255.255 log

for the 6 servers identified by Microsoft.

And for this investigation we need the IP address attributed to these booby trapped web servers just before the seizure and update by Microsoft.


How may we quickly obtain what these criminals' IP addresses were before August the 14th within the international WHOIS database?
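The detection the question describes has two parts: turning the list of indicator addresses into host-mask `deny ... log` egress rules, and then reading the firewall's deny log to find which internal hosts tried to reach those addresses. The script below is an added example, not code from the question or from Microsoft; the domain names are the six from the table above, but the pre-seizure IP addresses are placeholders in RFC 5737 documentation space (the question itself is asking how to recover the real ones), and the log line format is a constructed `src=... dst=... action=...` layout that you would adapt to your own firewall's syslog.

```python
"""Egress-rule generation and deny-log triage for a list of indicator IPs.

Added example. Domain names come from the seized-server table in the question.
The IP addresses assigned to them are PLACEHOLDERS (203.0.113.0/24 is RFC 5737
documentation space); replace them with the pre-seizure addresses once found.
"""
import re
from ipaddress import ip_address

# Domain -> pre-seizure IP. PLACEHOLDER values; the question asks how to obtain
# the real historical addresses from WHOIS / passive DNS data.
PRE_SEIZURE_IPS = {
    "adfs-senate.email":           "203.0.113.10",
    "adfs-senate.services":        "203.0.113.11",
    "hudsonorg-my-sharepoint.com": "203.0.113.12",
    "my-iri.org":                  "203.0.113.13",
    "office365-onedrive.com":      "203.0.113.14",
    "senate.group":                "203.0.113.15",
}


def egress_rules(ip_map):
    """Emit one 'deny ip any <ip> 255.255.255.255 log' line per distinct IP.

    Uses the host-mask syntax from the question. Duplicate IPs (several names
    hosted on one address, as in the seized table) collapse to a single rule.
    """
    unique_ips = sorted(set(ip_map.values()), key=ip_address)
    return [f"deny ip any {ip} 255.255.255.255 log" for ip in unique_ips]


# Constructed log layout: "... src=<ip> dst=<ip> action=<deny|allow> ..."
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+action=(?P<action>\w+)")


def find_hits(log_lines, ip_map):
    """Return {internal_src: [indicator domains]} for denied connections.

    Only 'deny' events whose destination is an indicator IP are counted, so a
    host that talks to ordinary sites is not flagged. A hit means the host is
    still trying to reach the booby trapped server and needs investigation.
    """
    domains_by_ip = {}
    for domain, ip in ip_map.items():
        domains_by_ip.setdefault(ip, []).append(domain)

    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "deny":
            continue
        matched = domains_by_ip.get(m["dst"])
        if matched:
            hits.setdefault(m["src"], set()).update(matched)
    return {src: sorted(domains) for src, domains in hits.items()}


# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = [
    "2018-08-10T12:00:01 fw1 src=10.0.5.23 dst=203.0.113.10 action=deny proto=tcp dport=443",
    "2018-08-10T12:00:02 fw1 src=10.0.5.23 dst=93.184.216.34 action=allow proto=tcp dport=443",
    "2018-08-11T09:15:44 fw1 src=10.0.7.8 dst=203.0.113.14 action=deny proto=tcp dport=443",
    "2018-08-11T09:16:00 fw1 src=10.0.5.23 dst=203.0.113.10 action=deny proto=tcp dport=80",
    "2018-08-11T09:17:30 fw1 src=10.0.9.1 dst=203.0.113.15 action=allow proto=udp dport=53",
]

if __name__ == "__main__":
    for rule in egress_rules(PRE_SEIZURE_IPS):
        print(rule)
    for src, domains in find_hits(SAMPLE_LOG, PRE_SEIZURE_IPS).items():
        print(f"investigate {src}: tried to reach {', '.join(domains)}")
```

Note that the last sample line is an `allow` to an indicator address and is deliberately not reported: if an allow for one of these destinations shows up in your own logs, the deny rule is not at the top of the egress group as the question specifies, and the rule order should be checked before trusting the triage output.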
