
Indicators of Malicious Activity and Recommendations for Impacted Organizations - Hunting pulse

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A comprehensive investigation has uncovered numerous indicators of malicious activity related to a specific incident. Organizations are urged to scrutinize their logs for signs of compromise using the provided Indicators of Compromise (IOCs). The analysis shows that legitimate Drift integration traffic should originate from a set of known source IPs owned and operated by Drift. Any successfully authenticated connection using Drift tokens from an IP address not listed in the official document should be treated as suspicious and potentially malicious. The findings include a list of confirmed malicious IP addresses and suspicious User-Agent strings (see reference). While these IPs are confirmed malicious, some are Tor exit nodes and may therefore also appear in unrelated traffic; the malicious determination applies to connections from these IPs to a Drift integration that successfully authenticated with a Drift token.
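The hunting logic described above, expressed as a small classifier over authentication events (added example, not part of the original pulse or of any Drift tooling). The IP ranges, malicious IPs, User-Agent strings, log field names and sample events are all placeholders constructed for this example; substitute the published Drift source IPs and the IOC lists from the referenced report. Note the gate on successful Drift authentication: it is what keeps Tor-exit-node noise (failed or unrelated traffic from the listed IPs) out of the "malicious" bucket, as the pulse recommends.

```python
import ipaddress
import json

# Placeholder lists (assumed for this example; substitute the real ones):
# - DRIFT_SOURCE_RANGES: the known source IPs Drift publishes for integration traffic
# - MALICIOUS_IPS: the confirmed-malicious IPs from the referenced report
# - SUSPICIOUS_USER_AGENTS: the User-Agent strings from the referenced report
DRIFT_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed (TEST-NET-3)
MALICIOUS_IPS = {ipaddress.ip_address("198.51.100.7")}          # assumed (TEST-NET-2)
SUSPICIOUS_USER_AGENTS = {"python-requests/2.31.0"}              # assumed placeholder

# Constructed sample events, one JSON object per line; field names are assumed.
SAMPLE_LOGS = """\
{"ts":"2025-08-20T10:00:01Z","integration":"drift","auth":"success","src_ip":"203.0.113.5","ua":"Drift-Integration/1.0"}
{"ts":"2025-08-20T10:02:17Z","integration":"drift","auth":"success","src_ip":"198.51.100.7","ua":"python-requests/2.31.0"}
{"ts":"2025-08-20T10:03:44Z","integration":"drift","auth":"success","src_ip":"192.0.2.33","ua":"Mozilla/5.0"}
{"ts":"2025-08-20T10:04:10Z","integration":"drift","auth":"failure","src_ip":"198.51.100.7","ua":"python-requests/2.31.0"}
{"ts":"2025-08-20T10:05:00Z","integration":"salesforce","auth":"success","src_ip":"192.0.2.9","ua":"curl/8.0"}
"""


def in_drift_ranges(ip):
    """True if ip falls inside one of the published Drift source ranges."""
    return any(ip in net for net in DRIFT_SOURCE_RANGES)


def classify(event):
    """Return (verdict, reasons) for one connection event.

    Verdicts: 'ignored'    - not a successful Drift-token authentication (noise filter)
              'malicious'  - successful Drift auth from a confirmed-malicious IP
              'suspicious' - successful Drift auth from outside Drift's ranges,
                             or carrying a reported suspicious User-Agent
              'expected'   - successful Drift auth from a published Drift IP
    """
    if event.get("integration") != "drift" or event.get("auth") != "success":
        return "ignored", []
    ip = ipaddress.ip_address(event["src_ip"])
    reasons = []
    if ip in MALICIOUS_IPS:
        reasons.append("source IP is on the confirmed-malicious list")
    if not in_drift_ranges(ip):
        reasons.append("source IP is not a published Drift source IP")
    if event.get("ua") in SUSPICIOUS_USER_AGENTS:
        reasons.append("User-Agent matches a reported suspicious string")
    if ip in MALICIOUS_IPS:
        return "malicious", reasons
    if reasons:
        return "suspicious", reasons
    return "expected", reasons


def hunt(log_text):
    """Classify every JSON event in log_text; return a list of (event, verdict, reasons)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict, reasons = classify(event)
        findings.append((event, verdict, reasons))
    return findings


def count_verdicts(log_text):
    """Summarise hunt() results as {verdict: count}."""
    counts = {}
    for _, verdict, _ in hunt(log_text):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for event, verdict, reasons in hunt(SAMPLE_LOGS):
        if verdict in ("malicious", "suspicious"):
            print(f"{event['ts']} {event['src_ip']:>15} {verdict:10} {'; '.join(reasons)}")
```

Against the constructed sample, the allowlisted connection is reported as expected, the connection from the listed malicious IP as malicious, the off-allowlist connection as suspicious, and the failed authentication from the malicious IP is ignored rather than counted, which is the Tor-exit-node caveat in practice.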

OPENCTI LABELS :

authentication,drift integration,user-agent strings,network traffic,supplychain



