Greetings. Something strange happened with my server: I set up a CS server on it and completely forgot about it, then started a network scan from it, and as a result I got blocked. The interesting part is that the block was issued not for the scanning, but because Microsoft found that CS was being hosted at xxx.xxx.xxx.xxx:5555/uNg3. So does that mean they constantly monitor the network and look for someone to complain about? Has this happened to any of you, and how do you protect yourself from this sort of thing? I have never run into this before.
Attacks on Microsoft and Fortra Software and Customers by Your Organization's IP Addresses
Dear Abuse and Legal Teams:
We are communicating with you on behalf of Microsoft Corporation ("Microsoft"), a limited liability company incorporated under the laws of the State of Washington and having its offices at One Microsoft Way, Redmond, Washington 98052, United States of America, and Fortra LLC ("Fortra"), a limited liability company organized under the laws of the State of Delaware and having its offices at 11095 Viking Drive, Suite 100, Eden Prairie, Minnesota 55344, United States of America, to:
notify you of illegal activity from the IP addresses outlined at the end of this message, hosted by your company, which is causing a widespread attack on, and severe business disruption and injury to, Microsoft, Fortra, and their respective customers, (the "Attacks"), as well as constituting an infringement of Fortra's and Microsoft's intellectual property rights (the "Infringements"); and
request that your company take the necessary steps to cease the Infringements and stop further illegal Attacks from happening, as per your legal obligations detailed herein below.
We also request that your abuse team immediately forward this communication to your company's legal team.
Microsoft and Fortra have conducted a detailed investigation and detected a pattern of IP addresses hosted by your company acting as command-and-control infrastructure for the malicious, trademark and copyright infringing use of illegal versions of software known as "Cobalt Strike".
During the Attacks, illegal activity is conducted through these IP addresses by delivering malicious commands to and receiving stolen information from victim computers running Microsoft's Windows operating system. The malicious and unlawful versions of Cobalt Strike controlled through these IP addresses are used to target victims with ransomware (i.e., Conti and Lockbit), resulting in extortion of funds and theft of sensitive information, intrusion into victims' computers and networks, surveillance of the victims, and obfuscation of the cybercriminals' activity. In these ways, the Attacks emanating from the IP addresses hosted by your company are causing severe business disruption and injury to Microsoft, Fortra, and their respective customers, including victims in sensitive industries such as healthcare, and individual consumers.
As regards the Infringements, the malicious and unlawful versions of Cobalt Strike software infringe on Fortra's copyright by literally copying the entirety of its copyrighted Cobalt Strike "team server" code in a cracked, unauthorized version used for malicious purposes. The infringement involves unauthorized copying of executable code for all of the Cobalt Strike team server's web server, beacon and configuration features and functionality, including all of Fortra's creative and original method implementations, interfaces, parameters, variables, arrays, data types, operators, and objects. Further, the content hosted at the IP addresses referred to herein violates the law as it contains malicious code including unauthorized use of Fortra's "Cobalt Strike" trademark and both Microsoft's and Fortra's copyrighted code.
The Attacks and the Infringements from your company's infrastructure are ongoing. It is also foreseeable that if your customers carrying out these Infringements and illegal Attacks over the identified IP addresses are permitted to continue to use your company's infrastructure in the future, Microsoft, Fortra, and their respective customers will as a result be subject to continued serious injury.
Set forth below are the malicious Cobalt Strike command and control IP addresses identified as being hosted by your company. We are also providing you with the relevant details regarding these IP addresses, including evidence of illegal activity, date and time information, and other indicators. This notification letter is sent to you to inform you of the illegal activity taking place at these IP addresses and to enable you to fully identify the illegal activity and customers associated with the traffic.
The Attacks and the Infringements, as outlined above, violate the law and your company's terms of use.
We urge your company to review its terms of use for violations by your customers carrying out the Attacks and the Infringements and to exercise its rights to stop the illegal network activity, in order to mitigate the injury to Microsoft, Fortra, and their respective customers, and for Microsoft's, Fortra's, and their respective customers' benefit.
The illegal activity from the IP addresses violates the law as they are used to control the malicious versions of stolen Cobalt Strike; and thus, commits several criminal offenses including illegal access, illegal interception, data interference, misuse of devices, computer-related forgery, and computer-related fraud. The malicious, illegal versions of Cobalt Strike command and control software hosted at the IP addresses are also engaged in fraudulent conduct, extortion, and theft of funds, which is illegal under the laws of all jurisdictions, while also infringing our intellectual property rights.
This letter is an official notification under the laws implementing Article 14 of the EU e-Commerce Directive 2000/31/EC and other analogous laws in your jurisdiction, in line with Article 6 of the Digital Services Act – Regulation 2022/2065, thus providing your company with actual knowledge of the illegal activity. Please be advised that the law requires your company, as a hosting provider, to act against the illegal activity upon receiving this notice to remove or, at the least, to disable access to the illegal information or illegal activity. Under the foregoing legislation a hosting provider, such as your company, can be held liable for the illegal activity originating from your infrastructure unless you act expeditiously to disable the illegal activity upon receiving this notice. Under the foregoing legislation a hosting provider, such as your company, may avoid liability for the illegal activity originating from their infrastructure if they act expeditiously to remove or disable the illegal activity once obtaining knowledge or awareness of it, as well as to prevent the illegal activity.
Because the Attacks and the Infringements originate from IP addresses hosted by your company, and for which your company is responsible, Microsoft and Fortra respectfully request that your company:
take immediate steps to remove or disable access to the infringing content and disable the illegal activity carried out through the IP addresses listed below,
cease providing services to any existing customer enabling them to use these IPs to carry out the Infringement and the Attacks,
ensure that any ultimate customer is not allowed to reestablish these IP addresses at your company or maintain any future presence on your company's network in order to carry out similar Infringement and Attacks, and
preserve for evidence purposes the content and traffic data for these servers, as well as the user's control panel, for a period of 6 months.
After having taken the necessary steps, Microsoft and Fortra also request that your company immediately notify the customers to cease any illegal activity originating from your infrastructure in the future. As the identified servers do not have any public facing websites, it is impossible for Microsoft or Fortra to contact your customers directly.
As you know, failure to comply with this request to take action against illegal content and/or illegal activity may result in your company's liability for the prejudice Microsoft, Fortra and their customers are bound to suffer as a result. Consequently, Microsoft and Fortra look forward to collaborating with your company to reach a full and accurate understanding of the Infringements and the Attacks and their source, and to take all necessary and appropriate steps to ensure that no further illegal activity occurs; as well as to protect Microsoft, Fortra, and their respective customers from any future harm and the associated damage that these Infringements and Attacks have caused or may cause.
Please feel free to contact us with any questions or concerns.
Microsoft Corporation
Fortra, LLC
Domain N/A
IP xxx.xxx.xxx.xxx
Port 5555
URL hxxp://xxx.xxx.xxx.xxx:5555/uNg3
Last seen September 11, 2023 7:59 UTC
Autonomous System Number 0
Beacon Sha256 ceb35a...e
Watermark 98...4321