|
According to recent research conducted by DNS Threat Researcher Dancho Danchev, the National Security Agency (NSA) seemingly runs a free VPN domain portfolio to lure malicious users and learn more about their Internet activities.
Here is an overview of the key findings and additional enrichment conducted with WhoisXML API’s intelligence tools and Maltego:
Danchev obtained a list of domains related to the NSA-operated free VPN services. The said list contained 24 domains used to identify related web properties that could hint at ties to potential threat actors or malicious campaigns. A portion of these 24 domains are:
The full list of the domains is available for download here.
Over the course of the in-depth investigation, 22 registrant email addresses linked to the NSA-owned free VPN services were identified. Using the registrant email addresses as search terms for Maltego research using the WhoisXML API Reverse WHOIS Search transform, we obtained 174 related domains. That means the domains’ WHOIS records shared the registrant email addresses. Examples of the connected domains include:
A bulk WHOIS lookup for the 174 email domains revealed the following:
A bulk malware check using Threat Intelligence Platform API, meanwhile, showed that two of the 174 domains connected to the registrant email addresses were dubbed “dangerous” on various threat sources. These are cnairs[.]com and avxz[.]com.
A bulk DNS lookup performed on the 174 domains revealed that 98 currently resolved to IP addresses, which could mean they are in use. It may be best for individuals and organizations alike to avoid connections to and from these 98 IP addresses due to their connection to domains related to an ongoing malicious campaign. Examples of these IP addresses are:
All of the web properties mentioned in this post could pose varying levels of risk to individuals and organizations that knowingly or unknowingly have dealings with or grant system or network access to them. And avoiding them may be a worthy endeavor, given their potential connection to an ongoing malicious campaign.
If you are a security researcher working on the same or a similar investigation, talk to us by filling out this form. We can share resources like the complete list of web properties possibly related to the ongoing campaign.
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byVerisign
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byVerisign