
Thread: CERT Warning

  1. #1
    DjM ("I'd rather be fishing")
    Join Date: Aug 2001 | Location: The Great White North | Posts: 1,867

    CERT Warning

    Someone just forwarded an e-mail warning from CERT. The e-mail reads as follows:

    US-CERT has received a report today, indicating that extensive attacks and system compromises (exploit unknown at this time) have originated from the following IP addresses.

    200.128/16
    200.222.216.133
    200.149.99.228

    Very little technical detail is available at this time. US-CERT requests that each recipient check your logs from 1 Jan 05 to present. Provide US-CERT or Control Systems Center your results, either positive or negative.

    Preliminary analysis indicates that the activity initiated from these IPs appears to have been made by a group rather than an individual. More than 526 exploit attempts have been noted. The attacks seem to have targeted specific IPs, not ranges of IPs. Only servers were attacked. No desktop machines were observed to be scanned or targeted for attack. Initial attacks were automated, followed by manual hands-on attacks. All of the attacked servers were running a Microsoft Windows Operating System and at least one was fully patched when compromised.

    Please disseminate to your owner operators ASAP so US-CERT can judge the national impact of these compromised systems.

    Please review any contact with the above systems through logs, FWs, and IDSs and report back through the ISAC or directly to US-CERT or me directly at david.n.sanders@dhs.gov. I cannot stress enough the seriousness of these attacks. Response teams have been deployed to deal with system compromises from NCSD.
    Best regards,

    David N Sanders
    Director, Control Systems Center
    National Cyber Security Division
    Department of Homeland Security
    703-915-8769
    703-235-5193

    Now I checked CERT (I still am) and couldn't find anything, so I thought I'd check here to see if anyone has got any info on this or if it's just a hoax.

    Cheers:
    DjM
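    The forwarded e-mail asks every recipient to check firewall and IDS logs since 1 Jan 05 for contact with the three listed sources. The following Python script is an added example, not part of the thread or of any US-CERT tooling: it matches the source address of each log line against that list. The log lines are constructed iptables-style syslog records, not real traffic. One detail worth noting: the advisory writes the first entry in abbreviated form, "200.128/16", which Python's ipaddress module rejects, so the script pads the missing octets before parsing. The sample also contains a constructed look-alike address that differs from a listed one by a single octet, to show that the matcher treats it as a non-hit rather than a near miss.

```python
import ipaddress
import re

# The three sources exactly as written in the forwarded e-mail (abbreviated prefix included).
WARNING_IPS = ["200.128/16", "200.222.216.133", "200.149.99.228"]


def normalize_network(entry):
    """Convert a listed entry into an IPv4Network.

    Advisories often abbreviate prefixes ('200.128/16'); ipaddress.ip_network()
    only accepts the full dotted form, so missing octets are padded with zeros.
    A bare address becomes a /32 host route.
    """
    if "/" in entry:
        addr, prefix = entry.split("/", 1)
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)
    return ipaddress.ip_network(entry + "/32")


NETWORKS = [normalize_network(e) for e in WARNING_IPS]

# Constructed sample log (iptables/netfilter syslog format); not taken from the thread.
# Line 4 is a look-alike: 200.122.216.133 differs from the listed 200.222.216.133 by one octet.
SAMPLE_LOG = """\
Jan  3 02:14:07 fw kernel: IN=eth0 OUT= SRC=200.128.44.9 DST=10.0.0.5 PROTO=TCP SPT=4123 DPT=445
Jan  3 02:14:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.17 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=80
Jan  4 11:02:31 fw kernel: IN=eth0 OUT= SRC=200.222.216.133 DST=10.0.0.8 PROTO=TCP SPT=3331 DPT=3389
Jan  4 11:05:00 fw kernel: IN=eth0 OUT= SRC=200.122.216.133 DST=10.0.0.8 PROTO=TCP SPT=3332 DPT=3389
Jan  5 09:00:00 fw kernel: IN=eth0 OUT= SRC=200.149.99.228 DST=10.0.0.9 PROTO=TCP SPT=1025 DPT=135
"""

# Extracts the SRC= field of a netfilter log line.
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_warning(ip):
    """Return the listed network that contains ip, or None if it is not on the list."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if addr in net:
            return net
    return None


def scan_log(text):
    """Return (line, source_ip, matched_network) for every line whose SRC is on the list."""
    hits = []
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        net = matches_warning(m.group(1))
        if net is not None:
            hits.append((line, m.group(1), str(net)))
    return hits


if __name__ == "__main__":
    for line, src, net in scan_log(SAMPLE_LOG):
        print(f"HIT {src} (listed as {net}): {line}")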

  2. #2
    zencoder (AO Senior Cow-beller, Moderator)
    Join Date: Dec 2004 | Location: Mountain standard tribe. | Posts: 1,177
    A cursory glance at us-cert.gov shows nothing. Digging a bit through the official Dept. of Homeland Security site doesn't show any Control Systems Center, nor a Director David N Sanders. A google of 'control systems center site:dhs.gov' returns -0- hits, and a search for Sanders at same doesn't return a David N Sanders.

    It's some sort of hoax, joke(?), or spam, I'd bet. It could still be legit, I'm not the first person to not have known of the existence of an organization within the US federal gov't (hehe), but I'd question the source that forwarded it to you. I haven't bothered to check the phone numbers via a reverse lookup. I'm on the CERT mailing list, and this is unfamiliar to me.

    If anything, it is a social engineering/spam-smurf attack against the email box of david.n.snaders@dhs.gov ...which makes it elementary but ingenious in my book. Send out an official-looking message, asking for tons of logs to be sent to an email address of some prominent official who you want to bog down...

    /* edit for my sh!tty grammar */
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    nihil (Senior Member)
    Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    Looks like a hoax........................

    526 exploit attempts....................chickenfeed!

    Uruguay??????????????

    c'mon
  4. #4
    DjM ("I'd rather be fishing")
    Join Date: Aug 2001 | Location: The Great White North | Posts: 1,867
    Originally posted here by zencoder
    A cursory glance at us-cert.gov shows nothing. Digging a bit through the official Dept. of Homeland Security doesn't show a Control Systems Center, nor a Director David N Sanders. A google of control systems center site:dhs.gov returns -0- hits, and a search for Sanders at same doesn't return a David N Sanders.

    It's some sort of hoax, bs, or spam, I'd bet. It could still be legit, I'm not the first person to not have known of the existence of an organization within the US federal gov't (hehe), but I'd question the source that forwarded it to you. I haven't bothered to check the phone numbers via a reverse lookup. I'm on the CERT mailing list, and this is unfamiliar to me.

    If anything, it is a social engineering/spam-smurf attack against the email box of david.n.snaders@dhs.gov ...which makes it elementary but ingenious in my book. Send out an official-looking message, asking for tons of logs to be sent to an email address of some prominent official who you want to bog down...

    My source said he copied it directly from here:

    https://us-cert.esportals.net/member...partmentP=2135

    Now I am not a member so I can't log-in to verify.

    Cheers:
    DjM

  5. #5
    nihil (Senior Member)
    Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    I don't think that security alerts of that nature come out on secure sites; it would kind of defeat the object, would it not?

    On the other hand, as it cannot be readily verified or otherwise?.....................

    EDIT:

    Department of Homeland Security, National Cyber Security Division

    Mr. Sanders is the Director of the Critical Infrastructure Protection and Cyber Security within the Department of Homeland Security, National Cyber Security Division. The National Cyber Security Division provides for 24 x 7 cyber security functions, including conducting cyberspace analysis, issuing alerts and warning, improving information sharing, responding to major incidents, and aiding in national-level recovery efforts.

    Most recently Mr. Sanders was the founder and President of the information security firm Securicon. He served as an executive level consultant to some of the largest corporate and government agencies in the world on matters of information security and risk management. Previously, Mr. Sanders was the Senior Security Consultant for Riptech, Inc. until its acquisition by Symantec Corporation.

    Mr. Sanders spent 20 years in the United States Army and served in a variety of assignments including Infantry, Armor, tactical and strategic satellite, and with the National Command Authority.

    David.N.Sanders@dhs.gov

    Office: 703-915-8769
  6. #6
    zencoder (AO Senior Cow-beller, Moderator)
    Join Date: Dec 2004 | Location: Mountain standard tribe. | Posts: 1,177
    It may be an internal request. Upon following the link and being greeted by:

    ATTENTION:
    This is a restricted system.
    Unauthorized use of this system is prohibited.

    and seeing Secure Portal User Login at the top, I don't think this is intended for mass distribution. I don't know if it's a major problem that it's out, but then I could be wrong. Anyone bother to see where those IPs are from? I don't recognize the 200. octet.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    nihil (Senior Member)
    Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    Montevideo, Uruguay

  8. #8
    AOs Resident Troll
    Join Date: Nov 2003 | Posts: 3,152
    200.122.216.133 = Brazil
    telmar.net.br

    ???
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    nihil (Senior Member)
    Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    Yes, it is Brasil.

    new whois tool

    This is what CIAC have to say:

    Real warnings about viruses and other network problems are issued by computer security response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP.

    No digital signature?

  10. #10
    Senior Member
    Join Date: Nov 2001 | Posts: 1,255
    Hey, it must be boring at CERT, maybe that's just a joke internal only type thing that they write up just for kicks.
    Or it could be real and you're not supposed to be sending it around.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
