Just published the second-longest blog post in my 14 year career as an independent reporter.

This story is the result of a ridiculous amount of research. I hope you like it, because I learned tons reporting this, and there needs to be a broader conversation about some of the issues raised by this research. The lede:

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

Stark Industries Solutions: An Iron Hammer in the Cloud – Krebs on Security

BTW, if it teases the story more, the longest story I wrote was the one about the unveiling of the authors of the Mirai DDoS malware:

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Who is Anna-Senpai, the Mirai Worm Author? – Krebs on Security

Just added a very interesting wrinkle from the DNS guru Doug Madory over at Kentik, regarding the top sources and destinations for Stark Industries' traffic:

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark's network.

"Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477)," Madory said. "Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran."
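As an added illustration of the kind of aggregate NetFlow ranking Madory describes (my own example, not Kentik's tooling or data), the script below parses a constructed flow export, ranks destination countries for traffic leaving a given AS, and ranks source ASNs for traffic entering it. AS44477 is taken from the thread; every other ASN (private-use range 65001-65011), the country codes, and the byte counts are constructed so that the Iran share comes out at the 35.1% quoted above, purely to make the arithmetic easy to follow.

```python
"""Rank destinations and sources of flow traffic for one ASN.

Added example: a simplified NetFlow-style record (src ASN, dst ASN,
destination country, bytes). Not Kentik's code or data.
"""
from collections import Counter
from typing import Callable, Hashable, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src_asn: int
    dst_asn: int
    dst_cc: str   # ISO country code the destination prefix geolocates to
    nbytes: int


STARK_ASN = 44477  # AS number quoted in the thread

# Constructed sample export (not real data). 65001-65011 are private-use ASNs
# standing in for real networks; the byte counts are chosen to make the
# outbound Iran share exactly 35.1%.
SAMPLE_CSV = """\
src_asn,dst_asn,dst_cc,bytes
44477,65001,IR,3000
44477,65002,IR,510
44477,65003,DE,2500
44477,65004,US,1990
44477,65005,NL,2000
65010,44477,NL,4000
65011,44477,NL,1500
65003,44477,NL,500
"""


def parse_flows(csv_text: str) -> List[Flow]:
    """Parse a header-prefixed CSV export into Flow records, skipping blank lines."""
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    flows = []
    for ln in lines[1:]:  # first line is the header
        src, dst, cc, nbytes = ln.split(",")
        flows.append(Flow(int(src), int(dst), cc.strip(), int(nbytes)))
    return flows


def share_by(flows: Iterable[Flow],
             key: Callable[[Flow], Hashable]) -> List[Tuple[Hashable, float]]:
    """Sum bytes per key and return (key, percent of total) sorted descending."""
    totals: Counter = Counter()
    for f in flows:
        totals[key(f)] += f.nbytes
    grand = sum(totals.values())
    if grand == 0:
        return []
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(k, round(100.0 * v / grand, 1)) for k, v in ranked]


def top_destination_countries(flows: Iterable[Flow], src_asn: int):
    """Where does traffic emanating from src_asn go, by destination country?"""
    return share_by([f for f in flows if f.src_asn == src_asn], lambda f: f.dst_cc)


def top_source_asns(flows: Iterable[Flow], dst_asn: int):
    """Which ASNs send the most traffic into dst_asn?"""
    return share_by([f for f in flows if f.dst_asn == dst_asn], lambda f: f.src_asn)


SAMPLE_FLOWS = parse_flows(SAMPLE_CSV)

if __name__ == "__main__":
    print("outbound by country:", top_destination_countries(SAMPLE_FLOWS, STARK_ASN))
    print("inbound by source AS:", top_source_asns(SAMPLE_FLOWS, STARK_ASN))
```

The one-direction split matters for the reading Madory gives: the outbound ranking (where AS44477's traffic lands) and the inbound ranking (who sends traffic into it) are separate questions, and it is the pairing of a blocked-in-Iran source with Iranian destinations that supports the proxy hypothesis, not either number alone.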

Malwarebytes has published a writeup on an extensive campaign that targets corporate users with malicious ads. Among the sites used as lures are fake Wall Street Journal and CNN websites that tell visitors they're required to install a WSJ or CNN-branded browser extension.

tl;dr: A key domain used in this campaign is hosted at Stark Industries Solutions.

https://www.threatdown.com/blog/corporate-users-targeted-via-malicious-ads-and-modals/

Corporate users targeted via malicious ads and modals - ThreatDown by Malwarebytes

It has been brought to my attention that I left two important details about Stark out of my story.

1) Stark's contact details with RIPE, which manages Internet address space for Europe, the Middle East and Central Asia, include a choice "leet" designation and possibly a dig at RIPE: "SICK1337-RIPE"

Also, I can't believe I forgot to include the bit of movie trivia (I thought it was obvious): In the Marvel storyline, the head of Stark Industries, Tony, was an international arms dealer. Funny enough, Ivan Neculiti, or his brother Yuri who also runs Stark/PQ Hosting, consistently used the email address [email protected].

BTW this was just posted by the pro-Russian DDoS group NoName, wherein they rub it in that people in Europe are just now figuring out that they've been launching DDoS from hosting providers in Europe, not in Russia.

@briankrebs we are at war. We are under attack. We need to act accordingly. Today!

@briankrebs right, glory to Russian script kiddies. Like to see them try to fab a semiconductor device

@davbram @briankrebs why fab when you can just import through Armenia

@red0ran @briankrebs
why build a botnet when you can just threaten people with guns to click where you want them to

Edit: because glory!

@briankrebs NoName and KillNet are just script kiddies. I don't know why people are paying any attention to them...

@bontchev I paid attention to them because the networks supporting them are also doing a lot more bad stuff than DDoS vs UA.

@briankrebs Yeah, they provide Facebook access to Iran, LOL.

@briankrebs their apparent tendency to boast could perhaps be used to bait them, especially given their apparent immaturity too?

@briankrebs - yea. I was wondering why u didn't mention tony@stark as well. I assumed that was obvious to everyone reading and so there was no point mentioning it. But I can see that there may be folks who may not realize :)

@briankrebs the "-RIPE" is a mandatory suffix. The required format is

Char+ Num+ -RIPE

You can select the first two largely without restrictions as long as they're not already taken.

@RichiH Kind of seems like given the context, there is contempt in that name. As in, if RIPE actually knew whether any of the data in its database was real or made up, we wouldn't be able to operate the way we do among them.

@briankrebs my gut based on RIPE knowledge is no, and "sick elite" might be a non-native speaker's idea of a cool name.

I don't have half the context you do though, not actively arguing against your interpretation, just giving context from an area I happen to know a lot about.

@RichiH @briankrebs It is not. The -RIPE is customary but optional. See my personal one 'ZAP'. Happy Towel Day btw.

@RichiH @briankrebs I originally looked into this because I felt 'ZAP-RIPE' was maybe giving the wrong message

@zaphodb @briankrebs maybe that changed again? I am positive it was changed to require the suffix in the early 10s.

@RichiH might have. Mine is from "created: 2008-11-07T11:00:36Z"

@RichiH I think at some point the source attribute was introduced, might make sense to have it optional from then

@zaphodb oh, I thought yours was more recent. The change to require the suffix was more 2010 or so

@briankrebs The easiest way to get them shut down is probably just to make Disney aware of the IP theft. Domain would be gone in hours. :)

@briankrebs I haven't seen 1337 since the BBS days.. 1995?

@briankrebs Another point of data: Up to Sept. 2023 the PayPal merchant was "PQ.Hosting [email protected]". In Oct. 2023 or thereabouts it switched to "Stark Industries Solutions LTD [email protected]". As of March/April 2023 it seems their access to PayPal was cut off; I'm guessing due to sanctions.

@briankrebs Arg, morning brain. Correction: As of March/April 2024...

@briankrebs Stark Industries Solutions, how original: same as the fictional multinational conglomerate appearing in comic books by Marvel Comics.

@TycoonTom Yes, but you missed "arms dealer"

@briankrebs A thread on Twitter/X from Troy Hunt. Just wondering if you have any more info on pcTattletale?

https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/

EXCLUSIVE: Spyware found on US hotel check-in computers

The check-in computers at several hotels around the U.S. are running a remote access app, which is leaking screenshots of guest information to the internet.

@briankrebs I, home user, Chrome, just had a pop-up redirect when I went to IMDB.com telling me to install. WTF no way. I killed the tab and tried the URL again, no pop-up.
@briankrebs Might be long, but an impressive piece of investigative journalism!

@briankrebs "Stark Industries". Would it be overly suspicious of me to wonder if there's an Elmu connection?

@briankrebs You did put a lot of effort into that. Thanks for disseminating it.

@briankrebs I read it last night. Fantastic reporting, a lot to take in. Your usual meticulous research. Good stuff.

@briankrebs That's some impressive investigative #journalism

@briankrebs I have to ask: how come Constella has intelligence on the passwords used by email addresses? Wouldn't leaking the password be bad opsec for the people running these accounts?

@Sevoris Because in many cases, they are indexing data from breaches in which the cleartext password was available, or that maps to a hash that is known.