Akamai Guardicore Segmentation CTI

Threat Information

Role	Attacker
Services Targeted	SSH
Tags	Scheduled Task Creation Download Operation HTTP Outgoing Connection 2 Shell Commands Access Suspicious Domain Download and Execute Successful SSH Login SSH Download File Download and Allow Execution
Connect Back Servers	202.110.187.205

Basic Information

IP Address	62.24.124.51
Domain	-
ISP	Telkom
Country	Kenya
WHOIS	Created Date	-
	Updated Date	-
	Organization	-

First seen in Akamai Guardicore Segmentation	2022-02-04
Last seen in Akamai Guardicore Segmentation	2022-02-04

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List	Successful SSH Login
A possibly malicious Download Operation was detected 4 times	Download Operation
Process /usr/bin/wget generated outgoing network traffic to: 202.110.187.205:80 2 times	Outgoing Connection
Process /usr/bin/wget attempted to access suspicious domains: gowiden.com 2 times	Access Suspicious Domain Outgoing Connection
Process /usr/local/bin/dash generated outgoing network traffic to: 202.110.187.205:80	Outgoing Connection
Process /usr/local/bin/dash attempted to access suspicious domains: gowiden.com	Access Suspicious Domain Outgoing Connection
Process /usr/local/bin/dash generated outgoing network traffic to: 202.110.187.205:80	Outgoing Connection
Process /usr/local/bin/dash attempted to access suspicious domains: gowiden.com	Access Suspicious Domain Outgoing Connection
Process /usr/bin/wget generated outgoing network traffic to: 202.110.187.205:80 3 times	Outgoing Connection
Process /usr/bin/wget attempted to access suspicious domains: gowiden.com 3 times	Access Suspicious Domain Outgoing Connection
Process /usr/bin/wget generated outgoing network traffic to: 202.110.187.205:80 2 times	Outgoing Connection
Process /usr/bin/wget attempted to access suspicious domains: gowiden.com 2 times	Access Suspicious Domain Outgoing Connection
Process /usr/local/bin/dash generated outgoing network traffic to: 202.110.187.205:80	Outgoing Connection
Process /usr/local/bin/dash attempted to access suspicious domains: gowiden.com	Access Suspicious Domain Outgoing Connection
The file /root/pty was downloaded and executed 8 times	Download and Execute
The file /root/irq0 was downloaded and granted execution privileges	Download and Allow Execution
Process /usr/local/bin/dash generated outgoing network traffic to: 202.110.187.205:80	Outgoing Connection
Process /usr/local/bin/dash attempted to access suspicious domains: gowiden.com	Access Suspicious Domain Outgoing Connection
The file /root/irq1 was downloaded and granted execution privileges	Download and Allow Execution
Process /usr/local/bin/dash generated outgoing network traffic to: 202.110.187.205:80 2 times	Outgoing Connection
Process /usr/local/bin/dash attempted to access suspicious domains: gowiden.com 2 times	Access Suspicious Domain Outgoing Connection
Process /usr/bin/wget generated outgoing network traffic to: 202.110.187.205:80	Outgoing Connection
Process /usr/bin/wget attempted to access suspicious domains: gowiden.com	Access Suspicious Domain Outgoing Connection
The file /var/tmp/pty was downloaded and executed	Download and Execute
Connection was closed due to user inactivity

Akamai Security Intelligence Group

Guardicore CENTRA

Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

Threat Information

Basic Information

Attack Flow