NoName057(16) are targeting the UK today, so I shall start monitoring them and naming their targets and attack types.
Their targeting: https://raw.githubusercontent.com/GossiTheDog/Monitoring/main/NoName/targets_2023_12_07_11am.txt
Currently:
#threatintel #noname
Kevin Beaumont
•I just had a quick workflow play, I think I can do it.
#threatintel
Kevin Beaumont
•Tracking Russia’s NoName057[16] attempts to DDoS UK public services
Kevin Beaumont (DoublePulsar)
Kevin Beaumont
•Target list: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_08_10am.txt
#precrime #threatintel
Kevin Beaumont
•Target list: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_11_11am.txt
Kevin Beaumont
•Target list: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_11_3pm.txt
Kevin Beaumont
•Target list: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
Kevin Beaumont
•Target list: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
Kevin Beaumont
•They photoshopped ebrd being offline. https://www.ebrd.com/what-we-do/war-on-ukraine
#threatintel
Kevin Beaumont
•Some new targets this morning:
Target list: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
Kevin Beaumont
•Targets:
Target list and config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
I have all of NoName's targeting in Excel if data needed.
Kevin Beaumont
•Their target list:
Target list and config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_21_10am.txt
#threatintel
Kevin Beaumont
•Target list and config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_22_11am.txt #threatintel
Kevin Beaumont
•Config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_22_8pm.txt #threatintel
Kevin Beaumont
•I think it is a state-sponsored operation as they’re trying to meet targets and look busy... they make even cyber hacktivism boring. I imagine David Brent is the office manager, doing an OKR dance.
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_23_1pm.txt
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_24_6pm.txt
#threatintel
Kevin Beaumont
•Netherlands and Iceland, includes a bike shed.
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_25_4pm.txt
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_26_1pm.txt
#threatintel
Kevin Beaumont
•The infrastructure is on prem.
#NoName don't have much bandwidth as Ddosia is small, what they rely on is webapps failing over under stress.
Each campaign NoName run has a unique ID - when they find an easily downable target, they save the target campaign details and rerun it in the future over and over again on different days to make themselves appear busy.
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_27_10am.txt
#threatintel
Kevin Beaumont
•Targets:
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_28_10am.txt
#threatintel
Kevin Beaumont
•They went behind Cloudflare as this is the 4th time, but they left their web server on Zen Internet exposed to everybody - so the attackers are still targeting that. It’s in the spreadsheet screenshot above.
V is for...
•But long/short is, they know, as does the IT company whose Zen reseller account server it’s on.
But they all decided to go home for Christmas and leave it outstanding.
Not my dad’s pub… 🤦🏻♂️
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_30_4pm.txt
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_31_3pm.txt
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#threatintel
Kevin Beaumont
•They're starting with Ukraine, they will announce some of these.
Botnet config is long today: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_10_10am.txt
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_10_11am.txt
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#threatintel
Kevin Beaumont
•#threatintel
Kevin Beaumont
•Botnet config, 329 lines: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_14_3pm.txt
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_15_2pm.txt
#threatintel
Kevin Beaumont
•Config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_15_3pm.txt
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_16_8pm.txt
#threatintel
Kevin Beaumont
•Today, with the protection of Latvia, they DDoS'd Czech, Switzerland and Belgium.
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_17_6pm.txt
#threatintel
Kevin Beaumont
•#threatintel
Several Federal Administration websites disrupted temporarily by DDoS attack
www.admin.ch
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_18_11am.txt
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_19_3pm.txt
#threatintel
Kevin Beaumont
•Fs in the chat.
#threatintel
Kevin Beaumont
•They have published a new version of the client, and require all the users (about 10k) to redownload and reinstall - as such, their DDoS effectiveness will suck for a while.
New C2 server is 94.140.115.64 on port 80 - same ISP as before, Nano.lv in Latvia.
#threatintel
Kevin Beaumont
•Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_19_9pm.txt
NoName changes - Pastebin.com
Pastebin
Kevin Beaumont
•No botnet config dump as it’s offline.
#threatintel
Kevin Beaumont
•IP is 94.131.97.202 and hardcoded into client again - ISP https://stark-industries.solutions/ - registered in London https://find-and-update.company-information.service.gov.uk/company/13906017
They have only a fraction of hosts checking in so far, let's nuke from orbit. #threatintel
NoName changes 20/01/2024 - Pastebin.com
Pastebin
Kevin Beaumont
•C2 server: 94.131.97.202 (UK company)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_20_3pm.txt
#threatintel
Kevin Beaumont
•C2 server: 94.131.97.202 (UK front company, Czech location)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_21_11am.txt
#threatintel
Kevin Beaumont
•E.g. I've attached the report for liverpool.gov.uk just now, which shows as down - but it's actually available.
The net effect is an audience of tens of thousands on Telegram cheering on nothing.
Another example is "Swift card authorization" shown on the list. That sounds bad, right? They mean a bus card.
#threatintel
Kevin Beaumont
•New client info: https://pastebin.com/6xHh4n8B
New C2: 193.233.193.240 (Huize Telecom in Hong Kong)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_22_10am.txt
NoName Ddosia new client info - 22/01/2024 - Pastebin.com
Pastebin
Kevin Beaumont
•New client again, info: https://pastebin.com/Ukckmgf8
New C2: 89.105.201.91 (Novoserve)
#threatintel
NoName Ddosia new client info - 23/01/2024 - Pastebin.com
Pastebin
Kevin Beaumont
•#threatintel
Kevin Beaumont
•First version crashed on start
https://pastebin.com/nP7bTR9v
New C2: 5.44.42.29 (GIR Network)
#threatintel
NoName changes 23/01/2024 - update 2 - Pastebin.com
Pastebin
Kevin Beaumont
•C2: 5.44.42.29 (GIR Network)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_24_10am.txt
#threatintel
Kevin Beaumont
•C2: 5.44.42.29 (GIR Network)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_25_6pm.txt
#threatintel
Kevin Beaumont
•NoName Ddosia new client info - 26/01/2024 - Pastebin.com
Pastebin
Kevin Beaumont
•C2: 195.35.19.138 (Hostinger)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_26_6pm.txt
#threatintel
Kevin Beaumont
•C2: 195.35.19.138 (Hostinger, Brazil)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_27_3pm.txt
#threatintel
Kevin Beaumont
•C2: 195.35.19.138 (Hostinger, Brazil)
As part of "NATIONAL DEFENCE HACKATHON" alongside groups 22С, SKILLNET, CyberDragon, Federal Legion, People's Cyber Army, PHOENIX.
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_28_11am.txt
#threatintel
Kevin Beaumont
•https://pastebin.com/tCaArzYp
#threatintel
NoName Ddosia new client info - 29/01/2024 - Pastebin.com
Pastebin
Kevin Beaumont
•New C2: 185.255.123.84 (tinhat.se, physically in Nigeria)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_29_1pm.txt
#threatintel
Kevin Beaumont
•C2: 185.255.123.84 (tinhat.se, physically in Nigeria)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_30_9pm.txt
#threatintel
Kevin Beaumont
•C2: 185.255.123.84 (tinhat.se, physically in Nigeria)
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_31_5pm.txt
Kevin Beaumont
•https://gist.github.com/GossiTheDog/dedcb8c68218782a735394f366d58658
#threatintel
NoName Ddosia new client info - 31-01-2024
Gist
Kevin Beaumont
•#threatintel
NoName Ddosia new client info - 01-02-2024
Gist
Kevin Beaumont
•New C2: 188.116.20.254 - ROKO Networks Ltd - abuse@iroko.net
#threatintel
Kevin Beaumont
•NoName Ddosia new client info - 02-02-2024
Gist
Kevin Beaumont
•New C2: 45.89.55.4 - Stark Industries Solutions
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_02_4pm.txt
#threatintel
Kevin Beaumont
•New #NoName #Ddosia client file hashes and C2:
https://gist.github.com/GossiTheDog/e3360ed34b57d377b40dc2fba7f689a5
NoName Ddosia new client info - 04-02-2024
Gist
Kevin Beaumont
•New C2: 193.233.193.90 - huize.asia, Hong Kong
Botnet config:
https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_04_11pm.txt
#threatintel
Kevin Beaumont
•C2: 193.233.193.90 - huize.asia, Hong Kong
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_05.txt
#threatintel
Kevin Beaumont
•This is part of a common theme where they try to use the ping and traceroute option to try to prove a site is offline, to mislead people.
#threatintel
Kevin Beaumont
•https://gist.github.com/GossiTheDog/e56ffe64b9ecdbbc51d33d9e4bf67869
Russian branded version has been mothballed.
NoName Ddosia new client info - 06-02-2024
Gist
Kevin Beaumont
•New C2 185.234.66.126 - pq.hosting, Netherlands
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_06_1pm.txt
Kevin Beaumont
•https://gist.github.com/GossiTheDog/6988b27da07e9d8ec1ca6bec5d06033a
Russian branded version is back.
No, this isn't nor was it ever running on toothbrushes.
#threatintel
NoName Ddosia new client info - 07-02-2024
Gist
Kevin Beaumont
•New C2 45.136.199.235 - IROKO Networks, Romania
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_07_4pm.txt
#threatintel
Kevin Beaumont
•https://gist.github.com/GossiTheDog/27e65024c71a94f1a06913b8fe74c9fd
#threatintel
NoName Ddosia new client info - 08-02-2024
Gist
Kevin Beaumont
•New C2 83.217.9.33 - iptk.ru, Turkey
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_08_10am.txt
#threatintel
Kevin Beaumont
•https://gist.github.com/GossiTheDog/9243528c7055b4b2d05e5daa9d03a83c
NoName Ddosia new client info - 08-02-2024 - round two
Gist
Kevin Beaumont
•https://gist.github.com/GossiTheDog/56673d225f9d91f68cf68666084e3c2f
(Yes, they're on their 3rd new client today alone)
#threatintel
NoName Ddosia new client info - 08-02-2024 - round three
Gist
Kevin Beaumont
•https://gist.github.com/GossiTheDog/f8cbf0039b5463851f61009cea377f20
Yes, they're on their fourth client update today as all their nodes keep getting lost :(
#threatintel
NoName Ddosia new client info - 08-02-2024 - round four
Gist
Kevin Beaumont
•https://gist.github.com/GossiTheDog/f1079fe5486b2e7ac61d2e069caa67d4
#threatintel
NoName Ddosia new client info - 09-02-2024
Gist
Kevin Beaumont
•New C2 185.234.66.239 - pq.hosting
Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_09_2pm.txt
#threatintel