Scanning for AI Models - SANS Internet Storm Center
2026-04-15 · via SANS Internet Storm Center, InfoCON: green

Starting March 10, 2026, my DShield sensor started getting probes for various AI models and tools such as claude, openclaw, huggingface, etc. Reviewing the data already reported to ISC by other DShield sensors, the DShield database shows these probes were first reported that day and have been active ever since.

Based on what has been reported so far, the only source scanning for these models is IP 81.168.83.103. However, this source has been actively scanning my sensor since January 29, 2026 and is still doing so today. Besides the AI probes, it has been scanning various ports that are often associated with web content.

Reviewing the scanning activity from this host confirms that this source is the only IP reported to DShield performing this activity.


ES|QL Query [1]

Using this ES|QL query in Kibana Discover lists all the URLs the actor is looking for. I recorded 52 queries between March 10 and April 13, 2026, with April 3, 2026 receiving the most activity.

FROM cowrie*
| WHERE event.reference == "no match"
| WHERE http.request.body.content IS NOT NULL
| KEEP @timestamp, http.request.body.content
| WHERE http.request.body.content LIKE "*openclaw*"
    OR http.request.body.content LIKE "*claude*"
    OR http.request.body.content LIKE "*huggingface*"
    OR http.request.body.content LIKE "*openai*"
    OR http.request.body.content LIKE "*clawdbot*"
| SORT @timestamp DESC
| STATS Total=COUNT(http.request.body.content) BY AI_Scan_Activity=BUCKET(@timestamp, 50, ?_tstart, ?_tend)

The resulting graph shows the activity searching for clawdbot/moltbot, first reported March 10, 2026, and continuing ever since.

Indicators

81.168.83.103 (AS 20860)
/.openclaw/workspace/db.sqlite
/.openclaw/workspace/chroma.db
/.openclaw/secrets.json
/.clawdbot/moltbot.json
/.claude/settings.json
/.claude/.credentials.json
/.cache/huggingface/token
/openai/env.json
/openai/credentials.json
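As an added example (not code from the diary), here is the same detection the ES|QL query above performs, run offline over ordinary web-server access logs in Python: it matches the indicator paths listed above plus the looser keywords the query uses, buckets hits per source and per day, and flags any probe that was answered with a 200, since that means the credential file was actually reachable. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime
# Paths the scanner probed for, taken from the diary's indicator list.
AI_CREDENTIAL_PATHS = {
    "/.openclaw/workspace/db.sqlite", "/.openclaw/workspace/chroma.db", "/.openclaw/secrets.json",
    "/.clawdbot/moltbot.json", "/.claude/settings.json", "/.claude/.credentials.json",
    "/.cache/huggingface/token", "/openai/env.json", "/openai/credentials.json",
}
# Looser substring match, mirroring the LIKE "*openclaw*" ... clauses of the ES|QL query.
AI_KEYWORDS = ("openclaw", "claude", "huggingface", "openai", "clawdbot")
# Combined log format (Apache/nginx): ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
def classify(path):
    """'exact' for a listed indicator path, 'keyword' for a looser hit, None otherwise."""
    if path in AI_CREDENTIAL_PATHS:
        return "exact"
    return "keyword" if any(k in path.lower() for k in AI_KEYWORDS) else None
def scan_log(lines):
    """Return the matching requests plus per-source and per-day counts."""
    hits, per_ip, per_day = [], Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m["path"]) if m else None
        if kind is None:
            continue  # unparseable line or unrelated request
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        hits.append({"ip": m["ip"], "day": day, "path": m["path"], "kind": kind, "status": int(m["status"])})
        per_ip[m["ip"]] += 1
        per_day[day] += 1
    return hits, per_ip, per_day

def summarize(lines):
    """Busiest day and top source (as in the diary), plus probes answered 200: that file really was exposed."""
    hits, per_ip, per_day = scan_log(lines)
    return {"total": len(hits),
            "busiest_day": per_day.most_common(1)[0][0] if per_day else None,
            "top_source": per_ip.most_common(1)[0][0] if per_ip else None,
            "exposed": sorted((h["ip"], h["path"]) for h in hits if h["status"] == 200)}

# Constructed sample lines using RFC 5737 test addresses, not real honeypot data.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:04:12:33 +0000] "GET /.openclaw/secrets.json HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2026:11:02:05 +0000] "GET /.cache/huggingface/token HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2026:11:02:06 +0000] "GET /backup/claude_config.bak HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Apr/2026:11:02:07 +0000] "GET /openai/credentials.json HTTP/1.1" 404 162 "-" "python-requests"',
    '203.0.113.9 - - [03/Apr/2026:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
    'garbage line that does not parse',
]
```

A non-empty "exposed" list is the finding that matters: a 404 is just a scan, while a 200 means the token or secrets file was served and must be rotated.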

[1] https://www.elastic.co/guide/en/elasticsearch/reference/8.19/esql-functions-operators.html
[2] https://isc.sans.edu/weblogs/urlhistory.html?url=Ly5jYWNoZS9odWdnaW5nZmFjZS90b2tlbg== (/.cache/huggingface/token)
[3] https://isc.sans.edu/weblogs/urlhistory.html?url=Ly5jbGF3ZGJvdC9tb2x0Ym90Lmpzb24= (/.clawdbot/moltbot.json)
[4] https://isc.sans.edu/weblogs/urlhistory.html?url=Ly5vcGVuY2xhdy9zZWNyZXRzLmpzb24= (/.openclaw/secrets.json)
[5] https://www.ox.security/blog/one-step-away-from-a-massive-data-breach-what-we-found-inside-moltbot/
[6] https://www.virustotal.com/gui/ip-address/81.168.83.103
[7] https://www.shodan.io/host/81.168.83.103 (Linux system)

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu