A16-ccsf_usdn_incidentprt-BOT_20120131_no_appendicesv1-REDACTED

Page 1

Attachment 16

CITY COLLEGE OF SAN FRANCISCO EXECUTIVE REPORT OF NETWORK INCIDENT FINDINGS January 31, 2012 Prepared by USDN Inc. for presentation to the City College of San Francisco Board of Trustees

USDN Inc

Proprietary & Confidential


Table of Contents 1. About This Report ............................................................................................................................................ 1 2. Objective .......................................................................................................................................................... 1 3. Network Event Background ............................................................................................................................. 1 4. Prior CCSF Information Security Disclosures.................................................................................................. 2 2004 Virus Incident .............................................................................................................................................. 2 Description ....................................................................................................................................................... 2 Actions taken by CCSF.................................................................................................................................... 2 Remediation ..................................................................................................................................................... 2 2007 Dissemination of Student PII ...................................................................................................................... 2 Description ....................................................................................................................................................... 2 Remediation ..................................................................................................................................................... 2 5. Analysis Timeline ............................................................................................................................................. 2 6. Analysis Methodology ...................................................................................................................................... 4 6.1.

Identify CCSF Critical Assets .................................................................................................................. 4

6.2.

Evaluate events taking place on critical assets & determine malicious destinations ............................. 4

7. Analysis Scope ................................................................................................................................................ 4 7.1.

Networks Included in Analysis ................................................................................................................ 4

7.2.

CCSF Critical Assets............................................................................................................................... 4

8. Findings ........................................................................................................................................................... 4 8.1.

Summary of Critical Asset Findings ........................................................................................................ 4

9. Immediate Remediation Recommendation ..................................................................................................... 9 10.

Next Steps ................................................................................................................................................... 9

11.

Conclusion .................................................................................................................................................. 9

Appendix A - Inventory of Data Center Assets ..................................................................................................... 10 Appendix B – List of CCSF Critical Assets ........................................................................................................... 15 Appendix C – Command & Control (C&C) Bot Events ......................................................................................... 21 Appendix D – Trojan Events ................................................................................................................................. 22 USDN Inc

Proprietary & Confidential

i


USDN Inc

Proprietary & Confidential

ii


1. ABOUT THIS REPORT This report describes actions taken and analysis performed by USDN Inc. (USDN) related to a network event that was detected over the 2011 Thanksgiving holiday. The chronicle of actions and findings contained herein are of those performed from January 13, 2012 through January 30, 2012 and subsequent to USDN’s initial findings. Information about the initial discovery and preliminary findings of the network event can be found within the “Network Event Background” section in this document.

2. OBJECTIVE The objective of the analysis which USDN performed from January 13, 2012 through January 30, 2012 was to determine the existence or absence of Personally Identifiable Information (PII) transmitting from CCSF critical assets. USDN commenced this work at the request of the CCSF Facilities, Infrastructure & Technology (FIT) Committee.

3. NETWORK EVENT BACKGROUND This section provides a recapitulation of events and findings related to the initial discovery of computer viruses detected within the CCSF computing environment over the 2011 Thanksgiving holiday. The information was presented by the CTO and USDN at the January 12, 2012 CCSF FIT Committee Meeting. 

During the course of security monitoring, the USDN Lab noticed an anomaly in traffic patterns detected by the USDN SEIM (Security Event and Information Management) system installed at CCSF.

USDN enacted the escalation procedures by contacting the IS Engineer and CTO.

Initial analysis was conducted on 1 file server (a.k.a. the C247 File Server) identified out of approximately 200 IP addresses exhibiting unusual behavior.

9 malicious vectors were identified on the C247 File Server, to include the payloads HackTool.Patcher.A, Sality.NAR (4 Instances), OpenCandy & Conficker A/B

An analysis of reference drive images belonging to workstations connected to the C247 File Server, revealed the presence of personally identifiable banking information

USDN subsequently discovered that at least 3 networks in the CCSF environment (i.e. Instructional, Administrative & Wireless) are actually a single network since segregation did not exist between the subnets.

Under the direction of the CCSF CTO, USDN performed an analysis on IP addresses which reside within the Administrative side, specifically on assets deemed to be critical.

USDN’s initial analysis also confirmed that the same viral variants existing on the C247 File Server were found on the Administrative side.

On January 12, 2012, the CCSF FIT Committee gave USDN the directive to perform analysis in order to determine the impact on Data Center and critical assets in the CCSF environment.

USDN Inc

Proprietary & Confidential

Page 1


4. PRIOR CCSF INFORMATION SECURITY DISCLOSURES The college has experienced at least two information security incidents requiring public disclosure within the past seven years. This is important to note as it establishes the fact that information security issues are not new to CCSF, and that as of December 2011, remediation had not taken place with respect to one of the incidents, specifically, the W32mydoom virus found on the network in 2004. Additionally, in 2007, a file containing student PII was potentially viewable through the Internet.

2004 Virus Incident DESCRIPTION Per a web page on the CCSF website, in September, 2004 a series of virus laden spam e-mails were found to be circulating the CCSF network, propagating the W32mydoom virus.

ACTIONS TAKEN BY CCSF A web page was put up notifying both employees and students that the e-mail, and in turn, virus, was circulating "within CCSF."

REMEDIATION It does not appear that remediation took place. Preliminary reports show this virus still present in the CCSF network.

2007 Dissemination of Student PII DESCRIPTION According to a security alert notice from then Chancellor ''''''''''' ''''' ''''''''', on February 6, 2007 CCSF's IT Dept. learned that a file created in May of 2000 that contained names, addresses, and social security numbers of approximately 11,000 students was potentially viewable via the internet. The file did not contain any driver’s license numbers, credit card or banking information. Actions taken by CCSF A letter detailing the incident, as well as steps taken, was sent out on February 8, 2007 which was also posted on the ccsf.edu website. Additionally, the letter outlined steps to take to check for fraud, as well as a toll free number to call if there are any questions.

REMEDIATION According to the information posted on the ccsf.edu website, the college took steps to remove the file and ensure it could no longer be viewed.

5. ANALYSIS TIMELINE The chronology of events related to USDN’s analysis to determine the impact on Data Center and critical assets in the CCSF environment are presented in this section. 

1/13/12 – 1/15/12: In collaboration with the CTO, USDN develops a strategic plan for continuing the investigation and analysis to fulfill the FIT Committee’s directive.

1/15/12 – CTO communicates the investigative strategic plan & the estimated cost of equipment to the Chancellor.

USDN Inc

Proprietary & Confidential

Page 2


1/17/12 - CTO requests approval from Chancellor for the purchase of 3 additional servers needed for expanded network monitoring (approximately $5,000).

1/17/12 – USDN conducts physical inventory of Data Center assets & requests verification of inventory from the Manager, Technical Operations.

1/18/12 - Manager, Technical Operations provides verification of Data Center asset inventory to USDN.

1/18/12 - Approval for server purchase obtained and hardware ordered.

1/19/12 - Servers are delivered to USDN at approximately 5:30pm. USDN installs O/S and software, hardens and tests servers.

1/20/12 – According to statements of the CTO, the CTO briefs the FBI on the situation. The FBI Special Agent indicated his familiarity with ''''''''''''''''''''' '''''''''''''''''''’s (USDN) work and indicated that the logical path forward would be to review ''''''''' '''''''''''''''''’s report upon completion.

1/20/12 - USDN installs servers in the Data Center, located in Batmale Hall. The installation is completed at approximately 4:30pm.

1/20/12 – 1/25/12 - The expanded SEIM (Security Event & Information Management) data capture starts at approximately 5:00pm on 1/20/12. USDN analysis takes place over the course of 3 business days from 1/23/12 through the evening of 1/25/12.

1/26/12 - At approximately 5:30am, USDN’s ability to access the SEIM system where evidentiary data resided was cut off due to firewall issues. USDN was therefore unable to verify its findings.

1/27/12 (Approximately 3:30p – 5:15p) – At approximately 3:30pm, ''''''''''''' ''''''''''''''''''''', ViceChancellor-Finance & Administration contacts '''''''' ''''''''''''''''''. '''''''' '''''''''''''''' informs '''''''' ''''''''''''''''''''''' of the issues with the firewall that prevent USDN from accessing its monitoring devices and therefore its ability to fully corroborate its findings. '''''''' '''''''''''''''''''''' facilitates restoring the connection to USDN’s monitoring devices. Restoration is completed at approximately 5:15pm.

1/27/12 (Approximately 5:15p) – 1/31/12 – Data capture, CCSF-dependent tasks and USDN analysis completed.

USDN Inc

Proprietary & Confidential

Page 3


6. ANALYSIS METHODOLOGY The methodology which USDN used to determine malicious destinations and the dissemination of PII consisted of the following:

6.1. Identify CCSF Critical Assets USDN requested an inventory of CCSF Data Center assets. As CCSF could not produce this inventory list, USDN conducted a physical inventory audit of CCSF Data Center assets. Data regarding these assets, such as host name, IP address and purpose was collected. The data center inventory was reviewed, completed and signed by the Manager Technical Operations as being true and accurate (Refer to “Appendix A - List of Data Center Assets”.) In addition to Data Center Assets, additional assets utilized for administration, medical or instructional assets purposes and residing on other CCSF networks were also evaluated. An asset was deemed critical based upon functionality (i.e. administration, medical, instructional) and if there was a presence of malware (i.e. Control & Command Bots, Trojans or Spyware) residing on a given asset. The list of CCSF Critical Assets is provided in “Appendix B – List of Critical Assets”.

6.2. Evaluate events taking place on critical assets & determine malicious destinations USDN evaluated the events taking place on critical assets in order to determine (1) where critical assets were transmitting information and (2) if these transmissions included PII (Personally Identifiable Information). To accomplish these objectives, two USDN teams worked independently. One team analyzed SEIM data to identify events transmitting from critical CCSF assets to known bad reputation IP addresses1. The other team examined the packets in order to determine if PII was present in the data transmitted.

7. ANALYSIS SCOPE USDN performed a network based analysis.

7.1. Networks Included in Analysis The network groups analyzed included those listed below:  

7.2. CCSF Critical Assets Critical assets consisted of 122 hosts selected by the criteria as noted in Section 7.1 See “Appendix B – List of Critical Assets.”

8. FINDINGS USDN’s findings regarding the analysis are provided within this section.

8.1. Summary of Critical Asset Findings 1

Bad reputation IP addresses were based upon ratings entities widely recognized as reliable to include Carnegie-Mellon CERT, malwaredomainlist, alienvaultlabs, watchguard, etc.

USDN Inc

Proprietary & Confidential

Page 4


The USDN Lab analyzed event data collected by the CCSF SEIM system associated with critical assets. A total of 9,020,612 total events were examined and out of these 1,940 were determined to be potential PIIrelated events. These were comprised of Command & Control Botnets and Trojans as shown in the table below.

Command & Control Botnet Events

Trojan Events

1,402

Total PII - Related Events

538

1,940

USDN evaluated the severity of events taking place on critical assets based on reputational data of IP addresses identified within the data collected The types of events identified by USDN included the receipt and transmission of malware (i.e. Command & Control Bots and Trojans) to and from IP addresses widely acknowledged as being of bad reputation by entities such as Carnegie Mellon, US Cert/CIRT, etc. Out of the 122 critical asset hosts, 81 were determined to have PII-related events transmitting to known bad reputation IP addresses. A summary of findings are provided in the table below. Supporting information including malware analysis and packet data are provided in Appendices C and D.

1

PII Related 1

'''''''''''''''''''''''' '''''''''''''''''''''''' '''''''''''''''''''''''' ''''''''''''''''''''''''

1 1 1

1 1 1

'''''''''''''''''''''''''''30 ''''''''''''''''''''''''''''84

'''''''''''''''''''''''' ''''''''''''''''''''''

1

1

'''''''''''''''''''''''86

''''''''''''''''''''''

'''''''''''''''''''''''''32 ''''''''''''''''''''''''''34 '''''''''''''''''''''''''58 ''''''''''''''''''''''''''71 '''''''''''''''''''''''76 ''''''''''''''''''''''''92

'''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''''' '''''''''''''''''''''''

1 1 1 1

1 1 1 1 1

'''''''''''''''''''''''28 ''''''''''''''''''''''''31 '''''''''''''''''''''''33 '''''''''''''''''''''''''32 ''''''''''''''''''''''''''35

''''''''''''''''''''''' ''''''''''''''''''''''' '''''''''''''''''''''' ''''''''''''''''''''''' '''''''''''''''''''''''

IP Address ''''''''''''''''''''''''100

IP Group '''''''''''''''''''''

''''''''''''''''''''''''200 ''''''''''''''''''''''''125 ''''''''''''''''''''''''130 '''''''''''''''''''''''''''146

USDN Inc

C&C Bot (1=Yes)

Trojan (1=Yes)

1

1 1 1 1 Proprietary & Confidential

Comments

1 1 1 1 Page 5


IP Address ''''''''''''''''''''''''38 '''''''''''''''''''''''''''40 ''''''''''''''''''''''''''46 ''''''''''''''''''''''''48 ''''''''''''''''''''''''''52 ''''''''''''''''''''''''53 ''''''''''''''''''''''''''57 '''''''''''''''''''''''''''65 '''''''''''''''''''''''''''66

IP Group ''''''''''''''''''''''' '''''''''''''''''''''''''' '''''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''' ''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''''''

'''''''''''''''''''''''''''102 ''''''''''''''''''''''''108 ''''''''''''''''''''''''''''56

''''''''''''''''''''''' '''''''''''''''''''''''' ''''''''''''''''''''''''

'''''''''''''''''''''''''83

''''''''''''''''''''''''

'''''''''''''''''''''''''''84 '''''''''''''''''''''''''''93 ''''''''''''''''''''''119 ''''''''''''''''''''''''''''140

'''''''''''''''''''''''' '''''''''''''''''''''' '''''''''''''''''''''' ''''''''''''''''''''''

''''''''''''''''''''''36

'''''''''''''''''''''''

'''''''''''''''''''''''37 '''''''''''''''''''''''''84 ''''''''''''''''''''''''110 '''''''''''''''''''''''''120

'''''''''''''''''''''' ''''''''''''''''''''''' '''''''''''''''''''''''' '''''''''''''''''''''''''

'''''''''''''''''''''''''125 '''''''''''''''''''''''''138 '''''''''''''''''''''''''''147 '''''''''''''''''''''''''161 ''''''''''''''''''''''''163

C&C Bot (1=Yes)

Trojan (1=Yes) 1 1 1 1 1 1 1 1 1

1 1

1 1 1

1 1 1

1

''''''''''''''''''''''''' ''''''''''''''''''''''''' '''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''

1 1 1 1

1 1 1 1

'''''''''''''''''''''''''24 ''''''''''''''''''''''''''44

''''''''''''''''''''''' '''''''''''''''''''''''

1

1

''''''''''''''''''''''''''63

'''''''''''''''''''''''''

'''''''''''''''''''''''''''71 '''''''''''''''''''''''''''71

'''''''''''''''''''''''''' ''''''''''''''''''''''

1

1

''''''''''''''''''''''77

''''''''''''''''''''''

'''''''''''''''''''''''''''79

''''''''''''''''''''''

''''''''''''''''''''''81

''''''''''''''''''''''''

1

Proprietary & Confidential

Comments

1 1

1 1 1

USDN Inc

1

PII Related 1 1 1 1 1 1 1 1 1

Page 6


IP Address

IP Group

''''''''''''''''''''''''84 '''''''''''''''''''''''''''87 ''''''''''''''''''''''''26

'''''''''''''''''''''''' '''''''''''''''''''''''''' '''''''''''''''''''''

''''''''''''''''''''''''34

''''''''''''''''''''''''''

''''''''''''''''''''''''''50 ''''''''''''''''''''''''''51

''''''''''''''''''''''''' ''''''''''''''''''''''''''

''''''''''''''''''''''''''100 ''''''''''''''''''''''''16 ''''''''''''''''''''''''''160 '''''''''''''''''''''''''22

'''''''''''''''''''80 '''''''''''''''''80 '''''''''''''''''''80 '''''''''''''''''''80

''''''''''''''''''''''''''''23 '''''''''''''''''''''''''''29

''''''''''''''''80 ''''''''''''''''''80

''''''''''''''''''''''''34 '''''''''''''''''''''''''''38 ''''''''''''''''''''''''''55 ''''''''''''''''''''''''77 ''''''''''''''''''''''''''91

''''''''''''''''''80 ''''''''''''''''''''80 '''''''''''''''''''80 '''''''''''''''''80 '''''''''''''''''''80

'''''''''''''''''''''''''26

'''''''''''''''''''88

''''''''''''''''''''''28

'''''''''''''''''88

'''''''''''''''''''''''''''36

''''''''''''''''''88

''''''''''''''''''''''''41 '''''''''''''''''''''''''''35

C&C Bot (1=Yes)

Trojan (1=Yes)

PII Related

1 1

1 1

1

1

1 1

1 1 1

1 1

1 1

1

1

1 1 1 1

''''''''''''''''''88 ''''''''''''''''''''89

1

1

'''''''''''''''''''''''''''''

''''''''''''''''''''''1

1

''''''''''''''''''''''''''11 '''''''''''''''''''''''''''12 '''''''''''''''''''''''''''''49 '''''''''''''''''''''''''50 ''''''''''''''''''''''''''''''51 '''''''''''''''''''''''''''52

'''''''''''''''''''''''1 ''''''''''''''''''''1 ''''''''''''''''''''''1 ''''''''''''''''''''''1 '''''''''''''''''''''1 ''''''''''''''''''''''1

1 1 1 1

''''''''''''''''''''''''''''0 '''''''''''''''''''''''''''''''.100 ''''''''''''''''''''''''''''''''.108 ''''''''''''''''''''''''''''.110 '''''''''''''''''''''''''''''.129

'''''''''''''''''''''1 ''''''''''''''''''''''''''' '''''''''''''''''''''''''' ''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''

USDN Inc

1 1 1

1

1

1

1 1 1 1 1

1 1 1 1 1 Proprietary & Confidential

Comments

Over 2000 spyware instances broadcast

1 1 1 1 1 Page 7


IP Address ''''''''''''''''''''''''''''.145 ''''''''''''''''''''''''''''''.146 ''''''''''''''''''''''''''''''''.30

IP Group '''''''''''''''''''''''''' '''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''

''''''''''''''''''''''''''''.58 '''''''''''''''''''''''''''.26 ''''''''''''''''''''''''''''''''.35 ''''''''''''''''''''''''''''''''.37

''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''' ''''''''''''''''''''''''''' ''''''''''''''''''''''''''''

''''''''''''''''''''''''''.42 '''''''''''''''''''''''''''.53 ''''''''''''''''''''''''''''''.54 ''''''''''''''''''''''''''.55 '''''''''''''''''''''''''''.56

'''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''

''''''''''''''''''''''''''.68

''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.72

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''.75 ''''''''''''''''''''''''''.34

''''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.51

''''''''''''''''''''''''''''

''''''''''''''''''''''''''.71

''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.73

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''.77 ''''''''''''''''''''''''''''''.93

''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''.136

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''.161

'''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.168 '''''''''''''''''''''''''''''.185

''''''''''''''''''''''''''' ''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''''.210

''''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''64 '''''''''''''''''''''''''107 ''''''''''''''''''''''''''116 '''''''''''''''''''''''''''''17 ''''''''''''''''''''''''''''''202 ''''''''''''''''''''''''''''''72 '''''''''''''''''''''''''79

''''''''''''''''''''''2 ''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''' '''''''''''''''''''''''' ''''''''''''''''''''''''' '''''''''''''''''''''''' '''''''''''''''''''''''''

USDN Inc

C&C Bot (1=Yes)

Trojan (1=Yes)

PII Related 1 1 1

1 1 1

1 1 1

1 1 1 1

1 1 1

1 1 1 1

1

1

1

1

1

1 1 1 1 1 1 Proprietary & Confidential

Comments

1

1 1 1 1 1 1 Page 8


IP Address ''''''''''''''''''''''''''''''179

IP Group '''''''''''''''''''''''''

C&C Bot (1=Yes)

Trojan (1=Yes) 1

PII Related 1

Comments

81

9. IMMEDIATE REMEDIATION RECOMMENDATION USDN created a database of all of IP addresses that have been conclusively proven to be receiving and transmitting malicious data. USDN recommends that this information be used at the perimeter level to prevent access to and from the CCSF network.

10.

NEXT STEPS

Meet with CCSF management to discuss findings in order to determine the next remediation steps.

An examination of the individual hosts highlighted in this report should be performed.

11.

CONCLUSION

Within the CCSF computing environment unauthorized disclosure of Personally Identifiable Information (PII) has been shown to be actively transmitted unintentionally, and access tunnels have been found to exist which allow passive access to PII. In order to determine the full legal implications of these findings to CCSF, it is necessary for USDN to meet with CCSF legal counsel and CCSF executive management. To further clarify, as USDN’s findings include both PII leakage within CCSF control and beyond its control, conclusions requiring regulatory requirements under SB1386 will necessitate further discussions with CCSF. Alternatively, if CCSF wishes to continue independently to determine legal scope, all raw data can be turned over to CCSF.

USDN Inc

Proprietary & Confidential

Page 9


APPENDIX A - INVENTORY OF DATA CENTER ASSETS The inventory data has been redacted.

USDN Inc

Proprietary & Confidential

Page 10


APPENDIX B – LIST OF CCSF CRITICAL ASSETS

IP Address

Network Group

'''''''''''''''''''''''''100

''''''''''''''''''''''''

''''''''''''''''''''''''200

''''''''''''''''''''''

'''''''''''''''''''''''''''125

''''''''''''''''''''''''''

'''''''''''''''''''''''''130

'''''''''''''''''''''

'''''''''''''''''''''''146

''''''''''''''''''''''

''''''''''''''''''''''''30

'''''''''''''''''''''''''

'''''''''''''''''''''''''''84

'''''''''''''''''''''''

'''''''''''''''''''''''''''86

'''''''''''''''''''''''

'''''''''''''''''''''''''32

''''''''''''''''''''''

'''''''''''''''''''''''''34

''''''''''''''''''''''''

''''''''''''''''''''''''58

'''''''''''''''''''''''

'''''''''''''''''''''''''''71

'''''''''''''''''''''''

''''''''''''''''''''''''''''76

'''''''''''''''''''''''

'''''''''''''''''''''''''92

''''''''''''''''''''''''''

'''''''''''''''''''''''''28

''''''''''''''''''''''''

''''''''''''''''''''''''31

'''''''''''''''''''''''

''''''''''''''''''''''''''''33

'''''''''''''''''''''

''''''''''''''''''''''''''32

'''''''''''''''''''''''''

''''''''''''''''''''''''35

'''''''''''''''''''''''

''''''''''''''''''''''38

''''''''''''''''''''''''

'''''''''''''''''''''''''40

''''''''''''''''''''''

''''''''''''''''''''''''46

'''''''''''''''''''''''''

USDN Inc

Proprietary & Confidential

Page 11


IP Address

Network Group

'''''''''''''''''''''''''''48

'''''''''''''''''''''''

''''''''''''''''''''''''''52

''''''''''''''''''''''

''''''''''''''''''''''''53

'''''''''''''''''''''''

''''''''''''''''''''''57

''''''''''''''''''''''''

'''''''''''''''''''''''''65

'''''''''''''''''''''

''''''''''''''''''''''''''66

'''''''''''''''''''''''''

''''''''''''''''''''''''102

'''''''''''''''''''''''''

'''''''''''''''''''''''''''108

'''''''''''''''''''''''''

'''''''''''''''''''''''''''56

''''''''''''''''''''''''

''''''''''''''''''''''''''83

''''''''''''''''''''''

''''''''''''''''''''''''84

''''''''''''''''''''''''''

''''''''''''''''''''''''''''93

'''''''''''''''''''''''

'''''''''''''''''''''''119

''''''''''''''''''''''''

'''''''''''''''''''''''''140

''''''''''''''''''''''

''''''''''''''''''''''''36

'''''''''''''''''''''''''

''''''''''''''''''''''''37

'''''''''''''''''''''''

''''''''''''''''''''''84

''''''''''''''''''''''

''''''''''''''''''''''''''110

''''''''''''''''''''''

'''''''''''''''''''''''''120

'''''''''''''''''''''''''

'''''''''''''''''''''''''125

''''''''''''''''''''''''

''''''''''''''''''''''''138

''''''''''''''''''''''''

''''''''''''''''''''''''''147

''''''''''''''''''''''

'''''''''''''''''''''''''161

'''''''''''''''''''''

'''''''''''''''''''''''163

''''''''''''''''''''''''

USDN Inc

Proprietary & Confidential

Page 12


IP Address

Network Group

''''''''''''''''''''''''24

'''''''''''''''''''''''''

'''''''''''''''''''''''44

''''''''''''''''''''''

'''''''''''''''''''''''''63

'''''''''''''''''''''''''

'''''''''''''''''''''''''71

''''''''''''''''''''''''

''''''''''''''''''''''71

''''''''''''''''''''''''

''''''''''''''''''''''''''77

''''''''''''''''''''''

'''''''''''''''''''''''''''79

'''''''''''''''''''''''''

'''''''''''''''''''''''''81

''''''''''''''''''''''''''

'''''''''''''''''''''''''84

''''''''''''''''''''''''

''''''''''''''''''''''''87

'''''''''''''''''''''''

'''''''''''''''''''''''''''26

'''''''''''''''''''''

''''''''''''''''''''''''''34

''''''''''''''''''''''

''''''''''''''''''''''''50

'''''''''''''''''''''''''

'''''''''''''''''''''''''''51

'''''''''''''''''''''''

'''''''''''''''''''''''''''100

''''''''''''''''80

''''''''''''''''''''''''''16

''''''''''''''''80

'''''''''''''''''''''''160

'''''''''''''''''''80

''''''''''''''''''''''''22

'''''''''''''''''''80

'''''''''''''''''''''''''''23

'''''''''''''''''80

''''''''''''''''''''''''''''29

''''''''''''''''80

''''''''''''''''''''''''''34

''''''''''''''''80

''''''''''''''''''''''''38

'''''''''''''''''''80

'''''''''''''''''''''''''''55

'''''''''''''''''80

'''''''''''''''''''''''''''77

''''''''''''''''80

USDN Inc

Proprietary & Confidential

Page 13


IP Address

Network Group

''''''''''''''''''''''''''91

'''''''''''''''''''80

'''''''''''''''''''''''''26

'''''''''''''''''88

'''''''''''''''''''''''28

'''''''''''''''''''88

'''''''''''''''''''''''''''36

'''''''''''''''''88

'''''''''''''''''''''''''41

''''''''''''''''''88

'''''''''''''''''''''''''35

''''''''''''''''89

'''''''''''''''''''''''''''''

''''''''''''''''''''''1

'''''''''''''''''''''''''''11

''''''''''''''''''''''1

''''''''''''''''''''''''''''''12

''''''''''''''''''''1

''''''''''''''''''''''''''''''49

''''''''''''''''''''1

''''''''''''''''''''''''''''''50

''''''''''''''''''''1

''''''''''''''''''''''''''''51

'''''''''''''''''''1

''''''''''''''''''''''''''''52

'''''''''''''''''''''''1

'''''''''''''''''''''''''0

'''''''''''''''''''''1

'''''''''''''''''''''''''''.100

'''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.108

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''.110

''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.129

''''''''''''''''''''''''''

'''''''''''''''''''''''''''.145

''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.146

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''.30

''''''''''''''''''''''''''''

USDN Inc

Proprietary & Confidential

Page 14


IP Address

Network Group

''''''''''''''''''''''''''.58

'''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''''.26

'''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.35

''''''''''''''''''''''''''

'''''''''''''''''''''''''''.37

''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.42

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''.53

''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.54

'''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.55

''''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.56

''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''.68

''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''''.72

''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.75

''''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.34

''''''''''''''''''''''''''''''''

''''''''''''''''''''''''''.51

''''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.71

''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''''.73

'''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.77

'''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''.93

'''''''''''''''''''''''''''

''''''''''''''''''''''''''''''.136

'''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''.161

'''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''.168

'''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''.185

''''''''''''''''''''''''''''''

'''''''''''''''''''''''''''.210

'''''''''''''''''''''''''''''

'''''''''''''''''''''''''''''64

''''''''''''''''''''2

USDN Inc

Proprietary & Confidential

Page 15


IP Address

Network Group

'''''''''''''''''''''''''107

'''''''''''''''''''''''''

'''''''''''''''''''''''''''116

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''17

'''''''''''''''''''''''''

'''''''''''''''''''''''''202 '''''''''''''''''''''''''72

''''''''''''''''''''''''' ''''''''''''''''''''''''''

'''''''''''''''''''''''''''79

''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''179

''''''''''''''''''''''''''''

USDN Inc

Proprietary & Confidential

Page 16


APPENDIX C – COMMAND & CONTROL (C&C) BOT EVENTS '''''' ''''''' '''''''''''''''''''

USDN Inc

Proprietary & Confidential

Page 17


APPENDIX D – TROJAN EVENTS '''''' ''''''' ''''''''''''''''''''''

USDN Inc

Proprietary & Confidential

Page 18