
Indicators of Malicious Activity and Recommendations for Impacted Organizations - Hunting pulse

Published 08/09/2025 10:13 · Modified 08/09/2025 11:31


Essential information

Tags
2025-09-08 authentication drift integration network traffic supplychain user-agent strings
Related entities
18 observables, 5 techniques (mitre)

Description

A comprehensive investigation has uncovered numerous indicators of malicious activity related to a specific incident. Organizations are urged to scrutinize their logs for signs of compromise using the provided Indicators of Compromise (IOCs). The analysis shows that legitimate traffic should originate from a set of known source IPs owned and operated by Drift. Any successfully authenticated connection using Drift tokens from an IP address not listed in the official document should be treated as suspicious and potentially malicious. The findings include a list of confirmed malicious IP addresses and suspicious ones (see reference). While these IPs are confirmed malicious, some may generate noise because they are Tor exit nodes. Organizations are advised to treat any traffic from these IPs that results in a successfully authenticated Drift connection as malicious.
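As an added illustration that is not part of this pulse, the check the description asks for, applied to constructed log lines: successful Drift-token authentications are kept only if they come from the known Drift source IPs, and confirmed-malicious hits that are also Tor exit nodes are labelled separately so the expected noise is visible. The IP sets and the log format are placeholders; the real lists live in the referenced document.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed placeholder allowlist: the real list of Drift-owned source IPs
# comes from the referenced document, not from this example.
KNOWN_DRIFT_SOURCE_IPS = {"203.0.113.10", "203.0.113.11"}
# Constructed placeholders for the confirmed-malicious list; one overlaps a Tor exit node.
CONFIRMED_MALICIOUS_IPS = {"198.51.100.7", "198.51.100.8"}
TOR_EXIT_IPS = {"198.51.100.8"}

# Constructed log format: "<timestamp> src=<ip> auth=<method> result=<status>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+auth=(?P<auth>\S+)\s+result=(?P<result>\S+)")

def classify(line: str) -> Optional[str]:
    """Verdict for one log line, or None if it is not a successful Drift-token auth."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, auth, result = m.group("src", "auth", "result")
    if auth != "drift_token" or result != "success":
        return None
    if src in KNOWN_DRIFT_SOURCE_IPS:
        return "expected"
    if src in CONFIRMED_MALICIOUS_IPS:
        # Still malicious when paired with a successful auth, but flagged so analysts expect noise.
        return "malicious-tor" if src in TOR_EXIT_IPS else "malicious"
    return "suspicious"

def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group successful Drift-token authentications by verdict."""
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        verdict = classify(line)
        if verdict is not None:
            buckets.setdefault(verdict, []).append(line.strip())
    return buckets

# Constructed sample log lines; none of these addresses are real indicators.
SAMPLE_LOG = [
    "2025-09-08T10:00:01Z src=203.0.113.10 auth=drift_token result=success",
    "2025-09-08T10:00:05Z src=198.51.100.7 auth=drift_token result=success",
    "2025-09-08T10:00:09Z src=198.51.100.8 auth=drift_token result=success",
    "2025-09-08T10:00:12Z src=192.0.2.50 auth=drift_token result=success",
    "2025-09-08T10:00:15Z src=192.0.2.51 auth=drift_token result=failure",
    "2025-09-08T10:00:20Z src=192.0.2.52 auth=password result=success",
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_LOG).items():
        print(verdict, len(hits))
```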

External references