...
The use and mining of cryptocurrency is not inherently benign or malicious, or used exclusively by threat actors or general users. However, over the last several years, it has been increasingly used for illegal and/or fraudulent activities such as human trafficking, black market sales/purchases, and ransomware payments, and others. Cryptocurrency mining can impair system performance and risk end users and businesses to information theft, hijacking, and a plethora of other malware. This feed features threats that allow malicious actors to perform illegal and/or fraudulent activities, coinhives that allows site owners to embed cryptocurrency mining software into their webpages as a replacement to normal advertising, Cryptojacking that allows site owners to mine for cryptocurrency without the owner’s consent, and cryptocurrency mining pools working together to mine cryptocurrency. This feed features indicators of activity which may indicate malicious or unauthorized use of resources including: coinhive which can be embedded into a site owner’s web pages to lie cryptocurrency with the visitor’s permission as an alternative to web banner advertising; cryptojacking where malicious actors use in-browser mining without the victim’s consent; and cryptocurrency mining pools working together to mine cryptocurrency.
Custom
Custom threat feed. This a user-defined threat feed.
DHS_AIS_Domain
The Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the Federal Government and the private sector. AIS is a part of the Department of Homeland Security’s effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. Hostname Indicators contained in this feed are not validated by DHS as the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption. Data included in this AIS_IP feed includes AIS data subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information.
...
Suspicious/malicious as destinations: An extension of the AntiMalware IP feed that contains recently expired Malware IP’s IPs with an extended time-to-live (TTL) applied. The extended time-to-live (TTL) provides an extended reach of protection for the DNS FW, but may also increase the risk of false positives as some of these Malware IP’s IPs may no longer be active.
Ext_Base_AntiMalware
...
Suspicious/malicious as destinations: An extension of the Exploit Kits feed that contains recently expired ExploitKits with an extended time-to-live (TTL) applied. The extended time-to-live (TTL) provides an extended reach of protection the DNS FW, but may also increase the risk of false positives as some of these Exploit Kits IP’s I’s may no longer be active.
Ext_Ransomware
...
Suspicious/malicious as destinations. An extension of the Tor Exit Nodes feed that contains recently expired Tor Exit Nodes with an extended time-to-live (TTL) applied. The extended time-to-live (TTL) provides an extended reach of protection for the DNS FW, but may also increase the risk of false positives as some of these Tor Exit Node IP’s IPs may no longer be active.
Extreme_Block
...
May choose to block based on company policy. Contains IP’s IPs assigned to United States sanctioned countries listed by US Treasury Office of Foreign Assets Control (OFAC). The Treasury Department’s Office of Foreign Asset Control (OFAC) administers and enforces economic sanctions imposed by the United States against foreign countries. More information can be found by visiting the “Sanctions Programs and Country Information” page found here: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx. This feed includes Geo IP data provided by MaxMind.
...
Suspicious/malicious as sources. IPs of known spam servers. Enables protection against a computer or bot node as part of a botnet seen sending spam. IP’s IPs listed are also frequently found with a poor/negative reputation on that IP address. Recommended to run in ‘logging’ mode prior to blocking to see what would have been blocked. Can also be used to help block incoming Spam or potentially malicious emails from known spam sources by feeding into your email platform or appliance.
TOR_Exit_Node_IP
...
Suspicous_Domains
TOR_Exit_Node_IP
Tor Exit Nodes are the gateways where encrypted Tor traffic hits the Internet. This means an exit node can be used to monitor Tor traffic (after it leaves the onion network). It is in the design of the Tor network that locating the source of that traffic through the network should be difficult to determine.