Observation Summary
On November 3rd, a Cross-Site Scripting (XSS) vulnerability was reported for the domain x.fidelity-media[.]com (https://www.openbugbounty.org/reports/618188/). Initially, the domain resolved to IP 104.247.81[.]99, flagged in OTX for suspicious activity.
Since October 30th, successful connections to this domain have increased. Recently, the domain shifted to IP 91.195.240[.]12, which has historical malicious reports, triggering multiple alerts for DNS queries and suspicious network connections.
Detailed Breakdown / What’s Happening
- Vulnerability Identified: An XSS flaw, disclosed on November 3rd, exposes users to client-side script execution and potential session hijacking, making this a notable web application security threat.
- Domain: x.fidelity-media[.]com
- Previous IP: 104.247.81[.]99 (recent OTX report).
- Current IP: 91.195.240[.]12 (historically malicious per OTX).
- Alert Types:
  - DNS query for suspicious domain
  - Suspicious network connection
  - Increased outbound traffic to a known malicious IP
  - Indicators of potential phishing or malware delivery
- Timeline:
  - Past month: multiple failed connection attempts
  - Since Oct 29–30: successful connections observed
  - Nov 3: vulnerability disclosure
  - Current hosting on malicious IP detected
Strengthening your SOC visibility and web application monitoring helps detect shifts to malicious IPs earlier. Explore how ProArch’s cybersecurity services enhance detection and response.
Risk / Why It Matters
Recommendations / What to Do (Incident Response Steps)
To reduce risk and prevent further exploitation:
- Block domain x.fidelity-media[.]com and malicious IP 91.195.240[.]12 at network perimeter.
- Monitor for any residual traffic or DNS queries to the domain.
- Review logs for successful connections since Oct 29 for potential compromise indicators.
- Apply XSS mitigation measures and validate input sanitization on web applications.
- Update threat intelligence feeds and alert rules for associated indicators.
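The log-review and monitoring steps above can be scripted. The following is an added example, not part of the original advisory or any ProArch tooling: it refangs the advisory's indicators, parses a constructed DNS/connection log in an assumed `key=value` format, keeps only records on or after the review start date, and reports which internal hosts made successful connections to the listed IPs and how much data they sent. The year in the sample timestamps is an assumption, since the advisory only gives month and day.

```python
"""Review constructed DNS / connection log lines for the advisory's indicators."""
import re
from datetime import datetime
from typing import Optional

# Indicators as listed in the advisory (defanged); refanged before matching.
IOC_DOMAIN = "x.fidelity-media[.]com"
IOC_IPS = ("104.247.81[.]99", "91.195.240[.]12")

# Review window start. The advisory says "since Oct 29"; the year is assumed
# here to match the constructed sample data below.
REVIEW_START = datetime(2025, 10, 29)

# Constructed sample log lines (assumed format: "<ts> <dns|conn> k=v k=v ...").
SAMPLE_LOG = """\
2025-10-12T08:14:02Z dns client=10.0.0.21 query=x.fidelity-media.com rcode=NXDOMAIN
2025-10-12T08:14:03Z conn client=10.0.0.21 dst=104.247.81.99:443 status=failed
2025-10-30T11:02:45Z dns client=10.0.0.34 query=x.fidelity-media.com rcode=NOERROR answer=104.247.81.99
2025-10-30T11:02:46Z conn client=10.0.0.34 dst=104.247.81.99:443 status=success bytes_out=4096
2025-11-04T09:20:10Z dns client=10.0.0.34 query=x.fidelity-media.com rcode=NOERROR answer=91.195.240.12
2025-11-04T09:20:11Z conn client=10.0.0.34 dst=91.195.240.12:443 status=success bytes_out=131072
2025-11-04T10:00:00Z conn client=10.0.0.50 dst=192.0.2.10:443 status=success bytes_out=512
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn)\s+(?P<rest>.*)$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('x[.]y') back into its matchable form."""
    return ioc.replace("[.]", ".")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["kind"] = m.group("kind")
    return fields


def find_ioc_hits(lines, start=REVIEW_START):
    """Return every DNS query for the domain or connection to an IOC IP since `start`."""
    domain = refang(IOC_DOMAIN)
    ips = {refang(ip) for ip in IOC_IPS}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < start:
            continue  # unparseable, or before the review window
        if rec["kind"] == "dns" and rec.get("query") == domain:
            hits.append({"ts": rec["ts"], "kind": "dns", "client": rec.get("client"),
                         "indicator": domain, "status": rec.get("rcode", "n/a"),
                         "bytes_out": 0})
        elif rec["kind"] == "conn":
            dst_ip = rec.get("dst", "").rsplit(":", 1)[0]  # strip the port
            if dst_ip in ips:
                hits.append({"ts": rec["ts"], "kind": "conn", "client": rec.get("client"),
                             "indicator": dst_ip, "status": rec.get("status", "n/a"),
                             "bytes_out": int(rec.get("bytes_out", 0))})
    return hits


def clients_to_review(hits):
    """Hosts with at least one successful connection to an IOC IP in the window."""
    return sorted({h["client"] for h in hits
                   if h["kind"] == "conn" and h["status"] == "success"})


def outbound_bytes(hits):
    """Total bytes sent to IOC IPs in the window (supports the 'increased outbound' alert)."""
    return sum(h["bytes_out"] for h in hits if h["kind"] == "conn")


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts'].isoformat()} {h['kind']:4} {h['client']:<10} -> {h['indicator']} [{h['status']}]")
    print("hosts to review:", clients_to_review(found))
    print("bytes sent to IOC IPs:", outbound_bytes(found))
```

Run as-is to see the hits in the constructed sample; in practice, point `find_ioc_hits` at exported DNS resolver and proxy/firewall logs in whatever format your SIEM produces and adjust `LINE_RE` and the field names accordingly. Failed connections before the window are deliberately ignored, matching the advisory's focus on successful connections since Oct 29.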