The Server That Attacked Itself: Tracing a Live Ransomware Operation Through Luxury Hotel and Airline Infrastructure | Intercept Cell
Starting from a single exposed open directory on a UK server, we mapped a network of six compromised Kaleidovision KL4 music scheduling systems, background music infrastructure for Schroders, Cathay Pacific, and The Beaumont Hotel, all implanted with the same custom Go reverse SOCKS5 proxy. The servers double as staging platforms, malware depots, and proxy nodes. One exposed MySQL general query log captured a complete database ransom operation. Another MySQL instance remains wide open with root access, PE executables stored in tables, and artifacts from multiple unrelated threat actors. The implant was updated across all nodes within hours of publication.
What began as an open directory on a UK server turned into a six-node proxy network spanning two continents, three luxury brands, and at least three distinct threat actors operating on the same compromised infrastructure simultaneously.

While scanning for exposed infrastructure, we found a Windows server at 94[.]31[.]47[.]252 on ZAYO GROUP UK (AS6461) with nine ports open to the internet: HTTP (80), RDP (3389), VNC (5800/5900), MySQL (3306), SMB (139/445), RPC (135), and an application on port 1000. The HTTP server hosted an open directory. On port 1000, a service identified itself as **KL4 Music Scheduler**, commercial broadcast automation software by Kaleidovision. The KL4 API endpoint at /currentplaying.xml returned:

> Andres Cardenes, Luz Manriquez