ANNOUNCEMENT: Security On-Demand Announces ThreatWatch Response and Remediation Service | SEE RELEASE
Ann Banner (14)

Active VPN Reconnaissance Campaign from Russia Based IP

Event Summary

Security On-Demand has discovered a Russian based IP performing an active VPN scanning and password spraying campaign.  This IP was observed performing this activity as of May 30, 2021.  We are taking this opportunity to alert our client base and recommend any preemptive actions to deter or negate any negative outcomes.

Details

Source IP: 193.27.228.247

NetRange: 193.27.228.0/23

ISP:    Starcrecium Limited

Usage Type: Data Center/Web Hosting/Transit

Domain Name: starcrecium.com

Country: Russian Federation

City: Moscow, Moskva

Per online sources, this IP has been observed performing brute force access attempts on VPN services. This does appear to be an active automated spraying campaign.  This spraying campaign is attempting a wide range of user names and passwords in order to either gain access or narrow down any user credentials that may not be secure.

This appears to be a large reconnaissance campaign aimed at collecting login credentials, specifically a large number of events are targeting VPN credentials. It is likely any credentials that have been successfully authenticated against a target environment will be used in a malicious fashion, such as selling the credential information to bad actors, using the credentials in a future network intrusion campaign, or other nefarious activity.

 

SOD has not seen any instances of the user names being listed in the event logs we have received, which shows no valid user names have been used.  However, it only takes one predictable user name/password combination to gain access to a network.

 Recommendations

It is recommended to block this IP or the entire subnet address range across all public facing interfaces in order to guarantee there are is successful reconnaissance information gathering or access attempts.

SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events and will notify you of any critical updates as more information is provided.  Please contact us if you have any questions.

Sources

https://www.abuseipdb.com/check/193.27.228.247?page=1#report

https://www.virustotal.com/gui/ip-address/193.27.228.247/detection

https://dnslytics.com/ip/193.27.228.247