Threat Flash Alert: Active Killnet DDoS Campaigns

Event Summary

As part of our proactive and continuous monitoring services and threat research, we have observed widespread DDoS campaigns targeting businesses and government entities across the world. The hacktivist group Killnet is heavily involved in the Russian-Ukrainian conflict and stands out as the perpetrator of many of the active DDoS attacks.

As part of our ongoing monitoring service, we have updated our databases, including our Threat Intelligence Platform (TIP), with the indicators detailed in this document to allow faster, automated detection of any communication with the suspicious IPs.

Background

Killnet is one of many hacktivist groups that have taken a side in the ongoing Russian-Ukrainian conflict. Killnet stands out as one of the most active groups in this conflict, having declared war on Anonymous, a group supporting Ukraine, on February 25, 2022. Killnet is based in Russia and supports its country in the war, alongside other groups such as Xaknet and, often in joint operations, Legion. Killnet has gained notoriety for launching DDoS attacks against the websites of Western critical infrastructure operators, such as airports, banks, energy providers and government agencies.

Details

At this time, the known IP Indicators of Compromise (IOCs) are listed below.


Recommendations

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. Currently, we recommend investigating all detected connections and, where possible, blocking all communication with the suspicious IPs listed in the “Details” section of this document.

Additional recommendations are as follows:

  • Monitor for any communication with the suspicious IPs.
  • Change default or easily guessable passwords on Internet-facing devices, especially IoT devices.
  • Identify and patch vulnerable IoT devices to prevent them from being used as SSH tunnels or as part of DDoS botnets.
  • Ensure that all of your security devices, domain controllers, and high-value servers listed in your ThreatWatch service contract are reporting logs through the ThreatWatch platform, to give the SOC the most visibility possible.
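The monitoring recommendation above (and the TIP-based detection described in the Event Summary) amounts to matching connection logs against the IP indicator list. The following is an added example, not code from Security On-Demand or this alert: it parses an indicator list in the same bullet format as the “Details” section and scans iptables-style firewall log lines for either direction of contact. The indicator addresses and log lines are constructed TEST-NET placeholders, not the alert's real IOCs.

```python
import ipaddress
import re

# Constructed indicator list in the bullet style of the alert; TEST-NET
# placeholders, not the alert's real IOCs. 999.1.1.1 is a deliberate bad entry.
INDICATOR_TEXT = """
  • 192.0.2.10
  • 198.51.100.7
  • 203.0.113.250
  • 999.1.1.1
"""

# Constructed iptables-style firewall log lines (SRC=/DST= fields).
SAMPLE_LOGS = [
    "fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=443",
    "fw kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=203.0.113.250 PROTO=TCP SPT=51000 DPT=22",
    "fw kernel: IN=eth0 OUT= SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=53",
    "fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.9 PROTO=TCP SPT=44322 DPT=80",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FIELD_RE = re.compile(r"\b(SRC|DST)=(\S+)")

def parse_indicators(text: str) -> set[ipaddress.IPv4Address]:
    """Pull every IPv4 token out of the list; tokens that are not valid
    addresses (e.g. 999.1.1.1) are skipped rather than poisoning the set."""
    iocs = set()
    for token in IP_RE.findall(text):
        try:
            iocs.add(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue
    return iocs

def scan_logs(lines: list[str], iocs: set[ipaddress.IPv4Address]) -> list[dict]:
    """One hit per log line whose SRC or DST is an indicator. SRC hits are
    inbound traffic from the indicator; DST hits mean an internal host
    initiated contact with it, which deserves a closer look."""
    hits = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        for field, direction in (("SRC", "inbound"), ("DST", "outbound")):
            try:
                addr = ipaddress.IPv4Address(fields.get(field, ""))
            except ipaddress.AddressValueError:
                continue  # field absent or malformed on this line
            if addr in iocs:
                hits.append({"direction": direction, "indicator": str(addr), "line": line})
    return hits
```

Calling `scan_logs(SAMPLE_LOGS, parse_indicators(INDICATOR_TEXT))` returns three hits: two inbound from 192.0.2.10 and one outbound to 203.0.113.250, the latter being the one to investigate first.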

If Security On-Demand’s SOC has seen any suspicious activity related to these IOCs, we have already notified you. We will continue to monitor and provide you with relevant updates.

Please contact your Security On-Demand Customer Success Manager if you have any questions about this alert.

Additional Resources

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://securityboulevard.com/2022/06/killnet-analysis-of-attacks-from-a-prominent-pro-russian-hacktivist-group/
