New Cyber Defense Brand DeepSeas to Unite Newly Acquired Commercial Managed Threat Services Business from Booz Allen Hamilton with Security On-Demand. Learn More

Schedule a demo

Threat Flash Alert: Significant Attacks Being Observed from Iraqi Infrastructure

Peter Bybee

Peter Bybee

Event Summary

Security On-Demand’s Threat Reconnaissance Unit has observed what appears to be a sustained campaign of malicious activity originating from an Iraqi ISP on IP addresses 185.166.24.0/22 all over HTTPS (Port 443). Starting on July 9th, we observed a significant spike of data flooding networks with up to 20 million log events per day.  To date, we have seen that this has been a widespread attack, affecting 35% of our clients so far.

Recommendation

We recommend that you pre-emptively apply blocks on this range unless  you have business equities that utilize that network. For our SOD clients, if your organization was affected by this threat actor, we have already sent you a notification or are currently in the process of doing so. Further information regarding the details of this traffic is included below for additional analysis. SOD is always available to answer any questions you may have.

Details

Here is an example of the kind of volumes we are observing, this traffic is consistent with what we are seeing across all affected clients, though the scale of log events varies:

 

Threat Intelligence

This IP range is owned by an Internet Service Provider (ISP) based in Iraq. The connections are coming from a variety of IP addresses within that /22 range (1024 IP addresses) rather than one or two dedicated IPs launching the attack.  It is unlikely that the Iraqi actors on that network are behind the attacks, rather it is more likely that this range has been partially hijacked by a third party who is carrying out the attacks using the ISP’s infrastructure. Various IP addresses have been blacklisted by a number of different threat intelligence sources, ranging from spam to malware to FTP blacklists. We do not have any indication at this point of who may be behind these attacks, though our TRU team is working on gathering additional intelligence on this campaign and will continue to provide updates to our clients being impacted.

Whois Data
IP Range: 185.166.24.0-185.166.27.255
IP Owner: Online Company for Technological Information
Country: Iraq
Email Contact: gharib@onlineco.com

SOD Actions

At Security On-Demand we are actively monitoring and searching through our customers’ data to identify if these attacks are affecting you. If we see activity that is not being blocked, we will send you a notification.

If you are a customer of our managed firewall or managed IPS services, at your direction, we will block this activity.

For more questions, email us at soc@securityondemand.com

RECOMMENDED POSTS

70% of threats today cannot be detected using static cyber security tools. Security On-Demand’s ThreatWatch® platform can detect the advanced threats that most providers miss. 

Detect Early. Respond Early.

sales@securityondemand.com

SERVICES

ABOUT

SIGN-UP FOR FREE THREAT FLASH ALERTS

FOLLOW US

Twitter-square Linkedin Facebook Youtube

© 2014-2022 Security On-Demand. All Right Reserved