Security On-Demand’s Threat Reconnaissance Unit has observed what appears to be a sustained campaign of malicious activity originating from an Iraqi ISP on IP addresses 126.96.36.199/22 all over HTTPS (Port 443). Starting on July 9th, we observed a significant spike of data flooding networks with up to 20 million log events per day. To date, we have seen that this has been a widespread attack, affecting 35% of our clients so far.
We recommend that you pre-emptively apply blocks on this range unless you have business equities that utilize that network. For our SOD clients, if your organization was affected by this threat actor, we have already sent you a notification or are currently in the process of doing so. Further information regarding the details of this traffic is included below for additional analysis. SOD is always available to answer any questions you may have.
Here is an example of the kind of volumes we are observing, this traffic is consistent with what we are seeing across all affected clients, though the scale of log events varies:
This IP range is owned by an Internet Service Provider (ISP) based in Iraq. The connections are coming from a variety of IP addresses within that /22 range (1024 IP addresses) rather than one or two dedicated IPs launching the attack. It is unlikely that the Iraqi actors on that network are behind the attacks, rather it is more likely that this range has been partially hijacked by a third party who is carrying out the attacks using the ISP’s infrastructure. Various IP addresses have been blacklisted by a number of different threat intelligence sources, ranging from spam to malware to FTP blacklists. We do not have any indication at this point of who may be behind these attacks, though our TRU team is working on gathering additional intelligence on this campaign and will continue to provide updates to our clients being impacted.
IP Range: 188.8.131.52-184.108.40.206
IP Owner: Online Company for Technological Information
Email Contact: email@example.com
At Security On-Demand we are actively monitoring and searching through our customers’ data to identify if these attacks are affecting you. If we see activity that is not being blocked, we will send you a notification.
If you are a customer of our managed firewall or managed IPS services, at your direction, we will block this activity.
For more questions, email us at firstname.lastname@example.org