NEW PRESS RELEASE: SOD Awarded $2.2 M Grant to Futher Develop AQ Technology | Click Here
widespread network probing

Threat Flash Alert: Widespread Network Probing from Malicious Russian Infrastructure

17 November 2020

Malicious Probing Event Summary

The Security On-Demand Security Operations Center (SOC) has observed widespread network probing from Russian IP range 193.27.228.0/23. In some cases, we have observed millions of events in a 24-hour period possibly resulting a DOS condition. In the last 24 hours we have observed over 190 clients having received at least two inbound packets from this range based upon the data being fed into our monitoring system. However over 130 environments generated 1,000+ events with 53 generating 10,000+, and four with over 1,000,000.

During the course of our investigation, our Threat Reconnaissance Unit (TRU) discovered that this IP range is notorious for conducting cyberattacks and reconnaissance. In 2019, for example, multiple IP’s in this range scanned various networks looking for devices vulnerable to Bluekeep and attempted to exploit Remote Desktop Protocol (RDP, Port 3389)[1]. Around that same time and since, various ransomware attacks believed to have originated from Russia or Eastern Europe have successfully exploited RDP. It is our belief that this ongoing scanning we have seen over these past days could be a widespread campaign to identify vulnerable systems on the Internet to infect with ransomware.

Details

The scanning activity does appear to be widespread and is not focused on a single protocol or port number. Rather in the environments where we are seeing high volume, the destination ports are varied, ranging from well-known ports (0-1024) up to randomly assigned ports (10,000+). In nearly every case, all of the activity was successfully blocked based upon the investigations carried out thus far.

We observed a majority of the scanning activity occurring from the following three IP addresses:

  • 193.27.229[.]38
  • 193.27.228[.]153
  • 193.27.228[.]157

Interestingly, it does appear that these IP addresses may be controlled by the same entity as the bulk of the activity appeared to start with the .157 IP address, then move to the .153, ultimately transitioning to the .38 in the last 24-48 hours.

These IP addresses are owned by hostway.ru within the Selectel autonomous system. As mentioned above, these IP’s and the entire /23 range they sit on are known for malicious activity. However, it is important to point out that the malicious activity emerging from this range is just a small percentage of the internet traffic generated from or hosted by this Selectel autonomous system. So, simply seeing that you are communicating with an IP within that range does not generally mean something malicious is occurring.

Recommendations

Considering nearly all of this activity appears to have been successfully blocked in the environments wherein we have seen it, it may not be necessary to take any direct action, aside from perhaps investigating if any additional malicious activity may have occurred on devices that we may not be monitoring for you.

Organizations with very high volumes of activity ought to evaluate the performance impact on devices that are being impacted to minimize risk of system failure or overload. We also recommend applying additional blocks on other internet facing devices as you deem necessary.

SOD Actions

The SOC is conducting a thorough investigation of each environment and will be sending out Security Event Notifications to any customers who meet any of the following conditions:

  1. Very high volume of traffic that could result in a DOS condition or that significantly impacts network performance
  2. Any indication where the scans were “allowed” and may have been able to glean information on your environment for the malicious actors conducting the reconnaissance.
  3. Any alerts generated in our alerting system that an environment is under attack or has been compromised (note: thus far nothing meets this criteria).

Additionally, for customers for whom we are managing network devices, our services delivery team will be applying additional mitigation actions on the devices we manage once approved by the appropriate decision maker at your organization.

[1] Note: RDP attacks do not only occur over port 3389, the actors also targeted additional ports. However, 3389 is the primary focus.

 

Additional Resources

For questions, contact us at soc@securityondemand.com or call us at +1(858)408-1443. You can also contact us here.