A separate list contains 166 domains used to attack Russian infrastructure
Mihir Bagwe
March 4, 2022
The Russian National Computer Incident Coordination Center has published a list of 17,576 IP addresses and 166 domains which it claims are targeting the country’s information resources via distributed denial of service attacks.
The agency also released a separate document containing corrective measures to help organizations and users protect their information assets.
List of attackers
Some notable names in the list of domains used to carry out DDoS attacks against Russian information resources, according to NCCCI, include:
- fbi.com – United States Federal Bureau of Investigation;
- cia.gov/index.html – United States Central Intelligence Agency;
- usatoday.com/search/results?q= – American media;
- korrespondent.net and ua.korrespondent.net – Ukrainian media;
- 24News.ge, megatv.ge – German news organizations and media;
- tv8.md, stiri.md – Moldovan news organizations and media;
- euroradio.fm – European Radio for Belarus.
Recommendations for protection
The self-proclaimed hacktivist group Anonymous recently called on hackers around the world to target Russian infrastructure and wage cyber warfare against the Kremlin’s intentions to invade Ukraine, the group announced in a tweet. Since then, the number of recorded cyber attacks and cyber warfare incidents directed against the two countries by their respective supporters and hacker groups has increased.
Citing these massive cyberattacks on Russian computing resources, the NCCCI recommended 20 measures to counter these security threats. The first is to add a security perimeter to the organization’s or user’s network devices.
The NCCCI says to take an inventory of all network devices and services running in your organization, along with the firewall rules that give them access, and to restrict outside access to all infrastructure services and devices except those that are absolutely necessary.
For protection against DDoS attacks, NCCCI recommends:
- Use anti-DDoS solutions to guard against this attack vector;
- Restrict network traffic whose Referer HTTP header field matches the values listed in the referer_http_header.txt file;
- Restrict network traffic from the IP addresses listed in the proxy file containing 17,576 IP addresses, as these addresses belong to proxy servers used in DDoS attacks.
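The two traffic restrictions above (a Referer blocklist and a proxy-address blocklist) are easy to rehearse offline against existing access logs before changing firewall or web-server rules. The following is an added example, not code from the article or from the NCCCI; the blocklist contents, the log lines and the function names are all constructed for illustration, and the real referer_http_header.txt and proxy files are not on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for the NCCCI "referer_http_header.txt" (one hostname per line).
# These are sample entries, not the contents of the real file.
REFERER_BLOCKLIST = """
# constructed sample
fbi.com
usatoday.com
korrespondent.net
"""

# Constructed stand-in for the proxy-address list (RFC 5737 documentation ranges).
PROXY_LIST = """
# constructed sample
203.0.113.7
198.51.100.0/24
"""

# Constructed access-log lines in the Apache/nginx "combined" format.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Mar/2022:10:00:01 +0300] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '192.0.2.10 - - [04/Mar/2022:10:00:02 +0300] "GET / HTTP/1.1" 200 512 "https://ua.korrespondent.net/x" "Mozilla/5.0"',
    '192.0.2.11 - - [04/Mar/2022:10:00:03 +0300] "GET /news HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0"',
    '198.51.100.44 - - [04/Mar/2022:10:00:04 +0300] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.25"',
    '192.0.2.12 - - [04/Mar/2022:10:00:05 +0300] "GET / HTTP/1.1" 200 512 "https://notfbi.com/" "Mozilla/5.0"',
]

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def load_hosts(text):
    """Parse a hostname list; blank lines and '#' comments are ignored."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            hosts.add(line)
    return hosts


def load_networks(text):
    """Parse an address list; bare addresses become /32 (or /128) networks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def referer_host(value):
    """Return the lower-cased hostname of a Referer value, or '' if absent or unparseable."""
    if not value or value == "-":
        return ""
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:
        return ""


def host_blocked(host, blocked):
    """Exact match or subdomain match on a dot boundary, so notfbi.com does not match fbi.com."""
    return any(host == b or host.endswith("." + b) for b in blocked)


def classify(line, blocked_hosts, networks):
    """Return the rule that would block this request ('proxy-ip' or 'referer'), None if
    allowed, or 'unparsed' for lines the parser cannot read (surfaced for manual review)."""
    m = COMBINED_RE.match(line)
    if not m:
        return "unparsed"
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return "unparsed"
    if any(addr in net for net in networks):
        return "proxy-ip"
    if host_blocked(referer_host(m.group("referer")), blocked_hosts):
        return "referer"
    return None


def filter_log(lines, referer_text=REFERER_BLOCKLIST, proxy_text=PROXY_LIST):
    """Return [(client_ip, rule)] for every line a rule would have blocked or could not parse."""
    blocked_hosts = load_hosts(referer_text)
    networks = load_networks(proxy_text)
    hits = []
    for line in lines:
        rule = classify(line, blocked_hosts, networks)
        if rule:
            hits.append((line.split(" ", 1)[0], rule))
    return hits


if __name__ == "__main__":
    for ip, rule in filter_log(SAMPLE_LOG):
        print(f"{ip:16} blocked by {rule}")
```

Running this against a day of real logs before enabling the rules shows how much legitimate traffic the Referer list would cut (a news site linking to you is not an attack) and whether the proxy list overlaps with your own monitoring or CDN addresses; the suffix match on a dot boundary is deliberate, since a plain substring match would also block unrelated domains.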
“Use Russian DNS servers. Use corporate DNS servers and/or your telco’s DNS servers to prevent organization users from being redirected to malicious resources or other malicious activity. If the DNS zone of your organization is served by a foreign telecommunications operator, transfer it to the information space of the Russian Federation,” the agency says.
It also asks users to use remote access tools that are not provided by foreign companies and to use virtual private network technology for secure data exchange.
Other recommended cybersecurity measures include:
- Configure logging.
- Perform unplanned password changes for all systems related to key infrastructure elements.
- Use strong and unique passwords.
- Regularly update anti-virus protection tools.
- Disable automatic software updates.
- Apply data backups.
- Beware of phishing emails.
- Disable third-party plugins such as Google AdSense, SendPulse, MGID, lentainform, and onthe.io on their organization’s websites.
Russian communications watchdog Roskomnadzor had also asked Google to stop showing online video ads containing what it called “false political information” about Ukraine, according to a Wall Street Journal report. Citing strict Russian government standards, the tech giant halted operations in the country on Friday. “Given the extraordinary circumstances, we are suspending Google ads in Russia. The situation is changing rapidly and we will continue to share updates as appropriate,” Google/Alphabet said in a written statement.
Russia has also tightened its restrictions on Facebook access in the country, according to NetBlocks, an independent organization that maps internet freedom around the world. NetBlocks also said several other news sites were unavailable as the international community targeted state-run media, but it is still unclear whether the downing of news sites was due to cyberattacks by external adversaries or to censorship by the Russian government.
In addition, various news sites have become partially or completely unavailable on several internet service providers in #Russia. The incidents come as the country’s state-aligned media are targeted by the international community.
—NetBlocks (@netblocks) March 4, 2022
NCCCI Alert for Critical Infrastructure
On February 21, Russian President Vladimir Putin recognized two independent nations in Ukraine’s Donbass region and ordered the Russian military to launch peacekeeping operations in the region. But the first missile shells were fired on February 24. In view of this, the NCCCI, on the same day, issued an alert for all its critical infrastructure organizations.
“In the current tense geopolitical environment, we expect an increase in the intensity of cyberattacks against Russian information assets, including critical infrastructure entities. Attacks may be aimed at violating the functioning of important assets and information services, causing reputational damage, including for political purposes. In addition, it is possible to exert other malevolent influences from the Russian information space for the consistent formation of a negative image of our country in the eyes of global communities,” the agency said.
NCCCI has instructed information specialists to increase their monitoring of malicious activity and report any information on system anomalies associated with any critical infrastructure operation.
Legacy Cisco Vulnerabilities Targeted
In a separate alert released Thursday, the NCCCI warned users of “massive exploitation of vulnerabilities in Cisco equipment by cybercriminals.”
The nine vulnerabilities date back to 2017 and persisted in Cisco IOS and IOS XE software. They are:
According to the Cisco advisory released at the time, all nine vulnerabilities are present in the Simple Network Management Protocol subsystem of Cisco IOS and IOS XE Software. The advisory says an attacker can exploit these flaws by sending a specially crafted SNMP packet to an affected system over IPv4 or IPv6. If exploited, it allows “an authenticated remote attacker to remotely execute code on an affected system or cause an affected system to reload”.
Cisco says the vulnerabilities are due to a buffer overflow condition in the affected software’s SNMP subsystem and affect all versions of SNMP: versions 1, 2c and 3.
“Only traffic directed to an affected system can be used to exploit these vulnerabilities,” Cisco said.
Cisco specifies that the conditions for exploitation vary according to the SNMP version in use:
- SNMP version 2c or earlier: the attacker must know the SNMP read-only community string of the affected system to exploit these vulnerabilities.
- SNMP version 3: the attacker must have user credentials for the affected system. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload.
At the time, Cisco said, “On January 6, 2017, a security researcher released working exploit code for these vulnerabilities.”
Software updates and workarounds for the vulnerabilities are available, and NCCCI has urged Russian organizations to update their software.
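Because every one of the SNMP conditions above starts with the attacker holding a community string or SNMPv3 credentials, and Cisco notes that only traffic directed at the device can trigger the flaws, a quick audit of how SNMP is exposed in a running configuration is a useful companion to patching. The script below is an added example, not code from the article, the NCCCI or Cisco: it parses a constructed IOS configuration excerpt and flags default community strings, read-write communities, communities without an access-list, references to undefined access-lists, and SNMPv3 groups below the priv security level. The IOS command syntax it matches is assumed from general IOS usage, the findings are general hardening checks rather than the specific workarounds in Cisco’s advisory, and all function names are invented here.

```python
import re

# Constructed Cisco IOS configuration excerpt (sample only, not from any real device).
SAMPLE_CONFIG = """
hostname edge-rtr-01
!
access-list 10 permit 192.0.2.5
!
snmp-server community public RO
snmp-server community S3cureStr1ng RO 10
snmp-server community private RW
snmp-server community Legacy-RO RO 20
snmp-server group NMS-GROUP v3 priv
snmp-server group LEGACY v3 noauth
"""

# Community strings shipped as vendor defaults and tried first by any scanner.
DEFAULT_COMMUNITIES = {"public", "private"}

# Assumed IOS syntax: "snmp-server community <string> [view <name>] RO|RW [<acl>]"
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$")
# Assumed IOS syntax: "snmp-server group <name> v3 auth|noauth|priv ..."
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (auth|noauth|priv)\b")
# Numbered ACLs ("access-list 10 ...") and named ACLs ("ip access-list standard NAME").
ACL_RE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")


def defined_acls(lines):
    """Collect the names/numbers of every ACL defined anywhere in the config."""
    acls = set()
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config_text):
    """Return a list of (line_no, finding, detail) tuples describing SNMP exposure.

    Findings: default-community, rw-community, no-acl, acl-undefined, v3-not-priv.
    An empty list means no SNMP community or v3 group raised a flag.
    """
    lines = [l.strip() for l in config_text.splitlines()]
    acls = defined_acls(lines)
    findings = []
    for no, line in enumerate(lines, start=1):
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, "default-community", community))
            if mode == "RW":
                findings.append((no, "rw-community", community))
            if acl is None:
                # No ACL: any host that can reach the device may speak SNMP to it.
                findings.append((no, "no-acl", community))
            elif acl not in acls:
                # IOS accepts a reference to an ACL that does not exist yet; the
                # effect is that the restriction is not actually applied.
                findings.append((no, "acl-undefined", acl))
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2) != "priv":
            findings.append((no, "v3-not-priv", f"{m.group(1)} ({m.group(2)})"))
    return findings


if __name__ == "__main__":
    for no, finding, detail in audit_snmp(SAMPLE_CONFIG):
        print(f"line {no:3}: {finding:18} {detail}")
```

Feeding it the output of `show running-config` from each device gives a per-device list of SNMP exposures to clear alongside the software update; a device that is fully patched but still answers SNMPv2c with the community string `public` from any address remains a weak point for the next advisory.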