Russia Lists 17,576 IPs Used in DDoS AttacksSeparate List Contains 166 Domains Used in Attacking Russia's Infrastructure
Russia's National Coordination Center for Computer Incidents has published a list of 17,576 IP addresses and 166 domains that it says are targeting the country's information resources via distributed denial-of-service attacks.
The agency has also released a separate document containing remediation measures to help organizations and users protect their information resources.
List of Attackers
Some noteworthy names in the list of domains used for carrying out DDoS attacks against Russian information resources, according to the NCCCI, include:
- fbi.com - U.S. Federal Bureau of Investigation;
- cia.gov/index.html - U.S. Central Intelligence Agency;
- usatoday.com/search/results?q= - U.S. news outlet;
- korrespondent.net and ua.korrespondent.net –Ukrainian media outlet;
- 24News.ge, megatv.ge - German news and media outlets;
- tv8.md, stiri.md - Moldavian news and media outlets;
- euroradio.fm –European Radio for Belarus.
Recommendations for Protection
The self-proclaimed hacktivist group Anonymous recently called upon hackers around the globe to target the Russian infrastructure and wage a cyberwar against the Kremlin's intentions of invading Ukraine, the group announced in a tweet. Since then, the number of registered cyberattacks and cyberwarfare incidents directed toward both countries by their respective supporters and hacker groups have increased.
Citing these massive cyberattacks on Russian IT resources, the NCCCI has recommended 20 measures to counter these security threats. The first is to add a security perimeter to the organization's or user's network devices.
The NCCCI says to conduct an inventory of all network devices and services operating in your organization, as well as firewall rules that provide access to them, and restrict outside access to all services and devices in the IT infrastructure, except those that are absolutely necessary."
For protection against DDoS attacks, the NCCCI recommends:
- Using anti-DDoS solutions to protect against this attack vector;
- Restricting network traffic containing the Referer HTTP header field of the value from the referer_http_header.txt file;
- Limiting network traffic from the IP addresses listed in the proxies file containing 17,576 IP addresses because those addresses belong to proxy servers used in DDoS attacks.
"Use Russian DNS servers. Use the corporate DNS servers and/or the DNS servers of your telecom operator in order to prevent the organization's users from being redirected to malicious resources or other malicious activity. If your organization's DNS zone is serviced by a foreign telecom operator, transfer it to the information space of the Russian federation," it says.
It also asks users to use remote access tools that are not provided by foreign companies and to use virtual private network technology for secure data exchange.
Other recommended cybersecurity measures include:
- Set up logging.
- Perform unscheduled password changes for all systems linked with key infrastructure elements.
- Use strong and unique passwords.
- Update antivirus protection tools on a regular basis.
- Turn off automatic software updates.
- Enforce data backups.
- Watch out for phishing mails.
- Disable third-party plug-ins such as Google AdSense, SendPulse, MGID, lentainform and onthe.io on their organization's websites.
The Russian communications watchdog Roskomnadzor had also asked Google to stop showing online video ads with what it called "false political information" about Ukraine, according to a report from The Wall Street Journal. Citing the stringent norms of the Russian government, the technology giant on Friday halted its operations in the country. "In light of the extraordinary circumstances, we're pausing Google ads in Russia. The situation is evolving quickly, and we will continue to share updates when appropriate," Google/Alphabet said in a written statement.
Russia has also hardened its restrictions on Facebook access within the country, according to NetBlocks, an independent organization that maps internet freedom across the globe. NetBlocks also said that several other news sites were unavailable due to the international community targeting the state-owned media, but it is still not clear whether the outage of news sites is due to cyberattacks from external adversaries or the censorship of the Russian government.
Additionally, various news sites have become partially or entirely unavailable on multiple internet providers in #Russia. The incidents come as the country's state-aligned media outlets are targeted by the international community. pic.twitter.com/2wD9OjBVMm— NetBlocks (@netblocks) March 4, 2022
NCCCI's Alert for Critical Infrastructure
On Feb. 21, Russian President Vladimir Putin recognized two independent nations from Ukraine's Donbas region and ordered the Russian army to launch peacekeeping operations into the area. But the first missile shells were fired on Feb. 24. Considering this, the NCCCI, on the same day, released an alert for all its critical infrastructure organizations.
"In the current tense geopolitical environment, we expect an increase in the intensity of cyberattacks on Russian information resources, including entities of critical infrastructure. Attacks may be aimed at violating functioning of important information resources and services, causing reputational damage, including for political purposes. In addition, it is possible to carry out further malicious influences from the Russian information space for consistent formation of a negative image of our country in the eyes of the world communities," it said.
The NCCCI asked information specialists to increase their monitoring of malicious activity and report any information about anomalies in systems associated with any critical infrastructure operation.
Old Cisco Vulnerabilities Targeted
In a separate alert published on Thursday, the NCCCI warned users of a "mass exploitation of vulnerabilities in Cisco's equipment by cybercriminals."
The nine vulnerabilities date back to 2017 and persisted in Cisco IOS and IOS XE software. They are:
According to the Cisco advisory issued at the time, the nine vulnerabilities are present in the Simple Network Management Protocol subsystem of Cisco IOS and IOS XE Software. The advisory says an attacker can exploit these flaws by sending a specially crafted SNMP packet to an affected system via IPv4 or IPv6. If exploited, it allows "an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload."
Cisco says the vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software and affect all versions of SNMP - Versions 1, 2c, and 3.
"Only traffic directed to an affected system can be used to exploit these vulnerabilities," according to Cisco.
Cisco says the conditions for exploitation vary according to the version of the software used.
- SNMP Version 2c or earlier: The attacker must know the SNMP read-only community string for the affected system to exploit these vulnerabilities.
- SNMP Version 3: The attacker must have user credentials for the affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload.
At the time, Cisco said, "On January 6, 2017, a security researcher published functional exploit code for these vulnerabilities."
Software updates and workarounds for the vulnerabilities are available, and the NCCCI has urged Russian organizations to update their software.