nanog mailing list archives

Re: Russian Anal Probing + Malware


From: Brad via NANOG <nanog () nanog org>
Date: Sun, 23 Jun 2019 21:43:00 +0000

See inline responses...

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg () tristatelogic com> wrote:

https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248


After forwarding these links to a sanitized client on another network, I saw nothing on the "twitter reports" which 
suggest these subnets are doing anything other than port scanning.

For those who refuse to follow Twitter links (I'm with ya):
There is one cropped screen shot of a pcap with some incomplete information for an entirely different subnet and zero
useful intel.

Am I missing something, or do you have any actual log files to support your claims of malware slinging from these guys?
...and I do not want "popularity contest" results from the Twitter-verse to protect our networks. Real data is
needed. We need to know what we are looking for specifically.

As for the network probing - this is why those activities are blocked and other techniques are implemented to obscure
the usefulness of the data they collect. The way I see it... if people go poking their hands in the honey jars without
permission, they may just get something they do not want or expect (I hear non-consensual probing can infect the
violator with certain diseases, and that would be a shame).


Friday Questionnaire:

Is there anybody on this list who keeps firewall logs and who
DOESN'T have numerous hits recorded therein from one or more
of the following IP addresses?


[snip]


NOTE: Dshield has already assigned an 8 rating on their Badness Richter
Scale to the specific one of the above addresses that's been poking me
personally in recent days:

https://www.dshield.org/ipinfo.html?ip=89.248.162.168
https://www.dshield.org/ipdetails.html?ip=89.248.162.168

And the Dshield rating is just based on the probing. The addition of
malware slinging also puts this whole mess over the top entirely.


What malware?


Oh! And I'll save you all the time looking it up.... 100% of the IPs
listed above are on AS202425 "IP Volume, Inc." allegedly of the Seychelles
Islands, where the employees and management are no doubt enjoying their
luxurious and expansive new corporate headquarters...


Sounds like a good deal.



https://bit.ly/2ZBayc4

I do not follow external links generally, as a rule, without compelling need and additional measures taken.



Regards,
rfg

P.S. This is the kind of thing that everybody really should expect
when the U.S. Department of Defense takes it upon itself to start up
its own little private and unauthorized (cyber)war on Russia, without
first obtaining the consent of Congress... you know, kinda like that
ancient yellowed document that nobody in this country reads anymore
says they should. And apparently, the DoD was understandably not
anxious to brief even the President about all this...

https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6

(Not that anybody can really blame them for THAT.)


P.S. Let's try to keep politics off the list. We get enough of that everywhere else.

Thanks,
Brad
