
Communication Barrier from KillNet
Active since at least January 2022, KillNet has evolved from a leased DDoS service into a full-fledged threat group. Its distributed denial of service (DDoS) attacks overwhelm targeted web servers so that they can no longer serve legitimate users. While KillNet's ties to official Russian government agencies, such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service, have not been confirmed, the group should be viewed as a threat to government and critical infrastructure organizations, including health services.
Indicators of Compromise
Domains (8)
client.smscredit.lv
strivemktsupporters.com
85.lp.ret.sbx.tg
bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai.ipfs.w3s.link
w32.00ab15b194-95.sbx.tg
secnoticeview.do
secinfoview.do
40gmail.com
Hashes (286)
IPv4 (150)
81.17.18.62
167.179.78.160
2.57.122.82
164.92.218.139
209.141.58.146
14.63.165.32
61.97.248.72
72.167.47.69
158.247.202.188
81.17.18.58
103.138.82.215
203.233.72.35
185.220.101.15
185.220.102.243
23.129.64.219
134.122.188.187
156.240.104.115
137.220.53.224
23.129.64.217
185.220.100.243
+130 more
CVEs (6)
CVE-2022-3602
CVE-2022-42827
CVE-2022-32917
CVE-2022-32894
CVE-2021-26606
CVE-2022-42889
APT Groups
Killnet
Russian Federation
Mitigation
MITRE Map

Reconnaissance
- T1595: Active Scanning
- T1589: Gather Victim Identity Information

Resource Development
- T1583: Acquire Infrastructure
- T1584: Compromise Infrastructure

Credential Access
- T1110: Brute Force

Impact
- T1498: Network Denial of Service
- T1489: Service Stop

Primary Killnet Tactics

Brute-force dictionary attacks against:
- SSH (port 22), primarily targeting the root account
- Minecraft and TeamSpeak servers

DDoS attacks at two OSI layers:
- layer 4 (SYN floods)
- layer 7 (high volumes of POST/GET requests) to cause resource exhaustion and service failure

In various Telegram groups the operators coordinate with members who are instructed to use IP stresser-for-hire tools such as Crypto Stresser, DDG Stresser, Instant-Stresser, and Stresser.ai. Several scripts are also used during their attacks, among them CC-attack, MDDoS, Low Orbit Ion Cannon (LOIC), KARMA, and Dummy.

How to Prevent a Killnet Attack

Two defensive measures matter most: enforce strong password policies (or, better, key-based authentication) that withstand basic brute-force credential attacks, and have a tested strategy for absorbing DDoS attacks.

Further defensive measures:
- Purchase DDoS mitigation services from an Internet Service Provider (ISP), Content Delivery Network (CDN), or Web Application Firewall (WAF) provider.
- Deploy multi-factor authentication (MFA) for all remote access.
- Block known KillNet-related IoCs, such as the IP addresses used in KillNet attacks. Such lists age quickly and may contain shared infrastructure, so review entries before blocking them permanently.
- Place internet-facing systems in a DMZ (demilitarized zone) so that a compromised or overwhelmed front end cannot reach internal networks directly.
- Employ DDoS protection based on web bot detection techniques.
- Reduce the attack surface; Attack Surface Management (ASM) platforms help inventory what is actually exposed.
- Subscribe to cyber threat intelligence (CTI) feeds that monitor dark web sources, so that emerging threats are identified early and the organization receives actionable intelligence.
- Configure web servers and APIs with security modules (for example request rate and connection limits) so that they keep performing during a traffic spike.
- Stress-test all critical services for their ability to handle resource-exhaustion attacks.
- Create and rehearse an Incident Response Plan (IRP) for the worst case, in which services suffer temporary downtime.
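The SSH brute-force pattern described under Primary Killnet Tactics shows up in sshd logs long before an account falls. The following is an added example (not the page's own tooling and not KillNet's code): it parses OpenSSH "Failed password" lines, counts failures per source IP in a sliding window, and reports sources that cross a threshold, noting whether root was among the targeted accounts. The log lines are constructed for the example, and the 60-second window and five-failure threshold are assumed values to tune for your environment.

```python
"""Detect SSH password brute-force bursts in OpenSSH auth log lines.

Added example, not the page's own tooling. The log lines are constructed;
the window and threshold are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines, including the "invalid user" variant
# written for account names that do not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_syslog_ts(ts: str, year: int = 2022) -> datetime:
    """Syslog timestamps carry no year; assume one so lines can be ordered."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {"failures": peak, "root": bool, "users": set}} for every
    source IP with >= threshold failed logins inside any window_s-second
    sliding window. "failures" is the largest count seen in one window."""
    recent = defaultdict(deque)     # ip -> timestamps still inside the window
    users = defaultdict(set)        # ip -> account names tried from that ip
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # accepted logins and other noise
        ip, user = m["ip"], m["user"]
        ts = parse_syslog_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # expire failures older than the window
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, {}).get("failures", 0))
            flagged[ip] = {"failures": peak, "root": "root" in users[ip],
                           "users": users[ip]}
    return flagged


# Constructed sample (not a real capture): one source hammering root, one
# probing non-existent accounts, and a legitimate user with a single typo.
AUTH_LOG = """\
Nov 12 03:14:01 bastion sshd[2101]: Failed password for root from 185.220.101.15 port 41022 ssh2
Nov 12 03:14:03 bastion sshd[2101]: Failed password for root from 185.220.101.15 port 41022 ssh2
Nov 12 03:14:05 bastion sshd[2105]: Failed password for root from 185.220.101.15 port 41030 ssh2
Nov 12 03:14:06 bastion sshd[2107]: Failed password for invalid user admin from 23.129.64.219 port 50011 ssh2
Nov 12 03:14:08 bastion sshd[2105]: Failed password for root from 185.220.101.15 port 41030 ssh2
Nov 12 03:14:10 bastion sshd[2109]: Failed password for root from 185.220.101.15 port 41044 ssh2
Nov 12 03:14:12 bastion sshd[2109]: Failed password for root from 185.220.101.15 port 41044 ssh2
Nov 12 03:14:20 bastion sshd[2111]: Failed password for invalid user test from 23.129.64.219 port 50019 ssh2
Nov 12 03:14:25 bastion sshd[2113]: Accepted publickey for deploy from 10.0.0.5 port 53100 ssh2
Nov 12 03:15:30 bastion sshd[2115]: Failed password for alice from 10.0.0.5 port 53122 ssh2
""".splitlines()


if __name__ == "__main__":
    for ip, info in detect_bruteforce(AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, "
              f"root targeted={info['root']}, users={sorted(info['users'])}")
```

The sliding window matters more than the raw count: a slow-and-low scanner spreading attempts over hours stays under a per-minute threshold, so pair this with a longer window or with the root-targeting flag alone, and feed confirmed sources into the same blocklist used for the DDoS indicators.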
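The blocklisting and layer-7 items in the prevention list above can be exercised together over web access logs. The following is an added example, not the page's or any vendor's code: it buckets requests per source IP into fixed windows to flag high-rate sources, and separately marks any source that appears in the IPv4 indicators listed on this page. The access-log lines are constructed; the 10-second window and 20-request threshold are assumptions, and the indicator set contains only the 20 addresses the page shows.

```python
"""Flag high-rate (layer 7 flood) sources in web access logs and match
sources against the KillNet IPv4 indicators listed on this page.

Added example, not the page's own tooling. Log lines are constructed;
window size and threshold are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# The 20 IPv4 indicators shown on this page (the "+130 more" are not listed).
KILLNET_IPV4 = {
    "81.17.18.62", "167.179.78.160", "2.57.122.82", "164.92.218.139",
    "209.141.58.146", "14.63.165.32", "61.97.248.72", "72.167.47.69",
    "158.247.202.188", "81.17.18.58", "103.138.82.215", "203.233.72.35",
    "185.220.101.15", "185.220.102.243", "23.129.64.219", "134.122.188.187",
    "156.240.104.115", "137.220.53.224", "23.129.64.217", "185.220.100.243",
}

# nginx/Apache combined log format, matched up to the response size field.
ACCESS_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def valid_ipv4(ip: str) -> bool:
    """True if ip is a syntactically valid IPv4 address."""
    try:
        return ipaddress.ip_address(ip).version == 4
    except ValueError:
        return False


def analyse(lines, window_s=10, threshold=20, blocklist=KILLNET_IPV4):
    """Return {ip: {"peak": n, "methods": Counter, "ioc": bool}} for each
    source that sent >= threshold requests inside one fixed window_s-second
    bucket, or that appears in the blocklist regardless of its rate."""
    buckets = defaultdict(Counter)   # ip -> Counter(bucket_id -> requests)
    methods = defaultdict(Counter)   # ip -> Counter(method -> requests)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                 # skip malformed lines
        ts = datetime.strptime(m["ts"], TS_FMT)
        bucket = int(ts.timestamp()) // window_s
        buckets[m["ip"]][bucket] += 1
        methods[m["ip"]][m["method"]] += 1
    findings = {}
    for ip, per_bucket in buckets.items():
        peak = max(per_bucket.values())
        ioc = ip in blocklist
        if peak >= threshold or ioc:
            findings[ip] = {"peak": peak, "methods": methods[ip], "ioc": ioc}
    return findings


def constructed_log():
    """Constructed sample (not real traffic): one source firing 30 POSTs at
    /login within 10 s, one listed IoC making a single request, and a normal
    browser session fetching a page and its assets."""
    base = datetime(2022, 11, 12, 3, 20, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'

    lines = [line("203.0.113.7", i // 3, "POST", "/login") for i in range(30)]
    lines.append(line("185.220.101.15", 4, "GET", "/"))
    lines += [line("198.51.100.20", i * 2, "GET", p)
              for i, p in enumerate(["/", "/css/site.css", "/js/app.js", "/about"])]
    return lines


if __name__ == "__main__":
    for ip, f in analyse(constructed_log()).items():
        print(f"{ip}: peak {f['peak']} requests in one window, "
              f"methods={dict(f['methods'])}, listed IoC={f['ioc']}")
```

Fixed buckets are cheap enough to run over a whole day of logs; the trade-off is that a burst straddling a bucket boundary is split in two, so set the threshold below what a single bucket should ever hold from one client. A listed indicator making one request is reported as well, because the point of the blocklist item is to see the indicator at all, not only when it floods.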