See inline responses... ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, June 21, 2019 6:13 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248
After forwarding these links to a sanitized client on another network, I saw nothing in the "twitter reports" which suggests these subnets are doing anything other than port scanning. For those who refuse to follow Twitter links (I'm with ya): There is one cropped screen shot of a pcap with some incomplete information for an entirely different subnet and zero useful intel. Am I missing something, or do you have any actual log files to support your claims of malware slinging from these guys? ....and I do not want "popularity contest" results of the twitter-verse to protect our networks. Real data is needed. We need to know what we are looking for specifically. As for the network probing - this is why those activities are blocked and other techniques are implemented to obscure the usefulness of the data they collect. The way I see it... If people go poking their hands in the honey jars without permission, they may just get something they do not want or expect (I hear non-consensual probing can infect the violator with certain diseases, and that would be a shame).
Friday Questionnaire:
Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?
[snip]
NOTE: Dshield has already assigned an 8 rating on their Badness Richter Scale to the specific one of the above addresses that's been poking me personally in recent days:
https://www.dshield.org/ipinfo.html?ip=89.248.162.168 https://www.dshield.org/ipdetails.html?ip=89.248.162.168
And the Dshield rating is just based on the probing. The addition of malware slinging also puts this whole mess over the top entirely.
What malware?
Oh! And I'll save you all the time looking it up.... 100% of the IPs listed above are on AS202425 "IP Volume, Inc." allegedly of the Seychelles Islands, where the employees and management are no doubt enjoying their luxurious and expansive new corporate headquarters...
Sounds like a good deal.
I do not follow external links generally, as a rule, without compelling need and additional measures taken.
Regards, rfg
P.S. This is the kind of thing that everybody really should expect when the U.S. Department of Defense takes it upon itself to start up its own little private and unauthorized (cyber)war on Russia, without first obtaining the consent of Congress... you know, kinda like that ancient yellowed document that nobody in this country reads anymore says they should. And apparently, the DoD was understandably not anxious to brief even the President about all this...
https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-tru...
(Not that anybody can really blame them for THAT.)
P.S. Let's try to keep politics off the list. We get enough of that everywhere else. Thanks, Brad