Summary
Sometimes events occur that capture the world's consolidated attention. These last several years have had more than their share of such events, including the global pandemic and now the conflict in Ukraine. Unfortunately, there are many actors that strive to take advantage of this attention for nefarious purposes. Frequently they are just opportunistic threat actors looking to exploit chaos for their own purposes, but they also include more sophisticated criminal enterprises and governments.
Collateral damage from cyber attacks can extend far from their initial target. For example, the NotPetya malware variant appeared to initially target Ukrainian interests in 2017, disabling the Chernobyl nuclear power plant and several Ukrainian ministries, banks and metro systems. However, it quickly spread to organizations outside of Ukraine, including Maersk and Merck & Co, amongst others.
Regardless of the actors involved, organizations have to protect themselves from the actions taken by these actors. This document will describe some of the things Infoblox is doing to help, and some of the things you can do with Infoblox in order to protect your organization from the actions taking place throughout the world.
What is Infoblox Doing?
Threat Indicators
As part of Infoblox's daily operations, we monitor trending topics in order to quickly identify actors looking to exploit interest in the events in Ukraine. These may be targeted or broadly distributed phishing attacks that drive users towards scam sites, or towards sites used for the distribution of malware and ransomware. Infoblox has identified a decided increase in such activity recently, and we continue to see new sites show up frequently. Whether these sites lead to malware or lure users into donations that will never reach their intended recipient, all of them are malicious in nature regardless of the originating group.
In addition to these indicators of compromise that we identify through our direct research, the cybersecurity community has been extremely active and transparent in their efforts to share new threat intelligence. Infoblox strives to include as much of this information in our threat feeds as possible. This means not only monitoring for such activity, but also vetting these indicators to ensure the shared indicator isn’t a false positive that could disrupt legitimate crisis response activities.
Infoblox is committed to the ongoing monitoring of such indicators, and to continue to refresh our existing threat feeds with this information as the events progress.
Policy Feeds
Infoblox maintains two policy feeds in the product today that some customers use to further prevent possible attacks: EECN IP (Eastern Europe and China), as well as Sanctions IP.
The Infoblox EECN IP feed originally included any IP address hosted in the following nations: Belarus, China, Moldova, Russia, Turkey and Ukraine. Due to the humanitarian concerns in Ukraine, Infoblox has decided to temporarily remove Ukraine from this list. Users wishing to block Russian IP addresses may enable this feed in blocking mode. However, understand that blocking EECN may have unintended consequences, as this blocks all traffic from those countries, and would include China and Turkey (countries in which organizations may have legitimate business interests). Infoblox is working to create a version of this feed that will still include Ukraine, providing users with the choice of blocking or not blocking Ukraine when using EECN.
Similarly, Infoblox also has a Sanctions IP feed that was useful in blocking countries on the sanctions list. Unfortunately, this originally included Ukraine, so Infoblox has decided to modify the Sanctions IP feed to only include sanctioned countries for which an embargo has been levied. As a result, the following countries are included in this list: Cuba, Iran, Myanmar, North Korea, Syria, and Venezuela. While this no longer blocks Ukraine, the new definition also does not include Russia. Infoblox will be monitoring the changing sanctions and adjust this list as needed.
Infoblox Infrastructure
Infoblox understands the criticality of the secure DNS resolver service provided as part of BloxOne Threat Defense and is taking the necessary steps to remain at a high level of alertness. With reports of cyber attacks, often related to Distributed Denial of Service (DDoS), Infoblox is taking additional measures to ensure the resiliency of the service and operations during these unique circumstances.
What can you do with Infoblox?
Existing users can take advantage of the protection already provided through the normal threat feeds, including Base, Antimalware, Antimalware_IP, Ransomware, etc., as new indicators trying to opportunistically take advantage of the Ukraine crisis are added to the appropriate feeds as they are discovered.
Consider using the policy feeds EECN_IP and Sanctioned_IP. These feeds block IP addresses known to reside in Russia, but may also block a number of other nations' IP addresses with which your organization may have legitimate business. Having a good understanding of the sites with which your organization interacts is important before implementing either of these feeds in blocking mode. For example, while EECN would block Russia, it would also block China, which may impact mission-critical communications. Similarly, the Sanctions feed includes 19 different countries for which economic sanctions exist. If you are considering the implementation of either of these feeds in blocking mode, it may be advisable to implement the feed in "logging mode" for a week or longer to determine whether any mission-critical sites would be blocked and your business impacted.
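The "logging mode first" check described above can be rehearsed offline before touching the production policy. The following is an added example written for this page, not Infoblox code and not a reproduction of the real EECN_IP or Sanctioned_IP feed contents: it takes a set of constructed CIDR ranges standing in for a policy feed (documentation prefixes with placeholder country labels), replays constructed DNS response log lines against them, and reports which queried names and which internal clients would have been affected had the feed been in blocking mode. The log format, the feed structure and all addresses are assumptions for the example.

```python
import ipaddress

# Constructed stand-in for policy feeds: feed name -> {CIDR: label}.
# These are documentation/test prefixes with placeholder labels, NOT the
# actual contents of any Infoblox feed.
POLICY_FEED = {
    "EECN_IP": {
        "198.51.100.0/24": "country-A",
        "203.0.113.0/24": "country-B",
    },
    "Sanctioned_IP": {
        "192.0.2.0/25": "country-C",
    },
}

# Constructed DNS response log: timestamp, client, queried name, type, answer.
SAMPLE_LOG = """\
2022-03-01T09:00:01Z 10.1.1.5 erp.partner.example A 198.51.100.20
2022-03-01T09:00:02Z 10.1.1.7 www.example.net A 93.184.216.34
2022-03-01T09:00:03Z 10.1.2.9 erp.partner.example A 198.51.100.20
2022-03-01T09:00:04Z 10.1.1.5 cdn.vendor.example A 203.0.113.9
2022-03-01T09:00:05Z 10.1.3.2 mail.example.org A 192.0.2.77
2022-03-01T09:00:06Z 10.1.1.7 malformed line that should be skipped
"""


def compile_feed(feed):
    """Turn one feed's text CIDRs into network objects for membership tests."""
    return [(ipaddress.ip_network(cidr), label) for cidr, label in feed.items()]


def parse_line(line):
    """Parse one constructed log line; return None for anything unusable."""
    fields = line.split()
    if len(fields) != 5 or fields[3] != "A":
        return None
    try:
        answer = ipaddress.ip_address(fields[4])
    except ValueError:
        return None
    return {"ts": fields[0], "client": fields[1], "qname": fields[2], "answer": answer}


def dry_run(log_text, feeds):
    """Simulate logging mode: record what each feed WOULD block, block nothing.

    Returns {feed_name: {qname: {"label", "hits", "clients"}}}.
    """
    compiled = {name: compile_feed(f) for name, f in feeds.items()}
    report = {name: {} for name in feeds}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, nets in compiled.items():
            for net, label in nets:
                if rec["answer"] in net:
                    entry = report[name].setdefault(
                        rec["qname"], {"label": label, "hits": 0, "clients": set()}
                    )
                    entry["hits"] += 1
                    entry["clients"].add(rec["client"])
                    break  # first matching range in this feed is enough
    return report


def summarize(report, feed_name):
    """Rank affected names by hit count: (qname, label, hits, distinct clients)."""
    rows = [
        (qname, e["label"], e["hits"], len(e["clients"]))
        for qname, e in report[feed_name].items()
    ]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    result = dry_run(SAMPLE_LOG, POLICY_FEED)
    for feed in POLICY_FEED:
        print(f"== {feed}: names that would have been blocked ==")
        for qname, label, hits, clients in summarize(result, feed):
            print(f"  {qname:<24} {label:<10} hits={hits} clients={clients}")
```

Run against a week of real resolver logs, the ranked output is the list to review with business owners: a name with many hits from many clients is a candidate for an allow-list exception before the feed is switched to blocking mode, while names with a handful of hits can be investigated individually.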
Infoblox frequently releases Cyber Campaign Briefs (CCBs) to provide in-depth detail about new indicators we have discovered and provide timely details about recent threat campaigns.
Often the goal of such attacks is to create a platform from which to launch a Distributed Denial of Service (DDoS) attack. These attacks attempt to disrupt services such as websites by flooding them with requests that overwhelm the resources available to them. Infoblox's Advanced DNS Protection (ADP) can help organizations protect themselves from DNS attacks as well as DDoS attacks. If you suspect your organization is a likely target of such an attack, you may want to consider protecting yourself with ADP.
Finally, if you are not a current BloxOne Threat Defense user, Infoblox is providing a limited short-term offer to provide free access to our BloxOne Threat Defense product in order to better protect your organization. Access to this program is available by contacting your Infoblox representative or by accessing the online form here.
Conclusion
Threat actors use the chaos of current events to opportunistically take advantage of users' attention. In times of conflict, especially in the 21st century, military campaigns are frequently accompanied by cyber attacks. Unfortunately, such cyber attacks can also spill over to impact other, unintended victims. Whether you face a threat actor taking advantage of the disruption, or are caught in the crossfire of another attack, the impact to your business is real. Infoblox has mobilized to protect the community from all related attacks, and is extending its resources to help you protect your organization.