In the wake of Killnet’s latest DDoS attack on U.S. hospitals on January 30, SecurityScorecard has made its KillNet open proxy IP blocklist available to the public. This list is the product of the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team’s ongoing research into KillNet. We released this list to help organizations better defend themselves against KillNet and other groups like it by preventing traffic from exploitable assets. In this blog, I’ll explain how we developed this proxy list and our recommendations for preventing DDos attacks.
Background on Killnet
Killnet, a Russia-aligned threat actor group, organizes within a Telegram channel with over 92,000 subscribers, sharing scripts for carrying out attacks.
We have observed the use of botnets such as Zhadnost and traditional attacks such as DNS amplification attacks against anti-Russian targets. The KillNet group specifically engages in crowdsourced attacks, several of which utilize open-source Python scripts. The Challenge Collapsar (CC)-Attack methodology, a type of DDoS attack that frequently sends forged HTTP requests to a target web server, has some similarity in the attack methods of Zhadnost, specifically in the use of vulnerable proxy servers that run MikroTik RouterOS.
The image below contains a screenshot of instructions provided on KillNet’s Telegram channel, which shows the commands that users can copy and paste into their computers in order to carry out attacks using the CC-Attack script.
Image 1: KillNet Telegram post providing DDoS instructions (Source: Telegram)
Brief history of CC-Attack
According to the CC-Attack GitHub page, the attack script appears to have been written by a programmer who identifies as a student “interested in cyber-attack” (sic). The original version was uploaded in 2020, and there have been several updates committed to the repository. When the script was created, there was no indication that the developer was directly associated with KillNet. That said, it’s common for attackers to make use of publicly available tools and exploits developed by unaffiliated third parties in order to accomplish their goals. We assess that is the case here with the KillNet collective.
The CC-Attack toolkit consists of very few files and requires little skill to deploy. This ease of use is likely one of the reasons KillNet distributed it as a suggested method for attack campaigns.
How STRIKE developed the proxy list
Because many of the group’s actions are publicly available, SecurityScorecard’s STRIKE team was able to gain some fundamental insights into the attack and its victims:
Members of the STRIKE team went to Github and found the code the group was using for its attack script.
By analyzing the code, STRIKE noticed that it goes to a few different websites where open proxies are listed.
By scraping the IP addresses in that code–and keeping an eye on it when it gets updated–STRIKE can keep a list of the proxies through which they’re routing their traffic.
Because STRIKE knew who got attacked (14 hospitals) and when (January 30), they were able to see who the proxies were talking to on the day of the attack and research the other sides of communications to see who was involved. This is all possible through a strategic partnership that allows SecurityScorecard exclusive access to traffic data.
We used our Attack Surface Intelligence tool to identify the IP addresses connected to MikroTik router software. This software has a specific vulnerability that can result in an open proxy, which gives permission for other devices to route traffic through it. By scanning the Internet, STRIKE is able to see where those vulnerable routers are and can put those IP addresses on a list. This is how we came up with the Zhadnost list, which has a lot of overlap with Killnet.
Recommendations for preventing future DDoS attacks
While Killnet has shown that it can do a lot of damage, its tactics are not highly sophisticated. Because there are only so many open proxies in the world, adding our blocklist is a good start in preventing future attacks. This list also stays up to date with the proxy list in the CC attack script. For this list to become irrelevant, Killnet would need to use a different script in its attacks. Other members of the group may have their own methods that don’t appear on the blocklist, which is why STRIKE has additional potential IP addresses (available by request), and also why STRIKE manually searches for other vulnerable IP addresses.
In addition to using our Killnet open proxy IP blocklist, we recommend the following to reduce your risk of a future DDoS attack:
Put layer 7 DDoS mitigations in place. Dedicated services like Cloudflare, Akamai, or AWS Cloudfront, to name a few, can help, but we recommend checking the feature list of your current vendors first. Also check with your firewall vendor, as some will not stop the volume of traffic we have observed against Ukrainian targets via netflow analysis.
Blocking Russian IPs will not stop DDoS attacks. The attacks are coming from exploited proxy servers across the world. We have observed attacks starting from neutral countries in Latin America, Europe (not Russia or Belarus), and southeast Asia.
If you are unsure of what to do, reach out to our threat intel team who can provide a data feed of known bad open proxy IP addresses for your firewall. Our cyber resilience services team can address your concerns and recommend next steps for active testing or investigation.
We will be continuing research efforts into KillNet’s activities to help defend against future related threats. More information is available by contacting our STRIKE team.