DIVD-2022-00014 - GreyNoise's Ukraine only list
| Case lead | Frank Breedijk |
| Recommendation | We explicitly leave it up to the network administrators to decide what to do with the observed facts |
| Last modified | 05 Mar 2022 08:08 |
GreyNoise has published a “free, public, unauthenticated, self-updating feed of all IPs that are exclusively targeting devices geographically located in Ukraine’s IP space with scans, exploits, etc.” We first became aware of it via a tweet from GreyNoise founder Andrew Morris. We feel that in these times, network administrators should be aware of these IP addresses even if they are unaware of the services of GreyNoise.
We are using the list of “unspoofed” IPs (IP addresses that have completed a full three-way handshake) located on GreyNoise Pulse. If you want to check other lists, feel free to inspect the manifest of the full API.
What you can do
We are sending out these emails for awareness only. We want you to be aware that you have one or more nodes in your network displaying this behavior. How you act on this information is entirely up to you. We cannot determine if this behavior is expected, unexpected, logical, illogical, wanted, or unwanted by you.
What we are doing
On a regular basis, we will retrieve the list from GreyNoise and send notifications to network administrators. We will only send out notifications for systems last seen on or after 1 March 2022, and only to system owners who have not received a notification before.
| 24 Feb 2022 | GreyNoise announces their plans to publish a “free, public, unauthenticated, self-updating feed of all IPs that are exclusively targeting devices geographically located in Ukraine’s IP space with scans, exploits, etc.” |
| 04 Mar 2022 | Case opened |
| 05 Mar 2022 | First notifications sent |