MARCH 10, 2022 1:48 GMT
New research shows Russian IP addresses using the Google ad delivery network as a mechanism to initiate client network connections. The activity has escalated since the invasion of Ukraine.
Administrators should use network controls to blacklist the IP addresses, and if possible, utilize geo-location tools to block all Russian IPs.
What’s the nature of the threat?
SOC-as-a-Service provider Pillr says its research identifies a small batch of known Russian IP addresses correlated with Google and Gmail ads. Telemetry data shows a notable increase in traffic between workstation endpoints and Russian IPs over the last couple of weeks.
While the assessment is ongoing, early findings show connections from customer web browsers being made to Russian IPs, likely triggered by ads being loaded in Gmail or other applications that utilize a Google ad delivery network such as Adwords/Adsense.
Some native processes associated with applications that use embedded advertising delivery mechanisms also show as connecting to the IPs. Initial observations include a popular music streaming service, which loads and shows ads in the application window for free accounts.
What’s the risk?
While no clearly malicious activity or compromise has been observed, there is serious risk associated with having an endpoint connect to Russian IP addresses given the current state of Russia/NATO relations. We suspect this is a campaign using global digital marketing infrastructure and was put in place some time ago but only recently activated. On March 3, Google halted sales of ad campaigns in Russia.
If a web or native app is essentially executing the network connection for a Russian attacker, they could potentially deliver a malicious payload via that connection with no user click required. This could include malware or ransomware.
In the early stages of a broad scope attack, bad actors may simply be conducting recon by collecting logs and using analytics to map the network landscape of Western users, but they may also be going so far as to fingerprint individual users’ browsers. Collected data could potentially be provided to Russian government intelligence, or mined by the actor themselves to generate actionable intel.
The investigation is early and ongoing and we expect to learn more soon.
What can I do?
Block the IP addresses in the table below at the firewall level. Since this is a rapidly evolving battlefront, the list will likely continue growing.
If possible, use a geo-blocking feature of your firewall. For some appliances this can be done by simply selecting the countries to block, but for others, especially enterprise-grade hardware, this may require purchasing a feed or data download of curated IP addresses known to be located in a geographic region. IP2Location is one service that sells this data by subscription.
Additionally, install all available updates and security patches for web browsers. If a malicious ad tries to deliver malware, it will likely depend on the browser being out-of-date and exploitable.
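As an added example (not Pillr's tooling or code), the following Python script shows how a SOC could run a blocklist like the one this advisory describes over EDR connection telemetry and attribute each hit to the initiating process, as the advisory does for browsers and the music app. The IP ranges and log lines are constructed stand-ins (RFC 5737 documentation addresses and an assumed key=value export format), not the advisory's actual IPs.

```python
import ipaddress
import re
from collections import Counter

# Constructed blocklist: RFC 5737 documentation ranges standing in for the
# advisory's IP table, which must come from the vendor's published list.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed EDR telemetry lines in a simple key=value format (assumption:
# real EDR exports differ; adapt LINE_RE to your product's schema).
SAMPLE_TELEMETRY = """\
2022-03-08T14:02:11Z host=WS-017 proc=chrome.exe dst=203.0.113.45:443 proto=tcp
2022-03-08T14:02:12Z host=WS-017 proc=chrome.exe dst=192.0.2.10:443 proto=tcp
2022-03-08T14:05:40Z host=WS-022 proc=MusicPlayer.exe dst=198.51.100.7:443 proto=tcp
2022-03-08T14:06:03Z host=WS-022 proc=outlook.exe dst=198.51.100.8:443 proto=tcp
2022-03-08T14:07:55Z host=WS-031 proc=firefox.exe dst=203.0.113.9:80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>\S+)$"
)

def is_blocked(ip_str):
    """True if the destination address falls inside any blocklisted network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BLOCKLIST)

def find_hits(telemetry):
    """Return one dict per connection whose destination is on the blocklist."""
    hits = []
    for line in telemetry.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected schema
        if is_blocked(m["ip"]):
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Count hits per (host, process) so responders see which apps initiated them."""
    return Counter((h["host"], h["proc"]) for h in hits)

if __name__ == "__main__":
    found = find_hits(SAMPLE_TELEMETRY)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['proc']} -> {h['ip']}:{h['port']}")
    for (host, proc), n in summarize(found).items():
        print(f"{host} {proc}: {n} blocked destination(s)")
```

The per-process summary is what turns a raw IP match into a triage lead: a browser or an ad-bearing native app reaching a blocked range fits the pattern described above, while an unexpected process doing so deserves a closer look.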
List of Russian IPs
The following IP addresses are physically located in Russia and have been recorded in EDR telemetry as receiving unsolicited connections from US-based endpoints.