Augur Predicted Qakbot Infrastructure Used in Recent Follina Attacks
On June 9th, security researcher Brad Duncan published a post on the SANS Internet Storm Center blog sharing his findings on a recent wave of Qakbot attacks. The attacks use thread-hijacked e-mails and malicious attachments to infect workstations with the Qakbot DLL, using the Follina Microsoft exploit (CVE-2022-30190). Brad's article lays out the whole infection chain and makes for a very informative read (you can read his blog post here).
Predicted and Blocked Four Months Before First Confirmed Reports
For Augur subscribers, the good news is that a key IP used in this campaign, 185[.]234[.]247[.]119, was predicted and blocked in Q1 2022, providing more than 100 days of advance protection before this IP was first reported as malicious and associated with the current wave of Qakbot attacks.
The Bigger Picture on This IP
The IP was predicted as part of the CIDR 185[.]234[.]247[.]0/25, which was flagged as malicious. Although this is a relatively fresh prediction, ten other IPs in this CIDR have already been confirmed as malicious.
The ASN for this CIDR is registered to a Moldovan hoster with the humorous name Stark Industries (Marvel comic geeks will recognize this). Augur has predicted that seven other CIDRs associated with this hoster are malicious, and more than 100 IPs in those CIDRs have already been reported as malicious by third-party security researchers. The activity associated with these IPs includes botnets, DDoS, malware, phishing and spam.
The CIDR in question is associated with activity from Augur Threat Group 15140, which includes Naikon (aka APT30, Goblin Panda, PLA unit 78020, and the list goes on) as well as SaintBear (aka UAC-0056, UNC2589 and TA471), and more than 50 CIDRs are associated with this profile.
If you are an Augur subscriber, you were protected before any of these threat actors launched attacks associated with these IPs. You also benefited from proactive protection against all threats from the CIDRs these IPs were associated with.
If you aren’t an Augur subscriber, we strongly recommend blocking both these CIDRs if you haven’t already.
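As an added illustration of the blocking recommendation above (example code written for this post, not part of Augur or Seclytics tooling): a small Python check that refangs the indicators as written in the post, tests destination addresses in constructed firewall log lines against the predicted /25, and emits an nftables drop rule for the CIDR. Only the one CIDR named in the post is included; the other CIDRs are not listed here, so the list is a placeholder to extend.

```python
import ipaddress
import re

def refang(indicator: str) -> str:
    """Turn the defanged form used in the post ("185[.]234[.]247[.]119") back into a real address."""
    return indicator.replace("[.]", ".")

# CIDRs the post recommends blocking. Only the /25 named in the post is known;
# add further networks here as they are published.
PREDICTED_CIDRS = [ipaddress.ip_network(refang("185[.]234[.]247[.]0/25"))]

def matching_network(ip_str: str):
    """Return the predicted network containing ip_str, or None (also None for unparsable input)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in PREDICTED_CIDRS:
        if ip in net:
            return net
    return None

# Constructed sample firewall log lines (not real traffic); 198.51.100.7 is a documentation address.
# .200 sits outside the /25 (hosts 0-127), so it must not match; "999.1.1.1" is deliberately invalid.
SAMPLE_LOGS = """\
2022-06-09T10:01:12Z host=ws-17 action=allow src=10.0.5.21 dst=185.234.247.119 dport=443
2022-06-09T10:01:15Z host=ws-17 action=allow src=10.0.5.21 dst=198.51.100.7 dport=443
2022-06-09T10:02:40Z host=ws-22 action=allow src=10.0.5.40 dst=185.234.247.200 dport=80
2022-06-09T10:02:55Z host=ws-22 action=allow src=10.0.5.40 dst=999.1.1.1 dport=80
2022-06-09T10:03:01Z host=ws-22 action=allow src=10.0.5.40 dst=185.234.247.3 dport=8443
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_hits(log_text: str):
    """Return (dst_ip, cidr, line) for every log line whose destination falls in a predicted CIDR."""
    hits = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        net = matching_network(m.group(1))
        if net is not None:
            hits.append((m.group(1), str(net), line))
    return hits

def nft_drop_rules():
    """nftables rules (inet/filter/output chain assumed) that drop egress to each predicted CIDR."""
    return [f"nft add rule inet filter output ip daddr {net} drop" for net in PREDICTED_CIDRS]

if __name__ == "__main__":
    for dst, net, line in find_hits(SAMPLE_LOGS):
        print(f"HIT {dst} in {net}: {line}")
    print("\n".join(nft_drop_rules()))
```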
Proactive Defense for Better Protection
Reactive threat intelligence solutions only protect against documented threats. Augur's predictive intelligence looks beyond current threats, identifying the build-up of attack infrastructure an average of 51 days before an attack. With a false positive rate of less than 0.01%, you can trust Augur's predictions.
Prove It to Me
We get it: these predictions are startling, and you want to know if they are real. If you’re interested in seeing how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture, email us at augur@seclytics.com.
Check Out Augur on Our Website
You can learn more about how Augur works and how it solves real-world security problems.