Augur Predicts Multiple Cobalt Strike C2 Servers in Latest Round of Attacks
In July, our researchers noted an uptick in Cobalt Strike prediction confirmations. In fact, we’ve had 5 confirmations since the beginning of July. This intense activity on a single threat vector usually means that there is an increase in attack volume since most third-party confirmations result from research linked to observed IOCs. So we wanted to dig into our Augur predictions to see if there are any patterns we could surface that might be helpful to researchers and threat hunters.
What Is Cobalt Strike, and Why Are Cybercriminals Using It?
Cobalt Strike is a security tool developed for Red Team testing. Its standout feature is its ability to carry out vulnerability assessments and run deep penetration tests. The platform is effective – so effective that cybercriminals have added it to their arsenal, even creating a Linux version of the tool to make detection more difficult. You can read up on why Cobalt Strike is so popular with threat actor groups in a great post from last March by Julien Maury on eSecurity Planet.
Four Cobalt Strike Predictions
What We Know About Each Threat
95[.]179[.]162[.]125 is part of CIDR 95[.]179[.]162[.]0/23, which Augur predicted to be malicious almost four years ago. Third-party security researchers have reported 114 out of the total of 512 IPs to be malicious. IPs in this CIDR have been confirmed to be serving up malware, trojans, phishing campaigns and ransomware, among other malicious activity. This CIDR is attributed to Augur profile 82721, which is made up of a large and diverse group of threat actors, including Naikon, Rancor and Hacking Team, that seem to share criminal infrastructure.
45[.]129[.]10[.]65 belongs to CIDR 45[.]129[.]10[.]0/24, which was predicted to be malicious eight months ago. This turned out to be another prolific prediction, with all 256 IPs in this prediction being confirmed malicious by third parties. This CIDR is attributed to Augur threat profile 148664, which includes Naikon, RedDelta, Bronze President, Mustang Panda, and Gallium.
193[.]200[.]149[.]181 is an IP that belongs to CIDR 193[.]200[.]149[.]0/24. It was predicted eight months ago, but so far there is only one other IP on this CIDR that has been confirmed to be malicious. Still, this CIDR has all the hallmarks of having been created by and for cybercriminals. It’s attributed to Augur threat profile 148664, just like the previous prediction. For context, the ASN this CIDR is associated with also includes 64 other CIDRs that have been reported for malicious activity, which definitely supports the assumption made by Augur's predictive AI.
45[.]133[.]1[.]186 was predicted a year ago and is part of CIDR 45[.]133[.]1[.]0/24. This CIDR has shown a large amount of malicious activity, with all 256 IPs being identified as malicious by third parties. The CIDR belongs to Augur threat profile 141857, which includes Roaming Mantis, Dark Hotel, and APT 29 (aka the Dukes, Cozy Bear).
What We Observed
45[.]129[.]10[.]65 and 193[.]200[.]149[.]181 both belong to CIDRs attributed to the same Augur threat profile and 95[.]179[.]162[.]125 belongs to a CIDR attributed to another profile that has many of the same members. And though the infrastructure was set up at different times in different places, these three attacks were all first reported within a day or two of each other in early June. Though it's not enough evidence to say anything definitive, the pattern does seem to indicate some sort of organized campaign.
If you aren’t an Augur subscriber, we strongly recommend blocking all four of these CIDRs if you haven’t already.
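For defenders who want to act on the four CIDRs above before a blocklist update lands, here is an added example (our illustration, not Augur's or Seclytics' code) that refangs the indicators as written in this post and flags any firewall log line whose destination falls inside one of them. The log lines and the `dst=` field format are constructed for the example.

```python
import ipaddress
import re

# The four CIDRs named in the post, kept in the defanged form the post uses.
PREDICTED_CIDRS = [
    "95[.]179[.]162[.]0/23",
    "45[.]129[.]10[.]0/24",
    "193[.]200[.]149[.]0/24",
    "45[.]133[.]1[.]0/24",
]

def refang(value: str) -> str:
    """Turn defanged separators ('[.]', '(.)', '{.}') back into plain dots."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())

# Parse once; strict=False tolerates a CIDR written with host bits set.
NETWORKS = [ipaddress.ip_network(refang(c), strict=False) for c in PREDICTED_CIDRS]

def matching_network(ip_text: str):
    """Return the first predicted network containing ip_text (defanged or not), else None."""
    try:
        ip = ipaddress.ip_address(refang(ip_text))
    except ValueError:          # not an IP at all (hostname, garbage, empty field)
        return None
    for net in NETWORKS:
        if ip in net:
            return net
    return None

# Constructed sample firewall log (not from the post). The last line is a deliberate
# near miss: 45.129.11.7 is outside 45.129.10.0/24 and must not be flagged.
SAMPLE_LOG = """\
Jun  3 10:12:01 fw allow src=10.0.0.12 dst=95.179.162.125 dport=443
Jun  3 10:12:07 fw allow src=10.0.0.15 dst=8.8.8.8 dport=53
Jun  3 10:13:44 fw allow src=10.0.0.12 dst=193.200.149.181 dport=443
Jun  3 10:14:02 fw allow src=10.0.0.22 dst=45.129.11.7 dport=80
"""

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (dst_ip, cidr) for every line whose dst= field is inside a predicted CIDR."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"\bdst=(\S+)", line)
        if m and (net := matching_network(m.group(1))) is not None:
            hits.append((m.group(1), str(net)))
    return hits

if __name__ == "__main__":
    for dst, cidr in scan_log(SAMPLE_LOG):
        print(f"{dst} is inside predicted CIDR {cidr}")
```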
Stay Tuned – Deep Dive on 45.133.1.186
The four confirmed IPs above are all solid predictions with supporting confirmations on other IPs from the same CIDR. But 45.133.1.186 is a standout. Not only was the individual IP confirmed malicious, but all 256 IPs in the /24 range were also reported malicious, and the ASN they belong to includes numerous other “dirty” CIDRs. Stay tuned for our next post, where we take a more detailed look at this prediction and the massive amount of cybercriminal activity associated with this CIDR and ASN.
Proactive Defense for Better Protection
Reactive threat intelligence solutions only protect against documented threats. Augur’s predictive intelligence looks beyond current threats, identifying the build-up of attack infrastructure an average of 51 days before an attack. With a false positive rate of less than 0.01%, you can trust Augur's predictions.
Prove It to Me
We get it: these predictions are startling, and you want to know if they are real. If you’re interested in seeing how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture, email us at augur@seclytics.com.
Check Out Augur on Our Website
You can learn more about how Augur works and how it solves real-world security problems.