Deep Dive on 45[.]133[.]1[.]186
Last week we featured four separate Augur predictions that were confirmed to be Cobalt Strike servers, all within a week of each other. The predictions were made at different times and identified different infrastructure being spun up to support eventual cybercriminal activity. All four confirmed IPs were solid predictions, with supporting confirmations on other IPs from the same CIDR. But one predicted IP was a standout: 45[.]133[.]1[.]186, which was identified as a Cobalt Strike server. Not only was that individual IP confirmed malicious; all 256 IPs in its /24 range were reported malicious as well, often by multiple sources. And when we looked at the ASN the CIDR belongs to, it told a great story about how powerful an Augur prediction can be.
Breaking Down 45[.]133[.]1[.]186
45[.]133[.]1[.]186 is part of a /24 IP range predicted to be malicious back in February 2021, and the IP was reported to be a Cobalt Strike C2 server on June 12, 2022. The CIDR belongs to Augur threat profile 141857, which includes Roaming Mantis, Dark Hotel, and APT 29 (aka the Dukes, Cozy Bear).
45[.]133[.]1[.]0/24 – A Very Malicious CIDR
The IP 45[.]133[.]1[.]186 belongs to the CIDR 45[.]133[.]1[.]0/24. Predicted to be malicious 18 months ago, 45[.]133[.]1[.]0/24 is a real overachiever. All 256 IPs in the CIDR have been reported malicious, often by multiple sources. Threat identifiers associated with IPs in the CIDR include agenttesla, asyncrat, autoit_backdoor, cobalt strike, crimson rat, loki_bot, mirai, roaming_mantis, tinybanker and scores of others. Threat categories represented include backscatter, botnets, malicious, phishing, proxy, scanners, and spam. The CIDR belongs to Augur threat profile 141857, which includes Roaming Mantis, Dark Hotel, and APT 29 (aka the Dukes, Cozy Bear).
211252 – A Problematic ASN
ASN 211252 is owned by Dutch hoster Delis LLC (AS_Delis) and hosted in the US. Delis runs over 20K IP addresses, all of which are used for anonymizing VPNs and public proxies. The ASN includes 25K IP addresses and nearly 7K domains. Although there is legitimate activity originating from IPs in this ASN, 32 of its /24 CIDRs contain IPs that have been reported as malicious. A quick sampling of these CIDRs shows that many also have a 100% malicious reporting rate, with serious associated threat categories. This host appears to be an example of a legitimate host that cybercriminals feel offers them a certain amount of protection, since SOCs are leery of blocking large ranges where there is some chance, even a slight one, of false positives. For a more complete look at malicious activity associated with this ASN, see the full report from Abuse.ch.
The Power of Augur Predictions
By definition, most threat intel is reactive: an IOC is detected, reported and then blocked. Most organizations are at risk from the IOC in question during the time between first detection and reporting. Augur’s predictive threat intelligence addresses this gap by detecting the setup of cybercriminal infrastructure. Its predictions are at the CIDR level, meaning that an Augur prediction covers all the IPs included in a new registration. So instead of blocking a single IP after the first attack is detected, Augur blocks all the IPs in the CIDR, giving you advance protection against all activity coming from the cybercriminal infrastructure and reducing your risk profile. Augur also attributes infrastructure to threat actor profiles, allowing threat hunters to understand whether their organization is being targeted by specific groups. So you can think of Augur as a preventative vaccine rather than a treatment for a specific infection.
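To make the CIDR-level idea concrete, here is an added example (not Augur's code or any Seclytics API) that matches observed destination IPs against a predicted range, carries the threat-profile attribution with the match, and measures the lead time between the prediction and the first public report. The prediction data, the exact February 2021 date, and the two-column log format are constructed for the example.

```python
"""Match observed IPs against CIDR-level predictions and compute prediction lead time."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Prediction:
    cidr: str           # the predicted range, e.g. 45.133.1.0/24
    predicted_on: date  # when the range was flagged (day is an assumption)
    profile: str        # threat profile id from the post
    actors: tuple       # actor names the profile groups


# Constructed sample built from the figures in the post; the day-of-month is assumed.
PREDICTIONS = [
    Prediction("45.133.1.0/24", date(2021, 2, 1), "141857",
               ("Roaming Mantis", "Dark Hotel", "APT 29")),
]
# Date the post gives for the Cobalt Strike C2 report on 45.133.1.186.
REPORTED_ON = date(2022, 6, 12)


def match_ip(ip: str, predictions=PREDICTIONS):
    """Return the prediction whose CIDR contains ip, or None if no range matches."""
    addr = ip_address(ip)
    for p in predictions:
        if addr in ip_network(p.cidr):
            return p
    return None


def lead_time_days(prediction: Prediction, reported_on: date) -> int:
    """Days between the CIDR prediction and the first public report of an IP in it."""
    return (reported_on - prediction.predicted_on).days


def coverage(cidr: str, reported_ips) -> float:
    """Fraction of the range's addresses that appear in a list of reported-malicious IPs."""
    net = ip_network(cidr)
    hits = {ip_address(i) for i in reported_ips if ip_address(i) in net}
    return len(hits) / net.num_addresses


def triage(log_lines, predictions=PREDICTIONS):
    """Flag 'src dst' log lines whose destination falls in a predicted CIDR (constructed format)."""
    flagged = []
    for line in log_lines:
        _src, dst = line.split()
        p = match_ip(dst, predictions)
        if p is not None:
            flagged.append((dst, p.cidr, p.profile))
    return flagged
```

Because the match is on the /24 rather than the single IP, a connection to any of the 256 addresses is flagged with the same profile, which is the "block the whole registration" behaviour the post describes.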
Prove It to Me
We get it: these predictions are startling, and you want to know if they are real. If you’re interested in seeing how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture, email us at augur@seclytics.com.
Check Out Augur on Our Website
You can learn more about how Augur works and how it solves real-world security problems.