Augur Predicts and Blocks Key IP in New MagicRAT Developed by Lazarus APT
We always like to share when research from a respected third party on a high-profile threat confirms an Augur prediction to help underline the power and value of having proactive, predictive intelligence as part of your threat intel coverage. In this post, we’ll take a look at some interesting reporting from Cisco Talos.
In a post on the Talos Intelligence blog in early September, Talos researchers announced that they had discovered a brand new type of RAT (remote access trojan) developed by the Lazarus APT group, which US government analysts believe to be a North Korean state-sponsored actor. This new RAT was typically found on systems that had first been breached by exploiting the VMware Horizon platform, and it has been linked to espionage, data theft, and disruptive attacks. To read more about MagicRAT, you can check out the blog post here.
An Interesting Prediction – to Block or Not to Block
One of the main IPs associated with MagicRAT, 22.214.171.124, was part of an Augur prediction from 2018. And if you look at the graphic below, you’ll see that almost immediately after the prediction there were reports of spam activity on this IP leading up to Talos identifying MagicRAT in September 2020. This pattern illustrates an important issue in threat intel and cybersecurity as a whole: the hesitancy to block IPs and IP ranges due to the fear of false positives.
The Case for Blocking
As we’ve explained in the past, Augur works by using AI and ML to identify the setup of cyber criminal infrastructure. If you want to learn more about how we do it and why it's important, just read this post.
Long story short, when Augur makes a prediction, it predicts an entire IP range (CIDR) will be used for cybercriminal activities. For many analysts, this poses a problem due to their hesitancy to block entire ranges for fear of false positives – but the end result of that hesitancy is increased risk.
Let’s take a look at the CIDR that the MagicRAT IP belongs to. 126.96.36.199/24 is a CIDR created on September 13, 2018, hosted in the UK by WHG Networks. Over the four years since it was registered, all 256 IPs in this CIDR have been reported (often by multiple sources) for some sort of malicious activity, as you can see in the chart below (if you are an Augur subscriber, you can drill down on this CIDR here).
So in this case, Augur subscribers were protected against hundreds of potentially malicious addresses weeks, months and in some cases years before each one was first detected. If your SOC took the traditional threat intel approach of blocking each IP individually when it was reported as malicious, your network would have been exposed to unnecessary risk and your analysts would be locked in a constant cycle of responding to alerts and hoping each response came before an intrusion. Here are just a few of the detections related to this CIDR and who made them:
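To make the comparison between blocking a predicted range and reacting to each IP report concrete, here is a small added example; it is not Augur's code, and the /24, the prediction date and the detection reports are constructed from documentation address space rather than taken from the feed.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Detection:
    ip: str
    reported: date
    source: str


# Constructed sample data: one predicted /24 (RFC 5737 documentation range) with the
# date it was predicted, and later per-IP reports, one of which lies outside the range.
PREDICTED_CIDRS = {ip_network("198.51.100.0/24"): date(2018, 9, 20)}
DETECTIONS = [
    Detection("198.51.100.17", date(2018, 10, 2), "spam list"),
    Detection("198.51.100.17", date(2019, 3, 14), "phishing feed"),
    Detection("198.51.100.201", date(2020, 9, 7), "RAT C2 report"),
    Detection("203.0.113.9", date(2020, 9, 8), "scanner"),
]


def predicted_on(ip: str, predictions: Dict) -> Optional[date]:
    """Earliest prediction date whose CIDR contains ip, or None if no range covers it."""
    addr = ip_address(ip)
    hits = [d for net, d in predictions.items() if addr in net]
    return min(hits) if hits else None


def coverage(detections: List[Detection], predictions: Dict):
    """Compare range-based blocking with per-IP reactive blocking.

    Returns (covered, uncovered, lead_days): detections already blocked by a predicted
    range when reported, detections no range covers (what a per-IP approach must act
    on), and for each covered IP the days between prediction and its first report.
    """
    covered, uncovered, lead_days = [], [], {}
    for det in detections:
        pred = predicted_on(det.ip, predictions)
        if pred is None or pred > det.reported:
            uncovered.append(det)
            continue
        covered.append(det)
        lead = (det.reported - pred).days
        lead_days[det.ip] = min(lead, lead_days.get(det.ip, lead))
    return covered, uncovered, lead_days


def reactive_block_actions(detections: List[Detection]) -> int:
    """Separate block actions a per-IP approach needs: one per distinct reported IP."""
    return len({d.ip for d in detections})
```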
Predictive Protection vs. the Risk of False Positives
Not every CIDR we predict has a 100% prediction-to-confirmation rate like this one. Sometimes cybercriminals just don’t use an IP, sometimes the wily ones don’t get detected, and sometimes they even allow legitimate sites to be hosted on their infrastructure just to throw analysts off.
Our tracking shows that Augur’s FP rate is around 0.01%, which is very low. But even if a few FPs slip through, there’s only one relevant question: isn’t the increased protection worth the work of unblocking the odd IP? Stay tuned to the Precog Blog in the coming weeks because we’ll be publishing some interesting thoughts from our CEO Saeed Abu-Nimeh on why lowering risk is more critical for today’s SOC than obsessing over false positives.
Find Out More
Curious to see how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture? You can learn more about how Augur works and how it solves real-world security problems.