Augur Predicts and Blocks Key IPs for ProxyNotShell Exchange Exploit
By
We always like to share when research from a respected third party on a high-profile threat confirms an Augur prediction to help underline the power and value of having proactive, predictive intelligence as part of your threat intel coverage. In this case, the threat under the microscope was the new exploit affecting Microsoft Exchange Servers (CVE-2022-41040 and CVE-2022-41082) dubbed ProxyNotShell by researcher Kevin Beaumont because of its similarity to the ProxyShell vulnerability.
In this post, we’ll take a look at a more detailed look at a list of IPs associated with ProxyNotShell activity that were identified in reporting from Cisco Talos in late September.
Augur Predicted 7 IPs Associated with ProxyNotShell
The Talos research piece lists 17 IPs associated with ProxyNotShell, and of those 17, seven were predicted by Augur – giving Augur subscribers advanced protection. Let’s take a look at the IPs Augur predicted to be malicious.
94[.]140[.]8[.]113 - Predicted in Q1 2021, more than a year and a half before it was reported as part of the ProxyNot Shell infrastructure. This IP is part of the 94.140.8.0/24 CIDR and all 256 IPs in this CIDR have been, over time, reported by third parties as malicious. This prediction is attributed to threat profile-139560, which is linked to the Naikon APT group. The ASN this IP belongs to also has 16 associated predictions, and more than 80 CIDRs belonging to this ASN have been reported malicious.
194[.]150[.]167[.]88 - In Q3 2022, Augur predicted all IPs within the CIDR 194.150.167.0/24 to be malware – 90 days before the IP was reported as part of the ProxyNotShell architecture. All 256 IPs in this CIDR have been reported as malicious. The CIDR is attributed to profile-154538 which has no APT groups associated with it. The ASN is hosted by Hostroyale in India and has three associated predictions and nearly 200 CIDRs that have been reported malicious.
5[.]180[.]61[.]17 - In Q1 2022, we predicted all IPs within the CIDR 5.180.61.0/24 to be malware, more than 180 days before it was reported as part of ProxyNotShell. The CIDR is attributed to threat profile-139560 (Naikon - PLA associated) – ASN PACKETHUBSA-AS-AP PacketHub S.A. in Australia – with six associated predictions and 16 reported CIDRS.
185[.]220[.]101[.]182 - This IP was also predicted in Q1 of 2022, more than 180 days before it was named as an IOC related to ProxyNotShell. The IP part of CIDR 185.220.101.128/26 that Augur predicted to be malicious. All 62 IPs in this range have been confirmed malicious by multiple third-party sources. This CIDR is attributed to threat profile-146532, associated with the Killnet group, which is mostly known for DDoS attacks. The ASN is hosted on ZWIEBELFREUN in Germany and has five associated predictions, and 10 reported CIDRs.
212[.]119[.]34[.]11 Just over a year before the ProxyNotShell IOCs were identified and confirmed, Augur predicted all IPs within the CIDR 212.119.34.0/24 to be malicious and attributed the CIDR to threat group profile-147359 (Naikon - PLA associated).
94[.]140[.]8[.]48 and 94[.]140[.]8[.]113 are part of the same Augur prediction made more than 180 days before the ProxyNotShell IOCs were confirmed. All 254 IPs belonging to CIDR 94.140.8.0/24 were predicted to be malicious. This CIDR is attributed to threat group profile-139560 (Naikon - PLA associated) - ASN 136787 owned by TEFINCOMSA-AS-AP TEFINCOM S.A, Panama, 19 predictions and 43 CIDRs reported.
If you are an Augur subscriber, you can click on any of the IP addresses, CIDRs and threat groups listed above to do a deeper dive.
Attribution Insights
One clear observation emerges in terms of attribution: 5 of the 7 IPs are attributed by Augur to threat group profiles that are associated with only one APT, the Chinese APT known as Naikon, which is often described as being a unit of the PLA (aka Override Panda, Lotus Panda and numerous more). Therefore, it is safe to assume that there is some level of Chinese state involvement in this threat.
Find Out More
Curious to see how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture? You can learn more about how Augur works and how it solves real-world security problems.