Augur Predicts Infrastructure Used in Recent Mustang Panda Attacks
On May 5, a team of researchers from Talos published a blog post about a new wave of malware targeting Europe, attributed to a China-based threat actor known as Mustang Panda. The campaign is a serious and persistent one: it uses convincing, themed lures to phish targets and then implants the group's custom PlugX remote access trojan to establish a long-term foothold on infected endpoints for espionage. The good news for Augur subscribers is that two of the IPs associated with these attacks were predicted by the platform and blocked automatically (where subscribers use our enforcement automation integrations).
You can read the full Talos Blog Post here.
For the first IP, in Q4 2021, we predicted all IPs in the CIDR 92[.]118[.]188[.]0/24 to be malicious using our predictive analytics. So far, we have eight other IPs from this range that have been confirmed malicious via third-party security research.
92[.]118[.]188[.]78 is part of a prediction attributed to Augur threat group 148664, which, in addition to Mustang Panda, includes Naikon and Red Delta – all China-based groups that sometimes share attack infrastructure.
The second, 86[.]105[.]227[.]115, is an old favorite. Way back in mid-2015, Augur predicted all IPs within the CIDR 86[.]105[.]227[.]0/24 to be malicious based on its predictive behavioral modeling. And over the years, well over 100 IPs in this range have been confirmed to be malicious and associated with a broad range of threat actor groups. This prediction was first confirmed in Q4 2015 and has continued to generate new confirmed attacks right up until the present day.
The CIDR is attributed to Augur threat group 11566, which includes Dubnium, BlackOasis, Hacking Team, Cobalt Group, CarbonSpider, APT 32, Fancy Bear, Cozy Bear, Hidden Cobra, Naikon, HAFNIUM, Mustang Panda, Wet Panda, Evasive Panda and the list goes on and on. Some of these groups are nation-backed, some are pure for-profit cybercriminals, and they come from around the world, so it seems safe to assume that this CIDR must be rented infrastructure available for hire.
If you are an Augur subscriber, you were protected before any of these threat actors launched attacks associated with these IPs. You also benefited from proactive protection against all threats from the CIDRs these IPs were associated with.
If you aren’t an Augur subscriber, we strongly recommend blocking both these CIDRs if you haven’t already.
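If you want to check whether any of your own traffic has already touched these ranges before adding the block, the following script is an added example (not code from this post, from Augur, or from Talos) that refangs the two CIDRs exactly as written above and scans log lines for destination addresses inside them. The log lines are constructed for illustration; only the two IPs and two CIDRs come from the post.

```python
import ipaddress
import re

# The two CIDRs the post recommends blocking, copied in the post's defanged form.
DEFANGED_BLOCK_CIDRS = ["92[.]118[.]188[.]0/24", "86[.]105[.]227[.]0/24"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('92[.]118[.]188[.]78') back into its literal form."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


# Parsed network objects so membership tests are real CIDR math, not string prefixes.
BLOCK_NETWORKS = [ipaddress.ip_network(refang(c)) for c in DEFANGED_BLOCK_CIDRS]

# Loose IPv4 token matcher; ipaddress does the strict validation afterwards.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matching_network(ip_text: str):
    """Return the blocked CIDR (as a string) containing ip_text, or None.

    Tokens that look like IPs but are not valid (e.g. 300.1.2.3) return None
    instead of raising, so a garbled log line cannot abort the scan.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in BLOCK_NETWORKS:
        if addr in net:
            return str(net)
    return None


def scan_log(lines):
    """Return [(line_no, ip, cidr)] for every IP in lines that falls in a blocked CIDR."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            cidr = matching_network(ip)
            if cidr:
                hits.append((n, ip, cidr))
    return hits


# Constructed sample firewall log lines (not from the post). Lines 1 and 3 use the
# two IPs named in the post; line 4 is one octet off and must NOT match; line 5
# carries an invalid token to exercise the error path.
SAMPLE_LOG = [
    "2022-05-06T10:01:12Z ALLOW src=10.0.4.21 dst=92.118.188.78 dport=443 proto=tcp",
    "2022-05-06T10:01:15Z ALLOW src=10.0.4.21 dst=8.8.8.8 dport=53 proto=udp",
    "2022-05-06T10:02:44Z ALLOW src=10.0.7.9 dst=86.105.227.115 dport=80 proto=tcp",
    "2022-05-06T10:03:01Z ALLOW src=10.0.7.9 dst=92.118.187.78 dport=443 proto=tcp",
    "2022-05-06T10:03:09Z ALLOW src=10.0.7.9 dst=300.1.2.3 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for n, ip, cidr in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} falls in blocked range {cidr}")
```

A hit on either range is worth treating as a retroactive detection, since both CIDRs have long histories of shared, rented infrastructure; the same membership test is what a block rule on a firewall or proxy performs, so running it over historical logs tells you what that rule would have stopped.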
Proactive Defense for Better Protection
Reactive threat intelligence solutions only protect against documented threats. Augur’s predictive intelligence looks beyond current threats. It leverages machine learning and artificial intelligence to model threat actor behavior, identifying the build-up of attack infrastructure an average of 51 days before an attack launches. And with a false positive rate of less than 0.01%, you can trust Augur’s predictions – as demonstrated in this case, where protection started nearly 12 months before the first attacks launched and 18 months ahead of the first confirmed reports.
Prove It to Me
We get it: these predictions are startling, and you want to know if they are real. If you’re interested in seeing how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture, email us at augur@seclytics.com.
Check Out Augur on Our Website
You can learn more about how Augur works here and how it solves real-world security problems here.