Most Active Attackers Predicted by Augur in 2021
Last year we were ahead of the pack on several high-profile threats, including Colonial Pipeline, SolarWinds, and Log4JShell.
But many Augur predictions, though less high-profile, were also detected and blocked on our client’s networks and later were spotted trying to connect to those networks. Here are the top 10 malicious IPs predicted by Augur, ranked by activity volume in 2021.
The table above shows the most prolific IOCs in 2021 (attacks against networks protected by Augur).
Of particular note are the IOCs with a long gap between detection and confirmation. That gap indicates the amount of time organizations not using Augur may have been exposed to this threat vector before conventional threat intelligence sources recommended blocking these IOCs.
It goes without saying, but we’ll say it anyway. If you’re not blocking any of these IPs, we recommend doing so immediately.
What We Know About These IOCs
- 126.96.36.199 was predicted in January 2021 and was first detected trying to access networks on February 9. Attacks from this IP started four months before the first third party confirmation, but Augur users were already protected. These attacks are associated with the Mirai malware family and turn smart devices into a network of remotely controlled bots. This IP attempted more than 2.2 million connections to networks protected by Augur.
- 188.8.131.52 was predicted a month before the first third-party confirmation and then detected on our networks 60 days later. This IP is associated with AsyncRAT, a remote access tool (RAT) often abused for malicious purposes. This IP attempted just under 1 million connections.
- 184.108.40.206 was predicted nearly 20 months before it was confirmed to be malicious by third-party security companies. It was subsequently detected attempting connections by our sensors four months later. This IP is also associated with the Mirai malware family and attempted 400k connections to networks protected by Augur.
- 220.127.116.11 was predicted to be malicious three and a half years before the first connection attempts were detected. Traffic from this IP was detected attempting connections on our networks almost four months before the first third-party confirmation. Organizations not using Augur could have been exposed to this risk for that entire period. This IP was associated with an important Microsoft remote code execution vulnerability (cve_2017_8570) used in malspam attacks. This IP was detected attempting to connect just under 315K times.
- 18.104.22.168 was predicted over two years before it was first detected, and it was first confirmed by security researchers the same day the first activity was detected on this IP. In other words, Augur customers were protected even if they didn’t react to reports right away. The IP is associated with Cobalt Strike, a commercially available remote access toolkit commonly abused by cybercriminals. Augur detected and blocked communication attempts with this IP more than 250K times.
- 22.214.171.124 was predicted to be malicious nearly two years before it was confirmed as malicious by third parties. Traffic from this IP was detected on our networks 21 days after the first third-party confirmation. The IOC is associated with CVE-2017-11882, an old remote code execution vulnerability in Microsoft Office that sometimes remains unpatched. This IP attempted to connect to our client’s networks over 110K times.
- 126.96.36.199. This IP was first detected by our sensor networks in April 2021, but Augur had predicted it to be malicious nearly two years earlier. The earliest third party confirmation occurred in mid-June 2021, two months after the first traffic to/from this IP was detected. This IP was associated with a Microsoft Office memory corruption vulnerability code (CVE_2017_11882) used primarily for privilege escalation. Connection attempts to this IP were seen 93K times.
- 188.8.131.52 was predicted to be malicious in Q1 2021 and it was first confirmed by security researchers nearly four months later. Within a day of these first reports, we detected traffic from this IP on our networks. Just another case where proactive blocking saved Augur clients from scrambling at the last second to protect against an emerging threat. This IOC is associated with the 04 Keylogger (aka Snake Keylogger), a subscription-based malware that can steal sensitive information, log keyboard strokes, take screenshots and steal information from the system clipboard. Augur detected activity on this IP nearly 90K times.
- 184.108.40.206 (along with its entire CIDR) was predicted to be malicious in Q2 2019 and then first detected on our networks nearly two years later. It was first confirmed as malicious by third-party sources 25 days after that. This IP range is associated with several types of malicious activity including the Tinba (banking trojan), RoamingMantis (android smishing), and InstallCore (bundler). Augur detected and blocked communication attempts with this IP more than 75K times.
- 220.127.116.11 (along with its entire CIDR) was predicted to be malicious in Q1 2020 and first detected by our sensors on February 4, 2021. It was confirmed by third parties 24 days later, on February 28. Identifiers associated with this IP include Mirai, AZORult, Gafgyt and AsycncRAT. Of the 256 IPs in this CIDR, all 256 have now been confirmed as malicious.
Proactive Defense for Better Protection
Reactive threat intelligence solutions only protect against documented threats. Augur’s predictive intelligence looks beyond current threats. It leverages machine learning and artificial intelligence to model threat actor behavior, Identifying the build-up of attack infrastructure an average of 51 days before an attack launches. And with a false positive rate of less than 0.01%, you can trust Augur’s predictions, as demonstrated, to provide a valuable layer of proactive protection. Our unique predictive threat intel combines with Augur’s enforcement orchestration and automation and rich threat hunting environment to improve protection and streamline SOC operations.
Prove It to Me
We get it. These predictions are startling, and you want to know if they are real. If you’re interested in seeing how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture, email us at firstname.lastname@example.org.
Check Out Augur on Our Website