Multiple MOVEit IPs Predicted by Augur
By
MOVEit is big news. Especially since the US Government confirmed that multiple federal agencies have fallen victim to cyberattacks exploiting vulnerabilities in the software. You can read more about MoveIT and federal breaches here in a July 16 article on TechCrunch.
MOVEit is a popular file transfer platform used by thousands of companies and more than 3.5 million developers. The vulnerability (CVE-2023-34362) being exploited is an SQL injection flaw enabling privilege escalation and unauthorized access. CISA attributes the latest round of attacks to the Russia-linked Cl0p ransomware gang, which this week started posting the names of organizations it claims to have hacked by exploiting the MOVEit flaw. But the vulnerability could be exploited for data theft or any number of other criminal applications. For full details of the CVE click here.
Augur Predictions
As threat intel companies started sharing MOVEit research our tracking indicates that Augur predicted more than 100 IPs that are attributed to Cl0p and the MOVEit vulnerability.
Let’s look at a few of those predicted IPs. If you are an Augur subscriber, you can follow the links below to get the full story on each IP.
5[.]252[.]23[.]116
This IP was predicted as part of CIDR 5.252.23.0/24 in Q1 2022 and confirmed by third-party research to be related to CVE-2023-34362 in June 2023. That’s more than 480 days of Patient Zero protection for Augur subscribers.
Over that period of time, all 254 IPs in the CIDR have been reported by threat researchers as malicious. The ASN this prediction belongs to (61424) includes three predicted CIDRs all with significant malicious activity.
The IP has also been assigned a MITRE Technique ID - T1329 (Acquire and/or use 3rd party infrastructure services).
5[.]188[.]87[.]226
5[.]188[.]87[.]194
5[.]188[.]87[.]27
The three IPs above are all from the same predicted CIDR (5.188.87.0/24). They were predicted 20 months and all first reported and associated with MOVEit on June 7 by a number of 3rd party sources (AlienVault OTX, FBI Flash Reports, MISP Circl). All three IPs have also been assigned a MITRE Technique ID T1329 (Acquire and/or use 3rd party infrastructure services).
All 254 IPs in the CIDR have been reported by threat researchers as malicious. And the ASN that this CIDR belongs to (AS49453) is also associated with significant malicious activity. On this prediction, Augur subscribers benefited from more than 12 months of Patient Zero protection.
Predicted in Q1 2022, this IP was confirmed malicious and associated with the MOVEit vulnerability and the MITRE Technique ID T1329 (Acquire and/or use 3rd party infrastructure services). More than 127 IPs belonging to this CIDR have been reported as malicious, and the ASN (147049) the CIDR belongs to includes 10 other CIDRs Augur has predicted to be malicious and there is considerable reported criminal activity associated with these CIDRs.
Time to Block!
If you are not an Augur subscriber, we recommend blocking all of these IPs and CIDRs.
Conclusions
Augur’s over 100 MOVEit-associated predictions are spread out over a large number of CIDRS belonging to a wide range of organizations and using server infrastructure in many countries. This indicates an extensive and well-organized effort to exploit the MOVEit vulnerability. Augur’s predictions are the only threat intel source that reliably provides security teams with proactive protection to take action on adversary attack infrastructure.
On the MOVEit vulnerability, Augur provided subscribers with an average of more than 12 months advanced protection against critical elements of the MOVEit threat infrastructure - ensuring Augur users don’t become Patient Zero (or even Patient 100) for this emerging threat.
Your Early Warning System
Augur is your best early warning system and your insurance policy against novel threats.
Our smart behavioral prediction models identify and group threat actors based on patterns of activity. The platform can then predict novel attacks up to 50 days out. At the time of prediction, these predictions are often +-90% unique compared to other leading threat data sources.
Augur has predicted and protected against major elements of numerous important vulnerabilities, including Solar Winds, Log4JShell, Colonial Pipeline and ProxyNotShell hacks months ahead of first reports.
Find Out More
Curious to see how Augur works and how Augur’s predictive intelligence can improve your Patient Zero protection and overall security posture? You can learn more about how Augur works and how it solves real-world security problems.