Weekly Threat Intelligence Report
Date: May 6, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
This week, we continue to see significant activity originating from Autonomous System Numbers (ASNs) AS8968, AS44477, AS9318, AS216309, and AS216319. The observed activities from the mentioned ASNs signify diverse cybersecurity threats, including malware infections, data theft, botnet operations, and potential collaboration with cybercriminals. Mitigation efforts should prioritize enhancing security measures, collaborating with ISPs and cybersecurity organizations, and educating users to mitigate the risks posed by these threats.
Analysis:
AS8968, managed by BT Italia S.p.A., exhibits significant malware activity, indicative of potential security vulnerabilities within the network infrastructure. The high volume of infected systems suggests inadequate security measures or compromised endpoints, posing a substantial risk to cybersecurity. The organization managing this ASN may be experiencing cybersecurity challenges, necessitating immediate attention to strengthen their defenses and mitigate the risk of further infections.
Mitigation Strategy:
Analysis:
AS44477, associated with STARK INDUSTRIES, operates as a suspected bulletproof host with connections to Russia. The observed activity, particularly the presence of Redline stealer and botnet-related traffic, indicates malicious intent aimed at compromising user data and expanding botnet networks. STARK INDUSTRIES may be operating as a bulletproof hosting provider facilitating cybercriminal activities. The presence of Redline stealer suggests a focus on data theft and potentially monetizing stolen information.
Mitigation Strategy:
Analysis:
AS9318, operated by SK Broadband Co Ltd, has been linked to significant malware activity, suggesting compromised devices within the network. While the ISP may not be directly involved, infected devices contribute to cyber threats, necessitating proactive mitigation measures. SK Broadband Co Ltd should focus on enhancing network security measures and collaborating with customers to address compromised devices. Educating users about cybersecurity best practices can help mitigate the risk of further infections.
Mitigation Strategy:
Analysis:
AS216309, associated with TNSecurity, exhibits an unusually high level of malware activity, controlled by cybercriminals. Conflicting reports suggest origins in both Germany and Russia, posing challenges for effective threat mitigation. The unusually high level of malware activity controlled by cybercriminals suggests a sophisticated threat actor leveraging compromised infrastructure for malicious purposes. TNSecurity may have been compromised or willingly collaborating with cybercriminals, highlighting the need for vigilance and stringent security measures. Blocking traffic from this ASN and sharing threat intelligence are crucial for mitigating associated risks.
Mitigation Strategy:
Analysis:
AS216319, registered to CHROMIS LTD in the UK, has been linked to Amadey and Redline-based malware traffic originating from Moscow, Russia. Further investigation revealed collaboration with ELITE-HOSTING-LTD in Russia, indicating a sophisticated threat landscape with international ramifications. CHROMIS LTD may be involved in facilitating cybercriminal activities, such as malware distribution and botnet operations. Geo-blocking measures and due diligence before engaging with entities associated with this ASN are essential to mitigate risks.
Mitigation Strategy:
By adopting proactive mitigation strategies, collaborating with ISPs and international cybersecurity organizations, and maintaining vigilance against emerging threats, organizations can effectively safeguard their digital assets and mitigate the risks posed by malicious actors. For further inquiries or assistance, please don't hesitate to contact our cybersecurity team.
Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X
Read last week's report:
Agent Tesla Unmasked: Revealing Unrelated Cyber Campaigns - May 6, 2024
Sign up for the NEW (and free!) HYAS Insight Intel Feed
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.
Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.
Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.
Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.