The Russian hosting provider Selectel[.ru] (ASN: 49505) is known for hosting fishy activity, so it probably doesn't come as a surprise that our security research team has seen a lot of malicious traffic from a Selectel IP trying to reach our customer networks (and failing, of course, thanks to ThreatSTOP's IP Firewall). The IP, 45.146.164[.]38, attempted to make over 3 million connections to customer devices over the last week alone.

Image: ThreatSTOP CheckIOC Analysis Tool

We recently posted about the neighboring IP address space, 45.146.165[.]0/24, and the fishy activity going on over there. When researching the IP neighbors of the address currently in question, 45.146.164[.]38, our team found some interesting activity.

Taking a sample domain from a few of the IPs, we saw patterns that look very much like DGAs (domain generation algorithms) hosted dynamically across multiple addresses in this space. A quick domain search on VirusTotal confirms that these IPs are indeed actively hosting DGA infrastructure.

Image: ipinfo.io

Selectel has been in the malicious activity spotlight for a while now, having already been flagged by Spamhaus as part of a "bulletproof" hosting operation back in 2019. ThreatSTOP has been protecting customers from the IPs mentioned, which were added to our systems through the aggregation of the DShield blocklist, one of our 800+ threat intelligence sources. In addition, ThreatSTOP customers can block the whole IP address space 45.146.164[.]0/23 by activating the Russian Geo IP target, fully protecting themselves from malicious DGAs and other badness going on across the Selectel infrastructure.
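The two checks described above, matching traffic against the 45.146.164[.]0/23 range and spotting DGA-looking hostnames, as an added example that is not ThreatSTOP's own code; the entropy and vowel-ratio thresholds, the sample hostnames and the event list are all constructed for illustration.

```python
import ipaddress
import math
from collections import Counter

# Address space called out in the post (written defanged there as 45.146.164[.]0/23).
BLOCKED_NETWORKS = [ipaddress.ip_network("45.146.164.0/23")]

def is_blocked(ip):
    """True if the address falls inside any blocked network (covers .164.x and .165.x)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)

def shannon_entropy(text):
    """Bits of entropy per character; a label of all-distinct characters scores log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(domain):
    """Second-level label, e.g. 'xkq7vz9plm2wtr' from 'www.xkq7vz9plm2wtr.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def looks_like_dga(domain, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic with assumed thresholds: long, high-entropy, vowel-poor labels."""
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

# Constructed sample events (client address, contacted hostname); not real observations.
SAMPLE_EVENTS = [
    ("45.146.164.38", "xkq7vz9plm2wtr.com"),
    ("45.146.165.12", "hdnvqkrtlzmpbf.net"),
    ("198.51.100.7", "mail.example.com"),
    ("203.0.113.9", "threatstop.com"),
]

def triage(events):
    """Return (ip, host, reasons) for every event that trips either check."""
    hits = []
    for ip, host in events:
        reasons = []
        if is_blocked(ip):
            reasons.append("blocked-range")
        if looks_like_dga(host):
            reasons.append("dga-like")
        if reasons:
            hits.append((ip, host, reasons))
    return hits
```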

We highly recommend blocking these IPs, and considering blocking all IPs in the address space that have been deemed malicious by high-quality threat intelligence providers such as the ones we aggregate. To find out if an IP is in our threat targets, use our free checkIP tool.
