ThreatSTOP's Security Research Team has been monitoring activity on the ASN 51852 Private Layer, a medium-sized AS with a reputation for a ton of badness. So it's no surprise that we continue to receive threat intelligence on malicious activity over there.

private_layerAS Spam statistics. Image: CleanTalk

According to CleanTalk, nearly half of the IPs on the AS are a source of spam. In this blog post we talk about a specific subnet - 141.255.164[.]0/24 - which has been starring in a lot of malicious activity lately. If you search our IOC database for that subnet, you'll discover that a number of individual IP addresses are listed as bad for one reason or another. There are current and former port scanners, SSH, IMAP, SIP and Brute Force attackers, Phishing sites, Botnet and malware C2s, and more. Let's take a look at a few of the worst:

 

APT29/Cozy Bear are a big fan

Right when the Covid-19 pandemic was peaking, the APT group dubbed Cozy Bear (also known as The Dukes) attacked various organizations involved in COVID-19 vaccine development in North America and the UK. It is suspected that the threat group, which has been attributed to Russia's Foreign Intelligence Service (SVR), tried to steal information and intellectual property relating to the development and testing of COVID-19 vaccines. APT29 use two custom malware variants - WellMess (executes commands, uploads and downloads files) and WellMail (communicates with C2 servers and runs commands scripts).

In this Covid-19 data stealing campaign, APT29 hosted part of their infrastructure on the IP 141.255.164[.]29. Fast forward to last week, and RiskIQ have discovered 30 more active C2 servers being used by the threat group - three of which are hosted on our same bad subnet: 141.255.164[.]11, 141.255.164[.]36, 141.255.164[.]40.

apt29

APT29 Covid-19 Attacks C2s. Image: RiskIQC

 

Looking back reveals more bad behavior

badipapt29
 

Many of the IPs in this subnet have been tracked and blocked in our system over time due to their malicious activity. Just to name a few:

  • 141.255.164[.]13 - Critical Threats and Email Attacks

  • 141.255.164[.]39 - Scanning SSH and Inbound Attacks

  • 141.255.164[.]154 - VOIP Attacks

The IP 141.255.164[.]19 also shows funky past activity. Looking at its passive DNS, we can see a number of domain resolves that are far from innocuous. Whether they are DGA domains for C2s of some ransomware variant, or  phishing websites, these are bad. No legit website will use a 6th level subdomain (like login.mailchimp.com.new.session.2135454.mobilfunkbau[.]de), and no legit amazon/microsoft/twitter website will have their name as a subdomain of a different parent domain (like twitter.api.[random string].com).

pdnsip

We have been seeing badness on this subnet for years, with domains like paypal.de.private-data-check.onlineverification[.]su dating back to 2014 (hosted on 141.255.164[.]26).

It's all rather impressive and shows that criminals will cheerfully re-use infrastructure they trust to deliver different kinds of malicious activity. This is a part of the Internet that seems to have a ton of malicious activity. Since ThreatSTOP is blocking the entire subnet, our customers are protected against all of the threats from this subnet, whether new or old, no matter whether the threats are inbound attacks or outbound call-homes.

Attacks from this subnet are blocked at the initial connection which means that IDSes and other analytical tools can use their resources elsewhere. Most importantly our customers are protected against attacks from this subnet that exploit zero-days or unpatched vulnerabilities without needing to worry exactly what the attack is attempting to exploit.

It takes less than an hour to install ThreatSTOP, and the security benefits are immediately visible.

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?

Get a DemoStart a Trial