Weekly Threat Intelligence Report

Date: May 6, 2024

Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS

This week, we continue to see significant activity originating from Autonomous System Numbers (ASNs) AS8968, AS44477, AS9318, AS216309, and AS216319. The observed activities from the mentioned ASNs signify diverse cybersecurity threats, including malware infections, data theft, botnet operations, and potential collaboration with cybercriminals. Mitigation efforts should prioritize enhancing security measures, collaborating with ISPs and cybersecurity organizations, and educating users to mitigate the risks posed by these threats.

AS8968 – BT Italia S.p.A. (Italy)

Analysis:
AS8968, managed by BT Italia S.p.A., exhibits significant malware activity, indicative of potential security vulnerabilities within the network infrastructure. The high volume of infected systems suggests inadequate security measures or compromised endpoints, posing a substantial risk to cybersecurity. The organization managing this ASN may be experiencing cybersecurity challenges, necessitating immediate attention to strengthen their defenses and mitigate the risk of further infections.

Mitigation Strategy:

• Conduct a thorough assessment of network infrastructure to identify and remediate security vulnerabilities.
• Implement robust endpoint protection solutions, including anti-malware software and endpoint detection and response (EDR) systems.
• Enhance network monitoring capabilities to detect and mitigate malicious activities in real-time.
• Collaborate closely with BT Italia to strengthen security measures and share threat intelligence for proactive threat mitigation.

AS44477 – STARK INDUSTRIES (Russia)

Analysis:
AS44477, associated with STARK INDUSTRIES, operates as a suspected bulletproof host with connections to Russia. The observed activity, particularly the presence of Redline stealer and botnet-related traffic, indicates malicious intent aimed at compromising user data and expanding botnet networks. STARK INDUSTRIES may be operating as a bulletproof hosting provider facilitating cybercriminal activities. The presence of Redline stealer suggests a focus on data theft and potentially monetizing stolen information.

Mitigation Strategy:

• Deploy advanced threat detection technologies, such as behavioral analysis and sandboxing, to detect and block Redline stealer infections.
• Establish partnerships with law enforcement agencies and international cybersecurity organizations to disrupt the operations of STARK INDUSTRIES.
• Enhance user awareness and education programs to educate stakeholders about the risks associated with malicious activities originating from AS44477.

AS9318 – SK Broadband Co Ltd (South Korea)

Analysis:
AS9318, operated by SK Broadband Co Ltd, has been linked to significant malware activity, suggesting compromised devices within the network. While the ISP may not be directly involved, infected devices contribute to cyber threats, necessitating proactive mitigation measures. SK Broadband Co Ltd should focus on enhancing network security measures and collaborating with customers to address compromised devices. Educating users about cybersecurity best practices can help mitigate the risk of further infections.

Mitigation Strategy:

• Collaborate with SK Broadband Co Ltd to conduct thorough network assessments and identify compromised devices for remediation.
• Implement network segmentation to contain the spread of malware and prevent lateral movement within the network.
• Enhance customer education initiatives to promote cybersecurity best practices and reduce the risk of device infections.

AS216309 – TNSecurity (Germany/Russia)

Analysis:
AS216309, associated with TNSecurity, exhibits an unusually high level of malware activity, controlled by cybercriminals. Conflicting reports suggest origins in both Germany and Russia, posing challenges for effective threat mitigation. The unusually high level of malware activity controlled by cybercriminals suggests a sophisticated threat actor leveraging compromised infrastructure for malicious purposes. TNSecurity may have been compromised or willingly collaborating with cybercriminals, highlighting the need for vigilance and stringent security measures. Blocking traffic from this ASN and sharing threat intelligence are crucial for mitigating associated risks.

Mitigation Strategy:

• Implement strict filtering measures to block traffic originating from AS216309 and prevent exposure to malicious activities.
• Share threat intelligence with cybersecurity organizations to raise awareness of the risks associated with TNSecurity.
• Conduct ongoing monitoring and analysis to identify emerging threats and adapt mitigation strategies accordingly.

AS216319 – CHROMIS LTD (UK/Russia)

Analysis:
AS216319, registered to CHROMIS LTD in the UK, has been linked to Amadey and Redline-based malware traffic originating from Moscow, Russia. Further investigation revealed collaboration with ELITE-HOSTING-LTD in Russia, indicating a sophisticated threat landscape with international ramifications. CHROMIS LTD may be involved in facilitating cybercriminal activities, such as malware distribution and botnet operations. Geo-blocking measures and due diligence before engaging with entities associated with this ASN are essential to mitigate risks.

Mitigation Strategy:

• Implement geo-blocking measures to restrict traffic from Moscow, Russia, associated with AS216319.
• Conduct thorough due diligence before engaging with CHROMIS LTD or ELITE-HOSTING-LTD to mitigate potential risks associated with their involvement in malicious activities.
• Enhance collaboration with international cybersecurity organizations to disrupt the operations of CHROMIS LTD and ELITE-HOSTING-LTD.

By adopting proactive mitigation strategies, collaborating with ISPs and international cybersecurity organizations, and maintaining vigilance against emerging threats, organizations can effectively safeguard their digital assets and mitigate the risks posed by malicious actors. For further inquiries or assistance, please don’t hesitate to contact our cybersecurity team.

Want more threat intel on a weekly basis?

Follow HYAS on LinkedIn
Follow HYAS on X

Read last week’s report:
Agent Tesla Unmasked: Revealing Unrelated Cyber Campaigns – May 6, 2024

Sign up for the NEW (and free!) HYAS Insight Intel Feed

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report’s information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.  

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

*** This is a Security Bloggers Network syndicated blog from HYAS Blog authored by David Brunsdon. Read the original post at: https://www.hyas.com/blog/hyas-threat-intel-report-may-6-2024