ThreatSTOP Blog

45.146.165[.]168 exploiting Log4j is another reason to block Selectel

Written by Ofir Ashman | February 28, 2022

If you have had reservations about blocking traffic from Russia in the past, today is definitely the time to rethink your decision. With the outbreak of land, air and cyber warfare between Russia and Ukraine, organizations around the world should take extra caution in protecting their networks from Russian malware and traffic. This is especially true for most Western countries, which are not on the same geopolitical side as this massive country, known for its cyber attack capabilities.

Last week, we witnessed over fifty thousand blocked connection attempts on our customer networks from a malicious IP on the Russian Selectel ISP, specifically - AS 49505. This IP has been flagged by numerous threat intelligence sources, and was spotted in a Log4j abuse campaign last month by the Initial Access Broker (IAB) group Prophet Spider.

ThreatSTOP recommends blocking the whole 45.146.164[.]0/23 IP address space. Most of these IPs have recently shown up in blocklists provided by many of our 900+ threat intelligence sources such as:

  • DSBLEXP - DShield Block List, based on millions of intrusion detection log entries, collected every day from sensors covering over 500,000 IP addresses in over 50 countries by the Internet Storm Center.
  • GRSNOWIP - Green Snow Block List. These IP addresses were detected port-scanning FTP, POP3, mod_security, IMAP, SMTP and SSH services, and were also involved in cPanel attacks and brute force attempts. This data is provided thanks to Green Snow.
  • CINSARMY - The CINS Army list contains IP addresses characterized as malicious across a broad customer-base who use Sentinel's intrusion prevention systems. Sentinel's CINS system gathers attack data from deployed IPS's and the larger security community to identify threat actors and the IP infrastructure they use.
  • TSTOPIPS - A ThreatSTOP originated target; these are the IPs most blocked by ThreatSTOP customers. This list can contain all types of inbound threats. The list is generated daily.
  • UDGERHA - IPs observed engaging in various HTTP attacks.
  • DST4KEXP - IP addresses from the DShield Top 4000 list.
  • HONEYDB - IPs that have connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat.
  • BOTNET2E - A ThreatSTOP curated target, these are IP addresses of known active C2 infrastructure for major botnets. Attempts to connect to these addresses may show an infected system in need of cleaning.
  • AVEXP - AlienVault Malware Droppers and Botnet C2 infrastructure.
  • TELATACK - IP addresses currently attacking Telecommunications infrastructure.
  • AP-THREA - IP addresses of attackers seen on large anonymous networks.
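The recommendation above is to block the whole 45.146.164[.]0/23 range rather than the single flagged address. The following is an added example, not ThreatSTOP code: it refangs the defanged notation used in this post, checks whether an address falls inside the recommended range, and runs that check over a few constructed firewall-style log lines to surface connections that a block rule would have stopped. The helper names (`refang`, `is_blocked`, `find_hits`) and the sample log format are assumptions made for illustration.

```python
"""Flag log entries whose source IP falls in the block range recommended in the post.

Added example, not ThreatSTOP code. The log lines below are constructed;
the helper names are illustrative assumptions.
"""
import ipaddress
import re
from typing import List


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '45.146.165[.]168' back into a parseable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


# Block recommendation taken from the post (defanged in the text, refanged here).
BLOCK_RANGES = [ipaddress.ip_network(refang("45.146.164[.]0/23"))]


def is_blocked(ip: str) -> bool:
    """True if the address (fanged or defanged) lies inside any recommended block range."""
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in net for net in BLOCK_RANGES)


# Constructed firewall-style log lines (not real ThreatSTOP or customer output).
# 45.146.166.1 is deliberately just outside the /23 to show the boundary.
SAMPLE_LOGS = """\
2022-02-21T10:01:02Z action=allow src=45.146.165.168 dst=10.0.0.5 dport=8080
2022-02-21T10:01:03Z action=allow src=198.51.100.7 dst=10.0.0.5 dport=443
2022-02-21T10:01:04Z action=allow src=45.146.164.12 dst=10.0.0.9 dport=80
2022-02-21T10:01:05Z action=deny src=45.146.166.1 dst=10.0.0.9 dport=22
"""

# Extracts the source address from a 'src=a.b.c.d' field.
LOG_RE = re.compile(r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def find_hits(log_text: str) -> List[str]:
    """Return, in order, every source IP in the log that the block range would cover."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and is_blocked(match.group("src")):
            hits.append(match.group("src"))
    return hits


if __name__ == "__main__":
    for ip in find_hits(SAMPLE_LOGS):
        print(f"would be blocked by {BLOCK_RANGES[0]}: {ip}")
```

Running the script prints the two addresses inside the /23 and ignores the neighbouring 45.146.166.1, which is why the range boundary is worth checking explicitly before a rule is deployed.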


ThreatSTOP users are automatically protected from attacks launched from these IPs and others as they appear. Contact us to learn more, or click below to get a demo: