A couple of weeks back, a security researcher alerted his LinkedIn contacts to possibly ongoing targeted attacks stemming from the Iranian subnet 194[.]147[.]140[.]x. He advised cybersecurity specialists to watch out for subnets that may pose a threat and to consider blocking them. That post encouraged us to look into the subnet, and this one details our findings using IP Netblocks WHOIS Database.
As a first step, we downloaded the daily IP netblocks WHOIS data feeds for the three days (10 to 12 January 2021) leading up to the time the post was shared. The goal? To see whether IP addresses included in the netblock were being tagged as malicious on the open-source blocklist AbuseIPDB, which could indicate an ongoing campaign.
The IP netblocks WHOIS data feed for 10 January showed that the IP netblock 194[.]147[.]140[.]0 to 194[.]147[.]140[.]255 had been modified on 8 January 2021. The screenshot below gives an overview of the change:
Note that this highlight contains the domain name kbcequitas[.]hu, whose current owner is KBC Securities Hungary, part of the KBC Equitas Hungary group. The organization is a known local Hungarian stockbroker, investment, and banking company. This post will later offer an interpretation of the organization's presence in this netblock change.
The feed for 11 January, meanwhile, had no entries pertaining to the IP netblock in question. The feed for 12 January, however, showed various changes made within the netblock, as shown in the following screenshots:
While these modifications do not necessarily have anything to do with attacks or malicious activity (especially since some of the changes happened several months earlier), it is advisable to double-check and dig deeper for the sake of security.
Keying in the IP addresses on AbuseIPDB allowed us to determine that the following were tagged as malicious for the reasons indicated:
Organizations that are hesitant to block an entire IP netblock can settle for blocking the smaller subset indicated in IP Netblocks WHOIS Database (i.e., 194[.]147[.]140[.]0/24) or only the specific IP addresses confirmed as malicious and listed above. Priority should be given to those reported hundreds of times, namely, 194[.]147[.]140[.]5, 194[.]147[.]140[.]20, 194[.]147[.]140[.]21, 194[.]147[.]140[.]22, 194[.]147[.]140[.]23, and 194[.]147[.]140[.]24.
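As an added example (not code from the original post or from WhoisXML API), the following Python helper turns the WHOIS range into CIDR form, refangs the bracketed indicator notation used above, and sorts the reported IPs into a priority block list, a watch list, and IPs outside the netblock; the report counts and the last two IPs are constructed placeholders, not AbuseIPDB's actual figures.

```python
import ipaddress
from typing import Dict, List

def refang(indicator: str) -> str:
    """Turn the defanged form used in write-ups ("194[.]147[.]140[.]5") back into a real IP."""
    return indicator.replace("[.]", ".")

def range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Convert an IP netblocks WHOIS range (first address - last address) into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(refang(first)), ipaddress.ip_address(refang(last))))

def prioritise_blocks(netblock: ipaddress.IPv4Network,
                      reports: Dict[str, int], threshold: int = 100) -> Dict[str, List[str]]:
    """Split reported IPs into three buckets: inside the netblock and reported at least
    `threshold` times (block first), inside but below the threshold (watch), and outside."""
    result: Dict[str, List[str]] = {"priority": [], "watch": [], "outside": []}
    for ioc, count in reports.items():
        ip = ipaddress.ip_address(refang(ioc))
        if ip not in netblock:
            result["outside"].append(str(ip))
        elif count >= threshold:
            result["priority"].append(str(ip))
        else:
            result["watch"].append(str(ip))
    for key in result:  # numeric order, so .5 sorts before .20
        result[key].sort(key=ipaddress.ip_address)
    return result

# Constructed sample: the counts are placeholders, not AbuseIPDB's real report numbers.
SAMPLE_REPORTS = {
    "194[.]147[.]140[.]5": 312,
    "194[.]147[.]140[.]20": 240,
    "194[.]147[.]140[.]21": 198,
    "194[.]147[.]140[.]22": 175,
    "194[.]147[.]140[.]23": 150,
    "194[.]147[.]140[.]24": 120,
    "194[.]147[.]140[.]77": 3,    # constructed: reported only a few times
    "194[.]147[.]141[.]9": 500,   # constructed: adjacent /24, not in this netblock
}

if __name__ == "__main__":
    cidrs = range_to_cidrs("194[.]147[.]140[.]0", "194[.]147[.]140[.]255")
    print("netblock as CIDR:", [str(c) for c in cidrs])
    print(prioritise_blocks(cidrs[0], SAMPLE_REPORTS))
```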
Taken together with our earlier findings regarding kbcequitas[.]hu, the IPs identified as malicious suggest the following picture: the netblock now appears to be owned by a benign Hungarian company, according to the IP WHOIS data valid at the time of writing. It is probable that the netblock was revoked from its previous owner (originally behind the Iranian subnet) and reallocated to a new owner (KBC Securities Hungary) who may not even be aware of the dark history of their new netblock.
So, security-wise, while it is important to be careful with such a netblock, the new owner should also take care to initiate blocklist removal and, for some time, possibly avoid using the particular IPs that were recently found to be malicious.
If correct, this interpretation illustrates a consequence of the saturation of the IPv4 address space. Organizations acquiring an IPv4 netblock should therefore make absolutely certain that it does not carry a bad reputation from previous owners' activities.
Want to know more about the artifacts identified in this post for your own research? Or are you thinking of collaborating with our threat researchers? Contact us for partnership opportunities.