惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
Simon Willison's Weblog
Simon Willison's Weblog
H
Help Net Security
F
Fortinet All Blogs
H
Heimdal Security Blog
S
Schneier on Security
L
LangChain Blog
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
NISL@THU
NISL@THU
P
Palo Alto Networks Blog
J
Java Code Geeks
博客园 - 【当耐特】
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Vulnerabilities – Threatpost
I
InfoQ
Recorded Future
Recorded Future
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CERT Recently Published Vulnerability Notes
T
Tenable Blog
腾讯CDC
C
Check Point Blog
量子位
M
MIT News - Artificial intelligence
GbyAI
GbyAI
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
小众软件
小众软件
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
V2EX - 技术
V2EX - 技术
T
Threatpost
Engineering at Meta
Engineering at Meta
Attack and Defense Labs
Attack and Defense Labs
T
Tailwind CSS Blog
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
爱范儿
爱范儿

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Flowspec – TA505’s bulletproof hoster of choice
Intel 471 · 2020-07-16 · via Intel 471 Blog

By the Intel 471 Intelligence Analysis team.

Here at Intel 471 we spend a fair amount of time tracking malicious infrastructure providers. In the world of cybercrime the malicious infrastructure provider, or Bulletproof Hoster (BPH) as they are called in the underground marketplace, is a core enabling service that often gets little attention from threat intelligence analysts. It’s difficult to quantify their impact as it’s often spread over the activities of many different clients that are conducting activities that range from low-level phishing to more sophisticated intrusions. Sure, IP addresses and domains associated with badness get pushed over to the NOC/SOC, SIEM or endpoints to protect the enterprise, but few are digging beyond the initial incident and indicators then working up the chain to prefixes, Autonomous System Numbers (ASN) or even the companies behind them.

As you divert your attention to the malicious infrastructure provider and move up this chain, you’re dealing with aspects of the bad guy’s business model that are more costly to put in place and thus change less frequently. You’re also allowing for opportunities to identify, track and proactively block clusters of infrastructure that, while not yet used for malicious activity, have been set aside for such badness. In this blog we’ll start with some infrastructure suspected to be in use by TA505 and make the case for blocking the entire associated prefix as well as using BGP announcements to monitor for future indications of infrastructure being put in place.

Through the course of our research we’ve identified a couple of IPs addresses suspected to have been used in secondary activity by TA505, so if you’re seeing these then it means you’ve potentially got some big problems.

176.121.14.175

176.121.14.238

These are a bit more significant to TA505 operations than Get2 Loader malware infrastructure, which are used early on as part of the initial infection. Get2 Loader is widely thought to be the loader operated by TA505 early on in their intrusions. This infrastructure will typically see more frequent turnover given its position in the chain, but the same exercise can be done with those domains & IPs as well…and it’s worth doing.

When looking at an IP address there are few red flags that should get your attention. It’s certainly not a perfect science, but they do offer indications you may be dealing with BPH infrastructure set aside to support malicious activity.

  1. Things to look out for include:
  2. The associated company is registered to an offshore location such as Belize, Seychelles, Panama or others;
  3. The company was registered in the last 1-3 years;
  4. The associated ASNs were created in the last 1-3 years;
  5. There are only a small number (1 – 6) prefixes associated with the ASN;
  6. The prefixes associated with the ASN are smaller (/22 to /24);
  7. The ASN has a small number (1 – 2) of peers (as in BGP peering);
  8. Little or no benign content is hosted within the infrastructure;
  9. The organization maintains a presence in the underground marketplace…obvious giveaway!

To give a quick and simple example we’ll start with the two IPs mentioned above as being associated with TA505 activity. The first thing we want to understand is the smallest prefix announcement and routing history associated with the IP address. That’s pretty easy using RIPE’s free tool RIPEStat. The key takeaways from the screens below are that both IPs have been part of 176.121.14.0/24 since mid-2018 and it is currently announced by AS210138. Also, this prefix provides a fairly small number of IP addresses — 256 to be exact.

https://stat.ripe.net/widget/routing-history#w.resource=176.121.14.175

We can also use RIPEStat to understand the routing history for AS210138. This will provide you information related to what other prefixes have been and are being announced under a particular Autonomous System (AS). What we can see is that AS210138 has only announced the subject /24 IPv4 prefix since October 2019 and the IPv6 /48 since in April 2020. If you were confident an ASN was controlled by a malicious infrastructure provider you could make the case for blocking any prefixes associated with it currently and in the future.

https://stat.ripe.net/widget/routing-history#w.resource=AS210138

We can look further into the ASN, the parent organization, and more using the RIPE database and other tools, but that’s beyond the scope of this blog. We’ll stick to three RIPE objects (person, organization and ASN) that provide some pretty decent insight into the AS and those that control it.

https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=AS210138&type=aut-num

https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=ORG-FL235-RIPE&type=organisation

https://apps.db.ripe.net/db-web-ui/lookup?source=RIPE&type=person&key=NS7363-RIPE

The information gleaned from the RIPE DB and from RIPEStat is somewhat more reliable than domain WHOIS as it can’t all simply contain dummy data and some of it is related to BGP, which needs to be legitimate if you’re going to play on the internet. To summarize some of the info we’ve pulled together:

  • Both IPs are part of 176.121.14.0/24, which is a relatively small netblock of 256 IP addresses
  • The prefix falls under ASN 210138, which was created on Oct 2, 2019
  • The AS first announced 176.121.14.0/24 on Oct 12, 2019
  • The prefix and ASN are associated with a company called Flowspec LTD

Next, we consider the question of whether or not this particular organization is catering its services to cybercriminals directly in the underground marketplace. A quick look across a number of forums will show that Flowspec is operating in plain sight and clearly offering bulletproof hosting services. It’s not always this easy to answer this question, however.

We’ve taken an abbreviated look at Flowspec’s setup, but what we can conclude is that TA505 are likely active in the underground marketplace and using the BPH services of Flowspec. It’s a safe bet to also conclude that nothing good is coming out of Flowspec’s /24 and it’s more or less set aside for nefarious activity. TA505, a somewhat sophisticated adversary, are just one of a number of clients so to block that /24 will also help defend against any other badness originating from Flowspec.

So what can we do about it?

Course of action (COA) analysis must take into account your organization’s capabilities, but below are a number of simple COAs that might make this sort of research and analysis actionable for your organization.

  1. Block/alert on all 256 IPs associated with 176.121.14.0/24. The prefix is owned and operated by a known BPH service. One of the service’s clients is TA505. Better yet, blacklist the ASN and any prefixes associated with it.
  2. Monitor the 176.121.14.0/24 for BGP announcements that would suggest it is being removed from Flowspec or moved to another entity. This could indicate the prefix is no longer used as part of the BPH service or has been transferred to a new entity under the service’s control.
  3. Monitor BGP announcements for Flowspec’s ASN to identify new prefixes being added so you can immediately block/alert on them.
  4. TA505 Webinar – 23 July 2020

Want to learn more about TA505?

Join us on July 23rd, 2020 for our TA505 Deep Dive webinar that will cover the group’s history including TTPs.

Register at: https://us02web.zoom.us/webinar/register/WN_Z_YvCOXHRweL6vW3EoqO2Q