Checking these IOCs for this latest Flash 0-day came up with an interesting IP address of 89.45.67.107 which belongs to Fast Serv Inc aka Qhoster, probably of Bulgaria but masquerading themselves as a Belize outfit.
I came across Fast Serv / Qhoster a lot last year during the Angler EK epidemic, where they had entire ranges full of badness, often with no discernable legitimate sites at all. It turns out that I'd blocked the /24 a year ago as it was full of EK servers. The full analysis I did of Fast Serv / Qhoster Angler ranges can be found in these Pastebins: [1] [2] [3] [4] [5] [6] [7]
So, this Flash 0 day gave me a renewed impetus to identify these ranges and keep them the hell off my network. Luckily HE's BGP tool can identify most of the allocated IPs of a /24 size or larger [8] [9] plus a bit of infill from other sources.
I can't guarantee that these ranges are free of legitimate sites, but even a quick glance at some of the ranges (the BGP tool is quite good for this [10]) shows signs of obvious badness in almost all of them. Use at your own risk :)
Note that these ranges are across many different ASes and hosts, although AS201630 is allocated to Qhoster themselves.
5.104.105.192/26
37.157.253.64/26
46.102.152.0/24
46.102.252.0/23
85.204.74.0/24
86.104.15.0/24
86.105.1.0/24
86.105.5.0/24
86.105.18.0/24
86.105.227.0/24
86.106.93.0/24
86.106.102.0/24
86.106.131.0/24
89.32.40.0/24
89.33.64.0/24
89.34.111.0/24
89.35.178.0/24
89.37.226.0/24
89.42.212.0/24
89.43.60.0/24
89.43.202.0/23
89.44.103.0/24
89.45.67.0/24
92.114.35.0/24
92.114.92.0/24
93.113.45.0/24
93.115.38.0/24
93.115.201.0/24
93.117.137.0/24
93.119.123.0/24
94.177.12.0/24
94.177.123.0/24
103.197.160.0/22
138.204.168.0/22
141.255.160.48/28
146.0.43.64/26
168.227.36.0/24
168.227.37.0/24
168.227.38.0/24
168.227.39.0/24
176.223.111.0/24
176.223.112.0/24
176.223.113.0/24
176.223.165.0/24
185.77.128.0/24
185.77.129.0/24
185.77.130.0/24
185.77.131.0/24
188.213.204.0/24
188.215.92.0/24
188.241.39.0/24
188.241.68.0/24
220.158.216.0/22
2403:1480:1000::/36
2403:1480:9000::/36
2a05:6200::/32
2a05:6200:72::/48
2a05:6200:74::/48
No comments:
Post a Comment