Fineproxy used to launch DDoS attack against site critical of Azerbaijani state oil company’s leader


Beginning on the 18th of August, a sustained DDoS attack was launched against the human rights website Humanrightsclub.net after it published an article discussing the various companies affiliated with Rovnaq Abdullayeva, president of the State Oil Company of Azerbaijan Republic, known as SOCAR. The perpetrators launched the attack using Fineproxy, a service that leverages large botnets used for illegitimate search engine optimization and other grey business. In the past two years, we have traced several attacks targeting content critical of SOCAR to this proxy platform.


Trusov Ilya Igorevych, owner and provider of Fineproxy, via his company Quality Network OU, has for years been loading bogus information into RIPE registry objects to make his platform appear to have a presence in dozens of countries. Having done so, the proxy platform can be used to game search engine optimization, which gives credence to pages visited by a diverse geographic base. Additionally, Fineproxy is used by social media marketing specialists who use it to flood comment areas on discussion boards and create bogus Twitter accounts. During the past year alone, their prefixes have launched thousands of attacks against websites, including cross-site scripting, SQL injection and denial-of-service attacks.

Several new companies were created by Ilia Trusov in 2018 so as to become LIRs in RIPE and to harvest new IP space. The table below shows the companies currently registered by Ilia Trusov in Estonia.

Estonian companies registered by Ilia Trusov.

“Pay-as-you-go” has turned to “Abuse-as-you-go”

FineProxy’s official version of its purpose.

Fineproxy occasionally responds to abuse reports from its victims. They normally suspend the abusers’ accounts within 24h, but the damage is already done. As the service is inexpensive, the abusers know that they just need to create a new account in Fineproxy systems to keep running their criminal campaigns.

In the case of humanrightsclub.net, the attacks lasted hours during several days, with several million requests proxied by more than 1000 IP addresses from Fineproxy.

Similar to the attacks we have monitored against Meydan.tv and Azerbaycansaati.tv, the attacker uses the combination of Fineproxy and Host-tracker to launch the DDoS and monitor its effectiveness.
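A flood proxied through many addresses in a few prefixes, as described above, shows up when access-log sources are grouped by prefix rather than by single IP. The following is an added example, not part of the original report: the three prefixes are taken from the announcement timeline further down this page (all announced via AS206485), while the log lines, function names and log format are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Prefixes from this page's timeline; a point-in-time watchlist, not a current one.
WATCHLIST = ["193.93.192.0/22", "185.251.14.0/23", "81.22.46.0/24"]
NETS = [ipaddress.ip_network(p) for p in WATCHLIST]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')

# Constructed access-log sample (not real traffic).
SAMPLE_LOG = """\
193.93.192.17 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
193.93.192.17 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
193.93.195.200 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512
185.251.15.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 900
2001:db8::1 - - [01/Jan/2024:10:00:10 +0000] "GET / HTTP/1.1" 200 512
truncated line with no usable fields
"""

def match_prefix(ip_text):
    """Return the watchlisted prefix containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # client field is not an IP address
    return next((str(n) for n in NETS if ip in n), None)

def summarize(log_text):
    """Return (parsed_lines, {prefix: {"requests": n, "sources": set_of_ips}})."""
    per_prefix = defaultdict(lambda: {"requests": 0, "sources": set()})
    total = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        total += 1
        prefix = match_prefix(m.group(1))
        if prefix:
            per_prefix[prefix]["requests"] += 1
            per_prefix[prefix]["sources"].add(m.group(1))
    return total, dict(per_prefix)

def proxy_share(log_text):
    """Share of requests from watchlisted space and its distinct source count."""
    total, per_prefix = summarize(log_text)
    hits = sum(e["requests"] for e in per_prefix.values())
    sources = sum(len(e["sources"]) for e in per_prefix.values())
    return (hits / total if total else 0.0), sources
```

A high share combined with a large distinct-source count is the signal to rate-limit or challenge at the prefix level, since per-IP limits are diluted when the load is spread over more than 1000 addresses.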

From Kaluga to London, from Tallinn to Narva… and finally the Seychelles

Trusov Ilya Igorevych started his business in Kaluga, Russia under the name Region40 LC. Next he launched Quality Network OU in Narva, Tallinn.

Quality Network OU recently changed its contact details to Office 14; First Floor; Trinity House; Victoria; Mahe Seychelles, a known address for offshore companies and the headquarters of SAST Offshore Services Ltd, as revealed by the Panama Papers.

However, the proxy service keeps operating in Europe at UGB Hosting, a hosting company run by Roman Jevstafjev and business partner Jevgeni Fanfora.

Roman started in the hosting business with Dmitri Kostenko with Fairy Hosting, operated by the company Web Hosting Solutions. At the end of 2014, they moved to a building in Narva operated by Apest Grupp.

With the transformation of the building into a business center, Roman started UGB Hosting, which seems to have been set up for the sole purpose of announcing Fineproxy network prefixes.

Both companies operate from shared infrastructure at Maslovi, 1 in Narva, a city at the Russian border, using ASN 206485 and 202759.

From Region40 in Russia to UGB Hosting in Estonia

Back in 2015-2016, Fineproxy started its operations with Region40 LLC in Kaluga, Russia. The connection between UGB Hosting OU, Quality Network OU and Region40 LLC in Kaluga, where Fineproxy also operates, is visible in the prefixes announced by UGB.

Their AS206485 announces the traffic of FITZ ISP LTD, a company registered in the UK by Alexei Filippenko. Not surprisingly, Filippenko is also a business partner of Ilya Trusov Igorevych in Region40 LLC (aka Depo40) in Russia.

organisation:   ORG-RL208-RIPE
org-name:       REGION40 LLC
org-type:       OTHER
address:        249806, Russia, Kaluga region, Moscow Street 258, office 16
e-mail:         a.filippenko@simplit.ru
abuse-c:        AC31835-RIPE
mnt-ref:        MNT-DEPO40
mnt-by:         MNT-DEPO40
created:        2015-06-04T07:36:41Z
last-modified:  2016-05-13T10:40:23Z
source:         RIPE

person:         Trusov Ilya Igorevych
remarks:        Depo Data Center Kaluga
address:        248021, Russia, Kaluga region, Moscow Street 258, office 16
phone:          +79533100064
nic-hdl:        TII10-RIPE
e-mail:         noc@depo40.ru
mnt-by:         MNT-DEPO40
created:        2013-07-19T09:32:30Z
last-modified:  2017-10-30T22:28:06Z
source:         RIPE
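The two records above are tied together by their shared maintainer, MNT-DEPO40. The following added example (not part of the original report) parses RPSL text and lists maintainers that control more than one object. The first two sample objects reuse handles from the records above with contact fields omitted; the third object, the "+" continuation line and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed input: the first two objects reuse handles and maintainers from
# the RIPE records above (contact fields omitted); the third is invented.
RPSL = """\
organisation:   ORG-RL208-RIPE
org-name:       REGION40 LLC
mnt-by:         MNT-DEPO40

person:         Trusov Ilya Igorevych
remarks:        Depo Data Center
+               Kaluga
nic-hdl:        TII10-RIPE
mnt-by:         MNT-DEPO40

organisation:   ORG-EXAMPLE1-RIPE
org-name:       Example Unrelated Ltd
mnt-by:         MNT-EXAMPLE
"""

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last object
        if not raw.strip():
            if current:
                objects.append(current)
            current = []
        elif raw[0] in " \t+" and current:       # continuation of previous value
            key, val = current[-1]
            current[-1] = (key, f"{val} {raw[1:].strip()}")
        else:
            key, _, val = raw.partition(":")
            current.append((key.strip().lower(), val.strip()))
    return objects

def shared_maintainers(text):
    """Map each mnt-by shared by 2+ objects to those objects' first attributes."""
    groups = defaultdict(list)
    for obj in parse_objects(text):
        obj_type, primary = obj[0]
        for key, val in obj:
            if key == "mnt-by":
                groups[val].append(f"{obj_type}:{primary}")
    return {m: ids for m, ids in groups.items() if len(ids) > 1}
```

A shared maintainer is a lead to verify against registry history, not proof of common ownership on its own.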

No evil, really?

The Use Policy of Fineproxy is interesting. While they try to stay away from big spam campaigns and DDoS customers, they openly promote and support tools designed to “spam” forums, such as GSA and Xrumer.

Networks for proxy services

The following list is a sample of the networks used by Fineproxy to enable denial-of-service attacks: no fewer than 160 networks spread across 12 ASNs.

Several companies are used to obtain IP space from RIPE, including companies in the name of Alexei Filippenko (Region40, Blockchain Solutions, Silverstart), Trusov Ilya Igorevych (QualityNetwork OU, IPTransit, Fine Transit OU) and Roman Jevstafjev (UGB Hosting).


New IP space moving from PIN to Region40 and then UGB in Estonia

A good example of how IP space is being moved between organizations can be found in the prefix 193.93.192.0/22.

Alexei Filippenko created the company BTT Group Finance LTD in the UK in November 2018. Soon after, he obtained a pool of IPs from Peterburg International Network (PIN), which he moved into Kaluga Region40 LLC. Two months later, the IPs were transferred to Estonia and announced by UGB Hosting.

The prefix has been detected launching SQL injection attacks, intrusions into HP Openview, and exploitation of CMSs such as Joomla and others.

Transfer of traffic between Region40 LLC and UGB Hosting
# UGB starts to announce
2017-08-02T11:31:00Z 'abuse@ugb.ee' '185.215.184.0/22'
2017-08-02T11:37:41Z '2a0b:ac40::/29' is 'abuse@ugb.ee'

# Fineproxy arrives in 5 months 
2018-03-30T17:42:51Z quality-network.eu 185.251.14.0/23 
2018-03-30T17:44:10Z quality-network.eu 185.251.22.0/23 
2018-03-30T17:44:53Z quality-network.eu 185.251.70.0/23
2018-03-30T17:45:48Z quality-network.eu 185.251.182.0/23
 
2018-04-28T13:43:51Z quality-network.eu 185.252.214.0/23
2018-04-28T13:45:00Z quality-network.eu 185.253.6.0/23
2018-04-28T13:46:07Z quality-network.eu 193.32.86.0/23
2018-04-28T13:46:31Z quality-network.eu 193.32.94.0/23

2018-09-17T06:48:15Z quality-network.eu 81.22.46.0/24
2018-09-17T06:51:28Z quality-network.eu 81.22.47.0/24
2018-09-17T06:52:16Z quality-network.eu 85.202.195.0/24
2018-09-17T06:52:53Z quality-network.eu 91.243.191.0/24
2018-09-17T06:53:25Z quality-network.eu 94.158.23.0/24

# Alexei's IP space moves from PIN -> Region40 -> UGB
2018-12-18T07:45:55Z abuse@pinspb.ru 193.93.192.0/24
2018-12-18T07:45:55Z abuse@pinspb.ru 193.93.193.0/24
2018-12-18T07:45:55Z abuse@pinspb.ru 193.93.194.0/24
2018-12-18T07:45:55Z abuse@pinspb.ru 193.93.195.0/24

2019-01-16T09:17:57Z fitz-isp.uk 91.222.236.0/24
2019-01-16T09:22:03Z fitz-isp.uk 91.222.239.0/24
2019-01-16T09:36:16Z fitz-isp.uk 185.233.187.0/24

The list of LIR providers from which the 160 Fineproxy prefixes come:

      42 org-name:       Petersburg Internet Network ltd.
      26 org-name:       ATOMOHOST LLC
      25 org-name:       Transit Telecom LLC
      11 org-name:       HOSTING TELECOM LTD
       7 org-name:       Intercom LLC
       7 org-name:       Infolink LLC
       6 org-name:       Rustel LLC
       5 org-name:       Mosnet LLC
       4 org-name:       Trusov Ilya Igorevych
       4 org-name:       Telenet LLC
       4 org-name:       Premier Trading Solutions Ltd
       3 org-name:       Quasar LLC
       3 org-name:       Express Courier LLC
       2 org-name:       Ubisky Corp.
       2 org-name:       Transcom LLC
       2 org-name:       Teleport LLC
       2 org-name:       GOLOX LTD
       2 org-name:       Data Agency Inc.
       2 org-name:       Atex LLC
       1 org-name:       Gigabit LLC