Threat Intel Banner


  • The top attacker country was China with 215190 unique attackers (50.50%).
  • The top Trojan C&C server detected was TrickBot with 18 instances detected.
  • The top phishing campaign detected was against Facebook with 107 instances detected.

Microsoft Issues 83 Patches, One for an Actively Exploited Vulnerability

Microsoft has released its first batch of security patches for 2021, with fixes for 83 documented security vulnerabilities, including one critical bug that is being actively exploited and possibly linked to the massive SolarWinds hacks.

Red Piranha's Security Researchers are urging security response personnel to pay special attention to CVE-2021-1647. This is a remote code execution flaw within Microsoft Defender, the organisation's flagship anti-malware product. 

Please note that the bug in the Microsoft Malware Protection Engine may already be patched on your system, as the engine auto-updates as required. However, if your systems are not connected to the internet, you will need to apply the patch manually.
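The following PowerShell check is an added example, not part of the original banner: it reads the engine version reported by Windows Defender's built-in Get-MpComputerStatus cmdlet and compares it against a minimum fixed engine version. The minimum version is a placeholder, since this page does not state it; take the real value from Microsoft's advisory for CVE-2021-1647.

```powershell
# Added example (not from the original banner). Reports the Microsoft Malware
# Protection Engine version on this host and flags hosts whose engine is still
# below the version that carries the CVE-2021-1647 fix, which is what an
# offline (non-auto-updating) host needs a manual update for.
$MinimumFixedEngineVersion = [version]'0.0.0.0'   # PLACEHOLDER: set from the Microsoft advisory

function Test-DefenderEngineFixed {
    param([version]$MinimumVersion = $MinimumFixedEngineVersion)

    # Get-MpComputerStatus is the built-in Defender cmdlet. AMEngineVersion is the
    # Malware Protection Engine version; signature versions are reported separately,
    # so an up-to-date signature set does not by itself prove the engine was updated.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        EngineVersion         = $engine
        SignatureVersion      = $status.AntivirusSignatureVersion
        SignatureAgeDays      = $status.AntivirusSignatureAge
        SignatureLastUpdated  = $status.AntivirusSignatureLastUpdated
        EngineFixed           = ($engine -ge $MinimumVersion)
    }
}

$result = Test-DefenderEngineFixed
$result | Format-List

if (-not $result.EngineFixed) {
    Write-Warning ("Engine {0} is below the minimum fixed version {1}; " -f $result.EngineVersion, $MinimumFixedEngineVersion) +
                  "on hosts without internet access, install the engine update package manually."
}
```

Run it across an offline fleet with Invoke-Command to collect the EngineFixed field per host.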

   Top Attackers By Country

Country          Occurrences   Percentage
China                 215190       50.50%
United States         122446       28.73%
Canada                 28778        6.75%
Russia                 17113        4.01%
Vietnam                11021        2.58%
India                   7801        1.83%
France                  4112        0.96%
Brazil                  3765        0.88%
Thailand                3425        0.80%
Belize                  2894        0.67%
Isle of Man             2225        0.52%
Italy                   2061        0.48%
Kenya                   2029        0.47%
Sweden                  1894        0.44%
Thailand                 665        0.15%
Netherlands              651        0.15%

   [Chart: Top Attackers By Country, with segments for China, United States, Canada, Russia, Vietnam and Other]

   [Map: Threat Geo-location]

   Top Attacking Hosts

Host addresses are not present in this extract; the occurrence counts recorded for the top hosts were, in order:
62933, 14007, 10042, 8783, 8763, 6694, 6170, 4700, 3863, 3441, 2549, 2541, 2530, 2355, 2225

   [Chart: Top Attackers]

   Top Network Attackers

ASN      Country       Name
4134     China         CHINANET-BACKBONE No.31,Jin-rong Street, CN
202425   Netherlands   INT-NETWORK, SC
49505    Russia        SELECTEL, RU
4837     China         CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
12876    France        Online SAS, FR
212370   Netherlands   PEENQ, NL
45899    Vietnam       VNPT-AS-VN VNPT Corp, VN
42237    Sweden        ICME, IM

   Remote Access Trojan C&C Servers Found

Name           Number Discovered   Location
Amadey          2
Anubis          2
Azorult         2
BlackNet        3
CobaltStrike    1
DiamondFox      4
Heodo          11
Loader          1
Lokibot         1
Nexus           2
Predator        3
SmokeLoader     1
Trickbot       18
Unknown         2                  brdjbk4daam647jak4vf4ue7xtg5flympsujyup2xbci2npxrjxgujyd.onion
Zloader         1
zTDS            1

Server locations other than the single Tor address above were not included in this extract.

   [Chart: Trojan C&C Servers Detected, with segments for Amadey, Anubis, Azorult, BlackNet, DiamondFox, Heodo, Nexus, Predator, TrickBot, Unknown and Other]

   Common Malware

MD5                                FileName                                                                        Claimed Product       Detection Name
8c80dd97c37525927c1e549cb59bcbf3   Eternalblue-2.2.0.exe                                                           N/A
eb20ca63dc3badc1a48072d33bd6428b   1 Total New Invoices-Monday December 14 2020.xlsm                               N/A                   W32.2C36CB4E17-90.SBX.TG
8193b63313019b614d5be721c538486b   SAService.exe                                                                   SAService
7e36752d274e61b9f2b0ee43200fe36d   Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe   WebNavigatorBrowser   W32.48C6324412-95.SBX.TG
552299482ffa389321df9b05740c1b92   webnavigatorbrowser.exe                                                         WebNavigatorBrowser   W32.763D0F405C-100.SBX.VIOC

(The VirusTotal link column of the original table is not reproduced here.)

   Top Phishing Campaigns

Phishing Target   Count
Other               939
Facebook            107
Google               11
PayPal               14
Special               3
Rakuten            2 21
Adobe                 7
VKontakte             2
Microsoft             8
VirusTotal            8
Docusign              2
RuneScape             1
Halifax               5
Netflix               2
EE                    1
Caixa                 6
UniCredit             1
Bradesco              1
Binance               1
Vodafone              3
Allegro               1

   CVEs with Recently Discovered Exploits

     This is a list of recent vulnerabilities for which exploits are available. Each entry gives the title, the vendor description, the CVSS v3.1 base score with its vector, and the dates the entry was created and last updated.

Microsoft Kerberos Security Feature Bypass Vulnerability
  Description: A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines whether a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
  CVSS v3.1 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Date Created: 11/11/2020   Date Updated: 11/23/2020

Apache Struts OGNL Remote Code Execution Vulnerability
  Description: A vulnerability exists in the "forced OGNL evaluation on raw user input in tag attributes" of Apache Struts. Due to insufficient validation of user input in the OGNL evaluation functionality, an unauthenticated user can exploit this flaw, leading to remote code execution.
  CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Date Created: 12/10/2020   Date Updated: 12/24/2020

Microsoft Windows SMB Information Disclosure Vulnerability
  Description: Microsoft Windows is exposed to an SMB information disclosure vulnerability; an attacker who successfully exploits it can read the contents of kernel memory from a user mode process. In a network-based attack, an authenticated attacker would need to open a specific file with a captured oplock lease, then perform repeated specific modifications to that file.
  CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
  Date Created: 12/09/2020   Date Updated: 12/11/2020

Microsoft Exchange Information Disclosure Vulnerability
  Description: Microsoft Exchange Server is exposed to an information disclosure vulnerability; an attacker who successfully exploits it could obtain sensitive information.
  CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Date Created: 12/09/2020   Date Updated: 12/11/2020

VMware Workspace One Access Command Injection Vulnerability
  Description: VMware Workspace One Access is exposed to a command injection vulnerability in the administrative configurator that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.
  CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Date Created: 11/23/2020   Date Updated: 12/10/2020

containerd Privilege Escalation Vulnerability
  Description: The containerd-shim API is improperly exposed to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.
  CVSS v3.1 Base Score: 5.2 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
  Date Created: 11/30/2020   Date Updated: 12/09/2020

XStream Server-Side Request Forgery Vulnerability
  Description: A Server-Side Request Forgery vulnerability exists in XStream that can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, solely by manipulating the processed input stream.
  CVSS v3.1 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
  Date Created: 12/15/2020   Date Updated: 01/08/2021

Date Published: January 14, 2021