Thursday, January 14, 2021


   
   Trends

  • The top attacker country was China with 215190 unique attackers (50.50%).
  • The top Trojan C&C family detected was TrickBot, with 18 instances.
  • The top phishing campaign detected targeted Facebook, with 107 instances.

Microsoft Issues 83 Patches, One for an Actively Exploited Vulnerability

Microsoft has released its first batch of security patches for 2021, with fixes for 83 documented security vulnerabilities, including one critical bug that is being actively exploited and is possibly linked to the massive SolarWinds hacks.

Red Piranha's Security Researchers are urging security response personnel to pay special attention to CVE-2021-1647. This is a remote code execution flaw in Microsoft Defender, Microsoft's flagship anti-malware product.

Please note, the bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as required. However, if your systems are not connected to the internet, you will need to apply the patch manually. 
 

   Top Attackers By Country

| Country | Occurrences | Percentage |
|---|---|---|
| China | 215190 | 50.50% |
| United States | 122446 | 28.73% |
| Canada | 28778 | 6.75% |
| Russia | 17113 | 4.01% |
| Vietnam | 11021 | 2.58% |
| India | 7801 | 1.83% |
| France | 4112 | 0.96% |
| Brazil | 3765 | 0.88% |
| Thailand | 3425 | 0.80% |
| Belize | 2894 | 0.67% |
| Isle of Man | 2225 | 0.52% |
| Italy | 2061 | 0.48% |
| Kenya | 2029 | 0.47% |
| Sweden | 1894 | 0.44% |
| Thailand | 665 | 0.15% |
| Netherlands | 651 | 0.15% |


   Threat Geo-location


   Top Attacking Hosts




   Top Network Attackers

| ASN | Country | Name |
|---|---|---|
| 4134 | China | CHINANET-BACKBONE No.31, Jin-rong Street, CN |
| 202425 | Netherlands | INT-NETWORK, SC |
| 49505 | Russia | SELECTEL, RU |
| 4837 | China | CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN |
| 46475 | United States | LIMESTONENETWORKS, US |
| 12876 | France | Online SAS, FR |
| 212370 | Netherlands | PEENQ, NL |
| 45899 | Vietnam | VNPT-AS-VN VNPT Corp, VN |
| 42237 | Sweden | ICME, IM |

   Remote Access Trojan C&C Servers Found

| Name | Number Discovered | Location |
|---|---|---|
| Amadey | 2 | 8.208.90.28, 91.203.192.199 |
| Anubis | 2 | 45.141.86.67, 45.143.137.28 |
| Azorult | 2 | 103.83.81.17, 88.98.24.67 |
| BlackNet | 3 | 185.239.236.74, 40.87.40.177, 64.225.31.236 |
| CobaltStrike | 1 | 8.208.12.69 |
| DiamondFox | 4 | 165.22.30.153, 168.235.67.97, 213.159.203.232, 47.254.149.61 |
| Heodo | 11 | 125.0.215.60, 152.170.79.100, 173.70.61.180, 186.147.237.3, 190.247.139.101, 201.143.224.27, 5.2.136.90, 59.21.235.119, 66.57.108.14, 82.48.39.246, 90.160.138.175 |
| Loader | 1 | 45.141.84.187 |
| Lokibot | 1 | 213.159.212.148 |
| Nexus | 2 | 141.8.192.151, 87.236.16.62 |
| Predator | 3 | 141.8.193.236, 185.50.25.27, 185.50.25.51 |
| SmokeLoader | 1 | 5.61.35.193 |
| Trickbot | 18 | 107.152.46.188, 107.172.188.113, 158.51.96.31, 185.198.59.45, 198.144.191.144, 198.44.97.143, 198.46.198.115, 198.46.198.116, 34.209.40.84, 45.14.226.101, 45.155.173.248, 45.83.151.103, 45.89.125.214, 52.90.110.55, 54.184.178.68, 64.74.160.218, 64.74.160.228, 66.70.246.0 |
| Unknown | 2 | 8.208.24.255, brdjbk4daam647jak4vf4ue7xtg5flympsujyup2xbci2npxrjxgujyd.onion |
| Zloader | 1 | 185.240.102.113 |
| zTDS | 1 | 45.150.206.246 |



   Common Malware

| MD5 | VirusTotal | FileName | Claimed Product | Detection Name |
|---|---|---|---|---|
| 8c80dd97c37525927c1e549cb59bcbf3 | https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection | Eternalblue-2.2.0.exe | N/A | Win.Exploit.Shadowbrokers::5A5226262.auto.talos |
| eb20ca63dc3badc1a48072d33bd6428b | https://www.virustotal.com/gui/file/2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5/details | 1 Total New Invoices-Monday December 14 2020.xlsm | N/A | W32.2C36CB4E17-90.SBX.TG |
| 8193b63313019b614d5be721c538486b | https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details | SAService.exe | SAService | PUA.Win.Dropper.Segurazo::95.sbx.tg |
| 7e36752d274e61b9f2b0ee43200fe36d | https://www.virustotal.com/gui/file/4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01/details | Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe | WebNavigatorBrowser | W32.48C6324412-95.SBX.TG |
| 552299482ffa389321df9b05740c1b92 | https://www.virustotal.com/gui/file/763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a/details | webnavigatorbrowser.exe | WebNavigatorBrowser | W32.763D0F405C-100.SBX.VIOC |

   Top Phishing Campaigns

| Phishing Target | Count |
|---|---|
| Other | 939 |
| Facebook | 107 |
| Google | 11 |
| PayPal | 14 |
| Special | 3 |
| Rakuten | 2 |
| Amazon.com | 21 |
| Adobe | 7 |
| DHL | 3 |
| VKontakte | 2 |
| Microsoft | 8 |
| VirusTotal | 8 |
| Docusign | 2 |
| RuneScape | 1 |
| Halifax | 5 |
| Netflix | 2 |
| EE | 1 |
| Caixa | 6 |
| UniCredit | 1 |
| Bradesco | 1 |
| Binance | 1 |
| Vodafone | 3 |
| Allegro | 1 |

   CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry gives: CVE | Title | Vendor | Description | CVSS v3.1 Base Score | Date Created | Date Updated

CVE-2020-17049

Microsoft Kerberos Security Feature Bypass Vulnerability

Microsoft

A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines whether a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

CVSS v3.1 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | Date Created: 11/11/2020 | Date Updated: 11/23/2020

CVE-2020-17530

Apache Struts OGNL Remote Code Execution Vulnerability

Apache

A vulnerability exists in the "forced OGNL evaluation on raw user input in tag attributes" of Apache Struts. Due to insufficient validation of user input in the OGNL evaluation functionality, an unauthenticated user can exploit this flaw to achieve remote code execution.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Date Created: 12/10/2020 | Date Updated: 12/24/2020

CVE-2020-17140

Microsoft Windows SMB Information Disclosure Vulnerability

Microsoft

Microsoft Windows is exposed to an SMB information disclosure vulnerability that an attacker can exploit to access the contents of kernel memory. An attacker could read the contents of kernel memory from a user-mode process. In a network-based attack, an authenticated attacker would need to open a specific file with a captured oplock lease, then perform repeated specific modifications to that file.

CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) | Date Created: 12/09/2020 | Date Updated: 12/11/2020

CVE-2020-17143

Microsoft Exchange Information Disclosure Vulnerability

Microsoft

Microsoft Exchange Server is exposed to an information disclosure vulnerability; an attacker who successfully exploited it could obtain sensitive information.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Date Created: 12/09/2020 | Date Updated: 12/11/2020

CVE-2020-4006

VMware Workspace One Access Command Injection Vulnerability

VMware

VMware Workspace One Access is exposed to a command injection vulnerability in the administrative configurator that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.

CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | Date Created: 11/23/2020 | Date Updated: 12/10/2020

CVE-2020-15257

containerd Privilege Escalation Vulnerability

Multi-Vendor

The containerd-shim API is improperly exposed to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

CVSS v3.1 Base Score: 5.2 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) | Date Created: 11/30/2020 | Date Updated: 12/09/2020

CVE-2020-26258

XStream Server-Side Request Forgery Vulnerability

Multi-Vendor

A Server-Side Request Forgery vulnerability exists in XStream that can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, merely by manipulating the processed input stream.

CVSS v3.1 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) | Date Created: 12/15/2020 | Date Updated: 01/08/2021