Threat Intel Banner

   
   Trends

  • The top attacker country was Canada with 78078 unique attackers (36.23%).
  • The top Trojan C&C server detected was Collector with 6 instances detected.
  • The top phishing campaign detected was against Facebook with 36 instances detected.


   Top Attackers By Country

Country          Occurrences   Percentage
Canada           78078         36.23%
United States    55177         25.60%
China            42482         19.71%
Russia           13245          6.15%
Brazil            4117          1.91%
India             3127          1.45%
Indonesia         2729          1.27%
Vietnam           2560          1.19%
South Korea       2235          1.04%
France            2169          1.01%
Honduras          2078          0.96%
Hong Kong         2013          0.93%
Singapore         1700          0.79%
Egypt             1251          0.58%
Thailand          1197          0.56%
Belize             772          0.36%
Tunisia            568          0.26%

[Pie chart: Top Attackers by Country; slices Canada 36.2%, United States 25.6%, China 19.7%, Russia, Other 12.3%; underlying data is the table above]

   
   Threat Geo-location

[Map: Threat Geo-location; colour scale from 568 to 78,078 attackers per country]

   
   Top Attacking Hosts



   Top Network Attackers

ASN      Country          Name
5607     United Kingdom   BSKYB-BROADBAND-AS, GB
4134     China            CHINANET-BACKBONE No.31,Jin-rong Street, CN
46475    United States    LIMESTONENETWORKS, US
49505    Russia           SELECTEL, RU
26599    Brazil           TELEFONICA BRASIL S.A, BR
27884    Honduras         CABLECOLOR S.A., HN
7713     Indonesia        TELKOMNET-AS-AP PT Telekomunikasi Indonesia, ID
133720   India            SOFTCALLCOC-AS SOFT CALL CUST-O-CARE PRIVATE LIMITED, IN
53667    United States    PONYNET, US
45899    Vietnam          VNPT-AS-VN VNPT Corp, VN
23969    Thailand         TOT-NET TOT Public Company Limited, TH
8452     Egypt            TE-AS TE-AS, EG
45090    China            CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN


   Remote Access Trojan C&C Servers Found

Name          Number Discovered   Location
AgentTesla    4                   103.133.105.179, 103.151.125.220, 172.96.185.195, 185.55.225.19
Amadey        2                   185.215.113.118, 31.192.105.20
Azorult       1                   45.87.81.117
Cerberus      1                   185.215.113.25
CobaltStrike  1                   194.26.29.202
Collector     6                   141.8.192.151, 141.8.193.236, 185.114.247.102, 195.161.41.50, 81.91.178.23, 95.142.37.63
DiamondFox    2                   103.245.19.107, 5.206.224.22
DT-Stealer    1                   145.14.145.74
Godzilla      1                   185.215.113.77
Lokibot       5                   104.21.48.181, 172.67.155.186, 172.67.222.40, 203.159.80.209, 45.252.248.59
Oski          4                   209.141.61.124, 31.210.20.5, 31.210.21.193, 45.144.225.201
Predator      1                   141.8.192.151
Qudox         1                   141.8.192.169
Sh1zo1der     1                   178.47.141.153

[Pie chart: Trojan C&C Servers Detected, one slice per family; underlying counts are the "Number Discovered" column of the table above]

    
   Common Malware

MD5:              9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal:       https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
File Name:        ww31.exe
Claimed Product:  N/A
Detection Name:   W32.GenericKD:Attribute.24ch.1201

MD5:              8193b63313019b614d5be721c538486b
VirusTotal:       https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
File Name:        SAService.exe
Claimed Product:  SAService
Detection Name:   PUA.Win.Dropper.Segurazo::95.sbx.tg

MD5:              34560233e751b7e95f155b6f61e7419a
VirusTotal:       https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
File Name:        SAntivirusService.exe
Claimed Product:  A n t i v i r u s S e r v i c e
Detection Name:   PUA.Win.Dropper.Segurazo::tpd

MD5:              8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:       https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
File Name:        Eternalblue-2.2.0.exe
Claimed Product:  N/A
Detection Name:   Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5:              0a13d106fa3997a0c911edd5aa0e147a
VirusTotal:       https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details
File Name:        mg20201223-1.exe
Claimed Product:  N/A
Detection Name:   RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos


   Top Phishing Campaigns

Phishing Target   Count
Other             1298
Facebook          36
PayPal            12
Instagram         1
Itau              2
RuneScape         2
Steam             20
Google            1
Amazon.com        6
Hermes            2
Vodafone          1
Rakuten           1
Allegro           1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry lists the CVE, title, vendor, description, CVSS v3.1 base score, date created and date updated.

CVE-2020-17510
Title: Authentication Bypass Vulnerability in Apache Shiro
Vendor: Apache
Description: Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 11/05/2021
Date Updated: 05/04/2021

CVE-2020-13942
Title: Code Injection Vulnerability in Apache Unomi
Vendor: Apache
Description: It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1, but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 11/24/2021
Date Updated: 05/05/2021

CVE-2020-24636
Title: Remote Code Execution Vulnerability in Aruba IAP
Vendor: Aruba Networks
Description: A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/29/2021
Date Updated: 05/11/2021

CVE-2021-30642
Title: Input Validation Vulnerability in Symantec Security Analytics
Vendor: Symantec
Description: An input validation flaw in the Symantec Security Analytics web UI 7.2 prior to 7.2.7, 8.1 prior to 8.1.3-NSR3, 8.2 prior to 8.2.1-NSR2, or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/27/2021
Date Updated: 05/07/2021

CVE-2020-18020
Title: SQL Injection Vulnerability in PHPSHE Mall System
Vendor: PHPSHE
Description: SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user phone" parameter of a crafted HTTP request to the "admin.php" component.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/28/2021
Date Updated: 05/05/2021

CVE-2021-29145
Title: Weak Authentication Vulnerability in Dell EMC Firmware
Vendor: Dell EMC
Description: Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with the privileges of the compromised account.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/30/2021
Date Updated: 05/10/2021

CVE-2021-21507
Title: SSRF RCE in Aruba Policy Manager
Vendor: Aruba Networks
Description: A remote server-side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/29/2021
Date Updated: 05/10/2021