Threat Intel Banner

   
   Trends

  • The top attacker country was Canada with 78078 unique attackers (36.23%).
  • The top Trojan C&C server detected was Collector with 6 instances detected.
  • The top phishing campaign detected was against Facebook with 36 instances detected.


   Top Attackers By Country

Country Occurrences Percentage
Canada 78078 36.23%
United States 55177 25.60%
China 42482 19.71%
Russia 13245 6.15%
Brazil 4117 1.91%
India 3127 1.45%
Indonesia 2729 1.27%
Vietnam 2560 1.19%
South Korea 2235 1.04%
France 2169 1.01%
Honduras 2078 0.96%
Hong Kong 2013 0.93%
Singapore 1700 0.79%
Egypt 1251 0.58%
Thailand 1197 0.56%
Belize 772 0.36%
Tunisia 568 0.26%
 
[Pie chart: Top Attackers by Country; labelled slices Canada 36.2%, United States 25.6%, China 19.7%, Other 12.3%; the per-country counts are those in the table above]

   
   Threat Geo-location

[Map: threat geo-location by country; colour scale runs from 568 (Tunisia) to 78,078 (Canada) attackers, as in the table above]

   
   Top Attacking Hosts

Host Occurrences
94.12.69.32 18679
61.177.173.17 18670
63.143.42.242 3658
115.85.129.125 3102
45.146.164.235 2624
179.84.126.82 2340
195.54.161.152 2213
201.220.128.85 2078
125.167.180.9 1999
61.177.173.24 1808
103.248.31.50 1687
101.180.27.194 1536
209.141.45.127 1459
61.177.173.3 1322
14.169.10.193 1284
125.26.183.11 1197
41.34.167.66 1191
134.175.126.108 1078
69.162.124.234 1055


   Top Network Attackers

ASN Country Name
5607 United Kingdom BSKYB-BROADBAND-AS, GB
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
46475 United States LIMESTONENETWORKS, US
49505 Russia SELECTEL, RU
26599 Brazil TELEFONICA BRASIL S.A, BR
27884 Honduras CABLECOLOR S.A., HN
7713 Indonesia TELKOMNET-AS-AP PT Telekomunikasi Indonesia, ID
133720 India SOFTCALLCOC-AS SOFT CALL CUST-O-CARE PRIVATE LIMITED, IN
53667 United States PONYNET, US
45899 Vietnam VNPT-AS-VN VNPT Corp, VN
23969 Thailand TOT-NET TOT Public Company Limited, TH
8452 Egypt TE-AS TE-AS, EG
45090 China CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 4 103.133.105.179 , 103.151.125.220 , 172.96.185.195 , 185.55.225.19
Amadey 2 185.215.113.118 , 31.192.105.20
Azorult 1 45.87.81.117
Cerberus 1 185.215.113.25
CobaltStrike 1 194.26.29.202
Collector 6 141.8.192.151 , 141.8.193.236 , 185.114.247.102 , 195.161.41.50 , 81.91.178.23 , 95.142.37.63
DiamondFox 2 103.245.19.107 , 5.206.224.22
DT-Stealer 1 145.14.145.74
Godzilla 1 185.215.113.77
Lokibot 5 104.21.48.181 , 172.67.155.186 , 172.67.222.40 , 203.159.80.209 , 45.252.248.59
Oski 4 209.141.61.124 , 31.210.20.5 , 31.210.21.193 , 45.144.225.201
Predator 1 141.8.192.151
Qudox 1 141.8.192.169
Sh1zo1der 1 178.47.141.153
 
[Pie chart: Trojan C&C Servers Detected, by family; 31 servers in total: Collector 19.4%, Lokibot 16.1%, AgentTesla 12.9%, Oski 12.9%, Amadey 6.5%, DiamondFox 6.5%, and one server (3.2%) each for Azorult, Cerberus, CobaltStrike, DT-Stealer, Godzilla, Predator, Qudox and Sh1zo1der]
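The C&C table above is only useful once it is run against your own telemetry. The Python below is an added example, not part of the original banner: it parses the rows exactly as printed above (name, count, comma-separated addresses), cross-checks the count column against the addresses actually listed, and sweeps a handful of firewall log lines for exact destination-IP matches. The indicator rows are copied from the table; the key=value log format, the log lines and the function names (`parse_cc_table`, `sweep`, `banner_hits`) are constructed for this example.

```python
"""Sweep connection logs for the C&C addresses in the banner's table.

Added example. The indicator rows are copied from the table above; the log
format and the sample log lines are constructed for illustration only.
"""
import ipaddress
import re
from collections import defaultdict

# Rows copied verbatim from "Remote Access Trojan C&C Servers Found".
CC_TABLE = """\
AgentTesla 4 103.133.105.179 , 103.151.125.220 , 172.96.185.195 , 185.55.225.19
Amadey 2 185.215.113.118 , 31.192.105.20
Azorult 1 45.87.81.117
Cerberus 1 185.215.113.25
CobaltStrike 1 194.26.29.202
Collector 6 141.8.192.151 , 141.8.193.236 , 185.114.247.102 , 195.161.41.50 , 81.91.178.23 , 95.142.37.63
DiamondFox 2 103.245.19.107 , 5.206.224.22
DT-Stealer 1 145.14.145.74
Godzilla 1 185.215.113.77
Lokibot 5 104.21.48.181 , 172.67.155.186 , 172.67.222.40 , 203.159.80.209 , 45.252.248.59
Oski 4 209.141.61.124 , 31.210.20.5 , 31.210.21.193 , 45.144.225.201
Predator 1 141.8.192.151
Qudox 1 141.8.192.169
Sh1zo1der 1 178.47.141.153
"""

# Constructed firewall log lines (key=value style, not a real product's format).
# 185.215.113.11 is a deliberate near-miss: it is a prefix of a listed C&C
# address but is not itself listed, so it must not match.
SAMPLE_LOG = """\
2021-05-18T09:12:01Z src=10.1.4.22 dst=141.8.192.151 dport=80 action=allow
2021-05-18T09:12:05Z src=10.1.4.22 dst=203.0.113.5 dport=443 action=allow
2021-05-18T09:13:40Z src=10.1.7.9 dst=185.215.113.118 dport=443 action=allow
2021-05-18T09:14:02Z src=10.1.7.9 dst=185.215.113.11 dport=443 action=allow
2021-05-18T09:15:11Z src=10.1.9.3 dst=178.47.141.153 dport=8080 action=deny
"""

_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
_SRC = re.compile(r"\bsrc=(\S+)")


def parse_cc_table(text):
    """Map each C&C address to the set of families it is reported for.

    One address can appear under more than one family (141.8.192.151 is
    listed for both Collector and Predator), so the value is a set. The
    count column is checked against the addresses present on the row so a
    truncated or mis-pasted row is caught instead of silently shrinking
    the blocklist.
    """
    families = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, count, rest = line.split(None, 2)
        ips = [ip.strip() for ip in rest.split(",")]
        if len(ips) != int(count):
            raise ValueError(f"{name}: row claims {count} servers but lists {len(ips)}")
        for ip in ips:
            # ip_address() rejects malformed entries and canonicalises the text.
            families[str(ipaddress.ip_address(ip))].add(name)
    return dict(families)


def sweep(log_text, indicators):
    """Return (src, dst, families) for every log line whose destination is a
    listed C&C address. The destination field is extracted first and compared
    exactly; a substring search over the whole line would also fire on the
    near-miss 185.215.113.11 above."""
    hits = []
    for line in log_text.splitlines():
        dst_m = _DST.search(line)
        if not dst_m:
            continue
        dst = dst_m.group(1)
        if dst in indicators:
            src_m = _SRC.search(line)
            src = src_m.group(1) if src_m else "?"
            hits.append((src, dst, sorted(indicators[dst])))
    return hits


def banner_hits():
    """Run the sweep with the banner's indicators over the sample log."""
    return sweep(SAMPLE_LOG, parse_cc_table(CC_TABLE))


if __name__ == "__main__":
    for src, dst, fams in banner_hits():
        print(f"{src} -> {dst}  C&C for: {', '.join(fams)}")
```

Because the same address can carry two family labels, treat the family name as context for triage rather than as a definitive attribution; the match itself is what should drive the block or the ticket.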

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos
0a13d106fa3997a0c911edd5aa0e147a https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details mg20201223-1.exe N/A RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos


   Top Phishing Campaigns

Phishing Target Count
Other 1298
Facebook 36
PayPal 12
Instagram 1
Itau 2
RuneScape 2
Steam 20
Google 1
Amazon.com 6
Hermes 2
Vodafone 1
Rakuten 1
Allegro 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE / Title / Vendor / Description / CVSS v3.1 Base Score (vector) / Date Created / Date Updated

CVE-2020-17510

Authentication Bypass Vulnerability in Apache Shiro

Apache

In Apache Shiro before 1.7.0, when Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 11/05/2020 05/04/2021

CVE-2020-13942

Code Injection Vulnerability in Apache Unomi

Apache

It is possible to inject malicious OGNL or MVEL scripts into the public /context.json endpoint. This was partially fixed in 1.5.1, but a new attack vector was found; in Apache Unomi 1.5.2 scripts are now completely filtered from the input. Upgrading to the latest available 1.5.x release is strongly recommended. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 11/24/2020 05/05/2021

CVE-2020-24636

Remote Code Execution Vulnerability in Aruba IAP

Aruba Networks

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 03/29/2021 05/11/2021

CVE-2021-30642

Input Validation Vulnerability in Symantec Security Analytics

Symantec

An input validation flaw in the Symantec Security Analytics web UI (7.2 prior to 7.2.7; 8.1 prior to 8.1.3-NSR3; 8.2 prior to 8.2.1-NSR2 or 8.2.2) allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/27/2021 05/07/2021

CVE-2020-18020

SQL Injection Vulnerability in PHPSHE Mall System

PHPSHE

SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user phone" parameter of a crafted HTTP request to the "admin.php" component. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/28/2021 05/05/2021

CVE-2021-21507

Weak Password Encryption Vulnerability in Dell EMC Networking Firmware

Dell EMC

Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with the privileges of the compromised account. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/30/2021 05/10/2021

CVE-2021-29145

SSRF RCE in Aruba ClearPass Policy Manager

Aruba Networks

A remote server-side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager versions prior to 6.9.5, 6.8.9 and 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/29/2021 05/10/2021
Date Published: May 20, 2021