Threat Intel Banner

   Trends

  • The top attacker country was Russia with 212386 unique attackers (33.96%).
  • The top Trojan C&C server detected was Lokibot with 14 instances detected.
  • The top phishing campaign detected was against Facebook with 46 instances detected.


   Top Attackers By Country

Country Occurrences Percentage
Russia 212386 33.96%
China 175371 28.04%
United States 88293 14.12%
India 70907 11.34%
Brazil 12172 1.95%
Indonesia 11665 1.87%
Germany 8981 1.44%
Vietnam 8458 1.35%
Canada 7756 1.24%
Hong Kong 7081 1.13%
Seychelles 5815 0%
Nigeria 4013 0%
Belize 3472 0%
Thailand 2806 0%
Isle of Man 2162 0%
Cambodia 2072 0%
Azerbaijan 2034 0%
Chart: Top Attackers by Country (pie chart of the table above; slices for Russia, China, United States, India and Other).

   
   Threat Geo-location

Map: attack origins by country (colour scale from 2,034 to 212,386 attackers).


   Top Network Attackers

ASN Country Name
47981 Netherlands FOPSERVER, UA
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
49505 Russia SELECTEL, RU
212283 Bulgaria ROZA-AS, BG
5089 United Kingdom NTL, GB
202425 Netherlands INT-NETWORK, SC
24940 Finland HETZNER-AS, DE
50113 Russia SUPERSERVERSDATACENTER, CZ
133647 India ELXIREDATA-AS-IN ELXIRE DATA SERVICES PVT. LTD., IN
131476 Australia FUSIONBB-AU 10/50 Market St, AU
213371 Netherlands SQUITTER-NETWORKS, NL


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 6 103.133.105.179 , 193.56.29.110 , 66.198.240.47 , 67.20.61.67 , 95.181.164.213 , 96.127.138.234
Amadey 1 185.215.113.28
Azorult 4 140.82.13.202 , 149.28.226.192 , 173.230.150.192 , 27.122.57.229
BlackNet 6 145.14.145.167 , 145.14.145.90 , 172.67.213.209 , 185.239.243.112 , 52.240.152.251 , 62.221.252.239
CobaltStrike 10 101.32.209.205 , 13.49.66.227 , 144.48.220.43 , 185.10.68.203 , 185.14.29.184 , 185.14.29.41 , 195.123.209.221 , 3.233.224.182 , 37.120.222.73 , 47.243.44.143
DiamondFox 4 176.111.174.118 , 176.111.174.123 , 213.159.203.232 , 92.63.97.22
KeitaroTDS 2 188.119.112.9 , 193.38.54.145
Kpot 1 162.0.219.161
LiteHTTP 1 217.28.222.80
Lokibot 14 104.168.140.79 , 108.167.188.182 , 185.209.1.110 , 192.185.113.23 , 203.159.80.29 , 27.122.57.229 , 31.210.20.71 , 34.65.83.88 , 34.75.102.212 , 5.180.186.227 , 5.2.75.32 , 74.119.195.169 , 8.209.69.174 , b2bseller.ga
Oski 6 104.168.138.96 , 45.144.225.118 , 45.85.90.220 , 45.85.90.86 , 95.217.40.222 , f0xnet.tk
Pony 1 110.5.109.60
Redirected 1 176.111.174.61
Redline 10 109.234.35.198 , 178.157.91.38 , 193.124.112.206 , 213.183.41.60 , 3.81.114.252 , 45.133.235.227 , 45.142.214.163 , 94.103.86.26 , 95.217.124.100 , heniav.xyz
Saint 1 31.210.20.4
Seth 1 35.199.126.54
Taurus 1 8.209.110.86
Chart: Trojan C&C Servers Detected, by family (pie chart of the counts in the table above).

   
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
96f8e4e2d643568cf242ff40d537cd85 https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details SAService.exe SAService PUA.Win.File.Segurazo::95.sbx.tg
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe AntivirusService PUA.Win.Dropper.Segurazo::tpd
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos


   Top Phishing Campaigns

Phishing Target Count
Facebook 46
Other 1325
Microsoft 7
PayPal 12
RuneScape 8
LinkedIn 2
Caixa 3
Adobe 1
Amazon.com 20
MyEtherWallet 2
Playfish 1
Nets 1
Vodafone 5
Halifax 1
DHL 3
WeTransfer 4
Allegro 1
VKontakte 1
Special 1
Netflix 1
TSB 1


    CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available. Each entry gives the CVE identifier, title, vendor, description, CVSS v3.1 base score with its vector, and the dates the entry was created and last updated.

CVE-2021-30177
Title: SQL Injection Vulnerability in PHPNuke
Vendor: PHPNuke
Description: There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/07/2021
Date Updated: 04/13/2021

CVE-2021-28925
Title: SQL Injection Vulnerability in Nagios
Vendor: Nagios
Description: SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/08/2021
Date Updated: 04/13/2021

CVE-2021-24175
Title: Authentication Bypass Vulnerability in Posimyth WP Plugin
Vendor: Posimyth
Description: The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by providing only the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/05/2021
Date Updated: 04/09/2021

CVE-2021-1871
Title: Remote Code Execution Vulnerability in macOS Big Sur
Vendor: Apple
Description: A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/02/2021
Date Updated: 04/12/2021

CVE-2020-17523
Title: Authentication Bypass Vulnerability in Apache Shiro
Vendor: Apache
Description: In Apache Shiro before 1.7.1, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 02/03/2021
Date Updated: 04/12/2021

CVE-2021-22986
Title: Remote Code Execution Vulnerability in F5 BIG-IP system
Vendor: F5
Description: This vulnerability allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/31/2021
Date Updated: 04/05/2021

CVE-2021-21983
Title: Privilege Escalation Vulnerability in VMware vRealize
Vendor: VMware
Description: An arbitrary file write vulnerability in the vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.
CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
Date Created: 03/31/2021
Date Updated: 04/05/2021

Date Published: April 21, 2021