Trends

  • The top attacker country was China with 299392 unique attackers (45.50%).
  • The top Trojan C&C server detected was Heodo with 49 instances detected.
  • The top phishing campaign detected was against Halifax accounts with 75 instances detected.


Top Attackers By Country

Country           Occurrences   Percentage
China             299,392       45.50%
Russia            162,190       24.65%
United States      84,822       12.89%
Netherlands        23,601        3.58%
Chile              22,514        3.42%
Germany            11,967        1.81%
United Kingdom     10,025        1.52%
France              9,616        1.46%
Philippines         6,324        0.96%
Canada              5,511        0.83%
Romania             4,492        0.68%
Estonia             4,136        0.62%
Brazil              3,816        0.58%
Cambodia            3,015        0.45%
Vietnam             2,863        0.43%
Taiwan              2,100        0.31%
Ukraine             1,573        0.23%
[Pie chart: Top Attackers by Country. Legend: China 45.5%, Russia 24.7%, United States 12.9%, Netherlands, Chile, Other 9.9%. The chart plots the same per-country counts as the table above.]


Threat Geo-location

[Map: Threat Geo-location, attacks per country on a colour scale from 1,573 (Ukraine) to 299,392 (China).]


Top Attacking Hosts

Host               Occurrences
49.88.112.68       76,423
218.92.0.204       51,203
218.92.0.210       23,201
218.92.0.190       10,518
94.102.51.29        7,622
183.201.252.68      5,904
45.146.167.208      4,855
185.193.90.222      4,780
185.193.90.182      4,768
185.193.90.38       4,748
185.193.90.170      4,733
185.193.90.246      4,733
185.193.90.26       4,700
185.193.90.226      4,693
185.193.90.218      4,685
[Bar chart: Top Attackers, occurrences per host on a 0 to 100,000 scale; the bars plot the same host counts as the table above.]


Top Network Attackers

ASN      Country        Name
4134     China          CHINANET-BACKBONE No.31,Jin-rong Street, CN
202425   Netherlands    INT-NETWORK, SC
132510   China          SHANXIMCC-IDC IDC ShanXi China Mobile communications corporation, CN
49505    Russia         SELECTEL, RU
204428   Netherlands    SS-NET, BG


Remote Access Trojan C&C Servers Found

Name: Heodo
Number Discovered: 49
Location: 103.236.179.162, 104.161.32.111, 109.190.249.106, 167.114.153.111, 169.50.76.149, 172.86.186.21, 175.143.12.123, 177.23.7.151, 183.176.82.231, 184.180.181.202, 186.222.250.115, 188.157.101.114, 188.166.220.180, 189.223.16.99, 190.108.228.27, 190.117.101.56, 190.164.135.81, 190.190.219.184, 192.175.111.214, 200.127.14.97, 208.180.207.205, 209.54.13.14, 213.52.74.198, 218.147.193.146, 24.232.228.233, 2.45.176.233, 37.179.145.105, 42.200.96.63, 45.89.127.140, 45.89.127.182, 45.89.127.92, 46.105.114.137, 47.154.85.229, 47.36.140.164, 49.50.209.131, 5.2.72.199, 5.89.33.136, 61.33.119.226, 69.206.132.149, 74.135.120.91, 74.214.230.200, 75.143.247.51, 76.171.227.238, 79.118.74.90, 81.215.230.173, 86.104.194.30, 94.212.52.40, 95.85.33.23, 96.245.227.43

Name: TrickBot
Number Discovered: 18
Location: 104.161.32.112, 107.174.254.216, 131.153.22.145, 148.251.27.76, 185.117.73.50, 185.125.46.53, 194.5.249.241, 194.5.250.113, 195.123.237.37, 198.8.91.44, 212.80.217.69, 37.228.117.217, 45.141.103.31, 46.30.42.239, 5.101.51.112, 85.204.116.204, 86.104.194.102, 93.189.43.168
[Pie chart: Trojan C&C Servers Detected. Heodo 73.1% (49 servers), TrickBot 26.9% (18 servers).]


Common Malware

MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File Name: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
File Name: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201

MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
File Name: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

MD5: 01a607b4d69c549629e6f0dfd3983956
VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details
File Name: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:1eef72aa56.in03.Talos

MD5: 88781be104a4dcb13846189a2b1ea055
VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
File Name: UltraSearchApp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos


Top Phishing Campaigns

Phishing Target   Count
Other             1736
Facebook            22
Amazon.com          27
Instagram            2
DHL                  1
Adobe                3
Three                1
Mastercard          25
Microsoft            4
PayPal               6
Bradesco             1
Halifax             75
Netflix              6
Google               8
Alibaba.com          2
RuneScape            2
Apple                1
Virustotal           5


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry gives the CVE, title, vendor, description, CVSS v3.1 base score and vector, date created, and date updated.

CVE-2020-16898

Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 10/16/2020
Date Updated: 10/16/2020

CVE-2020-1472

Microsoft Netlogon Elevation of Privilege Vulnerability

Microsoft

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 08/17/2020
Date Updated: 10/05/2020

CVE-2020-3452

Cisco ASA and FTD Path Traversal Vulnerability

Cisco

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Date Created: 07/22/2020
Date Updated: 10/12/2020

CVE-2020-13943

Apache Tomcat Unexpected Resource Response Vulnerability

Apache

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers, including HTTP/2 pseudo headers, from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Date Created: 10/12/2020
Date Updated: 10/16/2020

CVE-2020-9746

Adobe Flash Player Arbitrary Code Execution Vulnerability

Adobe

Adobe Flash Player is affected by an exploitable NULL pointer dereference vulnerability that could result in a crash and arbitrary code execution. Exploitation of this issue requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL.

CVSS v3.1 Base Score: 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date Created: 10/14/2020
Date Updated: 10/14/2020

CVE-2020-16951

Microsoft SharePoint Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

CVSS v3.1 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
Date Created: 10/16/2020
Date Updated: 10/16/2020
Tuesday, October 20, 2020 By john