threat-intelligence-report

Trends

  • The top attacker country was Australia with 75997 unique attackers (37%).
  • The top Trojan C&C server detected was Heodo with 75 instances detected.

Top Attackers By Country

CountryOccurencesPercentage
Australia7599737.00%
China7263835.00%
United States166198.00%
South Africa61363.00%
Italy35081.00%
France32071.00%
Russia26441.00%
South Korea23041.00%
Vietnam17170%
Indonesia16710%
Canada16460%
India15990%
United Kingdom15510%
Brazil14940%
Argentina14350%
Netherlands13470%
Singapore7630%
Chile7370%
Kyrgyzstan4800%


Top Attacking Hosts

HostOccurrences
112.85.42.18711435
68.183.236.1488280
112.85.42.1886672
49.88.112.1162803
218.92.0.1912677
121.201.38.2482189
192.34.62.2271150


Top Network Attackers

ASNCountryName
4837ChinaCHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
14061SingaporeDIGITALOCEAN-ASN, US
4134ChinaCHINANET-BACKBONE No.31,Jin-rong Street, CN
58543ChinaCHINATELECOM-GUANGDONG-IDC Guangdong, CN


Remote Access Trojan C&C Servers Found

NameNumber DiscoveredLocation
Heodo75100.6.23.40 , 101.187.197.33 , 120.150.247.164 , 120.151.135.224 , 122.176.116.57 , 122.19.63.27 , 125.209.114.180 , 139.47.135.215 , 152.231.89.226 , 154.73.137.131 , 160.226.171.255 , 165.255.142.118 , 177.103.159.44 , 177.103.240.93 , 177.239.160.121 , 179.208.84.218 , 181.129.96.162 , 181.13.24.82 , 181.54.246.80 , 183.82.123.60 , 186.147.245.204 , 186.15.52.123 , 186.177.165.196 , 187.72.47.161 , 188.85.143.170 , 190.114.244.182 , 190.143.39.231 , 192.241.143.52 , 195.223.215.190 , 197.89.27.26 , 200.71.200.4 , 200.82.88.254 , 201.213.100.141 , 201.229.45.222 , 201.236.135.104 , 211.20.154.102 , 24.141.12.228 , 24.196.49.98 , 2.47.112.72 , 58.171.38.26 , 58.92.179.55 , 59.120.5.154 , 59.135.126.129 , 60.130.173.117 , 60.152.212.149 , 60.250.78.22 , 61.204.119.188 , 61.221.152.140 , 64.40.250.5 , 66.7.242.50 , 68.172.243.146 , 70.123.95.180 , 70.184.69.146 , 72.186.137.156 , 72.189.57.105 , 73.239.11.159 , 76.11.76.47 , 76.185.136.132 , 76.69.26.71 , 78.101.95.172 , 78.142.114.69 , 78.189.180.107 , 78.189.60.109 , 81.16.1.45 , 81.17.92.70 , 82.152.149.79 , 83.35.213.87 , 85.105.241.192 , 86.123.138.76 , 89.211.186.227 , 91.250.96.22 , 95.130.37.244 , 98.192.74.164 , 98.199.196.197 , 98.30.113.161
KPOT145.139.236.16
Pony1162.210.96.127
TrickBot27104.168.96.113 , 146.185.253.122 , 146.185.253.177 , 162.247.155.133 , 185.105.1.141 , 185.142.99.8 , 185.62.188.34 , 185.99.2.117 , 188.165.62.36 , 195.123.221.53 , 198.23.252.132 , 212.109.220.111 , 5.182.210.226 , 5.182.210.246 , 5.2.78.43 , 5.2.78.98 , 5.2.79.72 , 5.34.176.218 , 5.34.176.242 , 62.109.15.126 , 64.44.133.131 , 82.146.62.52 , 85.143.217.237 , 85.143.220.228 , 85.204.116.233 , 93.189.41.107 , 93.189.46.122


Common Malware

MD5VirusTotalFileNameClaimed ProductDetection Name
8c80dd97c37525927c1e549cb59bcbf3https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detailseternalblue-2.2.0.exeN/AW32.85B936960F.5A5226262.auto.Talos
c2406fc0fce67ae79e625013325e2a68https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/detailsSegurazoIC.exeDigitalCommunicationsInc.PUA.Win.Adware.Ursu::95.sbx.tg
47b97de62ae8b2b927542aa5d7f3c858https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/detailsqmreportupload.exeqmreportuploadWin.Trojan.Generic::in10.talos
7c38a43d2ed9af80932749f6e80fea6fhttps://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/detailsxme64-520.exeN/APUA.Win.File.Coinminer::1201
799b30f47060ca05d80ece53866e01cchttps://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detailsmf2016341595.exeN/AW32.Generic:Gen.22fz.1201


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, VendorDescriptionCVSS v2 Base ScoreDate CreatedDate Updated

CVE-2019-19781

Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability

Citrix

A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application.

7.5(AV:N/AC:L/Au:N/C:P/I:P/A:P)

12/27/2019

01/08/2020

CVE-2019-9730

Synaptics Audio Driver Vulnerability

Synaptics

Incorrect access control in the CxUtilSvc.exe component of the Synaptics (previously Conexant) Audio driver could allow a standard user to increase access privileges to the Windows Registry via an unpublished API.

7.2(AV:L/AC:L/Au:N/C:C/I:C/A:C)

06/05/2019

06/07/2019

CVE-2020-3941

VMWare Privilege Escalation Vulnerability

VMWare

A vulnerability exists in VMware Tools for windows, which may allow for privilege escalation in the Virtual Machine where Tools is installed. A malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM.

7.2(AV:L/AC:L/Au:N/C:C/I:C/A:C)

01/15/2020

01/15/2020

CVE-2019-1547

OpenSSL vulnerability

Multi-Vendor

In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. A local attacker can recover a full key during an ECDSA signature operation.

1.9(AV:L/AC:M/Au:N/C:P/I:N/A:N)

09/10/2019

09/12/2019

Details
Date Published
February 04, 2020
Category
Threat Intelligence