Trends

  • The top attacker country was China with 71942 unique attackers (37.00%).
  • The top Trojan C&C server detected was TrickBot with 16 instances detected.


Top Attackers By Country

Country          Occurrences   Percentage
China            71942         37.00%
United States    24091         12.00%
Australia        19431         10.00%
Canada           16193         8.00%
India            8003          4.00%
France           6974          3.00%
Fiji             4759          2.00%
Brazil           3798          1.00%
Russia           3432          1.00%
Thailand         3190          1.00%
South Korea      2767          1.00%
South Africa     2645          1.00%
Indonesia        2427          1.00%
Germany          1802          0%
United Kingdom   1767          0%
Hong Kong        1454          0%
Bulgaria         1411          0%
Mexico           748           0%
Macao            619           0%

[Chart: Top Attackers by Country, a pie chart of the occurrence counts in the table above, with countries below Brazil grouped as "Other"]


Threat Geo-location

[Map: attacker occurrences by country, colour scale from 619 to 71,942]


Top Attacking Hosts

Host             Occurrences
112.85.42.187    6531
49.88.112.115    6135
203.206.223.45   5791
112.85.42.189    5211
112.85.42.88     5061
210.7.22.74      4759
203.151.47.26    2495
45.145.66.250    1661
51.15.152.61     1156
51.158.24.255    1126
218.92.0.192     1007
185.135.74.60    951
79.124.62.74     863
52.187.10.133    856

[Chart: Top Attackers, a bar chart of the occurrence counts in the table above]


Top Network Attackers

ASN      Country    Name
4837     China      CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134     China      CHINANET-BACKBONE No.31,Jin-rong Street, CN
4638     Fiji       IS-FJ-AS Telecom Fiji Limited, FJ
4618     Thailand   INET-TH-AS Internet Thailand Company Limited, TH
50340    Russia     SELECTEL-MSK, RU
12876    France     Online SAS, FR
55720    Iran       GIGABIT-MY Gigabit Hosting Sdn Bhd, MY
207812   Bulgaria   DM_AUTO, BG


Remote Access Trojan C&C Servers Found

Name       Number Discovered   Location
Azorult    2                   mmakaronagre.xyz, wildberriesqa.xyz
Heodo      5                   109.117.53.230, 181.134.9.162, 186.70.127.199, 198.27.69.201, 58.153.68.176
TrickBot   16                  162.216.0.186, 185.14.31.44, 185.164.32.148, 185.99.2.183, 185.99.2.191, 194.5.249.157, 194.87.145.86, 195.123.221.37, 195.123.221.77, 204.155.30.121, 45.155.173.211, 5.182.211.223, 5.188.133.193, 85.204.116.144, 85.204.116.198, 86.104.194.82

[Chart: Trojan C&C Servers Detected, a pie chart of the counts in the table above (Azorult 8.7%, Heodo 21.7%, TrickBot 69.6%)]


Common Malware

Each entry lists the sample's MD5, its VirusTotal report, the file name, the claimed product and the detection name.

MD5: 179c09b866c9063254083216b55693e6
VirusTotal: https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details
File Name: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
File Name: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File Name: FlashHelperServices.exe
Claimed Product: FlashHelperServices
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
File Name: FlashHelperServices.exe
Claimed Product: FlashHelperService
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
File Name: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


Top Phishing Campaigns

Phishing Target   Count
Other             530
Facebook          20
RuneScape         8
Google            7
Americanas.com    2
Yahoo             2
Twitter           1
Steam             1
Microsoft         1
Mastercard        1


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry lists the CVE, title, vendor, description, CVSS v3.1 base score with its vector, and the dates the entry was created and last updated.

CVE-2020-6287
Title: SAP NetWeaver Application Server JAVA Multiple Vulnerabilities
Vendor: SAP
Description: SAP NetWeaver AS JAVA (LM Configuration Wizard) does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system (a missing authentication check). An unauthenticated attacker can exploit this vulnerability over HTTP to take control of trusted SAP applications.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 07/14/2020
Date Updated: 07/16/2020

CVE-2020-1350
Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 07/14/2020
Date Updated: 07/20/2020

CVE-2020-14664
Title: Oracle Java SE Critical Vulnerability
Vendor: Oracle
Description: A vulnerability exists in the Java SE product of Oracle Java SE. It allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful exploitation can result in takeover of Java SE.
CVSS v3.1 Base Score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
Date Created: 07/15/2020
Date Updated: 07/20/2020

CVE-2020-5902
Title: F5 BIG-IP Remote Code Execution Vulnerability
Vendor: F5
Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code or take complete control of vulnerable systems.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/01/2020
Date Updated: 07/21/2020

CVE-2019-19781
Title: Citrix Application Delivery Controller and Gateway Directory Traversal Vulnerability
Vendor: Citrix
Description: A vulnerability exists in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. The vulnerability is a directory traversal that can be leveraged to execute an arbitrary command payload.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 12/27/2019
Date Updated: 01/08/2020

CVE-2020-2021
Title: Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability
Vendor: Palo Alto Networks
Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 06/29/2020
Date Updated: 07/06/2020

CVE-2020-1421
Title: Microsoft LNK Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker's choice on the target system.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date Created: 07/14/2020
Date Updated: 07/15/2020
Wednesday, July 22, 2020 By john