Trends

  • The top attacker country was China with 567,852 unique attackers (58.00%).
  • The most common Trojan C&C family detected was TrickBot, with 23 servers identified.


Top Attackers By Country

Country           Occurrences   Percentage
China                 567,852       58.00%
Australia              97,729       10.00%
United States          89,184        9.00%
Russia                 38,043        3.00%
South Africa           26,896        2.00%
Canada                 24,375        2.00%
United Kingdom         13,403        1.00%
Chile                  12,598        1.00%
India                  10,876        1.00%
Vietnam                10,390        1.00%
Brazil                  7,946        0.00%
France                  6,770        0.00%
Indonesia               3,939        0.00%
Argentina               3,699        0.00%
Mexico                  2,429        0.00%
Bulgaria                1,552        0.00%
Nigeria                 1,496        0.00%
Paraguay                1,276        0.00%

Percentages are computed over all attackers seen, including countries not in the table, and are truncated to whole numbers, so countries below 1% show as 0.00%.


[Pie chart: Top Attackers by Country, as a share of the attackers listed in the table: China 61.7%, Australia 10.6%, United States 9.7%, Other 8.3%; Russia, South Africa and Canada are labelled but too small to carry a percentage.]

Threat Geo-location

[World map: attackers per country, colour scale from 1,276 (Paraguay) to 567,852 (China).]


Top Attacking Hosts

Host              Occurrences
112.85.42.187          65,730
49.88.112.115          57,845
45.141.84.10           30,584
112.85.42.88           17,615
218.92.0.190           14,081
112.85.42.188          13,939
103.44.237.234         10,941


Top Network Attackers

ASN      Country   Name
4837     China     CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134     China     CHINANET-BACKBONE No.31,Jin-rong Street, CN
206728   Russia    MEDIALAND-AS, RU
4816     China     CHINANET-IDC-GD China Telecom (Group), CN


Remote Access Trojan C&C Servers Found

Name               Number Discovered   C&C IP address(es)
Amadey              1                  188.120.233.19
Anubis              4                  176.121.14.173, 8.208.102.203, 84.38.180.68, 84.38.182.177
Azorult             1                  185.212.148.78
Gozi2RM3            1                  195.123.245.212
Heodo               2                  24.1.189.87, 41.215.92.157
KPOT                1                  8.208.102.118
LokiBot            10                  101.50.1.17, 103.17.8.47, 104.27.162.37, 172.67.192.52, 176.223.209.5, 194.180.224.87, 45.143.138.143, 79.124.8.8, 84.38.182.128, 94.199.200.248
Oski                7                  109.94.208.119, 195.133.197.142, 199.192.24.69, 217.8.117.45, 45.143.93.28, 45.147.198.62, 5.101.50.55
PredatorTheThief    3                  141.8.192.151, 81.16.141.225, 81.177.141.11
Taurus              1                  45.153.241.9
TrickBot           23                  107.172.141.128, 148.251.185.180, 164.68.120.59, 164.68.120.62, 172.245.185.184, 185.164.33.125, 185.234.72.230, 185.234.72.231, 185.65.202.58, 192.3.247.18, 194.5.250.183, 194.5.250.184, 195.133.197.46, 45.155.173.166, 45.155.173.224, 51.77.112.240, 62.108.35.175, 62.108.35.221, 62.108.35.225, 85.143.219.23, 85.204.116.149, 85.204.116.155, 92.38.163.8
UAdmin              1                  46.29.161.2
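The Top Attacking Hosts table and the C&C server table above are only useful once they are swept against your own telemetry. The following is an added example written for this page, not code from the report or its feed: it loads a subset of the listed IPs, matches them against firewall log lines, and tells the analyst which direction each hit is in. An IOC as destination means an internal host is calling out to a C&C (probable infection); an IOC as source is inbound traffic from a known attacking host. The log format, the internal addresses and the log lines are constructed for the example.

```python
"""IOC sweep: match firewall log lines against the C&C and attacker-host IPs
listed in this report. IOC values are copied from the report's tables; the
log format and the sample log lines are constructed for the example."""
import ipaddress
import re
from collections import Counter

# Subset of the "Remote Access Trojan C&C Servers Found" table (family -> IPs).
CC_SERVERS = {
    "TrickBot": ["107.172.141.128", "185.234.72.230", "185.234.72.231", "51.77.112.240"],
    "LokiBot": ["101.50.1.17", "104.27.162.37", "172.67.192.52"],
    "Anubis": ["176.121.14.173", "8.208.102.203"],
    "Heodo": ["24.1.189.87", "41.215.92.157"],
    "KPOT": ["8.208.102.118"],
}
# The "Top Attacking Hosts" table (inbound scan/brute-force sources).
ATTACKING_HOSTS = ["112.85.42.187", "49.88.112.115", "45.141.84.10", "112.85.42.88",
                   "218.92.0.190", "112.85.42.188", "103.44.237.234"]


def build_index(cc_servers, attacking_hosts):
    """Return {ip: (kind, label)}; ipaddress validates and normalises each entry."""
    index = {}
    for family, ips in cc_servers.items():
        for ip in ips:
            index[str(ipaddress.ip_address(ip))] = ("c2", family)
    for ip in attacking_hosts:
        # A C&C entry wins if an address appears in both lists.
        index.setdefault(str(ipaddress.ip_address(ip)), ("attacker", "top-attacker"))
    return index


# Constructed log format: "<ts> <action> src=<ip>:<port> dst=<ip>:<port> proto=<p>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
                    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$")


def sweep(lines, index):
    """Return one finding per IOC hit, with the direction of the match."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        d = m.groupdict()
        for role in ("src", "dst"):
            hit = index.get(d[role])
            if hit is None:
                continue
            kind, label = hit
            findings.append({
                "ts": d["ts"], "ioc": d[role], "kind": kind, "label": label,
                "direction": "outbound-to-ioc" if role == "dst" else "inbound-from-ioc",
                "action": d["action"],
                "peer": d["src"] if role == "dst" else d["dst"],
                "port": int(d["dport"]) if role == "dst" else int(d["sport"]),
            })
    return findings


def summarize(findings):
    """Count hits per (kind, label, direction) for a quick triage view."""
    return Counter((f["kind"], f["label"], f["direction"]) for f in findings)


# Constructed sample log lines (not real traffic). 10.20.30.0/24 is the
# hypothetical internal network; 203.0.113.5 is the hypothetical perimeter host.
SAMPLE_LOG = """\
2020-06-22T10:01:02Z ALLOW src=10.20.30.40:51234 dst=185.234.72.230:443 proto=tcp
2020-06-22T10:01:05Z DENY src=112.85.42.187:41522 dst=203.0.113.5:22 proto=tcp
2020-06-22T10:02:11Z ALLOW src=10.20.30.41:51900 dst=8.208.102.118:80 proto=tcp
2020-06-22T10:02:40Z ALLOW src=10.20.30.40:51301 dst=93.184.216.34:443 proto=tcp
2020-06-22T10:03:00Z DENY src=49.88.112.115:60001 dst=203.0.113.5:22 proto=tcp
2020-06-22T10:03:30Z ALLOW src=10.20.30.42:52000 dst=8.208.102.203:443 proto=tcp
garbage line that does not parse
"""

if __name__ == "__main__":
    idx = build_index(CC_SERVERS, ATTACKING_HOSTS)
    hits = sweep(SAMPLE_LOG.splitlines(), idx)
    for f in hits:
        print(f"{f['ts']} {f['direction']:16} {f['kind']:8} {f['label']:13} "
              f"{f['ioc']}:{f['port']} peer={f['peer']} ({f['action']})")
    for key, n in summarize(hits).items():
        print(key, n)
```

Inbound hits from the attacking-host list are mostly perimeter noise; the outbound, allowed connections to C&C addresses are the ones to escalate, with the internal peer address as the starting point. IP indicators from a weekly report age quickly, so in practice the index is rebuilt from the current feed rather than hard-coded as it is here.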


Common Malware

MD5:              8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:       https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File Name:        FlashHelperServices.exe
Claimed Product:  FlashHelperServices
Detection Name:   Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5:              8193b63313019b614d5be721c538486b
VirusTotal:       https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
File Name:        SAntivirusService.exe
Claimed Product:  SAService
Detection Name:   PUA.Win.Dropper.Segurazo::95.sbx.tg

MD5:              a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal:       https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
File Name:        FlashHelperServices.exe
Claimed Product:  FlashHelperService
Detection Name:   PUA.Win.Adware.Flashserv::100.sbx.vioc

MD5:              73d1de319c7d61e0333471c82f2fc104
VirusTotal:       https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details
File Name:        SAntivirusService.exe
Claimed Product:  AntivirusService
Detection Name:   Win.Dropper.Zudochka::in03.talos

MD5:              e2ea315d9a83e7577053f52c974f6a5a
VirusTotal:       https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection
File Name:        c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product:  N/A
Detection Name:   Win.Dropper.Agentwdcr::1201

The MD5 column is the hash the feed reports; the VirusTotal links are keyed by the file's SHA-256, so both hashes are needed to cross-reference an entry.


Top Phishing Campaigns

Phishing Target   Count
Other               717
Twitter               1
Facebook             25
Microsoft             4
Netflix               1
Three                10
PayPal                5
Amazon.com            3
Virustotal            3
Blockchain            1
ZML                   1
Dropbox               1
Bradesco              1
Steam                 1
RuneScape             2


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE, title, vendor; description; CVSS v3.1 base score and vector; date created; date updated.

CVE-2020-1300

Microsoft Windows Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.

CVSS v3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 06/09/2020   Date updated: 06/16/2020

CVE-2020-1206

Microsoft Windows SMBv3 Client/Server Information Disclosure Vulnerability

Microsoft

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a target.

CVSS v3.1 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Date created: 06/09/2020   Date updated: 06/12/2020

CVE-2020-1054

Microsoft Win32k Elevation of Privilege Vulnerability

Microsoft

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3.1 base score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 05/21/2020   Date updated: 05/27/2020

CVE-2020-5410

Spring Cloud Config Directory Traversal Vulnerability

VMware

Spring Cloud Config allows applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

CVSS v3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Date created: 06/02/2020   Date updated: 06/04/2020

CVE-2020-1301

Microsoft Windows SMB Authenticated Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. To exploit the vulnerability, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

CVSS v3.1 base score: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 06/09/2020   Date updated: 06/15/2020

CVE-2020-1181

Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.NET web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.

CVSS v3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 06/09/2020   Date updated: 06/12/2020

CVE-2020-0796

Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

CVSS v3.1 base score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date created: 03/12/2020   Date updated: 06/11/2020

CVE-2020-13160

AnyDesk UDP Discovery Remote Code Execution Vulnerability

AnyDesk

A format string vulnerability exists in AnyDesk that can be exploited for remote code execution. By sending a single UDP packet to the target machine, an attacker can successfully exploit the discovered format string vulnerability to gain remote code execution.

CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 06/09/2020   Date updated: 06/11/2020

CVE-2018-13379

Fortinet FortiOS Directory Traversal Vulnerability

Fortinet

Fortinet FortiOS is exposed to a path traversal vulnerability in the SSL VPN web portal because it fails to properly sanitize user-supplied input. An unauthenticated attacker may download FortiOS system files through specially crafted HTTP resource requests.

CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 06/04/2019   Date updated: 01/22/2020
Monday, June 22, 2020 By john