Trends

  • The top attacker country was China with 176,327 unique attackers (37.00%).
  • The top Trojan C&C server family detected was Heodo (Emotet) with 49 instances detected.
  • The top phishing campaign detected was against Facebook accounts with 236 instances detected.


Top Attackers By Country

Country           Occurrences   Percentage
China                 176,327       37.00%
Australia              99,681       21.00%
United States          75,072       16.00%
Canada                 22,671        4.00%
India                  21,806        4.00%
Netherlands             6,588        1.00%
Indonesia               6,439        1.00%
Hong Kong               5,695        1.00%
United Kingdom          4,846        1.00%
France                  4,055        0.00%
Russia                  3,409        0.00%
Sweden                  3,242        0.00%
Japan                   3,239        0.00%
Singapore               2,113        0.00%
Germany                 1,923        0.00%
Malaysia                1,772        0.00%
Chile                   1,623        0.00%
Thailand                  950        0.00%

Percentages are of all attackers observed, including countries below the cut-off, and are truncated to whole numbers, so the listed rows do not sum to 100%.


[Pie chart: Top Attackers by Country (China, Australia, United States, Canada, India, Other); the values are those in the table above.]


Threat Geo-location

[Map: attackers per country, colour scale from 950 (Thailand) to 176,327 (China).]


Top Attacking Hosts

Host               Occurrences
112.85.42.187           20,076
49.88.112.115           18,523
112.85.42.189            8,170
112.85.42.88             7,767
222.186.30.59            5,482
103.138.149.6            4,859
34.200.247.158           4,735
222.186.52.131           4,189
198.97.190.53            3,282
192.203.230.10           3,251
192.36.148.17            3,242
202.12.27.33             3,239
192.228.79.201           3,234
192.33.4.12              3,231
198.41.0.4               3,227

Seven of these hosts (198.97.190.53, 192.203.230.10, 192.36.148.17, 202.12.27.33, 192.228.79.201, 192.33.4.12 and 198.41.0.4) are DNS root name servers, as the AS names in the Top Network Attackers table (I-ROOT, M-ROOT-DNS, BROOT-AS, VGRS/VRSN) also indicate. Traffic from them is almost certainly DNS responses to queries made by the sensors themselves rather than hostile activity, so they should be excluded before this list is turned into a blocklist.

[Bar chart: Top Attackers by host, 0 to 30,000 occurrences; values as in the table above.]


Top Network Attackers

ASN      Country          AS Name
4837     China            CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134     China            CHINANET-BACKBONE No.31,Jin-rong Street, CN
23650    China            CHINANET-JIANGSU-PROVINCE-IDC AS Number for CHINANET jiangsu province backbone, CN
133441   South Korea      CLOUDITIDC-KR CloudITIDC Global, HK
14618    United States    AMAZON-AES, US
9105     United Kingdom   TISCALI-UK TalkTalk Communications Limited, GB
1508     United States    DNIC-AS-01508, US
21556    United States    NARC-EROOT, US
29216    Sweden           I-ROOT DNS root name server i.root-servers.net., SE
7500     Japan            M-ROOT-DNS WIDE Project, JP
394353   United States    BROOT-AS, US
2149     France           COGENT-2149, US
32651    United States    VGRS-AC24, US
396549   United States    VRSN-AC50-340, US
396566   United States    VRSN-AC50-340, US
396570   United States    VRSN-AC50-340, US
396571   United States    VRSN-AC50-340, US
396574   United States    VRSN-AC50-340, US
397197   United States    VRSN-AC28, US
397203   United States    VRSN-AC28, US


Remote Access Trojan C&C Servers Found

Name        Count   C&C IP address(es)
Anubis          3   185.209.1.115, 45.141.84.85, 8.208.84.18
FlexNet         1   8.209.97.194
Heodo (Emotet) 49   112.185.64.233, 112.78.142.170, 113.203.250.121, 116.202.234.183, 118.70.15.19, 137.119.36.33, 152.169.22.67, 153.163.83.106, 153.232.188.106, 162.249.220.190, 168.0.97.6, 173.94.215.84, 174.137.65.18, 175.29.183.2, 177.94.227.143, 178.128.14.92, 178.238.232.46, 181.126.54.234, 181.137.229.1, 185.33.0.233, 186.109.104.67, 186.109.152.201, 187.161.206.24, 190.128.173.10, 197.221.158.162, 197.249.6.179, 200.114.213.233, 202.4.57.96, 219.92.8.17, 220.254.198.228, 24.135.1.177, 41.84.237.198, 41.84.248.134, 45.173.88.33, 60.125.114.64, 64.183.73.122, 65.36.62.20, 68.188.112.97, 70.121.172.89, 73.213.208.163, 81.129.198.57, 82.163.245.38, 85.109.159.61, 85.25.207.108, 86.57.216.23, 86.98.143.163, 89.186.91.200, 93.147.212.206, 98.109.204.230
Nexus           1   62.113.118.92
PurpleWave      1   188.120.235.130
TrickBot        2   2.57.184.70, 37.220.0.28
UAdmin         13   107.173.24.170, 170.81.40.234, 185.212.148.253, 185.94.191.6, 193.23.126.213, 194.62.29.25, 199.192.19.30, 23.254.228.25, 37.221.113.19, 45.141.84.163, 63.250.37.44, 63.250.47.109, 92.42.46.104


[Pie chart: Trojan C&C servers detected by family; counts as in the table above.]


Common Malware

Each entry lists the sample's MD5, its VirusTotal report (the link is keyed by the sample's SHA-256), the file name, the product the file claims to be, and the detection name.

MD5: 179c09b866c9063254083216b55693e6
VirusTotal: https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details
File name: SAService.exe
Claimed product: SAService
Detection name: PUA.Win.File.Segurazo::95.sbx.tg

MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File name: Eter.exe
Claimed product: N/A
Detection name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
File name: qmreportupload.exe
Claimed product: qmreportupload
Detection name: Win.Trojan.Generic::in10.talos

MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
File name: SAService.exe
Claimed product: SAService
Detection name: PUA.Win.Dropper.Segurazo::tpd

MD5: 26b2996b69542d039c303e2fee6dac81
VirusTotal: https://www.virustotal.com/gui/file/9836cf123caa799eaf57a449ba6da0cdecf0445f58a8238fa0d98b19e93cdb22/details
File name: 226a60f6-4340-45e9-9b01-d95106369b83
Claimed product: N/A
Detection name: W32.9836CF123C-100.SBX.TG
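The C&C addresses and sample hashes above are only useful once they are matched against your own telemetry. The following Python is an added example, not code from the original report: the IOC values are copied from the C&C server and Common Malware tables, while the key=value log format, its field names (ts, src, dst, md5, host) and the sample log lines are constructed for illustration. It flags outbound connections to a listed C&C address, inbound connections from one, and EDR events whose MD5 matches a listed sample, normalising hash case on the way.

```python
"""Match this report's C&C addresses and malware hashes against log data.

Added example, not part of the original report. IOC values are copied from
the report's tables; the key=value log format, its field names and the sample
log lines are constructed for illustration.
"""
import re
from collections import Counter

# C&C addresses from the "Trojan C&C Servers Found" table (a subset), by family.
C2_BY_FAMILY = {
    "Anubis":   {"185.209.1.115", "45.141.84.85", "8.208.84.18"},
    "Heodo":    {"112.185.64.233", "185.33.0.233", "178.128.14.92"},
    "TrickBot": {"2.57.184.70", "37.220.0.28"},
    "UAdmin":   {"107.173.24.170", "185.94.191.6"},
}

# MD5 -> detection family from the "Common Malware" table.
MALWARE_MD5 = {
    "179c09b866c9063254083216b55693e6": "PUA.Win.File.Segurazo",
    "8c80dd97c37525927c1e549cb59bcbf3": "Win.Exploit.Shadowbrokers",
    "47b97de62ae8b2b927542aa5d7f3c858": "Win.Trojan.Generic",
}

# Inverted once so each log line costs one dictionary lookup per field.
C2_TO_FAMILY = {ip: fam for fam, ips in C2_BY_FAMILY.items() for ip in ips}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse a key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_line(line):
    """Return the alerts raised by one log line (empty list if nothing matched).

    Both directions are checked: dst matching a C&C address is an outbound
    beacon from the internal host; src matching flags inbound connections
    from listed infrastructure as well.
    """
    f = parse_kv(line)
    alerts = []
    for field, peer in (("dst", "src"), ("src", "dst")):
        ip = f.get(field)
        if ip in C2_TO_FAMILY:
            alerts.append({"ts": f.get("ts"), "type": "c2",
                           "family": C2_TO_FAMILY[ip], "ioc": ip,
                           "host": f.get(peer)})
    md5 = f.get("md5", "").lower()  # hashes arrive in either case
    if md5 in MALWARE_MD5:
        alerts.append({"ts": f.get("ts"), "type": "malware",
                       "family": MALWARE_MD5[md5], "ioc": md5,
                       "host": f.get("host")})
    return alerts


def scan(lines):
    """Run match_line over an iterable of log lines and collect all alerts."""
    alerts = []
    for line in lines:
        alerts.extend(match_line(line))
    return alerts


def summarize(alerts):
    """Count alerts per family, for a quick triage view."""
    return Counter(a["family"] for a in alerts)


# Constructed sample log lines (firewall and EDR events); not real traffic.
SAMPLE_LOGS = [
    'ts=2020-08-25T09:14:02Z type=fw src=10.20.4.17 dst=37.220.0.28 dport=443 action=allow',
    'ts=2020-08-25T09:14:09Z type=fw src=10.20.4.17 dst=93.184.216.34 dport=443 action=allow',
    'ts=2020-08-25T09:20:31Z type=fw src=10.20.7.3 dst=185.33.0.233 dport=8080 action=allow',
    r'ts=2020-08-25T10:02:44Z type=edr host=WS-0412 md5=8C80DD97C37525927C1E549CB59BCBF3 path="C:\Users\a\Downloads\Eter.exe"',
    'ts=2020-08-25T10:05:00Z type=fw src=185.209.1.115 dst=203.0.113.10 dport=22 action=deny',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f'{a["ts"]} {a["type"]:8} {a["family"]:28} host={a["host"]} ioc={a["ioc"]}')
    print(dict(summarize(found)))
```

Run against the constructed lines it raises four alerts (TrickBot, Heodo, Win.Exploit.Shadowbrokers, Anubis) and none for the benign connection. When feeding it real data, drop the DNS root-server addresses from the Top Attacking Hosts table before adding those to the IOC set; the C&C addresses above do not have that problem.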


Top Phishing Campaigns

Phishing Target   Count
Other              1425
Facebook            236
PayPal               21
VirusTotal           14
Amazon.com           10
Microsoft             8
RuneScape             8
Halifax               6
Adobe                 6
Google                4
Apple                 3
LinkedIn              2
Steam                 2
Netflix               1
Yahoo                 1
EE                    1


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry gives the CVE, title and vendor, a description, the CVSS v3 base score with its vector, and the dates the entry was created and last updated.

CVE-2020-1147

Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the process responsible for deserializing the XML content.
CVSS v3 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date created: 07/14/2020   Date updated: 08/20/2020

CVE-2020-1464

Microsoft Windows Spoofing Vulnerability

Microsoft

A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploits it could bypass the security features intended to prevent improperly signed files from being loaded.
CVSS v3 base score: 5.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
Date created: 08/17/2020   Date updated: 08/21/2020

CVE-2020-9715

Adobe Acrobat Reader Use-After-Free Vulnerability

Adobe

A use-after-free vulnerability could allow remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. The specific flaw exists within the handling of ESObject data objects: the code does not validate that an object exists before performing operations on it. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS v3 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date created: 08/19/2020   Date updated: 08/19/2020

CVE-2020-3411

Cisco DNA Center Information Disclosure Vulnerability

Cisco

A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system. The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit it by sending a crafted HTTP request to an affected device. A successful exploit could give the attacker access to sensitive device information, including configuration files.
CVSS v3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Date created: 08/17/2020   Date updated: 08/21/2020

CVE-2020-3698

Qualcomm Out-Of-Bounds Memory Corruption Vulnerability

Qualcomm

An out-of-bounds write occurs in the QoS DSCP mapping component due to improper input validation of data received in an association response frame, in Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music and Snapdragon Wearables (ChipSoftware).
CVSS v3 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 07/30/2020   Date updated: 07/30/2020

CVE-2019-16759

vBulletin Remote Code Execution Vulnerability

vBulletin

vBulletin allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. The vulnerability became public through an 18-line proof-of-concept exploit posted anonymously, which lets unauthenticated attackers execute arbitrary code on virtually any unpatched vBulletin server.
CVSS v3 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 09/24/2019   Date updated: 08/19/2020

CVE-2020-3433

Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability

Cisco

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. The vulnerability is due to insufficient validation of resources that the application loads at run time. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.
CVSS v3 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 08/17/2020   Date updated: 08/20/2020
Wednesday, August 26, 2020, by john