Trends

  • The top attacker country was China with 217627 unique attackers (46.00%).
  • The top Trojan C&C server detected was Heodo with 58 instances detected.


Top Attackers By Country

Country | Occurrences | Percentage
China | 217627 | 46.00%
South Africa | 57466 | 12.00%
Australia | 55296 | 11.00%
United States | 18154 | 3.00%
France | 16859 | 3.00%
Russia | 14064 | 3.00%
Indonesia | 13725 | 2.00%
India | 13098 | 2.00%
United Kingdom | 6215 | 1.00%
South Korea | 4898 | 1.00%
Netherlands | 4004 | 0%
Italy | 3222 | 0%
Canada | 2751 | 0%
Costa Rica | 2214 | 0%
Europe | 2004 | 0%
Hong Kong | 1753 | 0%
Mexico | 1213 | 0%
Philippines | 1127 | 0%
Chile | 718 | 0%


Threat Geo-location

[Map of attack sources by country; legend scale from 718 to 217,627 occurrences]


Top Attacking Hosts

Host | Occurrences
112.85.42.187 | 24082
27.115.13.245 | 15495
112.85.42.186 | 12419
49.88.112.117 | 11865
103.85.63.253 | 10287
45.141.84.25 | 8244
218.92.0.190 | 7230
212.47.244.235 | 6691
112.85.42.188 | 5959
218.92.0.192 | 4877
103.71.76.45 | 4714
27.106.63.114 | 4430
49.88.112.116 | 3579
138.94.58.133 | 2214


Top Network Attackers

ASN | Country | Name
4837 | China | CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
17621 | China | CNCGROUP-SH China Unicom Shanghai network, CN
4134 | China | CHINANET-BACKBONE No.31,Jin-rong Street, CN
23947 | Indonesia | MORATELINDONAP-AS-ID PT.Mora Telematika Indonesia, ID
206728 | Russia | MEDIALAND-AS, RU
12876 | France | Online SAS, FR


Remote Access Trojan C&C Servers Found

Name | Number Discovered | Location
Azorult | 2 | 185.98.87.59, 193.32.188.146
BetaBot | 1 | 185.14.31.230
Heodo | 58 | 102.182.229.224, 103.61.109.13, 103.77.100.32, 110.145.77.103, 113.193.29.98, 115.160.150.86, 115.75.6.2, 116.90.230.98, 117.7.236.115, 118.69.70.109, 120.150.142.241, 125.99.17.181, 14.141.203.150, 14.190.157.56, 152.169.32.195, 152.170.196.157, 153.181.212.155, 162.255.112.157, 163.139.237.65, 173.31.172.11, 173.79.107.84, 177.66.190.130, 181.225.24.251, 181.52.73.233, 181.54.245.85, 182.184.29.137, 185.10.202.137, 186.138.210.130, 187.162.250.23, 187.188.163.98, 189.123.239.235, 189.173.177.96, 189.220.246.167, 190.111.215.3, 190.13.215.114, 190.2.31.172, 190.52.207.190, 198.58.119.85, 203.153.216.182, 212.174.19.87, 24.196.13.216, 24.249.73.48, 49.176.162.90, 59.120.228.67, 61.195.228.54, 67.215.46.58, 68.202.51.4, 74.105.117.118, 81.215.14.128, 82.39.42.86, 88.249.1.225, 88.250.201.40, 89.211.112.137, 89.216.23.167, 93.147.157.195, 94.182.203.158, 94.206.82.254, 95.6.84.189
Lokibot | 29 | 103.116.16.173, 103.21.59.27, 103.74.123.3, 104.18.48.122, 104.18.49.122, 104.28.16.182, 107.175.150.73, 111.118.215.98, 158.69.39.138, 165.227.16.98, 185.126.201.167, 185.98.87.59, 192.185.13.60, 192.185.76.26, 192.3.182.247, 192.3.183.226, 193.142.59.88, 193.142.59.90, 198.27.81.31, 209.127.19.34, 209.127.19.34, 35.181.65.162, 45.10.90.162, 46.21.147.206, 89.208.229.55, 94.100.18.21, 94.100.18.4, 95.142.44.87, ms-owa.host
TrickBot | 10 | 178.156.202.120, 178.156.202.130, 178.156.202.143, 185.183.96.43, 185.62.188.10, 195.133.145.31, 212.80.216.209, 5.188.168.136, 5.34.177.97, 85.143.216.206
Unknown | 1 | 5.188.60.11
ZLoader | 1 | 193.32.188.138

Common Malware

MD5 | VirusTotal | FileName | Claimed Product | Detection Name
88cbadec77cf90357f46a3629b6737e6 | https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details | FlashHelperServices.exe | FlashHelperServices | PUA.Win.File.2144flashplayer::tpd
8c80dd97c37525927c1e549cb59bcbf3 | https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details | eternalblue-2.2.0.exe | N/A | W32.85B936960F.5A5226262.auto.Talos
be52a2a3074a014b163096055df127a0 | https://www.virustotal.com/gui/file/97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7/details | xme64-553.exe | N/A | Win.Trojan.Coinminer::tpd
d45699f36a79b9d4ef91f5db1980d27b | https://www.virustotal.com/gui/file/9e9d85d9e29d6a39f58f4db3617526b92a5200225d41d0ab679a90c0167321b4/details | profile-6.exe | N/A |
799b30f47060ca05d80ece53866e01cc | https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details | mf2016341595.exe | N/A | W32.Generic:Gen.22fz.1201


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE | Title | Vendor, followed by Description, CVSS v2 Base Score (with vector), Date Created and Date Updated.

CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability | Microsoft
  Description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance.
  CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Date Created: 02/11/2020
  Date Updated: 02/13/2020

CVE-2020-0668 | Microsoft Windows Kernel Elevation of Privilege Vulnerability | Microsoft
  Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.
  CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
  Date Created: 02/11/2020
  Date Updated: 02/20/2020

CVE-2019-18683 | Linux kernel vulnerability in the V4L2 subsystem | Multi-Vendor
  Description: These vulnerabilities are caused by incorrect mutex locking in the vivid driver of the V4L2 subsystem (drivers/media/platform/vivid). This driver doesn't require any special hardware. It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise, and openSUSE as a kernel module (CONFIG_VIDEO_VIVID=m).
  CVSS v2 Base Score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
  Date Created: 11/04/2019
  Date Updated: 12/05/2019

CVE-2020-0601 | Microsoft Windows CryptoAPI Spoofing Vulnerability | Microsoft
  Description: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
  CVSS v2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
  Date Created: 01/14/2020
  Date Updated: 01/16/2020

CVE-2019-19781 | Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability | Citrix
  Description: A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application.
  CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Date Created: 12/27/2019
  Date Updated: 01/08/2020

CVE-2020-0683 | Microsoft Windows Installer Elevation of Privilege Vulnerability | Microsoft
  Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files.
  CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Date Created: 02/11/2020
  Date Updated: 02/17/2020

CVE-2020-7247 | OpenBSD OpenSMTPD Arbitrary Commands Execution Vulnerability | OpenBSD
  Description: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
  CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Date Created: 01/29/2020
  Date Updated: 01/31/2020

CVE-2019-11510 | Pulse Secure Arbitrary File Disclosure Vulnerability | Pulse Secure
  Description: Pulse Connect Secure is exposed to an arbitrary file disclosure vulnerability. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, or send a specially crafted URI to perform an arbitrary file read.
  CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Date Created: 05/08/2019
  Date Updated: 10/03/2019
Wednesday, February 26, 2020 By john