Threat Intel Banner

   
   Trends

  • The top attacker country was China with 83020 unique attackers (37.23%).
  • The top Trojan C&C server detected was CobaltStrike with 17 instances detected.
  • The top phishing campaign detected was against Facebook with 35 instances detected.


   Top Attackers By Country

Country Occurences Percentage
China 83020 37.23%
United States 62205 27.89%
Poland 23689 10.62%
Russia 11261 5.05%
Singapore 10766 4.83%
India 8586 3.85%
Hong Kong 8034 3.60%
Vietnam 4715 2.11%
Indonesia 3255 1.46%
Germany 2157 0.97%
Colombia 1314 0.59%
Myanmar 1211 0.54%
Tunisia 877 0.39%
Romania 683 0.31%
Mexico 664 0.30%
Chile 568 0.25%
 
Top Attackers by CountryChinaUnited StatesPolandRussiaSingaporeIndiaHong KongVietnamOther37.2%5%10.6%27.9%
Country Percentage of Attacks
China 83,020
United States 62,205
Poland 23,689
Russia 11,261
Singapore 10,766
India 8,586
Hong Kong 8,034
Vietnam 4,715
Indonesia 3,255
Germany 2,157
Colombia 1,314
Myanmar 1,211
Tunisia 877
Romania 683
Mexico 664
Chile 568

   
   Threat Geo-location

56883,020

   
   Top Attacking Hosts

Host Occurrences
185.244.158.56 23689
61.177.173.17 16612
61.177.173.12 8776
198.199.66.47 7188
45.112.206.218 6763
139.59.108.147 6199
219.138.163.115 6098
61.177.173.15 4614
103.100.29.81 3087
103.145.13.120 2953
104.152.52.32 2929
205.185.223.175 2380
122.170.155.239 2369
180.178.94.85 2350
178.128.48.218 2091
61.177.173.3 1887
69.162.124.234 1759
116.110.68.228 1637
116.98.164.231 1454
45.146.164.225 1321
45.146.165.52 1309
103.217.159.205 1211


   Top Network Attackers

ASN Country Name
41985 Ukraine STARGROUP-UA-AS, UA
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
14061 United States DIGITALOCEAN-ASN, US
133115 Hong Kong SAR China HKKFGL-AS-AP HK Kwaifong Group Limited, HK
213371 Netherlands SQUITTER-NETWORKS, NL
14987 United States RETHEMHOSTING, US
33438 United States HIGHWINDS2, US
24560 India AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN
45722 Indonesia INTERSATNET-AS-ID Widya Intersat Nusantara, PT, ID
46475 United States LIMESTONENETWORKS, US
24086 Vietnam VIETTEL-AS-VN Viettel Corporation, VN
49505 Russia SELECTEL, RU
135405 Myanmar (Burma) TMHTTWTL-AS-AP WELINK, MM


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 4 103.133.105.179 , 104.21.35.90 , 185.164.72.13 , 185.55.225.19
Amadey 5 176.111.174.114 , 185.215.113.118 , 185.215.113.57 , 31.192.105.20 , 45.141.84.111
Azorult 5 103.155.92.153 , 104.219.251.247 , 195.123.215.85 , 31.210.20.160 , 91.107.126.97
BlackNet 4 167.172.170.114 , 185.101.105.100 , 185.239.243.112 , 41.96.85.216
BlackRock 1 185.215.113.60
CobaltStrike 17 103.145.86.3 , 103.72.164.76 , 106.54.69.144 , 1.15.138.133 , 129.211.89.72 , 160.119.66.118 , 172.28.37.102 , 175.27.137.79 , 185.64.104.9 , 199.115.230.71 , 35.220.148.106 , 39.106.122.248 , 43.128.230.174 , 45.144.29.242 , 45.63.5.69 , 78.47.203.165 , 79.141.165.44
Collector 3 141.8.192.151 , 141.8.192.169 , 141.8.193.236
Cypress 2 178.208.83.35 , 185.114.247.102
DiamondFox 2 176.111.174.118 , 176.111.174.123
Lokibot 8 104.21.52.161 , 154.120.66.157 , 172.67.201.81 , 172.67.208.203 , 185.180.198.252 , 2.57.89.36 , 45.252.248.59 , 66.29.134.137
Oski 5 158.101.119.84 , 195.133.40.216 , 195.133.40.70 , 195.133.40.93 , 45.133.1.223
Pony 1 45.133.1.152
Redirected 1 176.111.174.80
SupremeMiner 1 31.31.198.206
VKeyLogger 1 178.63.120.107
Trojan C&C Servers DetectedAgentTeslaAmadeyAzorultBlackNetCobaltStrikeCollectorCypressDiamondFoxLokibotOskiOther6.7%8.3%8.3%6.7%8.3%8.3%13.3%5%28.3%
Name Number Discovered
AgentTesla 4
Amadey 5
Azorult 5
BlackNet 4
BlackRock 1
CobaltStrike 17
Collector 3
Cypress 2
DiamondFox 2
Lokibot 8
Oski 5
Pony 1
Redirected 1
SupremeMiner 1
SupremeMiner 1

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos
0a13d106fa3997a0c911edd5aa0e147a https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details mg20201223-1.exe N/A RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos


   Top Phishing Campaigns

Phishing Target Count
Other 1195
Rakuten 8
Facebook 35
Instagram 2
Microsoft 8
Vodafone 3
Steam 20
Amazon.com 17
RuneScape 20
Adobe 1
PayPal 3
Allegro 1
Itau 2
DHL 1
Hermes 2
Caixa 2
Bradesco 4
bitFlyer 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v3.1 Base Score Date Created Date Updated

CVE-2020-17510

Authentication Bypass Vulnerability in Apache Shiro

Apache

 Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 11/05/2021 05/04/2021

CVE-2020-13942

Code Injection Vulnerability in Apache Unomi

Apache

 It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 11/24/2021 05/05/2021

CVE-2020-24636

Remote Code Execution Vulnerability in Aruba IAP

Aruba Networks

 A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 03/29/2021 05/11/2021

CVE-2021-30642

Input Validation Vulnerability in Symantec Security Analytics

Symantec

 An input validation flaw in the Symantec Security Analytics web UI 7.2 prior 7.2.7, 8.1, prior to 8.1.3-NSR3, 8.2, prior to 8.2.1-NSR2 or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/27/2021 05/07/2021

CVE-2020-18020

SQL Injection Vulnerability in PHPSHE Mail System

PHPSHE

 SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user phone" parameter of a crafted HTTP request to the "admin.php" component. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/28/2021 05/05/2021

CVE-2021-29145

SSRF RCE in Aruba Policy Manager

Weak Authentication Vulnerability in Dell EMC Firmware

 Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/30/2021 05/10/2021

CVE-2021-21507

SSRF RCE in Aruba Policy Manager

Aruba Networks

 A remote server-side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/29/2021 05/10/2021
Details
Date Published
May 27, 2021
Category
Threat Intelligence