Threat Intel Banner

   
   Trends

  • The top attacker country was China with 142337 unique attackers (38.00%).
  • The top Trojan C&C server detected was Redline with 23 instances detected.
  • The top phishing campaign detected was against Facebook with 37 instances detected.


   Top Attackers By Country

Country                Occurrences  Percentage
China                       142337      57.37%
United States                63126      25.44%
India                         8830       3.56%
Bulgaria                      5182       2.09%
Singapore                     4884       1.97%
France                        4404       1.77%
Germany                       2736       1.10%
Vietnam                       2690       1.08%
Netherlands                   2327       0.94%
Indonesia                     2255       0.91%
Taiwan                        1800       0.73%
Thailand                      1499       0.60%
Ukraine                       1438       0.58%
United Arab Emirates          1385       0.56%
Colombia                      1316       0.53%
Pakistan                      1025       0.41%
Mexico                         881       0.36%
Ireland                        664       0.27%
[Chart: Top Attackers by Country (pie chart; legend: China, United States, India, Bulgaria, Other; labelled segments 57.2%, 25.4%, 11.8%)]

   
   Threat Geo-location

[Map: Threat Geo-location, attack counts per country on a scale from 664 to 142,337]

   
   Top Attacking Hosts

Host              Occurrences
61.177.173.25           33368
61.177.173.13           18554
218.92.0.208            12239
183.240.204.10           9331
61.177.173.3             8717
172.20.29.251            7454
206.191.151.148          5680
79.124.62.10             5120
138.68.53.185            3319
69.162.124.234           2726
14.98.48.94              2324
94.23.6.189              2324
124.169.216.67           2131
5.39.218.210             1878
180.169.131.147          1655
49.88.112.76             1543
178.18.242.224           1536
125.24.230.183           1499
117.223.81.171           1440
217.165.246.66           1361


   Top Network Attackers

ASN     Country               Name
4134    China                 CHINANET-BACKBONE No.31,Jin-rong Street, CN
56040   China                 CMNET-GUANGDONG-AP China Mobile communications corporation, CN
29791   United States         VOXEL-DOT-NET, US
207812  Bulgaria              DM_AUTO, BG
14061   United States         DIGITALOCEAN-ASN, US
46475   United States         LIMESTONENETWORKS, US
45820   India                 TTSL-MEISISP Tata Teleservices ISP AS, IN
16276   France                OVH, FR
7545    Australia             TPG-INTERNET-AP TPG Telecom Limited, AU
57043   Netherlands           HOSTKEY-AS, NL
4812    China                 CHINANET-SH-AP China Telecom (Group), CN
51167   Germany               CONTABO, DE
23969   Thailand              TOT-NET TOT Public Company Limited, TH
9829    India                 BSNL-NIB National Internet Backbone, IN
5384    United Arab Emirates  EMIRATES-INTERNET Emirates Internet, AE


   Remote Access Trojan C&C Servers Found

Name            Number Discovered  Location
AgentTesla                      5  103.212.121.57, 107.180.27.178, 31.220.2.200, 70.32.23.32, 95.217.195.80
Amadey                          3  185.215.113.28, 185.215.113.67, 185.215.113.74
Azorult                         7  103.15.226.14, 110.5.109.60, 172.94.18.243, 190.61.250.140, 209.133.222.158, 216.10.249.157, 45.144.225.131
BlackNet                        4  145.14.145.115, 34.70.128.92, 52.240.152.251, 82.163.176.128
CobaltStrike                    8  185.153.199.161, 185.153.199.162, 185.153.199.164, 185.153.199.168, 185.153.199.169, 23.106.215.179, 23.106.223.85, 87.251.70.112
Collector                       6  141.8.192.151, 141.8.193.236, 145.14.144.49, 178.208.83.27, 188.225.40.162, 23.254.253.92
Data-Collector                  1  172.67.182.254
DiamondFox                      5  176.111.174.118, 176.111.174.123, 213.159.203.232, 31.210.20.72, 45.133.1.155
Fickere                         1  62.113.117.9
GachiSteal                      1  178.208.83.27
Kpot                            1  5.101.153.90
Lokibot                        15  103.94.135.216, 104.21.8.2, 104.21.96.133, 108.167.188.182, 172.67.203.37, 185.212.129.114, 192.185.113.23, 23.229.238.132, 27.122.57.174, 27.122.57.229, 31.210.20.71, 31.41.44.202, 35.247.234.230, 82.118.22.149, bncoporations.tk
Oski                            5  194.147.142.153, 31.210.20.228, 45.133.1.27, 45.144.225.201, novget.com
Redline                        23  116.202.110.165, 178.157.91.208, 185.254.189.187, 195.123.208.194, 198.98.48.182, 209.182.218.94, 2.56.213.162, 3.10.144.54, 31.148.99.134, 45.141.102.87, 45.142.214.100, 45.142.214.84, 45.142.215.150, 45.150.67.132, 45.150.67.141, 45.67.228.28, 45.67.229.156, 45.67.230.60, 87.251.71.182, 87.251.71.221, 94.103.85.106, faryna.xyz, venusbonus.tk
Seth                            2  34.107.72.79, 35.199.126.54
SmokeLoader                     2  185.153.197.112, 185.153.198.26
Taurus                          7  104.21.1.201, 104.21.23.214, 104.21.74.189, 172.67.141.246, 172.67.194.75, 185.92.148.230, 51.38.218.39
Umbra                           1  145.14.144.17
[Chart: Trojan C&C Servers Detected (pie chart by family: AgentTesla, Amadey, Azorult, BlackNet, CobaltStrike, Collector, DiamondFox, Lokibot, Oski, Redline, Seth, SmokeLoader; labelled segments 27.2%, 23.7%, 15.5%, 8.2%, 7.2%, 7.2%, 6.2%)]

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
84291afce6e5cfd615b1351178d51738 https://www.virustotal.com/gui/file/bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208/details webnavigatorbrowser.exe WebNavigatorBrowser W32.BFBE7022A4.5A6DF6a61.auto.Talos
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos
96f8e4e2d643568cf242ff40d537cd85 https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details SAService.exe SAService PUA.Win.File.Segurazo::95.sbx.tg


   Top Phishing Campaigns

Phishing Target  Count
Facebook            37
RuneScape            8
Other              965
Rakuten              3
Google               2
Caixa                2
LinkedIn             2
Amazon.com          10
Allegro              1
PayPal               2
Microsoft            5
Accurint             2
WeTransfer           2
AOL                  1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE, Title, Vendor, Description, CVSS v3.1 Base Score, Date Created, Date Updated

CVE-2021-27112

Remote Code Execution in Light CMS

Light CMS Project

LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images. The vulnerability can be exploited remotely to deliver malicious code to end users.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/15/2021  Date Updated: 04/19/2021

CVE-2021-25360

Arbitrary Code Execution in Android Devices

Google Android

An improper input validation vulnerability in the libswmfextractor library prior to SMR APR-2021 Release 1 allows attackers to execute arbitrary code in the mediaextractor process.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021  Date Updated: 04/21/2021

CVE-2021-24223

Malicious File Upload Vulnerability in WP Library

WordPress

The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue on any page where a form from the plugin is embedded, as any file can be uploaded. The uploaded filename might be hard to guess, as it is generated with md5(uniqid(rand())); however, on misconfigured servers with directory listing enabled, accessing it is trivial.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/12/2021  Date Updated: 04/19/2021

CVE-2021-22507

Authentication Bypass Vulnerability in MicroFocus Device

Microfocus

Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. The vulnerability could allow remote attackers to bypass user authentication and get unauthorized access.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/08/2021  Date Updated: 04/14/2021

CVE-2021-20021

Privilege Escalation Vulnerability in SonicWall Email Security

PHPNuke

A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021  Date Updated: 04/14/2021

CVE-2021-1479

Remote Code Execution Vulnerability in Cisco vManage Software

Cisco

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details section of the Cisco advisory.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/08/2021  Date Updated: 04/19/2021

CVE-2020-27236

SQL Injection Vulnerability in Openclinic

Openclinic

An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3 in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/13/2021  Date Updated: 04/14/2021
Date Published: April 30, 2021