Trends

  • The top attacker country was China with 398353 unique attackers (58.00%).
  • The top Trojan C&C servers detected were TrickBot and Heodo with 18 instances detected each.


Top Attackers By Country

Country | Occurrences | Percentage
China | 398,353 | 58.00%
United States | 67,944 | 9.00%
Australia | 63,586 | 9.00%
South Africa | 19,271 | 2.00%
Chile | 17,312 | 2.00%
South Korea | 17,094 | 2.00%
India | 12,718 | 1.00%
France | 10,223 | 1.00%
United Kingdom | 8,669 | 1.00%
Canada | 8,156 | 1.00%
Brazil | 7,892 | 1.00%
Indonesia | 7,221 | 1.00%
Russia | 5,219 | 0%
Netherlands | 3,903 | 0%
Iran | 2,159 | 0%
Venezuela | 1,397 | 0%
Ukraine | 1,369 | 0%
Hong Kong | 892 | 0%
Nepal | 788 | 0%


[Figure: Top Attackers by Country, pie chart of the per-country attack counts listed in the table above, with the smaller countries grouped as "Other".]


Threat Geo-location

[Figure: Threat Geo-location world map; the scale runs from 788 to 398,353 attackers per country.]


Top Attacking Hosts

Host | Occurrences
112.85.42.187 | 42,799
112.85.42.88 | 34,612
218.92.0.190 | 15,755
49.88.112.115 | 13,619
103.44.253.24 | 12,103
112.85.42.189 | 8,478
61.177.172.13 | 7,021
112.85.42.238 | 6,170
27.106.60.179 | 5,842
222.186.175.148 | 3,637
222.186.169.192 | 3,470
222.186.173.226 | 3,430
222.186.173.238 | 3,400
222.186.173.154 | 3,310
[Figure: Top Attackers, bar chart of occurrences per host (0 to 60,000) for the hosts listed in the table above.]


Top Network Attackers

ASN | Country | Name
4837 | China | CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134 | China | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4816 | China | CHINANET-IDC-GD China Telecom (Group), CN
45194 | India | SIPL-AS Syscon Infoway Pvt. Ltd., IN
23650 | China | CHINANET-JIANGSU-PROVINCE-IDC AS Number for CHINANET jiangsu province backbone, CN


Remote Access Trojan C&C Servers Found

Name | Number Discovered | Location
Heodo | 18 | 108.26.231.214, 124.45.106.173, 153.204.32.49, 157.7.199.53, 187.106.41.99, 187.207.207.16, 190.163.31.26, 190.164.75.175, 190.96.118.251, 201.170.77.7, 212.156.133.218, 212.231.60.98, 70.167.215.250, 71.208.216.10, 71.50.31.38, 74.207.230.187, 78.189.111.208, 95.9.185.228
TrickBot | 18 | 107.174.26.187, 162.216.0.187, 162.216.0.190, 185.14.31.135, 185.164.32.204, 185.172.165.211, 188.40.203.209, 188.40.203.215, 194.5.249.15, 195.123.221.121, 195.123.239.53, 217.12.209.44, 46.17.107.116, 78.108.216.13, 80.82.68.132, 80.82.68.32, 93.189.41.213, 93.189.42.114
[Figure: Trojan C&C Servers Detected, pie chart: Heodo 50% (18), TrickBot 50% (18).]


Common Malware

MD5 | VirusTotal | FileName | Claimed Product | Detection Name
34560233e751b7e95f155b6f61e7419a | https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details | SAService.exe | SAService | PUA.Win.Dropper.Segurazo::tpd
179c09b866c9063254083216b55693e6 | https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details | SAService.exe | SAService | PUA.Win.File.Segurazo::95.sbx.tg
a10a6d9dfc0328a391a3fdb1a9fb18db | https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details | FlashHelperServices.exe | FlashHelperService | PUA.Win.Adware.Flashserv::100.sbx.vioc
8193b63313019b614d5be721c538486b | https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details | SAntivirusService.exe | SAService | PUA.Win.Dropper.Segurazo::95.sbx.tg
e2ea315d9a83e7577053f52c974f6a5a | https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details | c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin | N/A | Win.Dropper.Agentwdcr::1201


Top Phishing Campaigns

Phishing Target | Count
Other | 1502
Facebook | 177
Three | 17
Blockchain | 1
RuneScape | 50
Apple | 2
Microsoft | 14
PayPal | 4
DHL | 3
TSB | 1
Westpac | 1
Twitter | 1
Amazon.com | 4
Caixa | 2
Virustotal | 1
Dropbox | 1


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry lists the CVE, title and vendor, followed by the description, the CVSS v3.1 base score with its vector, and the dates the entry was created and last updated.

CVE-2020-8605
Title: Trend Micro Web Security Virtual Appliance Remote Code Execution Vulnerability
Vendor: Trend Micro
Description: A vulnerability in Trend Micro InterScan Web Security Virtual Appliance may allow remote attackers to execute arbitrary code on affected installations. An attacker can leverage this vulnerability to disclose information in the context of the IWSS user. An authenticated remote attacker could exploit a command injection vulnerability in the product, leading to remote code execution.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/27/2020
Date Updated: 07/14/2020

CVE-2020-1350
Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 07/14/2020
Date Updated: 07/23/2020

CVE-2020-5902
Title: F5 BIG-IP Remote Code Execution Vulnerability
Vendor: F5
Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers to read files, execute code or take complete control of vulnerable systems that are reachable over the network.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/01/2020
Date Updated: 07/21/2020

CVE-2020-6287
Title: SAP NetWeaver Application Server JAVA Multiple Vulnerabilities
Vendor: SAP
Description: SAP NetWeaver AS JAVA (LM Configuration Wizard) does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system (Missing Authentication Check). An unauthenticated attacker can exploit this vulnerability over the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 07/14/2020
Date Updated: 07/16/2020

CVE-2020-15363
Title: WordPress Theme NexosReal Estate 'search_order' SQL Injection Vulnerability
Vendor: Nexos
Description: The NexosReal Estate Theme is exposed to a remote SQL injection vulnerability through the search_order parameter of side-map/ (side-map/?search_order=).
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/28/2020
Date Updated: 07/22/2020

CVE-2020-13866
Title: WinGate Privilege Escalation Vulnerability
Vendor: qbik
Description: WinGate has insecure permissions on its installation directory, which allows local users to gain privileges by replacing an executable file with a Trojan horse. The WinGate directory grants full control to authenticated users, who can then run arbitrary code as SYSTEM after a WinGate restart or system reboot.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/08/2020
Date Updated: 06/11/2020

CVE-2020-2021
Title: Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability
Vendor: Palo Alto Networks
Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 06/29/2020
Date Updated: 07/06/2020

CVE-2020-3952
Title: VMware vCenter vmdir Information Disclosure Vulnerability
Vendor: VMware
Description: Under certain conditions vmdir does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services that depend on vmdir for authentication.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/10/2020
Date Updated: 06/02/2020
Monday, July 27, 2020 By john