Threat Intel Banner

   
   Trends

  • The top attacker country was Russia, with 92,067 unique attackers (43.33% of the total).
  • The top Trojan C&C family detected was Redline, with 20 servers identified.
  • The top phishing target was Facebook, with 11 campaigns detected.


   Top Attackers By Country

Country               Occurrences   Percentage
Russia                     92,067       43.33%
China                      47,947       22.56%
United States              43,363       20.41%
Panama                      4,838        2.28%
Indonesia                   3,887        1.83%
India                       3,305        1.56%
Netherlands                 3,231        1.52%
Belize                      2,678        1.26%
Pakistan                    2,077        0.98%
Spain                       1,905        0.90%
Hong Kong                   1,609        0.76%
Trinidad and Tobago         1,453        0.68%
Saudi Arabia                1,209        0.57%
Mexico                      1,038        0.49%
Colombia                    1,017        0.48%
Ukraine                       873        0.41%

Percentages are of the 212,497 occurrences summed over the countries listed; the first three countries account for 86% of everything observed.

   
   Threat Geo-location

[Map: attacker occurrences by country. The colour scale runs from 873 (Ukraine) to 92,067 (Russia), the extremes of the table above.]

   
   Top Attacking Hosts

Host                Occurrences
61.177.173.16            13,600
91.241.19.81             12,463
91.241.19.86             11,923
185.153.199.84           11,907
91.241.19.238             8,614
185.137.234.48            8,161
91.241.19.244             5,257
91.241.19.59              4,662
91.241.19.57              4,651
45.227.253.124            4,641
91.241.19.85              4,470
61.68.15.29               4,393
120.220.14.249            4,057
77.161.85.80              3,231
14.203.92.214             2,792
77.247.110.184            2,678
149.167.140.155           2,544
66.96.238.61              2,351
63.143.42.242             2,308
202.47.41.49              2,077

Seven of the twenty hosts sit in 91.241.19.0/24; a deny-list built from this table should carry that prefix rather than seven individual addresses.
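The grouping claimed above, worked through in code. This is an added example and not part of the original banner: HOST_COUNTS is copied from the table, while the /24 pivot, the min_hosts threshold and the deny-list shape are my assumptions about how to turn the list into something a firewall can consume.

```python
"""Pivot the Top Attacking Hosts table into network blocks.

Added example, not part of the original banner. HOST_COUNTS is copied
from the table above; grouping by /24 and the min_hosts threshold are
assumptions about how to turn the list into a deny-list.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# (host, occurrences) exactly as listed in the table above
HOST_COUNTS = [
    ("61.177.173.16", 13600), ("91.241.19.81", 12463), ("91.241.19.86", 11923),
    ("185.153.199.84", 11907), ("91.241.19.238", 8614), ("185.137.234.48", 8161),
    ("91.241.19.244", 5257), ("91.241.19.59", 4662), ("91.241.19.57", 4651),
    ("45.227.253.124", 4641), ("91.241.19.85", 4470), ("61.68.15.29", 4393),
    ("120.220.14.249", 4057), ("77.161.85.80", 3231), ("14.203.92.214", 2792),
    ("77.247.110.184", 2678), ("149.167.140.155", 2544), ("66.96.238.61", 2351),
    ("63.143.42.242", 2308), ("202.47.41.49", 2077),
]


def aggregate_by_prefix(host_counts, prefix=24):
    """Group hosts into /prefix networks.

    Returns a list of (network, distinct_hosts, total_occurrences) sorted
    by total occurrences, highest first (network string breaks ties).
    """
    totals = defaultdict(lambda: [0, 0])
    for host, count in host_counts:
        net = ip_network(f"{ip_address(host)}/{prefix}", strict=False)
        totals[net][0] += 1
        totals[net][1] += count
    rows = [(str(net), hosts, total) for net, (hosts, total) in totals.items()]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


def deny_list(host_counts, prefix=24, min_hosts=3):
    """Build CIDR deny-list entries.

    A /prefix that contributes at least min_hosts distinct attackers is
    listed once as the whole prefix; every other host is listed as a /32.
    """
    grouped = aggregate_by_prefix(host_counts, prefix)
    wide = {net for net, hosts, _ in grouped if hosts >= min_hosts}
    entries = set(wide)
    for host, _ in host_counts:
        net = str(ip_network(f"{host}/{prefix}", strict=False))
        if net not in wide:
            entries.add(f"{host}/32")
    return sorted(entries, key=ip_network)


if __name__ == "__main__":
    for net, hosts, total in aggregate_by_prefix(HOST_COUNTS)[:5]:
        print(f"{net:<18} hosts={hosts:<2} occurrences={total}")
    print("deny-list:", deny_list(HOST_COUNTS))
```

The threshold matters: with min_hosts=3 the 91.241.19.0/24 block collapses to one entry while 185.153.199.84 and 185.137.234.48, which share a /16 but not a /24, stay as individual hosts, so nothing outside the observed range is blocked on the strength of one address.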


   Top Network Attackers

ASN      Country         Name
4134     China           CHINANET-BACKBONE No.31,Jin-rong Street, CN
207566   Russia          HOSTWAY-AS, RU
49877    Moldova         RMINJINERING, RU
49505    Russia          SELECTEL, RU
49453    Panama          GLOBALLAYER, NL
7545     Australia       TPG-INTERNET-AP TPG Telecom Limited, AU
24444    China           CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
1136     Netherlands     KPN KPN National, NL
213371   Netherlands     SQUITTER-NETWORKS, NL
135887   Australia       TELSTRA-BELONG-AP Belong Telstra Corporation, AU
63859    Indonesia       MYREPUBLIC-AS-ID PT. Eka Mas Republik, ID
46475    United States   LIMESTONENETWORKS, US
9541     Pakistan        CYBERNET-AP Cyber Internet Services Pvt Ltd., PK

The Country column and the registration country in the AS name do not always agree (AS49877 and AS49453); pivot on the ASN, not the country, when correlating with other feeds.


   Remote Access Trojan C&C Servers Found

Name         Number Discovered   Location
AgentTesla   2                   103.153.182.50, 141.8.192.151
Amadey       5                   185.215.113.53, 185.215.113.79, 194.26.29.220, 37.1.203.90, 94.140.115.70
Azorult      2                   195.133.40.176, 2.56.59.196
BlackNet     2                   172.93.121.8, 185.212.44.211
Collector    5                   141.8.192.151, 141.8.193.236, 185.137.235.119, 81.177.135.251, 95.181.163.143
Cypress      1                   185.114.247.102
DiamondFox   1                   195.133.40.146
Ficker       2                   109.234.38.213, 195.2.85.152
HiddenTear   1                   94.199.200.45
login.php    1                   matixx.xyz
Lokibot      4                   104.21.2.166, 104.21.88.207, 172.67.138.58, 206.189.114.152
Oski         2                   173.231.206.89, 45.180.174.39
Raccoon      1                   34.105.169.29
Redline      20                  103.246.147.66, 129.146.180.22, 129.146.47.51, 149.202.7.96, 176.111.174.254, 185.173.36.104, 185.215.113.15, 185.215.113.50, 185.215.113.62, 185.215.113.64, 185.237.165.42, 185.241.54.128, 185.92.148.234, 193.0.61.155, 193.38.54.101, 45.139.236.24, 46.29.114.16, 85.192.56.21, 85.192.56.35, 86.107.197.64
Vidar        1                   159.69.20.131
Zeus         1                   212.192.241.97

Three things to note before these go into a blocklist. 141.8.192.151 is attributed to both AgentTesla and Collector, and 185.215.113.0/24 hosts Amadey (.53, .79) as well as Redline (.15, .50, .62, .64) panels, so one hit may mean more than one family. The login.php row carries a panel path rather than a family name; match on the domain matixx.xyz. The Lokibot addresses 104.21.2.166, 104.21.88.207 and 172.67.138.58 are in Cloudflare address space, so they identify a proxied panel and not the origin host; block those by hostname or URL, since blocking the IPs would also cut off unrelated Cloudflare-fronted sites.
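The table above turned into a detection check. This is an added example, not part of the original banner: C2_SERVERS is copied from the table, while the key=value log format, the sample lines (constructed, not real traffic) and the src/dst/host field names are my assumptions.

```python
"""Match the C&C indicators above against connection-log lines.

Added example, not part of the original banner. C2_SERVERS is copied
from the table above; the key=value log format and the sample lines
are constructed for the demonstration.
"""
import re
from collections import defaultdict

C2_SERVERS = {
    "AgentTesla": ["103.153.182.50", "141.8.192.151"],
    "Amadey": ["185.215.113.53", "185.215.113.79", "194.26.29.220", "37.1.203.90", "94.140.115.70"],
    "Azorult": ["195.133.40.176", "2.56.59.196"],
    "BlackNet": ["172.93.121.8", "185.212.44.211"],
    "Collector": ["141.8.192.151", "141.8.193.236", "185.137.235.119", "81.177.135.251", "95.181.163.143"],
    "Cypress": ["185.114.247.102"],
    "DiamondFox": ["195.133.40.146"],
    "Ficker": ["109.234.38.213", "195.2.85.152"],
    "HiddenTear": ["94.199.200.45"],
    "login.php": ["matixx.xyz"],
    "Lokibot": ["104.21.2.166", "104.21.88.207", "172.67.138.58", "206.189.114.152"],
    "Oski": ["173.231.206.89", "45.180.174.39"],
    "Raccoon": ["34.105.169.29"],
    "Redline": ["103.246.147.66", "129.146.180.22", "129.146.47.51", "149.202.7.96",
                "176.111.174.254", "185.173.36.104", "185.215.113.15", "185.215.113.50",
                "185.215.113.62", "185.215.113.64", "185.237.165.42", "185.241.54.128",
                "185.92.148.234", "193.0.61.155", "193.38.54.101", "45.139.236.24",
                "46.29.114.16", "85.192.56.21", "85.192.56.35", "86.107.197.64"],
    "Vidar": ["159.69.20.131"],
    "Zeus": ["212.192.241.97"],
}


def build_index(table):
    """Invert family -> indicators into indicator -> set(families)."""
    index = defaultdict(set)
    for family, indicators in table.items():
        for ioc in indicators:
            index[ioc].add(family)
    return index


def shared_infrastructure(table):
    """Indicators the feed attributes to more than one family."""
    return {ioc: sorted(fams) for ioc, fams in build_index(table).items() if len(fams) > 1}


def parse_fields(line):
    """Constructed log format: '<ts> src=<ip> dst=<ip> dport=<n> [host=<name>]'."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def scan_logs(lines, table):
    """Return (src, matched_indicator, families) for each line that touches an indicator.

    The HTTP/SNI host is checked before the destination address so a
    domain indicator wins over whatever IP it currently resolves to.
    """
    index = build_index(table)
    hits = []
    for line in lines:
        fields = parse_fields(line)
        for key in ("host", "dst"):
            value = fields.get(key)
            if value in index:
                hits.append((fields.get("src"), value, sorted(index[value])))
                break
    return hits


SAMPLE_LOGS = [  # constructed, not real traffic
    "2021-06-23T10:14:05Z src=10.0.3.14 dst=185.215.113.53 dport=80",
    "2021-06-23T10:14:09Z src=10.0.3.14 dst=198.51.100.7 dport=443 host=example.com",
    "2021-06-23T10:15:31Z src=10.0.7.2 dst=203.0.113.9 dport=443 host=matixx.xyz",
    "2021-06-23T10:16:02Z src=10.0.9.8 dst=141.8.192.151 dport=80",
]

if __name__ == "__main__":
    print("shared:", shared_infrastructure(C2_SERVERS))
    for src, ioc, families in scan_logs(SAMPLE_LOGS, C2_SERVERS):
        print(f"{src} -> {ioc}  ({', '.join(families)})")
```

Inverting the table before scanning is what surfaces the shared indicator: a hit on 141.8.192.151 comes back tagged with both AgentTesla and Collector, so the triage ticket carries both names instead of whichever family happened to be listed first.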

    
   Common Malware

Each entry gives the MD5, the VirusTotal report (the SHA-256 is the hash in the URL path), the file name, the product name claimed in the file's metadata and the Talos/ClamAV detection name.

MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
File name: ww31.exe
Claimed product: N/A
Detection name: W32.GenericKD:Attribute.24ch.1201

MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
File name: SAService.exe
Claimed product: SAService
Detection name: PUA.Win.Dropper.Segurazo::95.sbx.tg

MD5: f2c1aa209e185ed50bf9ae8161914954
VirusTotal: https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details
File name: webnavigatorbrowser.exe
Claimed product: WebNavigatorBrowser
Detection name: W32.5524FEE1BB.5A6DF6a61.auto.Talos

MD5: 6be10a13c17391218704dc24b34cf736
VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details
File name: smbscanlocal0906.exe
Claimed product: N/A
Detection name: Win.Dropper.Ranumbot::in03.talos

MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
File name: SAntivirusService.exe
Claimed product: A n t i v i r u s S e r v i c e (as written in the file's metadata)
Detection name: PUA.Win.Dropper.Segurazo::tpd


   Top Phishing Campaigns

Phishing Target   Count
Other               412
Facebook             11
Steam                 3
PayPal                2
Netflix               2
Amazon.com            2
Visa                  1
Microsoft             1
Rakuten               1
RuneScape             1
Bancasa               1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry gives the CVE, title and vendor, the description, the CVSS base score with its vector, and the dates the entry was created and last updated.

CVE-2020-14871

Buffer Overflow Vulnerability in the Oracle Solaris PAM module (Remote Code Execution)

Oracle

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 10/21/2020   Date Updated: 06/22/2021

CVE-2021-31950

Spoofing Vulnerability in Microsoft SharePoint Server

Microsoft

Microsoft SharePoint Server Spoofing Vulnerability. This CVE ID is unique from CVE-2021-31948 and CVE-2021-31964.

CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Date Created: 06/08/2021   Date Updated: 06/15/2021

CVE-2013-4988

Buffer Overflow Vulnerability in IcoFX

IcoFX

Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote attackers to execute arbitrary code via a long idCount value in an ICONDIR structure in an ICO file. NOTE: some of these details are obtained from third party information.

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) (the vector is CVSS v2, not v3.1, as the Au and C/I/A:C metrics show)
Date Created: 12/13/2013   Date Updated: 06/07/2021

CVE-2020-13927

Weak Authentication Vulnerability in Apache Airflow

Apache

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, which poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests, as documented at https://airflow.apache.org/docs/apache-airflow/1.10.11/security.html#api-authentication. Note that this change only fixes new installs; existing users need to change their config to `[api] auth_backend = airflow.api.auth.backend.deny_all`, as described in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 11/10/2020   Date Updated: 06/02/2021

CVE-2020-11978

Code Injection Vulnerability in Apache Airflow

Apache

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running the airflow worker or scheduler (depending on the executor in use). If you already have the examples disabled by setting `load_examples = False` in the config, you are not vulnerable.

CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/16/2020   Date Updated: 06/02/2021
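The two Airflow entries above both come down to an `airflow.cfg` setting, so here is one audit that checks both: the Experimental API backend for CVE-2020-13927 and `load_examples` for CVE-2020-11978. This is an added example and not Airflow project code. The option names and the two backend module paths (`airflow.api.auth.backend.default`, the pre-1.10.11 allow-all default, and `airflow.api.auth.backend.deny_all`) are the ones Airflow documents; the sample config texts, the audit function and its finding format are constructed here.

```python
"""Audit an airflow.cfg for the weak settings behind CVE-2020-13927 and CVE-2020-11978.

Added example, not Airflow project code. The option names and the two
backend module paths are the ones Airflow documents; the sample config
texts, the audit function and its finding format are constructed here.
"""
import configparser

# Pre-1.10.11 default for the Experimental API: accepts every request.
ALLOW_ALL_BACKEND = "airflow.api.auth.backend.default"
# The 1.10.11+ default, and the value existing installs must set by hand.
DENY_ALL_BACKEND = "airflow.api.auth.backend.deny_all"


def audit_airflow_cfg(cfg_text):
    """Return a list of (cve_id, message) findings for one airflow.cfg."""
    # airflow.cfg uses %-style values elsewhere, so disable interpolation
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []

    backend = cfg.get("api", "auth_backend", fallback="").strip()
    if backend == "":
        findings.append(("CVE-2020-13927",
                         "[api] auth_backend not set: on Airflow < 1.10.11 the "
                         f"default is {ALLOW_ALL_BACKEND}; set {DENY_ALL_BACKEND}"))
    elif backend == ALLOW_ALL_BACKEND:
        findings.append(("CVE-2020-13927",
                         f"[api] auth_backend = {ALLOW_ALL_BACKEND} accepts "
                         f"unauthenticated API requests; set {DENY_ALL_BACKEND}"))

    # load_examples defaults to True, which loads the vulnerable example DAG
    if cfg.getboolean("core", "load_examples", fallback=True):
        findings.append(("CVE-2020-11978",
                         "[core] load_examples is True (the default): the example "
                         "DAG with the command-injection bug is loaded on Airflow "
                         "<= 1.10.10; set load_examples = False or upgrade"))
    return findings


VULNERABLE_CFG = """\
# constructed sample: the weak defaults spelled out explicitly
[core]
load_examples = True

[api]
auth_backend = airflow.api.auth.backend.default
"""

HARDENED_CFG = """\
# constructed sample: what the two advisories ask for
[core]
load_examples = False

[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

BARE_CFG = """\
# constructed sample: neither option present, so both defaults apply
[core]
dags_folder = /opt/airflow/dags
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_CFG),
                       ("hardened", HARDENED_CFG),
                       ("bare", BARE_CFG)):
        print(name, audit_airflow_cfg(text) or "OK")
```

The BARE_CFG case is the one that catches people: a config that never mentions either option looks clean but inherits both weak defaults on the affected releases, which is why an unset `auth_backend` is reported rather than treated as safe. Pair the check with the running Airflow version, since 1.10.11 and later already deny by default for new installs.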