Trends

  • The top attacker country was China with 110,475 unique attackers (47.40% of all observed).
  • The top Trojan C&C family detected was Heodo with 50 C&C servers identified.
  • The top named phishing target was Facebook with 29 instances detected (a further 1,299 instances fell into the "Other" bucket).


Top Attackers By Country

Country           Occurrences   Percentage
China                 110,475       47.40%
United States          48,370       20.75%
Germany                17,754        7.61%
United Kingdom          8,800        3.77%
Netherlands             8,465        3.63%
France                  7,520        3.22%
Canada                  7,161        3.07%
Russia                  6,734        2.88%
Indonesia               6,308        2.70%
Japan                   2,293        0.98%
Brazil                  1,960        <1%
Sweden                  1,910        <1%
Chile                   1,423        <1%
Turkey                  1,186        <1%
Singapore               1,110        <1%
Italy                   1,022        <1%
Colombia                  557        <1%

(Pie chart: Top Attackers by Country; China 47.4%, United States 20.8%, Germany 7.6%, remaining countries grouped as Other.)


Threat Geo-location

(World map of attack sources; per-country colour scale runs from 557 to 110,475 occurrences.)


Top Attacking Hosts

Host               Occurrences
112.85.42.188           32,916
45.129.33.8             16,744
45.129.33.2             15,666
43.252.145.42            5,350
122.194.229.120          5,045
195.54.161.122           3,836
222.141.207.246          2,555
51.178.184.226           2,481
94.102.51.95             2,203
34.200.247.158           2,157
193.0.14.129             1,959
198.97.190.53            1,957
192.5.5.241              1,950
199.7.91.13              1,925
192.203.230.10           1,924

(Bar chart: Top Attackers, occurrences per host on a 0 to 40,000 scale.)

Note that the last five entries (193.0.14.129, 198.97.190.53, 192.5.5.241, 199.7.91.13 and 192.203.230.10) are the K, H, F, D and E DNS root servers; the same origin shows up as the K-ROOT-SERVER ASN under Top Network Attackers below. Traffic from those addresses on a sensor is almost certainly DNS responses to the sensor's own queries or spoofed-source backscatter rather than attacks, so treat those rows as sensor noise and exclude them before acting on this list.


Top Network Attackers

ASN      Country          Name
4837     China            CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
202425   Netherlands      INT-NETWORK, SC
2856     United Kingdom   BT-UK-AS BTnet UK Regional network, GB
56233    Indonesia        ATSINDO-AS-ID PT Asia Teknologi Solusi, ID
49505    Russia           SELECTEL, RU
16276    Romania          OVH, FR
14618    United States    AMAZON-AES, US
25152    Netherlands      K-ROOT-SERVER Reseaux IP Europeens Network Coordination Centre (RIPE NCC), EU


Remote Access Trojan C&C Servers Found

Name       Number Discovered   Location (C&C addresses)
Heodo      50                  104.251.33.179, 108.46.29.236, 109.206.139.119, 110.142.236.207, 111.89.241.139, 115.79.59.157, 116.202.23.3, 118.33.121.37, 118.83.154.64, 119.106.216.84, 12.163.208.58, 121.7.31.214, 142.112.10.95, 153.229.219.1, 159.203.116.47, 173.249.6.108, 174.106.122.139, 175.103.38.146, 177.129.17.170, 180.148.4.130, 181.169.235.7, 185.232.182.218, 185.80.172.199, 190.117.79.209, 190.191.171.72, 192.81.38.31, 195.7.12.8, 202.4.58.197, 216.139.123.119, 220.106.127.191, 223.135.30.189, 27.73.70.219, 2.84.135.163, 37.157.196.117, 38.111.46.46, 45.177.120.36, 45.33.35.74, 51.75.33.127, 60.108.144.104, 60.93.23.51, 66.65.136.14, 67.10.155.92, 68.252.26.78, 70.116.143.84, 73.55.128.120, 76.168.54.203, 78.186.65.230, 85.96.199.93, 93.20.157.143, 94.124.59.22
Lokibot    1                   185.209.1.124
Taurus     1                   195.2.78.152
TrickBot   33                  103.76.169.213, 117.222.63.145, 117.252.214.138, 125.165.20.104, 148.251.185.165, 179.127.88.41, 179.97.246.23, 181.143.186.42, 185.172.129.173, 185.234.72.35, 185.99.2.243, 190.99.97.42, 194.5.249.143, 194.87.110.144, 195.123.240.104, 195.123.240.113, 195.123.241.242, 200.24.67.161, 213.32.84.27, 36.91.87.227, 45.224.213.234, 45.237.241.97, 45.67.231.68, 45.89.125.148, 5.152.210.188, 5.182.210.156, 51.89.163.40, 85.204.116.173, 86.104.194.38, 86.104.194.77, 88.150.180.32, 88.150.197.172, 89.223.126.186

(Pie chart: Trojan C&C Servers Detected; Heodo 58.8%, TrickBot 38.8%, Lokibot and Taurus grouped as Other.)
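The usual way to act on the C&C addresses above is to load them as indicators and match them against outbound connection logs. The following is an added Python example, not code from this digest or from any of the listed malware families' analyses: it parses rows in the same "family count ip, ip, ..." shape as the table (only a subset of the listed addresses is embedded), then scans constructed key=value firewall log lines (not real traffic; the log format is an assumption) and reports each connection to a listed C&C address together with its family.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Rows in the shape of the digest's C&C table: "<family> <count> <ip> , <ip> , ...".
# Only a subset of the listed addresses is reproduced here; extend as needed.
C2_TABLE = """\
Heodo 50 104.251.33.179 , 108.46.29.236 , 116.202.23.3 , 159.203.116.47
TrickBot 33 103.76.169.213 , 148.251.185.165 , 51.89.163.40 , 195.123.240.104
Lokibot 1 185.209.1.124
Taurus 1 195.2.78.152
"""


def parse_c2_table(text: str) -> Dict[str, str]:
    """Map each C&C IP in a digest-style table to its malware family.

    Every token after the count is validated as an IPv4/IPv6 address; a
    malformed indicator raises instead of being silently ignored, so a
    copy-paste error cannot quietly blind the detection.
    """
    iocs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        family, _count, ip_blob = parts
        for token in ip_blob.split(","):
            token = token.strip()
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                raise ValueError(f"bad indicator {token!r} for {family}") from None
            iocs[str(ip)] = family
    return iocs


# Assumed log format: whitespace-separated key=value pairs, as many firewalls emit.
KV_RE = re.compile(r"(\w+)=(\S+)")


def scan_logs(lines: Iterable[str], iocs: Dict[str, str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, src, dst, family) for every connection whose
    destination is a known C&C address, regardless of allow/deny verdict."""
    hits: List[Tuple[int, str, str, str]] = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        dst = fields.get("dst")
        if dst is not None and dst in iocs:
            hits.append((n, fields.get("src", "?"), dst, iocs[dst]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-09-28T10:01:02Z action=allow src=10.0.0.15 dst=104.251.33.179 dport=8080 proto=tcp",
    "2020-09-28T10:01:05Z action=allow src=10.0.0.22 dst=93.184.216.34 dport=443 proto=tcp",
    "2020-09-28T10:02:11Z action=allow src=10.0.0.15 dst=195.123.240.104 dport=443 proto=tcp",
    "2020-09-28T10:03:40Z action=deny src=10.0.0.9 dst=185.209.1.124 dport=80 proto=tcp",
]

if __name__ == "__main__":
    indicators = parse_c2_table(C2_TABLE)
    for n, src, dst, family in scan_logs(SAMPLE_LOG, indicators):
        print(f"line {n}: {src} -> {dst} ({family} C&C)")
```

Denied connections are reported as well as allowed ones: a blocked attempt to reach a Lokibot server still means the source host is running the loader and needs to be looked at.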


Common Malware

MD5:              bd4b03e6127a34ecab890f6eb1546634
VirusTotal:       https://www.virustotal.com/gui/file/52c8cff981e5d541e4b2930a4a5e0b0a495d62c8237e91538d94c03a048dd51d/details
File name:        wupxarch.exe
Claimed product:  N/A
Detection name:   Win.Dropper.Ranumbot::95.sbx.tg

MD5:              8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:       https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File name:        Eter.exe
Claimed product:  N/A
Detection name:   Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5:              73d1de319c7d61e0333471c82f2fc104
VirusTotal:       https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details
File name:        SAntivirusService.exe
Claimed product:  AntivirusService
Detection name:   Win.Dropper.Segurazo::tpd

MD5:              e2ea315d9a83e7577053f52c974f6a5a
VirusTotal:       https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
File name:        Tempmf582901854.exe
Claimed product:  N/A
Detection name:   Win.Dropper.Agentwdcr::1201

MD5:              bc26fd7a0b7fe005e116f5ff2227ea4d
VirusTotal:       https://www.virustotal.com/gui/file/60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d/details
File name:        svchost.exe
Claimed product:  N/A
Detection name:   Win.Dropper.Python::1201


Top Phishing Campaigns

Phishing Target (Users)   Count
Other                      1299
Facebook                     29
PayPal                        9
Halifax                       3
Amazon.com                   11
Netflix                       1
AOL                           2
Google                       10
Microsoft                     7
Visa                          1
Adobe                         1
LinkedIn                      1
VirusTotal                    2


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE-2020-1472
Title:         Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor:        Microsoft
Description:   An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3.1:     10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created:  08/17/2020
Date Updated:  09/28/2020

CVE-2020-14386
Title:         Linux kernel "af_packet.c" Memory Corruption Vulnerability
Vendor:        Multi-Vendor
Description:   A memory corruption vulnerability exists in the Linux kernel's AF_PACKET socket implementation (net/packet/af_packet.c) that can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS v3.1:     6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Date Created:  09/16/2020
Date Updated:  09/28/2020

CVE-2020-4486
Title:         IBM QRadar Arbitrary File Overwrite Vulnerability
Vendor:        IBM
Description:   IBM QRadar allows an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation.
CVSS v3.1:     8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Date Created:  08/11/2020
Date Updated:  08/11/2020

CVE-2020-8437
Title:         BitTorrent uTorrent Denial of Service Vulnerability
Vendor:        BitTorrent
Description:   The bencoding parser in BitTorrent uTorrent misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.
CVSS v3.1:     7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date Created:  03/02/2020
Date Updated:  03/05/2020

CVE-2020-1350
Title:         Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor:        Microsoft
Description:   A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3.1:     10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created:  07/14/2020
Date Updated:  07/23/2020

CVE-2020-9496
Title:         Apache OFBiz XML-RPC Cross-Site Scripting Vulnerability
Vendor:        Apache
Description:   Apache OFBiz XML-RPC requests are vulnerable to unsafe deserialization and cross-site scripting.
CVSS v3.1:     6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Date Created:  07/15/2020
Date Updated:  08/17/2020

CVE-2020-16875
Title:         Microsoft Exchange Server Remote Code Execution Vulnerability
Vendor:        Microsoft
Description:   A remote code execution vulnerability exists in Microsoft Exchange Server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.
CVSS v3.1:     8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
Date Created:  09/11/2020
Date Updated:  09/17/2020

CVE-2020-2037
Title:         PAN-OS Management Interface Command Injection Vulnerability
Vendor:        Palo Alto Networks
Description:   An OS command injection vulnerability in the PAN-OS management interface allows an authenticated administrator to execute arbitrary OS commands with root privileges, escalating from an administrative web session to full control of the device.
CVSS v3.1:     7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Date Created:  09/09/2020
Date Updated:  09/15/2020

CVE-2020-1380
Title:         Microsoft Scripting Engine Memory Corruption Vulnerability
Vendor:        Microsoft
Description:   A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
CVSS v3.1:     7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date Created:  08/17/2020
Date Updated:  08/21/2020
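CVE-2020-8437 in the list above is a parser bug: nested bencoded dictionaries are misparsed and the client can be knocked over remotely. The page does not describe the faulty code, so the following added Python example (written for this page, not uTorrent's code) shows the defensive shape a bencode decoder should have when it is fed attacker-controlled input: bounded nesting depth, strict integer and length syntax, sorted and unique dictionary keys, every key paired with a value, and no trailing bytes. The depth limit MAX_DEPTH = 32 is an assumed value.

```python
import re
from typing import Any, Dict, List, Tuple

MAX_DEPTH = 32  # assumed limit on container nesting; bounds recursion on hostile input
_INT_RE = re.compile(rb"-?(0|[1-9][0-9]*)")   # no leading zeros, no empty body
_LEN_RE = re.compile(rb"0|[1-9][0-9]*")       # string length prefix


class BencodeError(ValueError):
    """Raised for any malformed input; callers never receive a partial result."""


def decode(data: bytes, max_depth: int = MAX_DEPTH) -> Any:
    """Strictly decode exactly one bencoded value from data."""
    value, end = _decode(data, 0, 0, max_depth)
    if end != len(data):
        raise BencodeError(f"trailing data at offset {end}")
    return value


def is_valid(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True if data is a single well-formed bencoded value under the limits."""
    try:
        decode(data, max_depth)
        return True
    except BencodeError:
        return False


def _decode(data: bytes, pos: int, depth: int, max_depth: int) -> Tuple[Any, int]:
    if pos >= len(data):
        raise BencodeError("unexpected end of input")
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.find(b"e", pos)
        body = data[pos + 1:end] if end >= 0 else b""
        if not _INT_RE.fullmatch(body) or body == b"-0":
            raise BencodeError(f"bad integer at offset {pos}")
        return int(body), end + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.find(b":", pos)
        if colon < 0 or not _LEN_RE.fullmatch(data[pos:colon]):
            raise BencodeError(f"bad string length at offset {pos}")
        start, end = colon + 1, colon + 1 + int(data[pos:colon])
        if end > len(data):
            raise BencodeError("string length exceeds input")
        return data[start:end], end
    if c in (b"l", b"d"):                           # containers: l...e / d...e
        if depth >= max_depth:
            raise BencodeError(f"nesting deeper than {max_depth}")
        parser = _decode_list if c == b"l" else _decode_dict
        return parser(data, pos + 1, depth + 1, max_depth)
    raise BencodeError(f"invalid type byte {c!r} at offset {pos}")


def _decode_list(data: bytes, pos: int, depth: int, max_depth: int) -> Tuple[List[Any], int]:
    items: List[Any] = []
    while True:
        if pos >= len(data):
            raise BencodeError("unterminated list")
        if data[pos:pos + 1] == b"e":
            return items, pos + 1
        item, pos = _decode(data, pos, depth, max_depth)
        items.append(item)


def _decode_dict(data: bytes, pos: int, depth: int, max_depth: int) -> Tuple[Dict[bytes, Any], int]:
    result: Dict[bytes, Any] = {}
    last_key = None
    while True:
        if pos >= len(data):
            raise BencodeError("unterminated dictionary")
        if data[pos:pos + 1] == b"e":
            return result, pos + 1
        key, pos = _decode(data, pos, depth, max_depth)
        if not isinstance(key, bytes):
            raise BencodeError("dictionary key is not a byte string")
        if last_key is not None and key <= last_key:   # spec: keys sorted, so also unique
            raise BencodeError(f"duplicate or unsorted key {key!r}")
        if data[pos:pos + 1] in (b"", b"e"):           # a key must be followed by a value
            raise BencodeError(f"key {key!r} has no value")
        result[key], pos = _decode(data, pos, depth, max_depth)
        last_key = key


if __name__ == "__main__":
    print(decode(b"d3:cowd3:moo4:spame4:spaml1:a1:bee"))   # nested dict inside a dict
    print(is_valid(b"d3:keyd3:fooee"))                      # inner dict: key without value
    print(is_valid(b"l" * 40 + b"e" * 40))                  # deeper than MAX_DEPTH
```

Rejecting unsorted keys is stricter than some real-world encoders, but sorted-and-unique is what the format specifies, and accepting duplicate keys is exactly the kind of ambiguity that lets two parsers disagree about the same torrent. The depth bound turns a recursion-exhaustion crash into a clean error, which is the failure mode that matters for a client parsing peer-supplied data.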
Tuesday, September 29, 2020 By john