Trends

  • The top attacker country was China with 458440 unique attackers (44.00%).
  • The top Trojan C&C server detected was Oski with 7 instances detected.


Top Attackers By Country

Country        | Occurrences | Percentage
China          | 458,440     | 44.00%
Canada         | 244,023     | 23.00%
Australia      | 100,190     | 9.00%
United States  | 89,301      | 8.00%
South Africa   | 28,643      | 2.00%
United Kingdom | 16,407      | 1.00%
Chile          | 12,182      | 1.00%
South Korea    | 9,495       | 0%
India          | 9,465       | 0%
Hong Kong      | 5,560       | 0%
Netherlands    | 5,291       | 0%
France         | 4,810       | 0%
Japan          | 4,090       | 0%
Indonesia      | 3,828       | 0%
Germany        | 2,188       | 0%
Morocco        | 1,874       | 0%
Bulgaria       | 1,571       | 0%
Mexico         | 1,334       | 0%


[Figure: pie chart "Top Attackers by Country" (China, Canada, Australia, United States, South Africa, Other); the underlying counts are those in the table above]


Threat Geo-location

[Figure: threat geo-location map; colour scale runs from 1,334 to 458,440 attacks per country]


Top Attacking Hosts

Host           | Occurrences
103.82.53.116  | 55,856
112.85.42.187  | 30,663
49.88.112.115  | 25,011
112.85.42.88   | 20,243
103.139.212.21 | 14,668
218.92.0.190   | 11,758
[Figure: bar chart "Top Attackers" of the six hosts above, x-axis 0 to 60,000 occurrences]


Top Network Attackers

ASN    | Country | Name
136160 | China   | BSYNTCL-AS-AP Beijing Shijihulian Yuntong Network Technology Co., Ltd., CN
4837   | China   | CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134   | China   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4847   | China   | CNIX-AP China Networks Inter-Exchange, CN


Remote Access Trojan C&C Servers Found

Name             | Number Discovered | Location
Anubis           | 5                 | 176.121.14.173, 8.208.102.203, 8.208.83.128, 8.211.9.122, 84.38.183.65
Heodo            | 1                 | 173.91.22.41
KPOT             | 4                 | 104.24.110.184, 92.119.112.32, karnaval.bar, karnaval.casa
LokiStealer      | 1                 | 45.147.197.180
Oski             | 7                 | 194.87.111.188, 217.8.117.45, 45.141.84.184, 47.241.11.25, 80.85.157.41, 80.89.228.202, thekurva.xyz
PredatorTheThief | 1                 | 141.8.192.151
Taurus           | 6                 | 104.18.47.219, 104.18.51.158, 47.241.131.180, 64.225.22.106, 85.217.171.72, blogstat28.xyz
TrickBot         | 3                 | 185.180.198.69, 45.148.120.164, 45.155.173.223
UAdmin           | 1                 | 37.46.130.159
[Figure: pie chart "Trojan C&C Servers Detected", one slice per family in the table above]


Common Malware

MD5 | VirusTotal | File Name | Claimed Product | Detection Name
8c80dd97c37525927c1e549cb59bcbf3 | https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details | FlashHelperServices.exe | FlashHelperServices | Win.Exploit.Shadowbrokers::5A5226262.auto.talos
a10a6d9dfc0328a391a3fdb1a9fb18db | https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details | FlashHelperServices.exe | FlashHelperService | PUA.Win.Adware.Flashserv::100.sbx.vioc
e2ea315d9a83e7577053f52c974f6a5a | https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection | c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin | N/A | Win.Dropper.Agentwdcr::1201
8193b63313019b614d5be721c538486b | https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details | SAntivirusService.exe | SAService | PUA.Win.Dropper.Segurazo::95.sbx.tg
60ba2a4b8ea5982a3a671a9e84f9268c | https://www.virustotal.com/gui/file/8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e/details | Diagnostics.txt | N/A | Win.Dropper.Shadowbrokers::222044.in02


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available. Each entry gives the CVE, title, vendor, description, CVSS v3.1 base score (with vector), date created and date updated.

CVE-2020-0022

Google Android Bluetooth Remote Denial Of Service Vulnerability

Google

A remote denial of service vulnerability exists in Google Android. In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed.
CVSS v3.1 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 02/13/2020
Date Updated: 05/13/2020

CVE-2020-10189

WPA and WPA2 Disassociation Vulnerability ("Kr00k")

Multi-Vendor

An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.
CVSS v3.1 Base Score: 9.8 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Date Created: 03/06/2020
Date Updated: 03/09/2020

CVE-2020-1170

Microsoft Windows Defender Elevation of Privilege Vulnerability

Microsoft

An elevation of privilege vulnerability exists in Windows Defender that leads to arbitrary file deletion on the system. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/09/2020
Date Updated: 06/12/2020

CVE-2020-1181

Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/09/2020
Date Updated: 06/12/2020

CVE-2020-12388

Firefox Default Content Process DACL Sandbox Escape Vulnerability

Mozilla

The Firefox content processes did not sufficiently lock down access control, which could result in a sandbox escape. Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Firefox ESR. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 05/26/2020
Date Updated: 05/28/2020

CVE-2020-3347

Cisco Webex Meetings Desktop App for Windows Shared Memory Information Disclosure Vulnerability

Cisco

A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. The vulnerability is due to unsafe usage of shared memory that is used by the affected software. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could aid the attacker in future attacks.
CVSS v3.1 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Date Created: 06/17/2020
Date Updated: 06/24/2020

CVE-2020-1054

Microsoft Win32k Elevation of Privilege Vulnerability

Microsoft

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
CVSS v3.1 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/21/2020
Date Updated: 05/27/2020

Monday, June 29, 2020 By john