Thursday, December 3, 2020

threat_intel_report

Trends

  • The top attacker country was China with 36459 unique attackers (48.25%).
  • The top Trojan C&C family detected was RedLine with 25 servers detected.
  • The top phishing campaign detected was against Amazon accounts with 20 instances detected.
     

Late last month Delaware County in Pennsylvania became the latest victim of the renowned ransomware gang DoppelPaymer, who brought down critical parts of its systems including police reports, payroll, purchasing
and other sensitive databases. Upon payment of the $500,000 ransom, DoppelPaymer unusually advised the County to update all of its system passwords and modify its Windows domain configuration in addition to other security precautions.
 

 

   Top Attackers By Country

Country Occurrences Percentage
China 36459 48.25%
United States 21323 28.22%
Brazil 3217 4.26%
India 2799 3.70%
Russia 2763 3.66%
South Korea 2300 3.04%
Singapore 1290 1.71%
Indonesia 1285 1.70%
Italy 765 1.01%
Iran 580 0.77%
Mexico 560 0.74%
Philippines 558 0.74%
Portugal 458 0.61%
Japan 318 0.42%
Peru 297 0.39%
Saudi Arabia 295 0.39%
Honduras 288 0.38%
 

   Top Attackers By Country

[Chart: share of attackers by country, showing China, United States, Brazil, India, Russia, South Korea and Other; figures as in the table above]
 

   Threat Geo-location

[Map: attacker occurrences by country; colour scale from 288 to 36,459]
 

   Top Attacking Hosts

Host Occurrences
49.88.112.118 2223
206.189.200.15 967
190.83.84.208 923
68.183.110.49 776
174.138.35.201 586
43.254.156.48 580
106.12.97.104 563
222.173.82.126 558
104.131.166.150 540
216.245.221.84 473
202.83.25.83 465
157.230.57.43 405
195.19.102.173 403
201.91.86.28 398
109.194.174.78 378
167.99.172.154 364
106.54.74.83 360
49.235.241.211 359
171.221.217.145 350


[Chart: Top Attackers, by host; figures as in the table above]

 

   Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
14061 United States DIGITALOCEAN-ASN, US
270340 Brazil EDEILTON LIMA DOS SANTOS - ME, BR
59072 China ESINNET Shenzhen ESIN Technology Co., Ltd, CN CT-DONGGUAN-IDC CHINANET Guangdong province network, CN
38365 China BAIDU Beijing Baidu Netcom Science and Technology Co., Ltd., CN
46475 United States LIMESTONENETWORKS, US
24309 India CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN
12389 Russia ROSTELECOM-AS, RU
10429 Brazil TELEFONICA BRASIL S.A, BR
41682 Russia ERTH-TMN-AS, RU
45090 China CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN
 

   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 1 72.9.135.10
Amadey 7 176.123.8.254 , 217.8.117.168 , 217.8.117.177 , 217.8.117.62 , 217.8.117.81 , ixlosa.com , vintrsi.com
ATSEngine 2 170.106.35.220 , 94.100.28.209
BlackNet 1 51.254.73.16
BlueBotNet 1 158.247.208.239
CryptBot 2 185.209.1.123 , 185.252.146.49
DT-Stealer 1 45.13.252.21
Heodo 8 108.21.72.56 , 175.145.248.25 , 190.251.216.100 , 191.223.36.170 , 202.79.24.136 , 45.184.103.73 , 45.4.32.50 , 54.36.185.60
KeitaroTDS 2 213.226.100.238 , 87.236.16.241
Lokibot 12 103.83.81.68 , 104.31.64.98 , 137.59.52.154 , 172.67.188.73 , 172.67.201.179 , 185.243.215.88 , 193.106.175.41 , 209.59.188.68 , 209.59.188.68 , 45.144.2.145 , 45.144.2.145 , 46.17.98.105
Oski 1 45.137.67.174
Pony 1 103.20.212.86
Qudox 1 188.120.228.107
Redirected 2 209.250.255.176 , 209.97.175.120
RedLine 25 104.31.68.21 , 138.124.180.187 , 168.119.175.149 , 172.67.192.79 , 176.119.158.210 , 185.250.148.63 , 188.119.113.157 , 195.93.173.94 , 206.166.251.156 , 2.56.214.31 , 45.142.215.39 , 45.144.29.87 , 45.150.67.48 , 45.67.228.55 , 45.67.231.94 , 5.252.194.139 , 84.38.183.201 , 86.105.252.12 , 86.106.181.103 , 93.115.18.189 , 93.115.20.250 , 94.103.95.7 , 94.140.115.81 , 94.23.199.195 , 95.181.155.62
Rurat 1 46.17.98.47
Taurus 2 172.67.171.50 , 172.67.220.64
TrickBot 17 156.96.156.165 , 185.14.29.119 , 185.163.45.140 , 185.234.72.75 , 185.244.151.107 , 187.62.208.234 , 192.119.171.218 , 194.5.249.29 , 195.123.240.108 , 195.123.242.176 , 212.8.251.21 , 23.237.137.66 , 45.12.110.179 , 86.104.194.16 , 94.140.114.99 , 94.140.115.150 , 94.140.115.189
TriumphLoader 3 1193.106.175.51 , 45.129.2.130 , 78.155.205.58
Zloader 1 185.240.102.113
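A practitioner's first use of the C&C table above is to turn it into a lookup and run it over egress logs. The following is an added example, not tooling from the report or from any vendor: it parses a constructed excerpt of the table in the page's own "Name Count host , host" layout, validates every entry as either an IPv4 address or a hostname, and scans constructed firewall/proxy log lines (also made up for this example) for matches. The TriumphLoader entry "1193.106.175.51" is kept exactly as printed on the page; it is not a valid IPv4 address, and the loader reports it instead of letting a transcription error become a silent non-match.

```python
import ipaddress
import re

# Constructed excerpt of the report's C&C table, in the 'Name Count host , host' layout
# the page uses. The entry "1193.106.175.51" is copied as printed on the page: it is not a
# valid IPv4 address, and the loader must surface it instead of silently ignoring it.
C2_TABLE = """\
Amadey 7 176.123.8.254 , 217.8.117.168 , ixlosa.com , vintrsi.com
Lokibot 12 103.83.81.68 , 209.59.188.68 , 209.59.188.68 , 45.144.2.145
RedLine 25 104.31.68.21 , 138.124.180.187 , 2.56.214.31
TriumphLoader 3 1193.106.175.51 , 45.129.2.130 , 78.155.205.58
"""

# Constructed firewall/proxy log lines (not from the report) to scan against the table.
SAMPLE_LOGS = [
    "2020-12-03T10:01:12Z src=10.0.0.5 dst=45.129.2.130 dport=443 action=allow",
    "2020-12-03T10:02:40Z src=10.0.0.9 dst=8.8.8.8 dport=53 action=allow",
    "2020-12-03T10:03:05Z src=10.0.0.5 host=IXLOSA.COM uri=/panel/index.php action=allow",
    "2020-12-03T10:04:19Z src=10.0.0.7 dst=209.59.188.68 dport=80 action=deny",
]

# Hostname: dot-separated labels with an alphabetic final label (so a mangled IP never passes).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Candidate IP/hostname tokens inside a log line (stops at '=', ':', '/' and whitespace).
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def load_c2_table(text):
    """Parse 'Family Count host , host , ...' lines into {host: family}.

    Returns (indicators, rejected); rejected holds (family, token) pairs that are
    neither a valid IPv4 address nor a plausible hostname, so a transcription error
    in the feed is visible rather than becoming a silent non-match."""
    indicators, rejected = {}, []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[1].isdigit():
            continue  # not a table row
        family, _count, hosts = parts
        for token in (h.strip() for h in hosts.split(",")):
            if not token:
                continue
            try:
                ipaddress.IPv4Address(token)
                indicators[token] = family
                continue
            except ValueError:
                pass
            if DOMAIN_RE.match(token):
                indicators[token.lower()] = family
            else:
                rejected.append((family, token))
    return indicators, rejected


def scan_logs(lines, indicators):
    """Return [(line_no, indicator, family)] for every log line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            key = tok.lower().rstrip(".")
            family = indicators.get(key)
            if family:
                hits.append((n, key, family))
    return hits


def summarize(hits):
    """Count hits per malware family."""
    counts = {}
    for _n, _ind, family in hits:
        counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    inds, rejected = load_c2_table(C2_TABLE)
    for family, token in rejected:
        print(f"REJECTED indicator for {family}: {token!r}")
    for n, ind, family in scan_logs(SAMPLE_LOGS, inds):
        print(f"line {n}: {ind} ({family})")
    print(summarize(scan_logs(SAMPLE_LOGS, inds)))
```

Hits on denied connections (the last sample line) are reported on purpose: a blocked outbound attempt to a C&C address still means something on that host tried to call home. Duplicate entries in a row, as in the Lokibot line, collapse into one indicator.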


Trojan C&C Servers Detected

[Chart: C&C servers detected per family, showing Amadey, ATSEngine, CryptBot, Heodo, KeitaroTDS, Lokibot, Redirected, RedLine, Taurus, TrickBot, TriumphLoader and Other; figures as in the table above]
 

   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
dd726d5e223ca762dc2772f40cb921d3 https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection ww24.exe N/A W32.TR:Attribute.23ln.1201
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos
920823d1c5cb5ce57a7c69c42b60959c https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details FlashHelperService.exe FlashHelperService W32.Variant.23mj.1201
6423f6d49466f739d4eaa2a30759c46a https://www.virustotal.com/gui/file/7bd78114e61ae332e9e9d67b66cdab4a4db4e0c74dc43a0582ab1aecb13d7f0f/details Xerox_Device_060214.exe N/A Win.Dropper.Upatre::1201
5ca36dec01d06ab7ded640f7ecf74302 https://www.virustotal.com/gui/file/23c9f0de513ce4632965291b8adbaa9d228b04d74ab695a412603a1e49dcff18/details Xerox_Device_060214.zip N/A Win.Dropper.Upatre::tpd
 

   Top Phishing Campaigns

Phishing Target Count
Amazon 20
Other 1244
Rakuten 3
Instagram 3
Facebook 19
Steam 2
Google 1
Netflix 2
Rabobank 1
PayPal 2
Microsoft 4
RuneScape 1
Vodafone 1
Halifax 2
 
 

   CVEs with Recently Discovered Exploits

     This is a list of recent vulnerabilities for which exploits are available.

Columns: CVE, Title, Vendor, Description, CVSS v3.1 Base Score, Date Created, Date Updated

CVE-2018-13379

Fortinet FortiOS Directory Traversal Vulnerability

Fortinet

Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests. CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Date Created: 06/04/2019. Date Updated: 11/19/2020.

CVE-2020-13671

Drupal Core Remote Code Execution Vulnerability (SA-CORE-2020-012)

Multi-Vendor

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. Successful exploitation of this vulnerability could affect Confidentiality, Integrity and Availability. CVSS v3.1 Base Score: 7.9 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L). Date Created: 11/20/2020. Date Updated: 11/20/2020.

CVE-2017-5638

Apache Struts Remote Code Execution Vulnerability (S2-045)

Apache

The Jakarta Multipart parser in Apache Struts has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Date Created: 03/10/2017. Date Updated: 03/03/2018.
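Because S2-045 is triggered through the upload-related request headers rather than the body, it can be spotted at a reverse proxy or WAF before the request reaches Struts. The following is an added example, not code from Apache or from the report: it classifies constructed request records (made up for this example) by looking for OGNL expression openers and the "#cmd=" assignment the entry mentions in Content-Type, Content-Disposition and Content-Length, and separately flags a multipart Content-Type that does not parse as "type; param=value" pairs, since a parser error is what the vulnerable code path needs. The marker set is this example's own and is not an exhaustive signature; the sample "suspicious" header imitates only the shape of such a header, not a working payload.

```python
import re

# Constructed HTTP request records (method, path, headers) standing in for a
# reverse-proxy or WAF log. They are examples for this scan, not traffic from the
# report. Record 1 imitates only the shape of an S2-045 header (an OGNL expression
# carrying a "#cmd=" assignment); it is not a working payload.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/doUpload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----Boundary7MA4YWxk"}},
    {"method": "POST", "path": "/doUpload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#cmd='id')}"}},
    {"method": "POST", "path": "/doUpload.action",
     "headers": {"Content-Type": "multipart/form-data boundary"}},
    {"method": "GET", "path": "/index.action",
     "headers": {"Accept": "text/html"}},
]

# OGNL expression markers (assumption: this example's own list, not an exhaustive signature).
OGNL_OPEN = re.compile(r"[%$]\{")          # '%{' or '${' expression opener
CMD_ASSIGN = re.compile(r"#cmd\s*=", re.I)  # the '#cmd=' assignment the report mentions
# A well-formed multipart/form-data Content-Type: the type, then ';'-separated token=value params.
MULTIPART_OK = re.compile(r'^multipart/form-data(\s*;\s*[\w.-]+=("[^"]*"|[^;\s]+))*\s*$', re.I)
# The three headers the Jakarta Multipart parser reads during an upload.
SCANNED_HEADERS = ("content-type", "content-disposition", "content-length")


def classify_request(req):
    """Return (verdict, reason).

    'suspicious' if any scanned header carries OGNL markers,
    'malformed'  if a multipart/form-data Content-Type does not parse as type; params,
    'ok'         otherwise."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    for name in SCANNED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if OGNL_OPEN.search(value) or CMD_ASSIGN.search(value):
            return "suspicious", f"OGNL markers in {name}"
    ctype = headers.get("content-type", "")
    if ctype.lower().startswith("multipart/form-data") and not MULTIPART_OK.match(ctype):
        return "malformed", "multipart Content-Type does not parse as type; params"
    return "ok", ""


def scan_requests(requests):
    """Return [(index, verdict, reason)] for every request that is not 'ok'."""
    findings = []
    for i, req in enumerate(requests):
        verdict, reason = classify_request(req)
        if verdict != "ok":
            findings.append((i, verdict, reason))
    return findings


if __name__ == "__main__":
    for i, verdict, reason in scan_requests(SAMPLE_REQUESTS):
        r = SAMPLE_REQUESTS[i]
        print(f"#{i} {r['method']} {r['path']}: {verdict} ({reason})")
```

The "malformed" verdict is deliberately weaker than "suspicious": a broken multipart header from a buggy client is not an attack, but it is exactly the input that reaches the vulnerable error-handling path, so it is worth counting separately and watching for spikes.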

CVE-2020-3470

Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities

Cisco

Multiple vulnerabilities in the API subsystem of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges. The vulnerabilities are due to improper boundary checks for certain user-supplied input. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system. When this request is processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying operating system (OS). CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Date Created: 11/18/2020. Date Updated: 11/19/2020.

CVE-2020-1034

Microsoft Windows Kernel Elevation of Privilege Vulnerability

Microsoft

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Date Created: 09/11/2020. Date Updated: 09/15/2020.

CVE-2020-15647

Mozilla Firefox Arbitrary Local File Access Vulnerability

Mozilla

A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins. CVSS v3.1 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N). Date Created: 08/10/2020. Date Updated: 08/12/2020.

CVE-2020-1380

Microsoft Scripting Engine Memory Corruption Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. CVSS v3.1 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Date Created: 08/17/2020. Date Updated: 08/21/2020.