Threat Intel Banner

   
   Trends

  • The top attacker country was China with 99917 unique attackers (30.00%).
  • The top Trojan C&C server detected was Lokibot with 14 instances detected.
  • The top phishing campaign detected was against Facebook with 21 instances detected.


   Top Attackers By Country

Country Occurences Percentage
China 99917 41.71%
United States 65443 27.32%
Russia 25836 10.78%
Romania 11225 4.69%
India 8648 3.61%
Vietnam 5787 2.42%
Hong Kong 5167 2.16%
Indonesia 5015 2.09%
South Korea 3631 1.52%
Bulgaria 1994 0.83%
Belize 1802 0.75%
Nepal 1220 0.51%
Pakistan 1146 0.48%
Egypt 919 0.38%
Bahamas 904 0.38%
Ukraine 901 0.38%
Top Attackers by CountryChinaUnited StatesRussiaRomaniaIndiaVietnamHong KongIndonesiaOther41.7%10.8%27.3%
Country Percentage of Attacks
China 99,917
United States 65,443
Russia 25,836
Romania 11,225
India 8,648
Vietnam 5,787
Hong Kong 5,167
Indonesia 5,015
South Korea 3,631
Bulgaria 1,994
Belize 1,802
Nepal 1,220
Pakistan 1,146
Egypt 919
Bahamas 904
Ukraine 901

   
   Threat Geo-location

90199,917

   
   Top Attacking Hosts

Host Occurrences
172.20.29.251 20134
218.92.0.204 13498
89.40.73.30 11225
61.177.173.17 9043
178.128.119.193 7736
112.85.42.72 6398
14.29.156.197 3705
91.241.19.81 3182
120.220.14.248 3159
91.241.19.86 2987
61.177.173.16 2917
86.27.113.91 2736
178.128.100.6 2705
94.232.40.58 2458
69.162.124.234 2272
87.251.75.149 2209
36.150.61.38 2174
61.177.173.31 2010


   Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
48874 Romania HOSTMAZE HOSTMAZE, RO
14061 Singapore DIGITALOCEAN-ASN, US
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
207566 Russia HOSTWAY-AS, RU
24444 China CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
5089 United Kingdom NTL, GB
44477 Belarus WELLWEB, NL
46475 United States LIMESTONENETWORKS, US
56046 China CMNET-JIANGSU-AP China Mobile communications corporation, CN


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 2 103.114.107.28 , 172.67.216.60
Amadey 2 185.215.113.112 , 185.215.113.38
AthenaHTTP 1 5.101.153.29
Azorult 1 172.82.180.70
BlackNet 3 162.0.215.156 , 37.46.131.229 , 41.98.21.86
CobaltStrike 14 213.252.244.200 , 213.252.244.25 , 213.252.247.18 , 213.252.247.2 , 213.252.247.202 , 213.252.247.216 , 213.252.247.58 , 45.144.29.242 , agreement-of-work.com , automaticservicelk.com , bankofcountrysidegf.com , deliverypdi.com , healthcareclubdb.com , security-desk.com
Collector 4 141.8.192.151 , 141.8.192.169 , 141.8.193.236 , 31.31.196.239
Cryptbot 2 34.73.205.209 , 35.229.92.135
DiamondFox 2 8.208.85.25 , 8.209.68.49
EvilBear 2 203.28.246.111 , 2.57.90.16
Ficker 1 truzen.space
Inter 1 185.4.65.144
LokiBot 14 104.21.26.175 , 104.21.45.111 , 104.21.48.77 , 104.21.58.209 , 104.21.75.198 , 162.248.225.14 , 172.67.131.25 , 172.67.138.58 , 195.133.40.71 , 45.252.248.59 , 5.9.198.133 , 5.9.198.133 , 8.209.99.88 , 89.191.233.253
Lucifer 1 166.62.10.47
Oski 9 162.214.123.127 , 195.133.40.215 , 195.133.40.70 , 195.133.40.80 , 195.133.40.97 , 212.192.241.149 , 45.133.1.47 , 50.115.172.42 , 67.220.184.146
Plague 1 203.28.246.111
Predator 1 141.8.192.169
UAdmin 2 86.106.131.119 , 86.106.131.140
Zeus 1 45.147.230.209
Trojan C&C Servers DetectedAgentTeslaAmadeyBlackNetCobaltStrikeCollectorCryptbotDiamondFoxEvilBearLokibotOskiUAdminOther21.9%6.3%12.5%14.1%21.9%
Name Number Discovered
AgentTesla 2
Amadey 2
AthenaHTTP 1
Azorult 1
BlackNet 3
CobaltStrike 14
Collector 4
Cryptbot 2
DiamondFox 2
EvilBear 2
Ficker 1
Inter 1
Lokibot 14
Lucifer 1
Oski 9
Plague 1
Predator 1
UAdmin 2
UAdmin 1

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
29c8ba0d89a9265c270985b02572e693 https://www.virustotal.com/gui/file/7263ec6afa49dcb11ab9e3ee7e453e26b9ba91c3f8a440bcab3b92048175eb33/details 29C8BA0D89A9265C270985B02572E693.mlw N/A W32.7263EC6AFA.smokeloader.in11.Talos
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
4dd358e4af31fb9bf83c2078cd874ff4 https://www.virustotal.com/gui/file/d88b26b3699c3b02f8be712552185533d77d7866f1a9a723c1fbc40cdfc2287d/details smbscanlocal1805.exe N/A Auto.D88B26B369.241855.in07.Talos
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd


   Top Phishing Campaigns

Phishing Target Count
Other 1245
PayPal 2
Steam 12
Facebook 21
Amazon.com 4
Microsoft 5
Vodafone 1
RuneScape 4
Virustotal 2
Centurylink 1
Swedbank 1
DHL 1
Caixa 1
Rakuten 3
Allegro 1
Hotmail 1
Hermes 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v3.1 Base Score Date Created Date Updated

CVE-2021-33509

Privilege Escalation Vulnerability in Plone

Plone

 Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) 05/21/2021 05/24/2021

CVE-2017-10818

Weak Authentication Vulnerability in MaLion

Intercom

 MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 08/04/2017 05/19/2021

CVE-2018-14718

Remote Code Execution Vulnerability in FasterXML Data Bind

Oracle, Redhat, NetApp, FasterXML, Debian

 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 01/02/2019 05/21/2021

CVE-2021-27135

Denial of Service Vulnerability in xTerm

Debian, Fedora Project, Invisible-Island

 xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 02/10/2021 05/21/2021

CVE-2020-36326

Object Injection Vulnerability in PHPMailer

PHPmailer_project

 PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/27/2021 05/21/2021

CVE-2021-26583

Remote Code Execution Vulnerability in HP Amplifier Pack

HP

 A potential security vulnerability was identified in HPE iLO Amplifier Pack. The vulnerabilities could be remotely exploited to allow remote code execution. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/10/2021 05/21/2021

CVE-2020-13873

SQL Injection Vulnerability in Codologic

Codologic

 A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the operating system.) 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/12/2021 05/20/2021
Details
Date Published
June 03, 2021
Category
Threat Intelligence