Trends

  • The top attacker country was China with 1,973,468 attack occurrences (46.8% of all occurrences recorded).
  • The top Trojan C&C server family detected was LokiBot with 10 instances detected.


Top Attackers By Country

Country               Occurrences   Percentage
China                   1,973,468        46.8%
Australia                 814,269        19.3%
United States             253,479         6.0%
South Africa              205,922         4.9%
Russia                    157,269         3.7%
India                     140,988         3.3%
France                    115,213         2.7%
South Korea                98,487         2.3%
Chile                      96,654         2.3%
United Kingdom             94,702         2.2%
Germany                    64,241         1.5%
Brazil                     57,869         1.4%
Vietnam                    42,996         1.0%
Thailand                   41,507         1.0%
Italy                      29,084         0.7%
Romania                    13,052         0.3%
Estonia                    10,131         0.2%
Taiwan                      7,876         0.2%
Dominican Republic          3,302         0.1%
Total                   4,220,509       100.0%

Percentages are each country's share of the 4,220,509 occurrences across the listed countries, rounded to one decimal place; the smaller countries are not 0%, they are simply below 1%.




Threat Geo-location

Map of attack occurrences by country (legend scale: 3,302 to 1,973,468).


Top Attacking Hosts

Host              Occurrences
112.85.42.187          18,341
49.88.112.114           8,885
116.153.32.212          4,583
181.43.56.244           3,336
61.166.128.114          2,829
45.143.222.196          2,737
14.152.73.14            1,855
112.85.42.88            1,847

Two of the eight hosts (112.85.42.187 and 112.85.42.88) sit in the same 112.85.42.0/24 prefix, so a per-host block list would miss a neighbouring address that a prefix-level rule would catch.


Top Network Attackers

ASN   Country   Name

No network attackers (ASNs) were listed for this period.


Remote Access Trojan C&C Servers Found

Name       Number Discovered   Location
Anubis     6                   34.105.152.77, 47.241.106.208, 47.74.186.248, 8.208.90.79, 82.148.17.30, 91.210.104.212
AzorUlt    1                   185.90.59.42
Flexnet    2                   47.241.116.41, 8.209.112.8
Heodo      2                   181.92.244.156, 186.226.226.116
LokiBot    10                  104.237.252.54, 104.237.252.91, 172.67.139.186, 176.223.209.5, 185.55.227.103, 40.87.23.196, 45.143.138.65, 5.53.124.78, 79.124.8.8, 81.29.134.72
Oski       3                   172.67.222.246, 193.164.150.15, 194.87.93.125
Taurus     5                   104.27.188.245, 172.67.141.69, 172.67.158.157, 202.59.9.104, toughpalms.top
TrickBot   8                   134.119.191.45, 134.119.191.46, 162.244.32.199, 185.14.28.122, 185.234.52.125, 192.3.247.122, 23.92.93.227, 45.148.120.145
UAdmin     1                   80.89.235.67
Total      38

Heodo is the tracker name under which Emotet C&C infrastructure is listed. The Taurus entry contains one hostname (toughpalms.top) rather than an IP address, so it needs a DNS or TLS SNI match rather than an address match.
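One way to turn the table into network detections, as an added example written for this page and not code from the report's author. It emits one Suricata (version 5 syntax) rule per IOC: an outbound `alert ip` rule for each address and a `dns.query` rule for the one hostname. It also flags IOCs that fall inside shared reverse-proxy space: the 172.67.x.x and 104.27.x.x addresses above are Cloudflare edge addresses that front many unrelated sites, so blocking them outright is collateral damage. The prefix list is an assumed subset of Cloudflare's published IPv4 ranges at the time of writing and should be refreshed from the provider; the sid numbers from 9000001 are arbitrary local values.

```python
"""Turn the C&C table above into Suricata rules (added example, not the
report's own tooling). The IOC lists are copied from the table; the
shared-edge prefixes are an assumed subset of Cloudflare's published
IPv4 ranges and should be refreshed before use."""
import ipaddress

# IOCs copied from the "Remote Access Trojan C&C Servers Found" table.
C2_SERVERS = {
    "Anubis": ["34.105.152.77", "47.241.106.208", "47.74.186.248",
               "8.208.90.79", "82.148.17.30", "91.210.104.212"],
    "AzorUlt": ["185.90.59.42"],
    "Flexnet": ["47.241.116.41", "8.209.112.8"],
    "Heodo": ["181.92.244.156", "186.226.226.116"],
    "LokiBot": ["104.237.252.54", "104.237.252.91", "172.67.139.186",
                "176.223.209.5", "185.55.227.103", "40.87.23.196",
                "45.143.138.65", "5.53.124.78", "79.124.8.8", "81.29.134.72"],
    "Oski": ["172.67.222.246", "193.164.150.15", "194.87.93.125"],
    "Taurus": ["104.27.188.245", "172.67.141.69", "172.67.158.157",
               "202.59.9.104", "toughpalms.top"],
    "TrickBot": ["134.119.191.45", "134.119.191.46", "162.244.32.199",
                 "185.14.28.122", "185.234.52.125", "192.3.247.122",
                 "23.92.93.227", "45.148.120.145"],
    "UAdmin": ["80.89.235.67"],
}

# Shared reverse-proxy edge space (assumed subset of Cloudflare's list).
# An address here fronts many unrelated sites, so a plain IP block causes
# collateral damage: the rule is still emitted, but flagged for review.
SHARED_EDGE_RANGES = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "162.158.0.0/15", "198.41.128.0/17", "141.101.64.0/18",
)]


def is_ip(ioc: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(ioc)
        return True
    except ValueError:
        return False


def shared_range_for(ioc: str):
    """Return the shared-edge prefix containing an IP IOC, else None."""
    if not is_ip(ioc):
        return None
    addr = ipaddress.ip_address(ioc)
    for net in SHARED_EDGE_RANGES:
        if addr in net:
            return net
    return None


def build_rules(c2=C2_SERVERS, base_sid=9000000):
    """Emit one Suricata rule per IOC.

    IP IOCs become an outbound 'alert ip' rule; hostnames become a DNS
    query rule, since their resolved address is not known in advance.
    Returns (rules, flagged); flagged lists (family, ioc, prefix) for
    IOCs inside shared edge ranges.
    """
    rules, flagged = [], []
    sid = base_sid
    for family, iocs in c2.items():
        for ioc in iocs:
            sid += 1
            if is_ip(ioc):
                shared = shared_range_for(ioc)
                note = f" (shared edge {shared}, verify before blocking)" if shared else ""
                rules.append(
                    f'alert ip $HOME_NET any -> {ioc} any '
                    f'(msg:"{family} C2 contact{note}"; '
                    f'classtype:trojan-activity; sid:{sid}; rev:1;)')
                if shared:
                    flagged.append((family, ioc, str(shared)))
            else:
                rules.append(
                    f'alert dns $HOME_NET any -> any any '
                    f'(msg:"{family} C2 domain lookup"; dns.query; '
                    f'content:"{ioc}"; nocase; '
                    f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    return rules, flagged


if __name__ == "__main__":
    rules, flagged = build_rules()
    print("\n".join(rules))
    print(f"# {len(rules)} rules; {len(flagged)} IOCs in shared edge ranges:")
    for family, ioc, net in flagged:
        print(f"#   {family} {ioc} in {net}")
```

Running the script prints 38 rules and flags five LokiBot, Oski and Taurus addresses as shared edge space; for those, match on the TLS SNI or HTTP Host observed in the sample rather than the address alone.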


Common Malware

MD5:              8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:       https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File name:        FlashHelperServices.exe
Claimed product:  FlashHelperServices
Detection name:   Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5:              42143a53581e0304b08f61c2ef8032d7
VirusTotal:       https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details
File name:        JPMorganChaseInstructionsSMG82749206.pdf
Claimed product:  N/A
Detection name:   Pdf.Phishing.Phishing::malicious.tht.talos

MD5:              3409ff801cb177f6df26cfec8f4528ae
VirusTotal:       https://www.virustotal.com/gui/file/dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a/details
File name:        FlashHelperServices.exe
Claimed product:  FlashHelperServices
Detection name:   PUA.Win.Adware.Flashserv::100.sbx.vioc

MD5:              b065af93b5fd551526705b5968d0ca10
VirusTotal:       https://www.virustotal.com/gui/file/28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e/details
File name:        vscekgp.exe
Claimed product:  NTLMSharedFunctionality
Detection name:   W32.28C33A9676-100.SBX.TG

MD5:              5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal:       https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details
File name:        FlashHelperServices.exe
Claimed product:  FlashHelperServices
Detection name:   PUA.Win.Adware.Flashserv::in03.talos


Top Phishing Campaigns

Phishing Target   Count

No phishing campaigns were listed for this period.


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry gives: CVE, Title, Vendor, Description, CVSS v3 Base Score with vector, Date Created, Date Updated. The scores and vectors below are CVSS v3 values (the vector strings are v3 metrics), not v2.

CVE-2020-0096

Google Android Elevation of Privilege Vulnerability

Google

Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets. In startActivities of ActivityStartController.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/14/2020   Date Updated: 05/18/2020

CVE-2020-9484

Apache Tomcat Remote Code Execution Vulnerability

Apache

When using affected Apache Tomcat versions, if a) an attacker is able to control the contents and name of a file on the server and b) the server is configured to use the Persistence Manager with a FileStore

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/20/2020   Date Updated: 05/28/2020
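A configuration check for precondition b), as an added example written for this page rather than code from Apache or the report's author. It parses a Tomcat context.xml and flags a PersistentManager backed by a FileStore. It also reports the Manager's sessionAttributeValueClassNameFilter attribute: the Apache advisory for CVE-2020-9484 lists an unset or "null" filter (the default when no SecurityManager is in use) among the preconditions, which the description above, cut short in the source, does not reach. Both context.xml fragments are constructed for the example; the allowlist regex in the hardened one is an assumption modelled on the example in Tomcat's Manager documentation.

```python
"""Audit a Tomcat context.xml for the CVE-2020-9484 session-persistence
preconditions. Added example; not Apache or report code.

Flags a PersistentManager that uses a FileStore (precondition b above)
and reports sessionAttributeValueClassNameFilter, which the Apache
advisory lists as a further precondition when unset or "null"."""
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed context.xml: file-backed session persistence, no class filter,
# so any class on the classpath may be deserialized from a session file.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>
"""

# Same persistence setup, but only a short allowlist of classes may be
# deserialized (regex assumed for the example, modelled on the Tomcat
# Manager documentation).
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>
"""


def audit_context(xml_text: str):
    """Return one finding per PersistentManager + FileStore pair.

    Each finding carries the store directory, the filter value and a
    severity: 'high' when the filter is unset or "null", 'review' when a
    filter is present (confirm it is tight and that the store directory
    is not writable by untrusted users). Managers other than
    PersistentManager, and stores other than FileStore, are not affected
    and are skipped.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        for store in manager.iter("Store"):
            if store.get("className") != FILE_STORE:
                continue
            flt = manager.get("sessionAttributeValueClassNameFilter")
            unfiltered = flt is None or flt.strip().lower() == "null"
            findings.append({
                "directory": store.get("directory"),
                "filter": flt,
                "severity": "high" if unfiltered else "review",
            })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_CONTEXT),
                            ("hardened", HARDENED_CONTEXT)):
        print(label, audit_context(xml_text))
```

The hardened fragment still produces a 'review' finding on purpose: a class filter narrows deserialization but does not remove the file-write precondition, so the store directory's permissions still need checking.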

CVE-2020-1048

Microsoft Windows Print Spooler Elevation of Privilege Vulnerability

Microsoft

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/21/2020   Date Updated: 05/26/2020

CVE-2020-3153

Cisco AnyConnect Secure Mobility Client Vulnerability

Cisco

A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges.

CVSS v3 Base Score: 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
Date Created: 02/19/2020   Date Updated: 04/21/2020

CVE-2020-8617

ISC BIND Denial of Service Vulnerability

Multi-Vendor

Using a specially crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. A remote attacker could use this issue to cause BIND to crash, resulting in a denial of service, or possibly perform other attacks.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date Created: 05/19/2020   Date Updated: 06/01/2020

CVE-2019-7192

QNAP Pre-Auth Root Remote Code Execution Vulnerability

QNAP

QTS (QNAP Turbo NAS System) is a Turbo NAS operating system, providing file storage, backup, disaster recovery, security management and virtualization applications for business and multimedia use. This improper access control vulnerability allows remote attackers to gain unauthorized access to the system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 12/05/2019   Date Updated: 05/28/2020

CVE-2020-12720

vBulletin Remote SQL Injection Vulnerability

vBulletin

A remote SQL injection vulnerability exists in vBulletin. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/07/2020   Date Updated: 06/02/2020

Thursday, June 4, 2020 By john