Threat Intel Banner

   
   Trends

  • The top attacker country was Russia with 235593 unique attackers (32.46%).
  • The top Trojan C&C server detected was Oski with 17 instances detected; CobaltStrike team servers, listed in the same table below, were seen 60 times.
  • The top phishing campaign detected was against Facebook with 58 instances detected.


   Top Attackers By Country

Country Occurrences Percentage
Russia 235593 32.46%
India 127310 17.54%
China 108557 14.96%
United Kingdom 60967 8.40%
Indonesia 29805 4.11%
Netherlands 26328 3.63%
Canada 13717 1.89%
Vietnam 8870 1.22%
Romania 5050 0.70%
Bangladesh 4984 0.69%
Ukraine 4891 0.67%
Singapore 4548 0.63%
Germany 3357 0.46%
Bulgaria 2596 0.36%
Taiwan 2184 0.30%
Latvia 1740 0.24%
Thailand 975 0.13%

   
   Threat Geo-location

(Map of attack sources by country; colour scale runs from 975 to 235,593 occurrences, matching the table above.)

   
   Top Attacking Hosts

Host Occurrences
45.146.164.198 37322
61.177.173.5 32306
185.191.34.206 27079
5.39.218.210 22071
185.191.34.204 20186
185.191.34.205 20095
185.191.34.212 20090
45.146.164.91 20066
45.146.164.94 19780
103.100.29.81 16587
103.70.144.246 13147
103.70.68.118 11968
185.153.196.165 11689
103.70.68.194 9546
91.132.58.3 9189


   Top Network Attackers

ASN Country Name
49505 Russia SELECTEL, RU
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
50340 Russia SELECTEL-MSK, RU
57043 Netherlands HOSTKEY-AS, NL
131476 Australia FUSIONBB-AU 10/50 Market St, AU
137549 Australia NODE1-AS-AP NODE1 Pty Ltd, AU
133647 India ELXIREDATA-AS-IN ELXIRE DATA SERVICES PVT. LTD., IN
135464 Indonesia IDNIC-WINETMEDIA-AS-ID Winet Media Persada, ID
49877 Moldova RMINJINERING, RU
23470 United Kingdom RELIABLESITE, US


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 2 103.133.105.179 , 209.124.66.16
Amadey 4 176.111.174.114 , 185.215.113.74 , 45.155.205.172 , 92.38.184.216
BlackNet 1 64.120.89.238
CobaltStrike 60 103.124.106.33 , 103.234.72.9 , 103.66.216.83 , 104.21.92.154 , 104.238.110.175 , 104.248.27.231 , 107.172.219.125 , 116.206.94.36 , 119.28.201.187 , 124.248.219.142 , 127.0.0.1 , 135.181.250.124 , 139.155.52.238 , 139.155.58.232 , 139.60.162.19 , 144.34.186.55 , 149.28.218.253 , 158.247.208.114 , 158.247.215.231 , 168.119.141.106 , 176.122.165.36 , 185.120.14.194 , 185.141.24.25 , 188.166.215.70 , 195.2.70.221 , 198.23.153.220 , 204.16.247.49 , 205.185.125.206 , 212.64.69.215 , 213.227.155.239 , 31.44.184.232 , 34.244.119.50 , 34.72.221.253 , 34.92.115.71 , 34.92.189.33 , 34.96.201.140 , 34.96.225.122 , 35.198.73.199 , 43.226.155.94 , 45.131.179.4 , 45.135.132.33 , 45.197.133.14 , 45.32.37.210 , 45.76.195.211 , 45.76.221.240 , 45.77.131.140 , 45.77.180.242 , 45.77.26.169 , 46.101.98.38 , 47.112.127.168 , 47.241.132.227 , 47.244.110.210 , 47.96.231.15 , 49.232.1.238 , 69.172.75.50 , 74.121.191.2 , 78.47.145.46 , 82.146.39.205 , 94.191.119.17 , 96.45.187.151
Collector 3 141.8.193.236 , 185.114.247.102 , 185.22.155.64
DiamondFox 2 8.211.6.123 , rusacenwaxalvi.xyz
Lokibot 5 103.74.123.18 , 113.20.29.235 , 185.212.131.80 , 31.210.21.248 , 47.91.76.92
Oski 17 176.123.0.55 , 178.175.148.83 , 198.98.49.140 , 198.98.60.43 , 205.185.120.57 , 31.210.20.147 , 31.210.20.99 , 31.210.21.181 , 3ssq.xyz , 45.144.225.118 , 45.85.90.14 , 5azc.club , 5azc.xyz , 92.204.132.28 , 95.216.102.241 , osiq.icu , vpsthree.xyz
Pony 1 31.210.21.236
RedLine 7 188.119.113.235 , 45.142.214.176 , 45.67.228.54 , 5.34.180.163 , 5.34.180.193 , 86.107.197.37 , 94.140.115.97
Taurus 10 104.21.1.201 , 104.21.23.214 , 104.21.26.24 , 104.21.9.41 , 172.67.141.246 , 185.92.148.230 , 45.138.72.240 , 62.109.25.144 , 95.181.157.82 , 95.181.163.85

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe AntivirusService PUA.Win.Dropper.Segurazo::tpd
84291afce6e5cfd615b1351178d51738 https://www.virustotal.com/gui/file/bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208/details webnavigatorbrowser.exe WebNavigatorBrowser W32.BFBE7022A4.5A6DF6a61.auto.Talos
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos
96f8e4e2d643568cf242ff40d537cd85 https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details SAService.exe SAService PUA.Win.File.Segurazo::95.sbx.tg
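The C&C and Common Malware tables above are only useful once they are turned into something that can be matched against your own telemetry. The script below is an added example (not part of the original banner or any vendor tooling) that parses rows in the banner's "Name Count indicator , indicator , ..." layout into IP and domain indicator sets, drops non-routable entries such as the 127.0.0.1 that appears in the CobaltStrike row (loopback is not an actionable indicator), and sweeps a handful of constructed proxy log lines and file hashes for hits. The table excerpt, the log format and the observed-hash dictionary are constructed for the example; the indicator values are copied from the tables above.

```python
"""Turn the banner's indicator tables into a matchable IOC set and sweep sample logs.

Added example; the C&C excerpt, log lines and observed hashes are constructed inputs.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the "Remote Access Trojan C&C Servers Found" table above
# (family, count, then comma-separated indicators). The parser accepts any number of rows.
CC_TABLE = """\
Amadey 4 176.111.174.114 , 185.215.113.74 , 45.155.205.172 , 92.38.184.216
CobaltStrike 60 103.124.106.33 , 127.0.0.1 , 135.181.250.124 , 45.32.37.210
DiamondFox 2 8.211.6.123 , rusacenwaxalvi.xyz
Oski 17 176.123.0.55 , 3ssq.xyz , 5azc.club , osiq.icu , vpsthree.xyz
"""

# Constructed excerpt of the "Common Malware" table (MD5 -> detection name).
MALWARE_MD5 = {
    "9a4b7b0849a274f6f7ac13c7577daad8": "W32.GenericKD:Attribute.24ch.1201",
    "8c80dd97c37525927c1e549cb59bcbf3": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
}

ROW_RE = re.compile(r"^(?P<family>\S+)\s+(?P<count>\d+)\s+(?P<iocs>.+)$")


def parse_cc_table(text: str) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Return (ip -> family, domain -> family, skipped) from table text in the banner's layout.

    Loopback, private and other non-global addresses are reported in `skipped` rather
    than added to the blocklist, so a stray 127.0.0.1 cannot end up blocking localhost.
    """
    ips: Dict[str, str] = {}
    domains: Dict[str, str] = {}
    skipped: List[str] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        family = m.group("family")
        for raw in m.group("iocs").split(","):
            ioc = raw.strip().lower()
            if not ioc:
                continue
            try:
                addr = ipaddress.ip_address(ioc)
            except ValueError:
                domains[ioc] = family  # not an IP literal: treat as a domain indicator
                continue
            if not addr.is_global:
                skipped.append(ioc)
                continue
            ips[ioc] = family
    return ips, domains, skipped


def domain_matches(host: str, domains: Dict[str, str]) -> Optional[str]:
    """Match a hostname or any parent domain (never the bare TLD) against domain IOCs."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


# Constructed proxy log lines: "<timestamp> <client> <destination ip> <host or -> <status>"
SAMPLE_LOG = """\
2021-04-20T10:01:02Z 10.0.0.15 176.111.174.114 - 200
2021-04-20T10:01:09Z 10.0.0.22 93.184.216.34 www.example.com 200
2021-04-20T10:02:41Z 10.0.0.15 104.21.88.12 cdn.5azc.club 200
2021-04-20T10:03:00Z 10.0.0.31 127.0.0.1 localhost 200
2021-04-20T10:04:17Z 10.0.0.40 45.32.37.210 - 403
"""


def sweep_log(log_text: str, ips: Dict[str, str], domains: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, matched indicator, family) for every log line that touches an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, _client, dst_ip, host, _status = parts
        if dst_ip in ips:
            hits.append((ts, dst_ip, ips[dst_ip]))
            continue
        family = domain_matches(host, domains) if host != "-" else None
        if family:
            hits.append((ts, host, family))
    return hits


def sweep_hashes(observed: Dict[str, str], known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """observed: path -> md5 (any case). Returns (path, md5, detection name) for known-bad files."""
    return [(path, h.lower(), known[h.lower()]) for path, h in observed.items() if h.lower() in known]


if __name__ == "__main__":
    ip_iocs, domain_iocs, dropped = parse_cc_table(CC_TABLE)
    print(f"{len(ip_iocs)} IP and {len(domain_iocs)} domain indicators loaded; skipped {dropped}")
    for hit in sweep_log(SAMPLE_LOG, ip_iocs, domain_iocs):
        print("C2 contact:", hit)
```

Feed the full tables in as `CC_TABLE` and a real proxy or DNS export in place of `SAMPLE_LOG`; the parent-domain walk in `domain_matches` is what catches subdomains of listed domains, which a plain string equality check would miss.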


   Top Phishing Campaigns

Phishing Target Count
Other 865
Facebook 58
Itau 1
Special 1
Allegro 4
WeTransfer 1
Vodafone 5
Microsoft 6
Amazon.com 5
Bradesco 1
Hotmail 2
DHL 1
RuneScape 1
Rakuten 1
Visa 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE, Title, Vendor, Description, CVSS v3.1 Base Score (with vector), Date Created, Date Updated.

CVE-2021-27112

Remote Code Execution in Light CMS

Light CMS Project

LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php, in the code path that downloads external images. It can be exploited remotely and used to deliver malicious code to end users. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/15/2021 04/19/2021

CVE-2021-25360

Arbitrary Code Execution in Android Devices

Samsung Mobile (Android devices)

An improper input validation vulnerability in the libswmfextractor library prior to SMR APR-2021 Release 1 (Samsung's April 2021 mobile security release) allows attackers to execute arbitrary code in the mediaextractor process. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/09/2021 04/21/2021

CVE-2021-24223

Arbitrary File Upload Vulnerability in WordPress Plugin

WordPress (N5 Upload Form plugin)

The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue on any page where a form from the plugin is embedded, as any file type can be uploaded. The stored filename is hard to guess because it is generated with md5(uniqid(rand())), but on misconfigured servers with directory listing enabled, locating and accessing the uploaded file is trivial. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/12/2021 04/19/2021

CVE-2021-22507

Authentication Bypass Vulnerability in Micro Focus Operations Bridge Manager

Micro Focus

Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. The vulnerability could allow remote attackers to bypass user authentication and get unauthorized access. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/08/2021 04/14/2021

CVE-2021-20021

Privilege Escalation Vulnerability in SonicWall Email Security

SonicWall

A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/09/2021 04/14/2021

CVE-2021-1479

Remote Code Execution Vulnerability in Cisco vManage Software

Cisco

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code, or an authenticated, local attacker to gain escalated privileges, on an affected system. Cisco's advisory for this CVE describes the individual vulnerabilities. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/08/2021 04/19/2021

CVE-2020-27236

SQL Injection Vulnerability in Openclinic

Openclinic

An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3, in the compnomenclature parameter. An attacker can send an authenticated HTTP request to trigger this vulnerability. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/13/2021 04/14/2021