Trends

  • The top attacker country was Italy with 243,846 occurrences (26.9% of all recorded attacks). Almost all of that total comes from one source: the top attacking host listed below, 149.132.54.49, accounts for 243,104 occurrences on its own, so the country ranking reflects a single very noisy scanner rather than a broad campaign.
  • The top Trojan C&C family detected was TrickBot with 28 servers detected.
  • The top phishing campaign detected targeted Facebook accounts, with 35 instances detected.


Top Attackers By Country

Country           Occurrences   Percentage
Italy                 243,846       26.87%
China                 205,286       22.63%
Australia             193,103       21.28%
Netherlands            74,778        8.24%
United States          50,902        5.61%
France                 40,737        4.49%
India                  17,346        1.91%
United Kingdom         17,294        1.91%
Russia                 15,237        1.68%
Germany                10,656        1.17%
Switzerland             9,633        1.06%
Canada                  9,399        1.04%
Chile                   4,657        0.51%
South Korea             4,209        0.46%
Ukraine                 3,564        0.39%
Hong Kong               3,427        0.38%
Philippines             1,987        0.22%
Estonia                   753        0.08%
Panama                    524        0.06%
Total                 907,338

Percentages are each country's share of the 907,338 occurrences listed.


Threat Geo-location

(World map of attacker occurrences by country; colour scale runs from 524 (Panama) to 243,846 (Italy).)


Top Attacking Hosts

Host               Occurrences
149.132.54.49          243,104
112.85.42.188           71,809
188.165.203.93          38,693
163.172.101.48          10,940
36.22.187.234            7,953
218.65.30.24             7,164
112.85.42.102            6,549
94.102.51.95             6,281
94.102.57.135            3,608
80.82.64.98              3,600
94.102.57.179            3,563
94.102.57.153            3,561
185.39.10.89             3,547
94.102.57.172            3,540

Several of these hosts cluster by netblock: four of the fourteen (94.102.57.135, .153, .172 and .179) sit in 94.102.57.0/24, and two (112.85.42.188 and 112.85.42.102) in 112.85.42.0/24. When such neighbours appear together, a prefix-level block is usually more durable than per-address entries, provided the rest of the prefix is checked for legitimate hosting first.


Top Network Attackers

ASN      Country       Name
137      Italy         ASGARR Consortium GARR, EU
4837     China         CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
16276    France        OVH, FR
12876    France        Online SAS, FR
4134     China         CHINANET-BACKBONE No.31,Jin-rong Street, CN
202425   Netherlands   INT-NETWORK, SC
62355    Switzerland   NETWORKDEDICATED, CH


Remote Access Trojan C&C Servers Found

Name           Number Discovered   Location
CobaltStrike   2                   45.141.84.218, 45.141.84.234
Heodo          23                  104.131.123.136, 104.193.103.61, 105.186.233.33, 109.169.12.78, 128.92.203.42, 130.0.132.242, 181.74.0.251, 187.49.206.134, 189.35.44.221, 190.188.245.242, 202.22.141.45, 202.29.239.162, 203.205.28.68, 37.187.161.206, 38.18.235.242, 5.196.108.189, 70.169.17.134, 71.15.245.148, 76.175.162.101, 78.188.106.53, 80.241.255.202, 80.87.201.221, 91.146.156.228
Oski           1                   45.141.84.143
SmokeLoader    1                   45.141.84.247
TrickBot       28                  104.161.32.10, 185.105.1.149, 185.164.32.108, 185.234.72.147, 185.99.2.180, 194.156.98.172, 194.5.249.107, 194.5.249.156, 194.5.249.31, 195.123.239.59, 195.123.241.157, 195.123.241.182, 195.2.93.227, 212.80.219.98, 45.141.103.194, 45.155.173.196, 45.8.230.108, 45.89.127.27, 51.89.177.18, 62.108.35.179, 62.108.35.204, 85.143.219.36, 88.150.197.186, 91.200.101.192, 91.210.171.82, 93.189.40.214, 94.250.254.84, 94.250.255.217
UAdmin         1                   45.141.84.163

In total 56 C&C servers were found, half of them TrickBot and 23 Heodo (Emotet). Four of the six families (CobaltStrike, Oski, SmokeLoader and UAdmin) were observed in the same /24, 45.141.84.0/24, and three TrickBot servers share 194.5.249.0/24; these prefixes are worth watching as a whole rather than only the individual addresses listed.
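The C&C list above is most useful once it is turned into something that runs against traffic logs. The following is an added example, not tooling from this report: it takes a subset of the addresses from the table, groups them by /24 to surface the shared 45.141.84.0/24 netblock, and then scans a few constructed firewall log lines (hypothetical "time action src -> dst" format) for both exact C2 hits and weaker same-prefix hits.

```python
"""Match C&C addresses against firewall log lines and group them by /24.

Added example, not the report's own tooling. C2_BY_FAMILY is a subset of
the table above; SAMPLE_LOG and its line format are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Subset of the Remote Access Trojan C&C table above, keyed by family.
C2_BY_FAMILY = {
    "CobaltStrike": ["45.141.84.218", "45.141.84.234"],
    "Oski": ["45.141.84.143"],
    "SmokeLoader": ["45.141.84.247"],
    "UAdmin": ["45.141.84.163"],
    "TrickBot": ["45.141.103.194", "194.5.249.31", "194.5.249.107", "194.5.249.156"],
    "Heodo": ["5.196.108.189", "37.187.161.206"],
}

# Constructed firewall log lines (hypothetical format: time action src -> dst).
SAMPLE_LOG = """\
2020-10-05T09:12:44Z ALLOW 10.0.0.23:51234 -> 45.141.84.218:443
2020-10-05T09:12:51Z ALLOW 10.0.0.23:51240 -> 142.250.74.110:443
2020-10-05T09:13:02Z ALLOW 10.0.1.7:49877 -> 194.5.249.31:447
2020-10-05T09:13:09Z DENY  10.0.1.7:49880 -> 45.141.84.9:80
2020-10-05T09:14:30Z ALLOW 10.0.2.15:50001 -> 5.196.108.189:8080
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)


def exact_index(c2_by_family):
    """Map each C2 address to its family for direct lookup."""
    return {ip: fam for fam, ips in c2_by_family.items() for ip in ips}


def prefix_index(c2_by_family, prefixlen=24):
    """Group C2 addresses by /prefixlen; shows which families share a netblock."""
    groups = defaultdict(set)
    for fam, ips in c2_by_family.items():
        for ip in ips:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            groups[str(net)].add(fam)
    return {net: sorted(fams) for net, fams in groups.items()}


def shared_prefixes(c2_by_family, prefixlen=24, min_families=2):
    """Return netblocks hosting at least min_families distinct families."""
    return {net: fams for net, fams in prefix_index(c2_by_family, prefixlen).items()
            if len(fams) >= min_families}


def match_log(log_text, c2_by_family, prefixlen=24):
    """Scan log lines; report exact C2 hits and weaker same-/24 hits."""
    exact = exact_index(c2_by_family)
    prefixes = prefix_index(c2_by_family, prefixlen)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the expected format are skipped
        dst = m["dst"]
        if dst in exact:
            hits.append((m["ts"], m["src"], dst, "exact", exact[dst]))
            continue
        net = str(ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False))
        if net in prefixes:
            hits.append((m["ts"], m["src"], dst, "prefix", ",".join(prefixes[net])))
    return hits


if __name__ == "__main__":
    for net, fams in sorted(shared_prefixes(C2_BY_FAMILY).items()):
        print(f"{net}: {', '.join(fams)}")
    for hit in match_log(SAMPLE_LOG, C2_BY_FAMILY):
        print(hit)
```

Prefix hits are deliberately reported separately from exact hits: a connection to an unlisted address inside 45.141.84.0/24 is a lead to investigate, not proof of compromise, whereas an exact hit on a listed C2 address should be escalated. Denied connections are kept as well, since a blocked beacon still identifies an infected host.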


Common Malware

MD5: 8c80dd97c37525927c1e549cb59bcbf3
SHA-256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File Name: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 29f47c2f15d6421bdd813be27a2e3b25
SHA-256: be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063
VirusTotal: https://www.virustotal.com/gui/file/be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063/details
File Name: FlashHelperServices.exe
Claimed Product: N/A
Detection Name: FlashHelperService

MD5: 01a607b4d69c549629e6f0dfd3983956
SHA-256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5
VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details
File Name: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:1eef72aa56.in03.Talos

MD5: e2ea315d9a83e7577053f52c974f6a5a
SHA-256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
File Name: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

MD5: 799b30f47060ca05d80ece53866e01cc
SHA-256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
File Name: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201

The SHA-256 for each sample is the identifier in its VirusTotal URL; prefer it over the MD5 when building indicators, since MD5 collisions are practical.


Top Phishing Campaigns

Phishing Target   Count
Facebook             35
Amazon.com           28
Halifax              23
Virustotal           17
Microsoft             8
PayPal                8
Caixa                 4
Vodafone              3
Special               3
DHL                   2
Orange                2
RuneScape             2
AOL                   1
Citibank              1
Instagram             1
Netflix               1
VKontakte             1
Other             1,391


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE-2020-1472
Microsoft Netlogon Elevation of Privilege Vulnerability (Zerologon)
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 08/17/2020
Date Updated: 10/03/2020

CVE-2020-1895
Instagram App Heap Buffer Overflow Vulnerability
Vendor: Facebook
Description: A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date Created: 04/09/2020
Date Updated: 04/10/2020

CVE-2020-0688
Microsoft Exchange Validation Key Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 02/11/2020
Date Updated: 02/20/2020

CVE-2020-1350
Microsoft Windows DNS Server Remote Code Execution Vulnerability (SIGRed)
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 07/14/2020
Date Updated: 07/23/2020

CVE-2020-4486
IBM QRadar Arbitrary File Overwrite Vulnerability
Vendor: IBM
Description: IBM QRadar allows an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation.
CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Date Created: 08/11/2020
Date Updated: 08/11/2020

CVE-2020-8437
BitTorrent uTorrent Denial of Service Vulnerability
Vendor: BitTorrent
Description: The bencoding parser in BitTorrent uTorrent misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date Created: 03/02/2020
Date Updated: 09/30/2020

CVE-2020-6506
Google Chrome on Android WebView Site Isolation Bypass Vulnerability
Vendor: Google
Description: Insufficient policy enforcement in WebView in Google Chrome on Android allows a remote attacker to bypass site isolation via a crafted HTML page. An Android WebView instance with default configuration and JavaScript enabled allows an iframe on a different origin to bypass same-origin policies and execute arbitrary JavaScript in the top document.
CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Date Created: 07/22/2020
Date Updated: 10/01/2020
Monday, October 5, 2020 By john