Trends

  • The top attacker country was China with 488742 unique attackers (57.00%).
  • The top Trojan C&C server detected was TrickBot, with 38 instances.


Top Attackers By Country

Country        | Occurrences | Percentage
China          | 488742      | 57.00%
Australia      | 101326      | 11.00%
South Africa   | 85389       | 10.00%
United States  | 40864       | 4.00%
United Kingdom | 36910       | 4.00%
Russia         | 21397       | 2.00%
India          | 9656        | 1.00%
Chile          | 9554        | 1.00%
Canada         | 9120        | 1.00%
South Korea    | 6012        | 0%
Germany        | 4046        | 0%
Netherlands    | 4040        | 0%
France         | 3884        | 0%
Vietnam        | 3749        | 0%
Italy          | 3281        | 0%
Japan          | 1186        | 0%
Hong Kong      | 1144        | 0%
Pakistan       | 816         | 0%
Bulgaria       | 774         | 0%


Threat Geo-location

(World map of attacker geo-location; legend scale from 774 to 488,742 occurrences per country, matching the table above)


Top Attacking Hosts

Host            | Occurrences
222.186.15.33   | 90445
112.85.42.187   | 36528
81.132.145.37   | 34662
112.85.42.188   | 19269
49.88.112.75    | 19035
49.88.112.117   | 14662
49.88.112.76    | 13707
112.85.42.88    | 12025
49.88.112.116   | 10331
181.43.57.95    | 9320
206.189.24.67   | 7796
45.141.86.128   | 6456
185.211.247.142 | 6259
49.88.112.112   | 4888
222.186.175.182 | 4194
222.186.175.216 | 4143


Top Network Attackers

ASN    | Country        | Name
23650  | China          | CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN
4837   | China          | CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
2856   | United Kingdom | BT-UK-AS BTnet UK Regional network, GB
4134   | China          | CHINANET-BACKBONE No.31,Jin-rong Street, CN
6471   | Chile          | ENTEL CHILE S.A., CL
206728 | Russia         | MEDIALAND-AS, RU
202984 | Russia         | TEAM-HOST AS, RU


Remote Access Trojan C&C Servers Found

Name             | Number Discovered | Location
DiamondFox       | 1  | 192.99.34.204
Heodo            | 21 | 101.187.104.105, 137.25.7.112, 142.105.151.124, 170.82.195.50, 177.230.81.0, 180.222.165.169, 186.188.152.177, 186.208.123.210, 190.108.228.62, 190.181.235.46, 190.229.148.144, 190.251.235.239, 201.214.229.79, 201.91.28.210, 221.133.46.86, 46.214.11.172, 61.197.37.169, 65.24.85.214, 82.223.70.24, 94.130.171.231, 95.180.25.146
Lokibot          | 11 | 103.143.173.20, 104.223.170.93, 136.243.90.101, 162.213.253.111, 185.159.153.129, 192.3.202.210, 35.246.219.215, 45.252.248.29, 50.31.174.86, 89.38.241.83, 91.215.169.52
Nexus            | 1  | 193.109.84.165
ParasiteStealer  | 1  | 104.24.107.129
Pony             | 1  | 103.143.173.20
PredatorTheThief | 5  | 104.27.173.77, 141.8.192.151, 185.178.208.129, 190.97.162.37, 51.38.140.2
TrickBot         | 38 | 103.69.216.86, 107.155.137.10, 107.175.87.113, 109.94.110.79, 139.60.163.56, 146.185.219.29, 146.185.253.157, 151.80.212.114, 178.157.82.127, 185.105.1.187, 185.11.146.101, 185.14.29.63, 185.161.211.215, 185.186.77.216, 185.203.119.173, 185.68.93.105, 185.90.61.62, 185.98.87.70, 185.99.2.53, 195.123.239.194, 195.133.196.151, 195.54.162.120, 23.227.206.170, 31.131.20.159, 45.142.215.235, 5.1.74.249, 51.81.113.25, 5.182.210.178, 5.182.211.24, 51.89.115.104, 5.2.78.118, 62.109.28.101, 62.109.30.83, 64.44.133.153, 81.177.3.88, 85.204.116.139, 91.235.129.60, 93.189.44.131


Common Malware

MD5 | VirusTotal | File Name | Claimed Product | Detection Name
5d34464531ddbdc7b0a4dba5b4c1cfea | https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details | FlashHelperServices.exe | FlashHelperService | PUA.Win.Adware.Flashserv::in03.talos
5fb477098fc975fd1b314c8fb0e4ec06 | https://www.virustotal.com/gui/file/8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325/details | upxarch.exe | N/A | Win.Dropper.Ranumbot::in07.talos
e2ea315d9a83e7577053f52c974f6a5a | https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details | c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin | N/A | W32.AgentWDCR:Gen.21gn.1201
8c80dd97c37525927c1e549cb59bcbf3 | https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details | Eternalblue-2.2.0.exe | N/A | W32.85B936960F.5A5226262.auto.Talos
42143a53581e0304b08f61c2ef8032d7 | https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details | myfile.exe | N/A | Pdf.Phishing.Phishing::malicious.tht.talos


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Fields for each entry: CVE, Title, Vendor, Description, CVSS v3 Base Score, Date Created, Date Updated

CVE-2020-0796

Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 03/12/2020
Date Updated: 03/31/2020

CVE-2020-0041

Google Android Privilege Escalation Vulnerability

Android

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/10/2020
Date Updated: 03/11/2020

CVE-2020-7982

OpenWrt's opkg Man In The Middle Attack Vulnerability

OpenWrt

A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).
CVSS v3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/16/2020
Date Updated: 03/25/2020

CVE-2019-13495

Zyxel Cross Site Scripting Vulnerability

Zyxel

In the affected firmware version of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allow remote authenticated users to inject arbitrary web script via the rpSys.html Name or Location field.
CVSS v3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Date Created: 03/31/2020
Date Updated: 04/01/2020

CVE-2020-10189

Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability

zohocorp

An issue was discovered in Zoho ManageEngine Desktop Central. Remote code execution is possible because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. An attacker could exploit this vulnerability to escalate privilege on the target system.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/06/2020
Date Updated: 03/09/2020

CVE-2019-18634

Sudo Buffer Overflow Vulnerability

Multi-Vendor

In affected Sudo versions, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default upstream or in many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 01/29/2020
Date Updated: 02/07/2020
Tuesday, April 7, 2020 By john