Threat Intel Banner

   
   Trends

  • The top attacker country was China with 136851 unique attackers (29.86%).
  • The top Trojan C&C server detected was CobaltStrike with 60 instances detected.
  • The top phishing campaign detected was against Facebook with 35 instances detected.


   Top Attackers By Country

Country          Occurrences   Percentage
China            136,851       29.86%
United States    116,220       25.36%
Russia            88,247       19.26%
India             45,559        9.94%
Germany           18,481        4.03%
Canada            14,412        3.14%
Vietnam            7,726        1.69%
South Korea        7,658        1.67%
Indonesia          4,733        1.03%
Thailand           4,214        0.92%
Netherlands        3,341        0.73%
Poland             2,702        0.59%
Guatemala          2,077        0.45%
Ukraine            1,894        0.41%
Iraq               1,706        0.37%
Egypt              1,525        0.33%
Bangladesh           936        0.20%

[Pie chart: Top Attackers by Country (China, United States, Russia, India, Germany, Canada, Other); the underlying counts are the table above]

   
   Threat Geo-location

[Map: attacker geo-location by country; colour scale runs from 936 (Bangladesh) to 136,851 (China) unique attackers]

   
   Top Attacking Hosts

Host               Occurrences
61.177.173.24      43,165
94.232.40.61       16,714
135.181.118.232    15,450
87.251.75.44       11,315
61.177.172.13      10,111
120.220.14.249      8,521
185.202.1.183       8,402
89.248.165.34       8,001
162.0.227.31        7,554
92.63.197.68        7,491
162.0.227.30        7,219
198.187.28.89       6,828
45.146.164.198      5,959
86.27.113.91        5,929
218.75.205.242      5,808
142.93.160.121      5,188
60.213.133.50       4,947


   Top Network Attackers

ASN      Country          Name
4134     China            CHINANET-BACKBONE No.31,Jin-rong Street, CN
44477    Belarus          WELLWEB, NL
24940    Germany          HETZNER-AS, DE
24444    China            CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
202425   Netherlands      INT-NETWORK, SC
22612    United States    NAMECHEAP-NET, US
44446    Ukraine          SIBIRINVEST, NL
49505    Russia           SELECTEL, RU
5089     United Kingdom   NTL, GB
14061    Germany          DIGITALOCEAN-ASN, US
4837     China            CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN


   Remote Access Trojan C&C Servers Found

Name           Number Discovered   Location
AgentTesla      3   103.133.105.179, 185.55.225.19, 209.124.66.16
Amadey          4   176.111.174.114, 185.215.113.74, 45.155.205.172, 92.38.184.216
Azorult         2   185.176.43.80, 5.144.130.35
BlackNet        1   64.120.89.238
CobaltStrike   60   103.124.106.33, 103.234.72.9, 103.66.216.83, 104.21.92.154, 104.238.110.175, 104.248.27.231, 107.172.219.125, 116.206.94.36, 119.28.201.187, 124.248.219.142, 127.0.0.1, 135.181.250.124, 139.155.52.238, 139.155.58.232, 139.60.162.19, 144.34.186.55, 149.28.218.253, 158.247.208.114, 158.247.215.231, 168.119.141.106, 176.122.165.36, 185.120.14.194, 185.141.24.25, 188.166.215.70, 195.2.70.221, 198.23.153.220, 204.16.247.49, 205.185.125.206, 212.64.69.215, 213.227.155.239, 31.44.184.232, 34.244.119.50, 34.72.221.253, 34.92.115.71, 34.92.189.33, 34.96.201.140, 34.96.225.122, 35.198.73.199, 43.226.155.94, 45.131.179.4, 45.135.132.33, 45.197.133.14, 45.32.37.210, 45.76.195.211, 45.76.221.240, 45.77.131.140, 45.77.180.242, 45.77.26.169, 46.101.98.38, 47.112.127.168, 47.241.132.227, 47.244.110.210, 47.96.231.15, 49.232.1.238, 69.172.75.50, 74.121.191.2, 78.47.145.46, 82.146.39.205, 94.191.119.17, 96.45.187.151
Collector       8   137.74.3.247, 141.8.192.151, 141.8.193.236, 185.114.247.102, 185.176.43.80, 217.107.34.191, 37.140.192.94, 5.23.51.195
Cypress         1   185.70.186.145
DiamondFox      3   5.206.224.22, 8.211.6.123, rusacenwaxalvi.xyz
Ficker          1   62.113.117.9
Lokibot         7   103.74.123.18, 113.20.29.235, 148.66.138.116, 185.212.131.80, 27.122.57.174, 31.210.21.236, 47.91.76.92
ModernLoader    1   185.70.186.149
Oski           23   176.123.0.55, 178.175.148.83, 193.142.59.33, 198.98.49.140, 198.98.60.43, 203.159.80.65, 203.159.80.72, 205.185.120.57, 209.141.40.19, 209.141.49.199, 31.210.20.147, 31.210.20.99, 31.210.21.181, 3ssq.xyz, 45.144.225.118, 45.144.225.173, 45.85.90.14, 5azc.club, 5azc.xyz, 92.204.132.28, 95.216.102.241, osiq.icu, vpsthree.xyz
Pony            1   31.210.21.236
Redirected      2   176.111.174.59, 176.111.174.60
RedLine         7   188.119.113.235, 45.142.214.176, 45.144.29.19, 45.67.228.54, 5.34.180.163, 5.34.180.193, 86.107.197.37
SupremeMiner    1   203.28.246.111
Taurus         10   104.21.1.201, 104.21.23.214, 104.21.26.24, 104.21.9.41, 172.67.141.246, 185.92.148.230, 45.138.72.240, 62.109.25.144, 95.181.157.82, 95.181.163.85
Vidar           1   188.34.193.205

Note: the CobaltStrike row includes 127.0.0.1. That is the loopback address and cannot be a remote C&C server; treat it as a reporting artifact (a beacon configured against localhost), not as an indicator to block. Two addresses are listed under more than one family and should be weighted accordingly: 185.176.43.80 (Azorult and Collector) and 31.210.21.236 (Lokibot and Pony).
[Pie chart: Trojan C&C Servers Detected by family (AgentTesla, Amadey, CobaltStrike, Collector, DiamondFox, Lokibot, Oski, RedLine, Taurus, Other); the underlying counts are the table above]

    
   Common Malware

MD5:              9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal:       https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
FileName:         ww31.exe
Claimed Product:  N/A
Detection Name:   W32.GenericKD:Attribute.24ch.1201

MD5:              ec26aef08313a27cfa06bfa897972fc1
VirusTotal:       https://www.virustotal.com/gui/file/cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587/details
FileName:         N/A
Claimed Product:  N/A
Detection Name:   Win.Worm.Dunihi::tpd

MD5:              f2c1aa209e185ed50bf9ae8161914954
VirusTotal:       https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details
FileName:         webnavigatorbrowser_exe
Claimed Product:  WebNavigatorBrowser
Detection Name:   W32.5524FEE1BB.5A6DF6a61.auto.Talos

MD5:              8193b63313019b614d5be721c538486b
VirusTotal:       https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
FileName:         SAService.exe
Claimed Product:  SAService
Detection Name:   PUA.Win.Dropper.Segurazo::95.sbx.tg

MD5:              8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:       https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
FileName:         Eternalblue-2.2.0.exe
Claimed Product:  N/A
Detection Name:   Win.Exploit.Shadowbrokers::5A5226262.auto.talos
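The two indicator tables above (the C&C servers and the Common Malware hashes) only become useful once they are matched against telemetry. The Python below is an added example, not part of this report: it loads a handful of the indicators reproduced from those tables, drops non-routable entries such as the 127.0.0.1 CobaltStrike row before they can cause false positives, records which families share an indicator, and sweeps a proxy log and a hash list against them. The log format, the client addresses, the second hash and the log lines themselves are constructed for the demonstration.

```python
"""Turn the banner's C&C and malware-hash tables into a detection sweep.

Added example, not part of the original report. The indicator values
below are copied from the tables above; the log lines and hash list are
constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Family -> indicators, as listed in "Remote Access Trojan C&C Servers Found".
# Only a handful of rows are reproduced here; the full list is in the table above.
C2_SERVERS: Dict[str, List[str]] = {
    "Azorult":      ["185.176.43.80", "5.144.130.35"],
    "Collector":    ["137.74.3.247", "185.176.43.80", "5.23.51.195"],
    "CobaltStrike": ["103.124.106.33", "127.0.0.1", "45.77.26.169"],
    "Lokibot":      ["31.210.21.236", "47.91.76.92"],
    "Pony":         ["31.210.21.236"],
    "Oski":         ["3ssq.xyz", "5azc.club", "osiq.icu", "45.144.225.118"],
    "DiamondFox":   ["5.206.224.22", "rusacenwaxalvi.xyz"],
}

# MD5 -> detection name, from "Common Malware".
MALWARE_MD5: Dict[str, str] = {
    "9a4b7b0849a274f6f7ac13c7577daad8": "W32.GenericKD:Attribute.24ch.1201",
    "ec26aef08313a27cfa06bfa897972fc1": "Win.Worm.Dunihi::tpd",
    "8c80dd97c37525927c1e549cb59bcbf3": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
}


def is_actionable(indicator: str) -> bool:
    """Reject indicators that can never identify remote C2 traffic.

    Loopback, private, link-local and other reserved ranges only produce
    false positives (the 127.0.0.1 CobaltStrike entry is the example on
    this page). Anything that is not an IP address is kept as a hostname.
    """
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        return True  # not an IP, so a domain/hostname indicator
    return addr.is_global


def build_index(servers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each actionable indicator to every family that shares it."""
    index: Dict[str, List[str]] = {}
    for family, indicators in servers.items():
        for ioc in indicators:
            if is_actionable(ioc):
                index.setdefault(ioc.lower(), []).append(family)
    return index


# Assumed proxy access-log shape: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines: Iterable[str], index: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (client, indicator, families) for every line whose destination host matches."""
    hits: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, url = m.group(2), m.group(4)
        # Strip scheme, path and port so bare CONNECT targets and full URLs compare alike.
        host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0].lower()
        if host in index:
            hits.append((client, host, index[host]))
    return hits


def scan_hashes(md5s: Iterable[str], known: Dict[str, str]) -> Dict[str, str]:
    """Return {md5: detection name} for hashes that appear in the malware table."""
    return {h.lower(): known[h.lower()] for h in md5s if h.lower() in known}


# Constructed sample data (not from the report).
SAMPLE_LOG = [
    "2021-05-04T10:01:02Z 10.0.0.15 GET http://185.176.43.80/gate.php 200",
    "2021-05-04T10:01:09Z 10.0.0.22 GET http://127.0.0.1:8080/health 200",
    "2021-05-04T10:02:41Z 10.0.0.15 POST http://3ssq.xyz/index.php 200",
    "2021-05-04T10:03:00Z 10.0.0.31 GET https://www.example.com/ 200",
    "2021-05-04T10:03:12Z 10.0.0.40 CONNECT 31.210.21.236:443 200",
]
SAMPLE_HASHES = ["EC26AEF08313A27CFA06BFA897972FC1", "d41d8cd98f00b204e9800998ecf8427e"]

if __name__ == "__main__":
    idx = build_index(C2_SERVERS)
    for client, ioc, families in scan_proxy_log(SAMPLE_LOG, idx):
        print(f"{client} -> {ioc} ({'/'.join(families)})")
    for md5, name in scan_hashes(SAMPLE_HASHES, MALWARE_MD5).items():
        print(f"{md5}: {name}")
```

Run as a script it reports three proxy hits (the loopback and example.com lines are ignored) and one hash match. The family list on each hit is what lets an analyst see that 185.176.43.80 is shared by Azorult and Collector rather than attributing it to whichever row happened to be loaded first.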


   Top Phishing Campaigns

Phishing Target   Count
Other             1156
Facebook            35
Instagram            1
PayPal               4
RuneScape           15
Allegro              9
Amazon.com           9
Vodafone             3
Orange               2
Special              1
Coinbase             1
Hotmail              2
Live                 2
Yahoo                1
DHL                  1
Microsoft            5
WeTransfer           1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE, Title, Vendor, Description, CVSS v3.1 Base Score (with vector), Date Created, Date Updated.

CVE-2021-2248

Remote Code Execution Vulnerability in Oracle Secure Global Desktop

Oracle

Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server). The supported version that is affected is 5.6. Easily exploitable vulnerability allows an unauthenticated attacker with network access via SKID to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 04/22/2021 | Date Updated: 04/29/2021

CVE-2021-31572

Denial of Service Vulnerability in Amazon FreeRTOS

Amazon

The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021 | Date Updated: 05/03/2021

CVE-2017-3167

Authentication Bypass Vulnerability in Apache httpd

Apache and multiple other vendors

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/19/2017 | Date Updated: 05/04/2021

CVE-2021-21346

Deserialization Vulnerability in XStream Library

XStream project

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/22/2021 | Date Updated: 04/30/2021

CVE-2020-11975

Remote Code Execution Vulnerability in Apache Unomi

Apache

Apache Unomi allows conditions to use OGNL scripting, which offers the possibility to call static Java classes from the JDK and so execute code with the permission level of the running Java process.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021 | Date Updated: 04/14/2021

CVE-2021-1479

Remote Code Execution Vulnerability in Cisco vManage Software

Cisco

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details section of Cisco's advisory.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/05/2020 | Date Updated: 05/03/2021

CVE-2020-11857

Authorization Bypass Vulnerability in Micro Focus Operations Bridge Reporter

Micro Focus

An Authorization Bypass vulnerability in Micro Focus Operations Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 09/22/2020 | Date Updated: 04/30/2021

CVE-2021-2302

Remote Code Execution Vulnerability in Oracle Fusion Middleware (Oracle Platform Security for Java)

Oracle

Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/22/2021 | Date Updated: 04/30/2021