Threat Intel Banner

   
   Trends

  • The top attacker country was China with 136851 unique attackers (29.86%).
  • The top Trojan C&C server detected was CobaltStrike with 60 instances detected.
  • The top phishing campaign detected was against Facebook with 35 instances detected.


   Top Attackers By Country

Country Occurrences Percentage
China 136851 29.86%
United States 116220 25.36%
Russia 88247 19.26%
India 45559 9.94%
Germany 18481 4.03%
Canada 14412 3.14%
Vietnam 7726 1.69%
South Korea 7658 1.67%
Indonesia 4733 1.03%
Thailand 4214 0.92%
Netherlands 3341 0.73%
Poland 2702 0.59%
Guatemala 2077 0.45%
Ukraine 1894 0.41%
Iraq 1706 0.37%
Egypt 1525 0.33%
Bangladesh 936 0.20%
 
[Pie chart: Top Attackers by Country; values as in the table above]

   
   Threat Geo-location

[Map: Threat Geo-location; legend scale 936 to 136,851 occurrences]

   
   Top Attacking Hosts



   Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
44477 Belarus WELLWEB, NL
24940 Germany HETZNER-AS, DE
24444 China CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
202425 Netherlands INT-NETWORK, SC
22612 United States NAMECHEAP-NET, US
44446 Ukraine SIBIRINVEST, NL
49505 Russia SELECTEL, RU
5089 United Kingdom NTL, GB
14061 Germany DIGITALOCEAN-ASN, US
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN


   Remote Access Trojan C&C Servers Found

Name Number Discovered
AgentTesla 3
Amadey 4
Azorult 2
BlackNet 1
CobaltStrike 60
Collector 8
Cypress 1
DiamondFox 3
Ficker 1
Lokibot 7
ModernLoader 1
Oski 23
Pony 1
Redirected 2
RedLine 7
SupremeMiner 1
Taurus 10
Vidar 1

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
ec26aef08313a27cfa06bfa897972fc1 https://www.virustotal.com/gui/file/cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587/details N/A N/A Win.Worm.Dunihi::tpd
f2c1aa209e185ed50bf9ae8161914954 https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details webnavigatorbrowser_exe WebNavigatorBrowser W32.5524FEE1BB.5A6DF6a61.auto.Talos
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos


   Top Phishing Campaigns

Phishing Target Count
Other 1156
Facebook 35
Instagram 1
PayPal 4
RuneScape 15
Allegro 9
Amazon.com 9
Vodafone 3
Orange 2
Special 1
Coinbase 1
Hotmail 2
Live 2
Yahoo 1
DHL 1
Microsoft 5
WeTransfer 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE-2021-2248
Title: Remote Code Execution Vulnerability in Oracle Secure Product
Vendor: Oracle
Description: Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server). The supported version that is affected is 5.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via SKID to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 04/22/2021
Date Updated: 04/29/2021

CVE-2021-31572
Title: Denial of Service Vulnerability in AWS
Vendor: Amazon
Description: The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021
Date Updated: 05/03/2021

CVE-2017-3167
Title: Authentication Bypass Vulnerability in Apache httpd
Vendor: Apache and multiple other vendors
Description: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/19/2017
Date Updated: 05/04/2021

CVE-2021-21346
Title: Deserialization Vulnerability in XStream Library
Vendor: XStream_project
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/22/2021
Date Updated: 04/30/2021

CVE-2020-11975
Title: Privilege Escalation Vulnerability in Apache Unomi
Vendor: Apache
Description: Apache Unomi allows conditions to use OGNL scripting, which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021
Date Updated: 04/14/2021

CVE-2021-1479
Title: Remote Code Execution Vulnerability in Cisco vManage Software
Vendor: Cisco
Description: Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/05/2020
Date Updated: 05/03/2021

CVE-2020-11857
Title: Authorization Bypass Vulnerability in Micro Focus Operation Bridge
Vendor: Microfocus
Description: An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 09/22/2020
Date Updated: 04/30/2021

CVE-2020-11857
Title: Remote Code Execution in Oracle Fusion
Vendor: Oracle
Description: Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/22/2021
Date Updated: 04/30/2021
Date Published
May 13, 2021