Threat Intelligence Report - 3rd May to 9th May 2021 | Red Piranha

Threat Intel Banner

Trends

The top attacker country was China with 136851 unique attackers (29.86%).
The top Trojan C&C server detected was CobaltStrike with 60 instances detected.
The top phishing campaign detected was against Facebook with 35 instances detected.

Top Attackers By Country

Country	Occurences	Percentage
China	136851	29.86%
United States	116220	25.36%
Russia	88247	19.26%
India	45559	9.94%
Germany	18481	4.03%
Canada	14412	3.14%
Vietnam	7726	1.69%
South Korea	7658	1.67%
Indonesia	4733	1.03%
Thailand	4214	0.92%
Netherlands	3341	0.73%
Poland	2702	0.59%
Guatemala	2077	0.45%
Ukraine	1894	0.41%
Iraq	1706	0.37%
Egypt	1525	0.33%
Bangladesh	936	0.20%

Country	Percentage of Attacks
China	136,851
United States	116,220
Russia	88,247
India	45,559
Germany	18,481
Canada	14,412
Vietnam	7,726
South Korea	7,658
Indonesia	4,733
Thailand	4,214
Netherlands	3,341
Poland	2,702
Guatemala	2,077
Ukraine	1,894
Iraq	1,706
Egypt	1,525
Bangladesh	936

Threat Geo-location

Top Attacking Hosts

Host	Occurrences
61.177.173.24	43165
94.232.40.61	16714
135.181.118.232	15450
87.251.75.44	11315
61.177.172.13	10111
120.220.14.249	8521
185.202.1.183	8402
89.248.165.34	8001
162.0.227.31	7554
92.63.197.68	7491
162.0.227.30	7219
198.187.28.89	6828
45.146.164.198	5959
86.27.113.91	5929
218.75.205.242	5808
142.93.160.121	5188
60.213.133.50	4947

Top Network Attackers

ASN	Country	Name
4134	China	CHINANET-BACKBONE No.31,Jin-rong Street, CN
44477	Belarus	WELLWEB, NL
24940	Germany	HETZNER-AS, DE
24444	China	CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
202425	Netherlands	INT-NETWORK, SC
22612	United States	NAMECHEAP-NET, US
44446	Ukraine	SIBIRINVEST, NL
49505	Russia	SELECTEL, RU
5089	United Kingdom	NTL, GB
14061	Germany	DIGITALOCEAN-ASN, US
4837	China	CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN

Remote Access Trojan C&C Servers Found

Name	Number Discovered	Location
AgentTesla	3	103.133.105.179 , 185.55.225.19 , 209.124.66.16
Amadey	4	176.111.174.114 , 185.215.113.74 , 45.155.205.172 , 92.38.184.216
Azorult	2	185.176.43.80 , 5.144.130.35
BlackNet	1	64.120.89.238
CobaltStrike	60	103.124.106.33 , 103.234.72.9 , 103.66.216.83 , 104.21.92.154 , 104.238.110.175 , 104.248.27.231 , 107.172.219.125 , 116.206.94.36 , 119.28.201.187 , 124.248.219.142 , 127.0.0.1 , 135.181.250.124 , 139.155.52.238 , 139.155.58.232 , 139.60.162.19 , 144.34.186.55 , 149.28.218.253 , 158.247.208.114 , 158.247.215.231 , 168.119.141.106 , 176.122.165.36 , 185.120.14.194 , 185.141.24.25 , 188.166.215.70 , 195.2.70.221 , 198.23.153.220 , 204.16.247.49 , 205.185.125.206 , 212.64.69.215 , 213.227.155.239 , 31.44.184.232 , 34.244.119.50 , 34.72.221.253 , 34.92.115.71 , 34.92.189.33 , 34.96.201.140 , 34.96.225.122 , 35.198.73.199 , 43.226.155.94 , 45.131.179.4 , 45.135.132.33 , 45.197.133.14 , 45.32.37.210 , 45.76.195.211 , 45.76.221.240 , 45.77.131.140 , 45.77.180.242 , 45.77.26.169 , 46.101.98.38 , 47.112.127.168 , 47.241.132.227 , 47.244.110.210 , 47.96.231.15 , 49.232.1.238 , 69.172.75.50 , 74.121.191.2 , 78.47.145.46 , 82.146.39.205 , 94.191.119.17 , 96.45.187.151
Collector	8	137.74.3.247 , 141.8.192.151 , 141.8.193.236 , 185.114.247.102 , 185.176.43.80 , 217.107.34.191 , 37.140.192.94 , 5.23.51.195
Cypress	1	185.70.186.145
DiamondFox	3	5.206.224.22 , 8.211.6.123 , rusacenwaxalvi.xyz
Ficker	1	62.113.117.9
Lokibot	7	103.74.123.18 , 113.20.29.235 , 148.66.138.116 , 185.212.131.80 , 27.122.57.174 , 31.210.21.236 , 47.91.76.92
ModernLoader	1	185.70.186.149
Oski	23	176.123.0.55 , 178.175.148.83 , 193.142.59.33 , 198.98.49.140 , 198.98.60.43 , 203.159.80.65 , 203.159.80.72 , 205.185.120.57 , 209.141.40.19 , 209.141.49.199 , 31.210.20.147 , 31.210.20.99 , 31.210.21.181 , 3ssq.xyz , 45.144.225.118 , 45.144.225.173 , 45.85.90.14 , 5azc.club , 5azc.xyz , 92.204.132.28 , 95.216.102.241 , osiq.icu , vpsthree.xyz
Pony	1	31.210.21.236
Redirected	2	176.111.174.59 , 176.111.174.60
RedLine	7	188.119.113.235 , 45.142.214.176 , 45.144.29.19 , 45.67.228.54 , 5.34.180.163 , 5.34.180.193 , 86.107.197.37
SupremeMiner	1	203.28.246.111
Taurus	10	104.21.1.201 , 104.21.23.214 , 104.21.26.24 , 104.21.9.41 , 172.67.141.246 , 185.92.148.230 , 45.138.72.240 , 62.109.25.144 , 95.181.157.82 , 95.181.163.85
Vidar	1	188.34.193.205

Name	Number Discovered
AgentTesla	3
Amadey	4
Azorult	2
BlackNet	1
CobaltStrike	60
Collector	8
Cypress	1
DiamondFox	3
Ficker	1
Lokibot	7
ModernLoader	1
Oski	23
Pony	1
Redirected	2
RedLine	7
SupremeMiner	1
Taurus	10
Taurus	1

Common Malware

MD5	VirusTotal	FileName	Claimed Product	Detection Name
9a4b7b0849a274f6f7ac13c7577daad8	https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details	ww31.exe	N/A	W32.GenericKD:Attribute.24ch.1201
ec26aef08313a27cfa06bfa897972fc1	https://www.virustotal.com/gui/file/cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587/details	N/A	N/A	Win.Worm.Dunihi::tpd
f2c1aa209e185ed50bf9ae8161914954	https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details	webnavigatorbrowser_exe	WebNavigatorBrowser	W32.5524FEE1BB.5A6DF6a61.auto.Talos
8193b63313019b614d5be721c538486b	https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details	SAService.exe	SAService	PUA.Win.Dropper.Segurazo::95.sbx.tg
8c80dd97c37525927c1e549cb59bcbf3	https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection	Eternalblue-2.2.0.exe	N/A	Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Top Phishing Campaigns

Phishing Target	Count
Other	1156
Facebook	35
Instagram	1
PayPal	4
RuneScape	15
Allegro	9
Amazon.com	9
Vodafone	3
Orange	2
Special	1
Coinbase	1
Hotmail	2
Live	2
Yahoo	1
DHL	1
Microsoft	5
WeTransfer	1

CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor	Description	CVSS v3.1 Base Score	Date Created	Date Updated
CVE-2021-2248 Remote Code Execution Vulnerability in Oracle Secure Product Oracle	Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server). The supported version that is affected is 5.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via SKID to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.	10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)	04/22/2021	04/29/2021
CVE-2021-31572 Denial of Service Vulnerability in AWS Amazon	The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.	9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	04/09/2021	05/03/2021
CVE-2017-3167 Authentication Bypass Vulnerability in Apache httpd Apache and multiple other vendors	In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.	9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	06/19/2017	05/04/2021
CVE-2021-21346 Deserialization Vulnerability in XStream Library XStream_project	XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.	9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	03/22/2021	04/30/2021
CVE-2020-11975 Privilege Escalation Vulnerability in Apache Unomi Apache	Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.	9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	04/09/2021	04/14/2021
CVE-2021-1479 Remote Code Execution Vulnerability in Cisco vManage Software Cisco	Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.	9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	06/05/2020	05/03/2021
CVE-2020-11857 Authorization Bypass Vulnerability in Micro Focus Operation Bridge Microfocus	An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user	9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	09/22/2020	04/30/2021
CVE-2020-11857 Remote Code Execution in Oracle Fusion Oracle	Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java.	9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	04/22/2021	04/30/2021

Details

Date Published

May 13, 2021

Category

Threat Intelligence