Threat Intel Banner

   
   Trends

  • The top attacker country was Russia with 43845 unique attackers (18.00%).
  • The top Trojan C&C server detected was Cryptbot, with 38 instances.
  • The top phishing campaign detected targeted Facebook, with 36 instances.


   Top Attackers By Country

Country Occurrences Percentage
Russia 43845 18.00%
India 37496 15.00%
China 36232 14.00%
United States 24977 10.00%
Vietnam 5398 2.00%
Brazil 3805 1.00%
Hong Kong 2583 1.00%
Indonesia 2341 0%
Bulgaria 2149 0%
Canada 2038 0%
Singapore 2015 0%
France 1225 0%
Colombia 707 0%
Mexico 526 0%
Netherlands 478 0%
Ireland 362 0%
Ecuador 346 0%



   
   Threat Geo-location

   Top Attacking Hosts



Top Attackers


   Top Network Attackers

ASN Country Name
47981 Netherlands FOPSERVER, UA
5089 United Kingdom NTL, GB
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
49505 Russia SELECTEL, RU
7552 Vietnam VIETEL-AS-AP Viettel Group, VN
133647 India ELXIREDATA-AS-IN ELXIRE DATA SERVICES PVT. LTD., IN
131476 Australia FUSIONBB-AU 10/50 Market St, AU
132215 India POWERGRID-IN Power Grid Corporation of India Limited, IN
207812 Bulgaria DM_AUTO, BG
137653 India DSTECH-AS-IN Dstech Cyberspace Pvt Ltd, IN


   Remote Access Trojan C&C Servers Found



Trojan C&C Servers Detected


    Common Malware



   Top Phishing Campaigns

Phishing Target Count
Other 919
Facebook 36
Microsoft 9
VKontakte 1
PayPal 9
WeTransfer 2
Special 1
Vodafone 3
Netflix 1
Amazon.com 16
Rakuten 4
Bradesco 1
RuneScape 5
DHL 1
TSB 1
LinkedIn 1
Blockchain 1
Yahoo 1
Caixa 2
Halifax 1
Apple 2
MyEtherWallet 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE-2021-30177
Title: SQL Injection Vulnerability in PHPNuke
Vendor: PHPNuke
Description: There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/07/2021
Date Updated: 04/13/2021

CVE-2021-28925
Title: SQL Injection Vulnerability in Nagios
Vendor: Nagios
Description: SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/08/2021
Date Updated: 04/13/2021

CVE-2021-24175
Title: Authentication Bypass Vulnerability in Posimyth WP Plugin
Vendor: Posimyth
Description: The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/05/2021
Date Updated: 04/09/2021

CVE-2021-1871
Title: Remote Code Execution Vulnerability in macOS Big Sur
Vendor: Apple
Description: A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/02/2021
Date Updated: 04/12/2021

CVE-2020-17523
Title: Authentication Bypass Vulnerability in Apache Shiro
Vendor: Apache
Description: In Apache Shiro before 1.7.1, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 02/03/2021
Date Updated: 04/12/2021

CVE-2021-22986
Title: Remote Code Execution Vulnerability in F5 BIG-IP system
Vendor: F5
Description: This vulnerability allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/31/2021
Date Updated: 04/05/2021

CVE-2021-21983
Title: Privilege Escalation Vulnerability in VMware vRealize
Vendor: VMware
Description: Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.
CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
Date Created: 03/31/2021
Date Updated: 04/05/2021
Date Published: April 16, 2021