Trends

  • The top attacker country was China with 374452 unique attackers (57.04%).
  • The top Trojan C&C server detected was TrickBot with 21 instances detected.
  • The top phishing campaign detected was against Halifax accounts with 62 instances detected.


Top Attackers By Country

Country           Occurrences   Percentage
China                 374,452       57.04%
Russia                125,315       19.09%
United States          78,703       11.99%
United Kingdom         21,911        3.33%
Netherlands            12,894        1.96%
Canada                  9,506        1.44%
France                  8,018        1.22%
Germany                 6,315        0.96%
South Korea             4,911        0.74%
Vietnam                 3,450        0.52%
Indonesia               3,155        0.48%
Romania                 2,027        0.30%
Cambodia                1,463        0.22%
Singapore               1,311        0.19%
Italy                   1,306        0.19%
Philippines               937        0.14%
Macedonia                 713        0.10%
[Pie chart: Top Attackers by Country (China, Russia, United States, United Kingdom, Other); data as in the table above]


Threat Geo-location

[Map: attacker geo-location by country; colour scale from 713 to 374,452 attackers]


Top Attacking Hosts

Host              Occurrences
120.210.208.137        83,620
49.88.112.68           39,687
218.92.0.204           30,129
218.92.0.190           23,540
218.92.0.210           15,690
103.85.25.227           7,369
94.102.51.95            6,131
117.185.95.122          5,846
51.91.116.150           5,525
111.21.208.204          4,608
45.146.167.219          3,919
45.146.167.183          3,914
185.193.90.182          3,906
45.146.167.201          3,891
185.193.90.38           3,864
[Bar chart: Top Attackers by host, 0 to 100,000 occurrences; data as in the table above]


Top Network Attackers

ASN      Country       Name
9808                   CMNET-GD Guangdong Mobile Communication Co.Ltd., CN
4134                   CHINANET-BACKBONE No.31,Jin-rong Street, CN
134835                 SNL-HK Starry Network Limited, HK
202425   Netherlands   INT-NETWORK, SC
24400                  CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd., CN
16276                  OVH, FR
49505                  SELECTEL, RU
204428                 SS-NET, BG


Remote Access Trojan C&C Servers Found

Name       Number Discovered   Location
Heodo      7                   120.150.218.241, 162.241.140.129, 186.74.215.34, 191.191.23.135, 192.232.229.54, 46.101.58.37, 72.143.73.234
TrickBot   21                  185.117.73.190, 185.14.30.247, 185.99.2.176, 194.5.249.126, 194.5.249.136, 194.5.249.216, 194.5.249.224, 195.123.240.130, 35.164.230.208, 37.220.6.115, 45.89.127.118, 45.89.127.119, 45.89.127.128, 51.77.112.255, 51.89.177.8, 62.108.35.29, 62.108.35.36, 80.85.156.116, 82.146.54.254, 85.99.2.140, 92.242.40.12

[Pie chart: Trojan C&C Servers Detected; Heodo 25%, TrickBot 75%]


Common Malware

MD5:              01a607b4d69c549629e6f0dfd3983956
VirusTotal:       https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details
File Name:        wupxarch.exe
Claimed Product:  N/A
Detection Name:   W32.Auto:1eef72aa56.in03.Talos

MD5:              8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:       https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File Name:        Eter.exe
Claimed Product:  N/A
Detection Name:   Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5:              799b30f47060ca05d80ece53866e01cc
VirusTotal:       https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
File Name:        mf2016341595.exe
Claimed Product:  N/A
Detection Name:   Win.Downloader.Generic::1201

MD5:              e2ea315d9a83e7577053f52c974f6a5a
VirusTotal:       https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
File Name:        Tempmf582901854.exe
Claimed Product:  N/A
Detection Name:   Win.Dropper.Agentwdcr::1201

MD5:              88781be104a4dcb13846189a2b1ea055
VirusTotal:       https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
File Name:        UltraSearchApp
Claimed Product:  N/A
Detection Name:   Win.Trojan.Generic::sso.talos


Top Phishing Campaigns

Phishing Target   Count
Halifax              62
Other              1417
PayPal               37
Facebook             34
Virustotal           26
Amazon.com           33
DocuSign              1
Microsoft            16
Apple                 1
Bradesco              3
Orange                2
Instagram             2
Special               2
VKontakte             1
DHL                   4
Three                 3
Netflix               3
Adobe                 1
RuneScape             3
Google                4
Steam                 1
Vodafone              3
Caixa                 2
Binance               1


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE-2020-1350
Title:                 Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor:                Microsoft
Description:           A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3.1 Base Score:  10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created:          07/14/2020
Date Updated:          07/23/2020

CVE-2020-1472
Title:                 Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor:                Microsoft
Description:           An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3.1 Base Score:  10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created:          08/17/2020
Date Updated:          10/05/2020

CVE-2020-0688
Title:                 Microsoft Exchange Validation Key Remote Code Execution Vulnerability
Vendor:                Microsoft
Description:           A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
CVSS v3.1 Base Score:  8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created:          02/11/2020
Date Updated:          02/20/2020
Wednesday, October 14, 2020 By john