Trends

  • The top attacker country was China with 327,247 unique attackers (44.00%).
  • The top Trojan C&C server family detected was TrickBot with 28 instances detected.


Top Attackers By Country

Country            Occurrences   Percentage
China                  327,247       44.00%
Australia              170,979       23.00%
South Africa           109,659       14.00%
United Kingdom          23,214        3.00%
United States           20,621        2.00%
Canada                  12,308        1.00%
India                   11,673        1.00%
Chile                    9,791        1.00%
Netherlands              6,908          <1%
South Korea              6,422          <1%
France                   5,528          <1%
Vietnam                  5,513          <1%
Russia                   4,425          <1%
Italy                    3,530          <1%
Romania                  3,057          <1%
Hong Kong                1,442          <1%
Pakistan                 1,300          <1%
Bulgaria                   805          <1%


Threat Geo-location

[Map of attack sources by country; colour scale from 805 to 327,247 occurrences]


Top Attacking Hosts

Host               Occurrences
103.70.234.5            45,119
112.85.42.187           35,044
49.88.112.117           31,504
81.132.145.37           18,054
103.100.29.81           12,304
218.92.0.190            10,380
181.43.58.47             9,573
112.85.42.88             7,095
59.167.111.46            5,749
112.85.42.188            5,598
49.88.112.116            4,662
61.157.207.92            4,576
222.186.175.154          4,364
156.155.162.226          3,877


Top Network Attackers

ASN   Country   Name
(no entries listed in this report)


Remote Access Trojan C&C Servers Found

Heodo (6 discovered; Heodo is the Feodo Tracker name for Emotet)
  152.170.222.65, 189.154.128.205, 190.161.45.112, 190.196.143.58,
  220.213.79.166, 91.73.197.186

TinyNuke (1 discovered)
  45.141.86.213

TrickBot (28 discovered)
  103.12.161.194, 107.155.137.19, 108.170.61.186, 134.255.221.55,
  148.251.185.164, 164.132.255.19, 164.68.120.58, 172.245.159.116,
  185.14.29.141, 185.234.72.193, 185.234.72.50, 185.99.2.44,
  185.99.2.67, 188.119.113.60, 194.5.250.118, 194.5.250.200,
  194.5.250.201, 195.123.237.105, 217.12.209.148, 217.12.209.159,
  217.12.209.176, 51.89.115.108, 85.204.116.193, 91.200.102.6,
  91.235.129.199, 92.223.79.48, 94.250.249.170, 94.250.250.69
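To put the indicators above to work, here is an added example (not from the report or any vendor tool) that checks firewall log lines against the C&C addresses and the top attacking hosts listed in this report. The IP sets are copied from the tables above; the log line format and the sample lines are constructed for the example and do not come from a real system. The distinction it draws is the one that matters in triage: an outbound connection from an internal host to a C&C address means a machine is already infected, whereas inbound hits from the mass-scanning hosts are background noise unless the firewall accepted them.

```python
"""Triage firewall log lines against the network IOCs in this report.

Added example; not part of the original report or of any vendor tooling.
IP sets are copied from the report's tables. The log format (a simplified
UFW/iptables-style line) and the sample lines are constructed for the
example and are not from a real system.
"""
import ipaddress
import re

# Trojan C&C servers listed in the report, keyed by family.
C2_SERVERS = {
    "Heodo": {"152.170.222.65", "189.154.128.205", "190.161.45.112",
              "190.196.143.58", "220.213.79.166", "91.73.197.186"},
    "TinyNuke": {"45.141.86.213"},
    "TrickBot": {"103.12.161.194", "107.155.137.19", "108.170.61.186",
                 "134.255.221.55", "148.251.185.164", "164.132.255.19",
                 "164.68.120.58", "172.245.159.116", "185.14.29.141",
                 "185.234.72.193", "185.234.72.50", "185.99.2.44",
                 "185.99.2.67", "188.119.113.60", "194.5.250.118",
                 "194.5.250.200", "194.5.250.201", "195.123.237.105",
                 "217.12.209.148", "217.12.209.159", "217.12.209.176",
                 "51.89.115.108", "85.204.116.193", "91.200.102.6",
                 "91.235.129.199", "92.223.79.48", "94.250.249.170",
                 "94.250.250.69"},
}
# Reverse index: C&C IP -> malware family.
C2_FAMILY = {ip: fam for fam, ips in C2_SERVERS.items() for ip in ips}

# Top attacking hosts from the report (inbound brute-force / scan sources).
TOP_ATTACKERS = {
    "103.70.234.5", "112.85.42.187", "49.88.112.117", "81.132.145.37",
    "103.100.29.81", "218.92.0.190", "181.43.58.47", "112.85.42.88",
    "59.167.111.46", "112.85.42.188", "49.88.112.116", "61.157.207.92",
    "222.186.175.154", "156.155.162.226",
}

# Constructed log format: "[UFW ACCEPT|BLOCK] IN=<if> OUT=<if> SRC=.. DST=.. ... DPT=<port>"
LOG_RE = re.compile(
    r"\[UFW (?P<action>ACCEPT|BLOCK)\] IN=(?P<inif>\S*) OUT=(?P<outif>\S*) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def classify(line):
    """Return (severity, message) for one log line, or None if it is clean."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dpt = m["src"], m["dst"], int(m["dpt"])
    # Outbound traffic from an internal host to a known C&C address is the
    # high-signal finding: it implies an already-infected machine.
    if dst in C2_FAMILY and ipaddress.ip_address(src).is_private:
        return ("high", f"{C2_FAMILY[dst]} C&C beacon from {src} to {dst}:{dpt}")
    # Inbound hits from the report's mass-scanner IPs are expected noise;
    # they matter only if the firewall let them through.
    if src in TOP_ATTACKERS:
        sev = "medium" if m["action"] == "ACCEPT" else "low"
        return (sev, f"inbound from known attacker {src} to {dst}:{dpt} ({m['action']})")
    return None


def triage(lines):
    """Classify every line and return the findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (classify(line) for line in lines) if f]
    return sorted(findings, key=lambda f: order[f[0]])


def outbound_block_rules(chain="OUTPUT"):
    """Render iptables rules that drop egress to every C&C IP in the report."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in sorted(C2_FAMILY)]


# Constructed sample lines for the example (not from a real system).
SAMPLE_LOG = [
    "[UFW BLOCK] IN=eth0 OUT= SRC=112.85.42.187 DST=203.0.113.10 PROTO=TCP SPT=41022 DPT=22",
    "[UFW ACCEPT] IN=eth0 OUT= SRC=103.70.234.5 DST=203.0.113.10 PROTO=TCP SPT=55100 DPT=22",
    "[UFW ACCEPT] IN= OUT=eth0 SRC=10.0.5.23 DST=185.99.2.44 PROTO=TCP SPT=49831 DPT=443",
    "[UFW ACCEPT] IN= OUT=eth0 SRC=10.0.5.23 DST=93.184.216.34 PROTO=TCP SPT=49832 DPT=443",
]

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"{sev:6} {msg}")
    print("\n".join(outbound_block_rules()[:3]), "...")
```

C&C addresses of this kind churn within days, so the block list should be regenerated from each report rather than accumulated indefinitely, and an accepted inbound SSH connection from a listed scanner (the "medium" case) warrants checking that host's authentication logs, not just the firewall.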


Common Malware

MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
File name: qmreportupload.exe
Claimed product: qmreportupload
Detection name: Win.Trojan.Generic::in10.talos

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details
File name: FlashHelperServices.exe
Claimed product: FlashHelperService
Detection name: PUA.Win.Adware.Flashserv::in03.talos

MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
File name: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed product: N/A
Detection name: W32.AgentWDCR:Gen.21gn.1201

MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
File name: f2016341595.exe
Claimed product: N/A
Detection name: W32.Generic:Gen.22fz.1201

MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File name: Eternalblue-2.2.0.exe
Claimed product: N/A
Detection name: W32.85B936960F.5A5226262.auto.Talos


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available. Scores are CVSS v3 base scores with their vector strings; dates are MM/DD/YYYY.

CVE-2020-0674
Title: Microsoft Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVSS v3 base score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date created: 02/11/2020   Date updated: 02/12/2020

CVE-2020-0796
Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. The flaw is in SMBv3 compression handling; where the March 2020 update cannot be applied, Microsoft advisory ADV200005 documents disabling SMBv3 compression as a server-side workaround (it does not protect SMB clients).
CVSS v3 base score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date created: 03/12/2020   Date updated: 03/31/2020

CVE-2020-0041
Title: Google Android Privilege Escalation Vulnerability
Vendor: Google
Description: In binder_transaction of binder.c, there is a possible out-of-bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
CVSS v3 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 03/10/2020   Date updated: 03/11/2020

CVE-2020-10204
Title: Sonatype Nexus Repository Remote Code Execution Vulnerability
Vendor: Sonatype
Description: A remote code execution vulnerability exists in Nexus Repository Manager (NXRM). The vulnerability allows an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.
CVSS v3 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 04/01/2020   Date updated: 04/02/2020

CVE-2020-3947
Title: VMware Workstation vmnetdhcp Denial of Service Vulnerability
Vendor: VMware
Description: VMware Workstation contains a use-after-free vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from the guest, or may allow attackers to create a denial of service condition of the vmnetdhcp service running on the host machine.
CVSS v3 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date created: 03/16/2020   Date updated: 03/20/2020

CVE-2020-3919
Title: Apple macOS Privilege Escalation Vulnerability
Vendor: Apple
Description: A memory initialization issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges.
CVSS v3 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date created: 04/01/2020   Date updated: 04/02/2020

CVE-2020-7982
Title: OpenWrt opkg Man-in-the-Middle Vulnerability
Vendor: OpenWrt
Description: A bug in OpenWrt's fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads, which are installed without verification.
CVSS v3 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 03/16/2020   Date updated: 03/25/2020

CVE-2020-8515
Title: DrayTek Pre-auth Remote Code Execution Vulnerability
Vendor: DrayTek
Description: DrayTek devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
CVSS v3 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 02/01/2020   Date updated: 03/31/2020
Wednesday, April 15, 2020 By john