Trends

  • The top attacker country was China with 372620 unique attackers (51.00%).
  • The top Trojan C&C server detected was TrickBot with 10 instances detected.


Top Attackers By Country

Country          Occurrences  Percentage
China                 372620      51.00%
Australia              99708      13.00%
United States          87998      12.00%
Canada                 33097       4.00%
United Kingdom         15766       2.00%
India                  14497       2.00%
Chile                  14245       1.00%
France                 10317       1.00%
South Africa            7185       1.00%
Netherlands             6276          0%
Russia                  5657          0%
Fiji                    4847          0%
South Korea             4053          0%
Vietnam                 3979          0%
Colombia                3737          0%
Hong Kong               2545          0%
Singapore               2268          0%
Bulgaria                2190          0%
Taiwan                  1148          0%


[Pie chart: Top Attackers by Country. Shares of the listed totals: China 53.8%, Australia 14.4%, United States 12.7%, Canada, United Kingdom, India, Chile, Other 7.8%. The chart's data table repeats the country counts above.]


Threat Geo-location

[Map: Threat Geo-location. Attacker counts per country, scale from 1,148 (Taiwan) to 372,620 (China).]


Top Attacking Hosts

Host             Occurrences
112.85.42.187          48566
49.88.112.115          47105
112.85.42.88           17939
122.144.131.54         15144
112.85.42.188          14679
218.92.0.190           14533
[Bar chart: Top Attackers. Occurrences per host (0 to 60,000 scale) for the six hosts listed above.]


Top Network Attackers

ASN    Country  Name
4837   China    CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134   China    CHINANET-BACKBONE No.31,Jin-rong Street, CN
17775  China    STN-CN shanghai science and technology network communication limited company, CN


Remote Access Trojan C&C Servers Found

Name      Number Discovered  Location
Heodo     5                  181.120.79.227, 186.250.52.226, 189.218.165.63, 190.194.242.254, 93.156.165.186
Stealer   1                  172.67.139.160
TrickBot  10                 104.161.32.109, 162.216.0.181, 185.142.99.149, 188.120.255.141, 188.120.255.249, 194.156.99.124, 194.5.249.109, 217.12.209.151, 66.70.218.37, 92.63.105.67
[Pie chart: Trojan C&C Servers Detected. Heodo 31.3%, Stealer 6.3%, TrickBot 62.5%, from the counts listed above.]


Common Malware

MD5:             a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal:      https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
File Name:       FlashHelperServices.exe
Claimed Product: FlashHelperService
Detection Name:  PUA.Win.Adware.Flashserv::100.sbx.vioc

MD5:             8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:      https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File Name:       FlashHelperServices.exe
Claimed Product: FlashHelperServices
Detection Name:  Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5:             e2ea315d9a83e7577053f52c974f6a5a
VirusTotal:      https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection
File Name:       c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name:  Win.Dropper.Agentwdcr::1201

MD5:             8193b63313019b614d5be721c538486b
VirusTotal:      https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
File Name:       SAntivirusService.exe
Claimed Product: SAService
Detection Name:  PUA.Win.Dropper.Segurazo::95.sbx.tg

MD5:             47b97de62ae8b2b927542aa5d7f3c858
VirusTotal:      https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
File Name:       qmreportupload.exe
Claimed Product: qmreportupload
Detection Name:  Win.Trojan.Generic::95.sbx.tg


Top Phishing Campaigns

Phishing Target   Count
Other              1614
Facebook             60
PayPal               46
Virustotal            2
RuneScape            25
Google                9
Three                 8
Blockchain            4
Microsoft            13
Amazon.com           11
Coinbase              2
Americanas.com        1
DHL                   1
Steam                 3
EE                    3
Netflix               1
Yahoo                 2
Caixa                 2
Apple                 1


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry gives the CVE, title, vendor, description, CVSS v3.1 base score, date created and date updated.

CVE-2020-5902

F5 BIG-IP Remote Code Execution Vulnerability

F5

F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code or take complete control of vulnerable systems.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/01/2020
Date Updated: 07/08/2020

CVE-2019-19781

Citrix Application Delivery Controller and Gateway Directory Traversal Vulnerability

Citrix

A vulnerability exists in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. Exploitation uses a directory traversal to execute an arbitrary command payload.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 12/27/2019
Date Updated: 01/08/2020

CVE-2020-2021

Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Palo Alto Networks

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 06/29/2020
Date Updated: 07/06/2020

CVE-2020-12828

AnchorFree OpenVPN SDK Privilege Escalation Vulnerability

Pango

An issue was discovered in AnchorFree VPN SDK. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/21/2020
Date Updated: 06/02/2020

CVE-2020-2012

Palo Alto Networks PAN-OS XML External Entity Reference Vulnerability

Palo Alto Networks

Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Date Created: 05/13/2020
Date Updated: 05/14/2020

CVE-2020-0796

Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 03/12/2020
Date Updated: 06/11/2020

CVE-2020-9497

Apache Guacamole Information Disclosure Vulnerability

Apache

Apache Guacamole does not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.
CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Date Created: 07/02/2020
Date Updated: 07/07/2020
Tuesday, July 14, 2020 By john