Threat Intel Banner

   
   Trends

  • The top attacker country was China with 172304 unique attackers (43.8%).
  • The top Trojan C&C server detected was Oski with 32 instances detected.
  • The top phishing campaign detected was against Facebook with 35 instances detected.


   Top Attackers By Country

Country Occurences Percentage
China 172304 43.8%
United States 88408 22.73%
Russia 74668 19.20%
India 14028 3.61%
Brazil 9967 2.56%
Germany 5631 1.45%
Iran 5256 1.35%
Bangladesh 4019 1.03%
Spain 3646 0.94%
Thailand 3187 0.82%
Indonesia 2706 0.70%
Vietnam 2667 0.69%
Singapore 2414 0.62%
Luxembourg 2029 0.52%
Pakistan 1101 0.28%
Ukraine 1083 0.28%
 
Top Attackers by CountryChinaUnited StatesRussiaIndiaBrazilOther43.8%8.6%19%22.5%
Country Percentage of Attacks
China 172,304
United States 88,408
Russia 74,668
India 14,028
Brazil 9,967
Germany 5,631
Iran 5,256
Bangladesh 4,019
Spain 3,646
Thailand 3,187
Indonesia 2,706
Vietnam 2,667
Singapore 2,414
Luxembourg 2,029
Pakistan 1,101
Ukraine 1,083

   
   Threat Geo-location

1,083172,304

   
   Top Attacking Hosts

Host Occurrences
92.63.197.68 55678
222.186.160.214 45437
61.177.173.16 34746
61.177.172.158 25058
172.20.29.251 20275
104.193.171.124 12094
134.122.44.28 7800
103.100.29.81 6988
45.143.200.34 6409
103.145.13.120 6374
92.63.197.94 5261
75.119.139.108 4976
149.167.140.155 3902
68.183.202.4 3898
123.209.88.98 3842
217.219.156.179 3829
69.162.124.234 2970
87.241.1.186 2881
182.34.33.223 2743
134.122.39.145 2559
91.116.34.181 2366


   Top Network Attackers

ASN Country Name
44446 Ukraine SIBIRINVEST, NL
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
32329 United States MONKEYBRAINS, US
14061 United States DIGITALOCEAN-ASN, US
212283 Bulgaria ROZA-AS, BG
213371 Netherlands SQUITTER-NETWORKS, NL
51167 Germany CONTABO, DE
58224 Iran TCI, IR
46475 United States LIMESTONENETWORKS, US
8220 Italy COLT COLT Technology Services Group Limited, GB
12338 Spain EUSKALTEL, ES


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 1 199.188.205.46
Amadey 3 47.91.72.80 , 78.46.187.68 , 94.140.115.70
Anubis 1 35.247.231.63
Azorult 1 80.85.136.155
BlackNet 2 145.14.144.77 , 45.138.72.239
Collector 5 141.8.192.151 , 141.8.193.236 , 141.8.195.33 , 145.14.144.235 , 217.107.34.191
Cypress 2 185.114.247.102 , 185.117.155.248
EvilBear 1 212.192.241.97
GrimAgent 1 8.208.126.243
LiteHTTP 2 63.141.229.42 , 67.211.219.228
LokiBot 3 104.21.47.38 , 104.21.93.53 , 172.67.152.37
Oski 32 141.136.35.234 , 159.69.42.212 , 162.241.24.134 , 176.113.82.180 , 176.119.156.8 , 178.32.145.141 , 185.203.118.123 , 192.185.26.241 , 194.87.101.31 , 194.87.101.74 , 194.87.236.221 , 212.192.241.220 , 212.192.241.91 , 45.133.1.134 , 45.141.100.3 , 45.141.103.162 , 45.147.196.205 , 45.147.198.109 , 45.153.240.64 , 45.87.2.131 , 51.222.56.151 , 79.124.8.8 , 89.223.123.133 , 91.198.123.38 , 91.228.154.138 , 95.181.172.86 , 95.215.207.101 , airlydia.com , beautyveins.com , mlcrost.xyz , veinsart.com , yrhealth.life
Redline 3 195.2.92.125 , 77.246.145.4 , 85.192.56.35
Zeus 1 212.192.241.97
 
Trojan C&C Servers DetectedAmadeyBlackNetCollectorCypressLiteHTTPLokibotOskiRedlineOther8.6%5.2%10.3%55.2%
Name Number Discovered
AgentTesla 1
Amadey 3
Anubis 1
Azorult 1
BlackNet 2
Collector 5
Cypress 2
EvilBear 1
GrimAgent 1
LiteHTTP 2
Lokibot 3
Oski 32
Redline 3
Redline 1

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
f2c1aa209e185ed50bf9ae8161914954 https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details webnavigatorbrowser.exe WebNavigatorBrowser W32.5524FEE1BB.5A6DF6a61.auto.Talos
6be10a13c17391218704dc24b34cf736 https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd


   Top Phishing Campaigns

Phishing Target Count
Other 1381
Facebook 35
Microsoft 9
Allegro 3
Apple 3
PayPal 4
Special 3
Virustotal 3
Google 3
Yahoo 1
Amazon.com 8
Rakuten 4
Caixa 1
Steam 5
Adobe 2
Optus 2
MyEtherWallet 1
ATAT&T 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v3.1 Base Score Date Created Date Updated

CVE-2020-6364

Code Injection Vulnerability in SAP Solution Manager

SAP

SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager,leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 10/14/2020 06/17/2021

CVE-2021-32637

Authentication Bypass Vulnerability in Authelia

Authelia

Authelia is a a single sign-on multi-factor portal for web apps. This affects uses who are using nginx ngx_http_auth_request_module with Authelia, it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back port this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version, the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contains a malformed URI in the internal location block. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 05/28/2021 06/09/2021

CVE-2021-27905

Server Side Request Forgery Vulnerability in Apache Solr Core

Apache

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/13/2021 06/11/2021

CVE-2021-33574

Buffer Overflow Vulnerability in GNU

Gnu

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/25/2021 06/13/2021

CVE-2021-30461

Remote Code Execution Vulnerability in VoIP Monitor

Voip Monitor

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/29/2021 06/09/2021

CVE-2021-25641

Deserialization Vulnerability in Apache Dubbo Server

Apache

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 06/01/2021 06/10/2021

CVE-2021-33180

SQL Injection Vulnerability in Synology Media Server

Synology

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 06/01/2021 06/08/2021
Details
Date Published
June 18, 2021