threat-intel-report

Trends

  • The top attacker country was China with 278,795 unique attackers (35.00%).
  • The most frequently detected Trojan C&C family was TrickBot, with 15 servers detected.
  • The top phishing campaign detected targeted Facebook accounts, with 65 instances detected.


Top Attackers By Country

Country           Occurrences   Percentage
China                 278,795       35.00%
Australia             269,750       34.00%
United States          79,002       10.00%
Canada                 63,771        8.00%
United Kingdom         18,677        2.00%
Indonesia              17,761        2.00%
Hong Kong               4,963           0%
South Korea             4,854           0%
Chile                   4,334           0%
France                  3,275           0%
Netherlands             3,063           0%
India                   3,055           0%
Japan                   2,188           0%
Italy                   1,959           0%
Germany                 1,793           0%
Romania                 1,507           0%
Vietnam                 1,217           0%
Bulgaria                  719           0%

Percentages are reproduced as printed and do not sum to 100%. Computed directly from the listed counts (760,683 in total), China accounts for 36.7% and Australia for 35.5%, with the United States at 10.4% and Canada at 8.4%.






Threat Geo-location

(Map of attacker counts by country; colour scale runs from 719 (Bulgaria) to 278,795 (China).)


Top Attacking Hosts

Host               Occurrences
112.85.42.187           45,782
218.92.0.210            26,722
112.85.42.88            21,710
43.252.145.42           13,990
218.92.0.190            13,003
124.225.208.9            4,104
106.52.153.230           4,055
103.218.242.80           3,064
222.186.169.192          2,937
211.104.20.145           2,890
222.186.180.147          2,767
222.186.175.216          2,687
222.186.175.154          2,650


Top Network Attackers

ASN      Country              Name
4837     China                CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134     China                CHINANET-BACKBONE No.31,Jin-rong Street, CN
56233    Indonesia            ATSINDO-AS-ID PT Asia Teknologi Solusi, ID
45090    China                CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN
135377   Hong Kong SAR China  UHGL-AS-AP UCloud (HK) Holdings Group Limited, HK
23650    China                CHINANET-JIANGSU-PROVINCE-IDC AS Number for CHINANET jiangsu province backbone, CN
4766     South Korea          KIXS-AS-KR Korea Telecom, KR


Remote Access Trojan C&C Servers Found

Name           Count   Location(s)
AgentTesla         1   45.141.84.146
Amadey             4   104.27.174.136, 172.67.211.220, 217.8.117.102, 217.8.117.112
CobaltStrike       4   45.141.84.212, 45.141.84.233, 45.141.84.241, 45.141.84.49
Heodo              2   185.178.10.77, 219.74.18.66
Keitaro            1   45.141.84.197
KPOT               3   194.180.224.129, 46.17.98.128, 78.142.29.185
Lokibot           14   103.253.212.225, 103.27.62.62, 142.11.195.130, 192.185.185.16, 192.236.199.171, 193.142.59.80, 195.22.153.121, 195.69.140.147, 40.71.100.104, 45.143.138.128, 5.56.134.77, 79.124.8.8, 95.181.172.13, 95.181.172.13
Nexus              1   162.213.253.54
Oski               2   188.127.249.228, 194.87.237.143
SmokeLoader        3   148.251.72.21, 95.215.108.15, vot552.com
TrickBot          15   185.172.129.67, 188.225.9.82, 195.123.240.196, 195.123.241.124, 195.123.241.134, 195.123.241.194, 195.123.241.58, 23.95.8.136, 37.220.6.101, 37.220.6.98, 85.143.221.6, 85.204.116.158, 91.200.103.111, 93.189.43.80, 93.189.46.41
Uadmin             1   45.11.19.246

Note: the Lokibot row lists 95.181.172.13 twice, so its count of 14 covers 13 distinct addresses, and SmokeLoader's third location is a domain (vot552.com) rather than an IP address. Six of the listed servers (AgentTesla, CobaltStrike and Keitaro) sit in 45.141.84.x, which is worth treating as a single cluster when building blocklists.


Common Malware

Fields per sample: MD5, VirusTotal link, file name, claimed product, detection name. The VirusTotal links are keyed by SHA-256, so the hash in each URL will not match the MD5 in the first field; search VirusTotal by the MD5 if you only hold that value.

MD5:              adad179db8c67696ac24e9e11da2d075
VirusTotal:       https://www.virustotal.com/gui/file/7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36/details
File name:        FlashHelperServices.exe
Claimed product:  FlashHelperService
Detection name:   W32.7F9446709F-100.SBX.VIOC

MD5:              73d1de319c7d61e0333471c82f2fc104
VirusTotal:       https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details
File name:        SAntivirusService.exe
Claimed product:  AntivirusService
Detection name:   Win.Dropper.Segurazo::tpd

MD5:              e2ea315d9a83e7577053f52c974f6a5a
VirusTotal:       https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
File name:        Tempmf582901854.exe
Claimed product:  N/A
Detection name:   Win.Dropper.Agentwdcr::1201

MD5:              799b30f47060ca05d80ece53866e01cc
VirusTotal:       https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
File name:        mf2016341595.exe
Claimed product:  N/A
Detection name:   Win.Downloader.Generic::1201

MD5:              8193b63313019b614d5be721c538486b
VirusTotal:       https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
File name:        SAService.exe
Claimed product:  SAService
Detection name:   PUA.Win.Dropper.Segurazo::95.sbx.tg
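The C&C and malware tables above are only useful once their indicators are matched against your own telemetry. The script below is an added example, not part of the original report: it flattens the C&C addresses and the MD5 hashes into one lookup, reports repeated indicators instead of dropping them silently (the Lokibot list repeats 95.181.172.13), and scans a handful of constructed log lines for IP, domain and MD5 hits. The indicator lists are abbreviated subsets of the tables above, and the firewall, proxy and endpoint events, together with their field names, are invented for the demonstration.

```python
"""Match the C&C addresses and malware hashes listed in this report against log lines."""
import re
from collections import defaultdict

# Indicators transcribed from the tables above (subsets; Lokibot kept with its repeated entry).
C2_SERVERS = {
    "AgentTesla": ["45.141.84.146"],
    "Amadey": ["104.27.174.136", "172.67.211.220", "217.8.117.102", "217.8.117.112"],
    "CobaltStrike": ["45.141.84.212", "45.141.84.233", "45.141.84.241", "45.141.84.49"],
    "Heodo": ["185.178.10.77", "219.74.18.66"],
    "Lokibot": ["103.253.212.225", "103.27.62.62", "95.181.172.13", "95.181.172.13"],
    "SmokeLoader": ["148.251.72.21", "95.215.108.15", "vot552.com"],
    "TrickBot": ["185.172.129.67", "195.123.241.58", "23.95.8.136", "93.189.46.41"],
}
MALWARE_MD5 = {  # MD5 -> detection name, from the Common Malware table
    "adad179db8c67696ac24e9e11da2d075": "W32.7F9446709F-100.SBX.VIOC",
    "73d1de319c7d61e0333471c82f2fc104": "Win.Dropper.Segurazo::tpd",
    "e2ea315d9a83e7577053f52c974f6a5a": "Win.Dropper.Agentwdcr::1201",
    "799b30f47060ca05d80ece53866e01cc": "Win.Downloader.Generic::1201",
    "8193b63313019b614d5be721c538486b": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
}

# Constructed sample events (invented for this example; the field names are assumptions).
SAMPLE_LOGS = [
    "2020-09-14T10:01:02Z fw src=10.0.0.5 dst=195.123.241.58 dport=443 action=allow",
    "2020-09-14T10:01:09Z proxy 10.0.0.7 GET http://vot552.com/upd/stat.php 200",
    "2020-09-14T10:02:11Z fw src=10.0.0.9 dst=8.8.8.8 dport=53 action=allow",
    "2020-09-14T10:03:40Z edr host=WS07 proc=SAntivirusService.exe md5=73D1DE319C7D61E0333471C82F2FC104",
    "2020-09-14T10:04:01Z fw src=10.0.0.5 dst=95.181.172.13 dport=80 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def build_index(c2, hashes):
    """Flatten both tables into one lookup {indicator: (kind, label)}.

    Repeated indicators are returned separately instead of being dropped silently,
    because the per-family counts in the report include them.
    """
    index, duplicates = {}, []
    for family, indicators in c2.items():
        for ioc in indicators:
            key = ioc.lower()
            if key in index:
                duplicates.append((family, ioc))
                continue
            index[key] = ("c2", family)
    for md5, detection in hashes.items():
        index[md5.lower()] = ("hash", detection)
    return index, duplicates


def scan(lines, index):
    """Return {line_number: [(indicator, kind, label), ...]} for every line with a hit."""
    domains = [k for k, (kind, _) in index.items() if kind == "c2" and not IPV4_RE.fullmatch(k)]
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in index:
                hits[n].append((ip, *index[ip]))
        for digest in MD5_RE.findall(line):
            key = digest.lower()  # hashes are compared case-insensitively
            if key in index:
                hits[n].append((key, *index[key]))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for domain in domains:  # the domain itself or any subdomain of it
                if host == domain or host.endswith("." + domain):
                    hits[n].append((host, *index[domain]))
    return dict(hits)


if __name__ == "__main__":
    index, duplicates = build_index(C2_SERVERS, MALWARE_MD5)
    for family, ioc in duplicates:
        print(f"duplicate indicator in {family}: {ioc}")
    for n, found in sorted(scan(SAMPLE_LOGS, index).items()):
        for indicator, kind, label in found:
            print(f"line {n}: {kind} hit {indicator} -> {label}")
```

Exact-match lookups on IPs and hashes are cheap; the domain check is a suffix match so that hosts under vot552.com are caught as well. For production use the same index would be fed from a feed rather than transcribed, and expired indicators aged out, since C&C addresses in a weekly report turn over quickly.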


Top Phishing Campaigns

Phishing target   Count
Other              1640
Facebook             65
PayPal               13
Amazon.com           12
Google                8
Microsoft             8
Virustotal            8
RuneScape             4
Adobe                 3
ZML                   2
Apple                 2
Three                 2
Halifax               2
AT&T                  1
Vodafone              1
Orange                1
Caixa                 1
Netflix               1
Instagram             1


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which public exploits are available. Each entry gives the CVE, title, vendor, description, CVSS v3.1 base score with its vector, and the dates the entry was created and last updated.

CVE-2020-3495
Title:        Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability
Vendor:       Cisco
Description:  A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit it by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software. A successful exploit could cause the application to execute arbitrary programs on the targeted system with the privileges of the user account running the Cisco Jabber client.
CVSS v3.1:    8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Created:      09/03/2020     Updated: 09/09/2020

CVE-2020-0986
Title:        Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor:       Microsoft
Description:  An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploits it could run arbitrary code in kernel mode. To exploit it, an attacker would first have to log on to the system and then run a specially crafted application to take control of the affected system.
CVSS v3.1:    7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Created:      06/09/2020     Updated: 06/12/2020

CVE-2020-9715
Title:        Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
Vendor:       Adobe
Description:  Adobe Reader and Acrobat, applications for handling PDF files, contain a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution, compromising confidentiality, integrity and/or availability. The vector's UI:R reflects that the victim must act on attacker-supplied content.
CVSS v3.1:    7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Created:      08/19/2020     Updated: 08/19/2020

CVE-2020-17496
Title:        vBulletin Remote Code Execution Vulnerability
Vendor:       vBulletin
Description:  vBulletin allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. The issue is caused by an incomplete patch for the earlier remote code execution vulnerability CVE-2019-16759.
CVSS v3.1:    9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Created:      08/12/2020     Updated: 08/17/2020

CVE-2020-8218
Title:        Pulse Connect Secure Arbitrary Code Execution Vulnerability
Vendor:       PulseSecure
Description:  A code injection vulnerability in Pulse Connect Secure allows an attacker to craft a URI that results in arbitrary code execution via the admin web interface. The vector's PR:H reflects that administrative access to that interface is required.
CVSS v3.1:    7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Created:      07/30/2020     Updated: 09/01/2020

CVE-2020-1247
Title:        Microsoft Win32k Elevation of Privilege Vulnerability
Vendor:       Microsoft
Description:  An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. To exploit it, an attacker would first have to log on to the system and then run a specially crafted application to take control of the affected system.
CVSS v3.1:    7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Created:      06/09/2020     Updated: 06/11/2020

CVE-2020-3398
Title:        PAN-OS Management Interface Command Injection Vulnerability
Vendor:       Palo Alto Networks (PAN-OS)
Description:  An OS command injection vulnerability in the PAN-OS management interface allows an authenticated administrator to execute arbitrary OS commands with root privileges. Crafted input to the management interface component is enough to escalate from an administrative session to root on the underlying operating system.
CVSS v3.1:    7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Created:      08/27/2020     Updated: 09/03/2020
Date published: September 14, 2020