Trends

  • The top attacker country was Canada with 130,713 unique attackers (70.00%).
  • The top Trojan C&C server detected was TrickBot with 29 instances detected.


Top Attackers By Country

Country                 Occurrences   Percentage
Canada                      130,713       70.00%
China                        24,298       13.00%
United States                11,289        6.00%
Australia                     3,683        1.00%
France                        1,909        1.00%
Netherlands                   1,838           0%
Russia                        1,418           0%
South Africa                  1,172           0%
South Korea                     790           0%
Kazakhstan                      789           0%
United Kingdom                  718           0%
Bulgaria                        603           0%
India                           595           0%
Singapore                       515           0%
Vietnam                         392           0%
Mexico                          389           0%
Hungary                         283           0%
Bangladesh                      262           0%
United Arab Emirates            261           0%

The percentages are reproduced as reported and are rounded down to whole percents, so they do not sum to 100%. The Occurrences column totals 181,917; against that total Canada is 71.9% and China 13.4%, which are the figures the chart uses.


[Pie chart: Top Attackers by Country. Slices: Canada 71.9%, China 13.4%, United States, Australia, Other 6.6%. The underlying counts are those in the table above.]


Threat Geo-location

[Map: attacker occurrences by country; colour scale from 261 (United Arab Emirates) to 130,713 (Canada).]


Top Attacking Hosts

Host               Occurrences
216.245.221.86           4,902
112.85.42.188            4,144
112.85.42.88             1,784
222.186.52.131           1,632
185.116.194.36             757
49.88.112.117              593
178.128.30.222             565
124.152.118.194            504

[Bar chart: Top Attackers, the same eight hosts and counts as in the table above.]


Top Network Attackers

ASN      Country         Name
46475    United States   LIMESTONENETWORKS, US
4837     China           CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
23650    China           CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN
202958   Kazakhstan      HOSTER-, KZ
4134     China           CHINANET-BACKBONE No.31,Jin-rong Street, CN
14061    Singapore       DIGITALOCEAN-ASN, US


Remote Access Trojan C&C Servers Found

Name               Number Discovered   Location
AgentTesla         1                   178.62.14.31
Amadey             3                   217.8.117.17, 217.8.117.76, 45.147.197.150
Anubis             3                   5.101.50.50, 8.209.104.170, 84.38.183.209
GodzillaLoader     1                   217.8.117.45
Gozi2RM3           3                   195.2.71.175, 94.103.91.32, 95.174.65.226
Heodo              2                   153.133.224.78, 75.139.38.211
Keitaro            2                   88.119.171.152, 88.119.171.153
KPOT               6                   63.250.47.170, 8.209.79.7, bumboxik.asia, dikiy.icu, dikiy.website, goodtemp.top
Lokibot            12                  104.31.71.68, 142.11.249.189, 172.67.219.195, 185.159.153.117, 185.185.69.74, 185.207.38.108, 185.55.227.103, 185.98.87.97, 31.184.254.119, 46.249.205.36, 79.124.8.8, 80.249.147.103
Oski               14                  104.24.125.52, 172.67.216.22, 185.212.130.9, 188.165.218.20, 195.133.147.220, 195.133.201.172, 199.192.24.69, 213.108.4.38, 213.178.155.74, 23.91.70.155, 47.241.11.25, 5.101.153.82, 63.250.47.241, 82.202.227.174
PredatorTheThief   9                   141.8.192.151, 141.8.197.42, 172.105.52.237, 185.238.138.146, 185.50.25.51, 81.16.141.225, 81.177.141.241, 95.211.16.66, stranskl.site
RaccoonStealer     1                   dq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh433qzaatyj5bid.onion
Taurus             7                   104.18.49.141, 104.24.105.6, 172.67.184.127, 45.138.72.7, 45.153.241.9, 49.51.169.175, cloudstage.xyz
TrickBot           29                  107.175.197.154, 131.255.82.24, 134.119.191.22, 134.119.191.55, 144.91.76.213, 162.248.225.57, 185.120.56.37, 185.164.33.115, 185.206.212.44, 185.255.79.108, 193.37.212.124, 193.9.60.148, 195.123.221.93, 195.123.240.36, 195.161.114.99, 212.80.217.89, 45.155.173.167, 45.230.176.143, 45.67.228.186, 46.173.218.51, 46.173.219.184, 82.118.22.57, 85.10.234.175, 85.143.222.208, 85.204.116.121, 85.204.116.53, 92.38.163.171, 93.189.44.203, 95.181.198.137
UAdmin             1                   81.29.134.76

Heodo is the Feodo Tracker name for Emotet; Keitaro is a traffic distribution system used to route victims to payloads rather than a RAT in its own right. Several of the Lokibot, Oski and Taurus addresses fall in Cloudflare ranges (104.x, 172.67.x), so block on the hostname where one is known rather than on the shared IP.

[Pie chart: Trojan C&C servers detected, 94 in total: TrickBot 30.9%, Oski 14.9%, Lokibot 12.8%, PredatorTheThief 9.6%, Taurus 7.4%, KPOT 6.4%, Other.]


Common Malware

MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
File name: FlashHelperServices.exe
Claimed product: FlashHelperServices
Detection name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
File name: FlashHelperServices.exe
Claimed product: FlashHelperService
Detection name: PUA.Win.Adware.Flashserv::100.sbx.vioc

MD5: 4709a871ba0c0a3598eb78dadfe90aec
VirusTotal: https://www.virustotal.com/gui/file/8bf5d91950033ef6f40ffbd2340d8b0add0ffdcbbb4cfd309218d6d0810d85be/details
File name: tapout.exe
Claimed product: N/A
Detection name: Win.Dropper.Zudochka::in03.talos

MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection
File name: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed product: N/A
Detection name: Win.Dropper.Agentwdcr::1201

MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection
File name: mf2016341595.exe
Claimed product: N/A
Detection name: Win.Downloader.Generic::1201
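The indicator tables above are only useful once they are matched against traffic and endpoint telemetry. The script below is an added example, not part of the original report: it loads a subset of the C&C addresses, domains and file hashes from the two tables above and scans a few constructed proxy, DNS and EDR log lines for them, matching parent domains so that a subdomain of a listed domain still hits. The log formats, the sample lines and the private/documentation addresses in them are constructed for the example.

```python
"""Match the report's C&C and file-hash indicators against log lines.

Added example, not part of the original report. The indicator lists below are
a subset copied from the C&C and Common Malware tables; the log lines and their
formats are constructed for this example.
"""
import re

C2_INDICATORS = {  # family -> indicators, from the "Remote Access Trojan C&C Servers Found" table (subset)
    "TrickBot": ["107.175.197.154", "185.120.56.37", "45.155.173.167"],
    "Lokibot": ["104.31.71.68", "185.159.153.117"],
    "KPOT": ["63.250.47.170", "bumboxik.asia", "dikiy.icu"],
    "PredatorTheThief": ["141.8.192.151", "stranskl.site"],
    "Taurus": ["cloudstage.xyz", "45.138.72.7"],
    "RaccoonStealer": ["dq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh433qzaatyj5bid.onion"],
}
MALWARE_MD5 = {  # md5 -> detection name, from the "Common Malware" table (subset)
    "8c80dd97c37525927c1e549cb59bcbf3": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
    "4709a871ba0c0a3598eb78dadfe90aec": "Win.Dropper.Zudochka::in03.talos",
    "799b30f47060ca05d80ece53866e01cc": "Win.Downloader.Generic::1201",
}

# Reverse lookup, lower-cased so DNS logs with mixed case still match.
IOC_TO_FAMILY = {ioc.lower(): family for family, iocs in C2_INDICATORS.items() for ioc in iocs}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def extract_candidates(line):
    """IPv4 addresses, hostnames and MD5 hashes found in a line, lower-cased."""
    cands = set(IPV4_RE.findall(line))
    cands.update(m.lower() for m in HOST_RE.findall(line))
    cands.update(m.lower() for m in MD5_RE.findall(line))
    return cands


def lookup(cand):
    """(indicator, label) for an exact hit, or for a parent domain of a hostname; None otherwise."""
    if cand in IOC_TO_FAMILY:
        return cand, IOC_TO_FAMILY[cand]
    if cand in MALWARE_MD5:
        return cand, MALWARE_MD5[cand]
    labels = cand.split(".")
    if not cand.replace(".", "").isdigit():  # walk parents of hostnames only, never of IPs
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in IOC_TO_FAMILY:
                return parent, IOC_TO_FAMILY[parent]
    return None


def scan(lines):
    """Return (line_number, indicator, label) tuples, one per distinct indicator per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = {}
        for cand in extract_candidates(line):
            match = lookup(cand)
            if match:
                found[match[0]] = match[1]
        hits.extend((n, ioc, label) for ioc, label in sorted(found.items()))
    return hits


SAMPLE_LOGS = [  # constructed proxy, DNS and EDR lines; 10.0.0.0/8 and 203.0.113.0/24 are private/documentation ranges
    "2020-06-18T10:01:02Z proxy src=10.0.0.12 dst=185.120.56.37:443 method=CONNECT",
    "2020-06-18T10:01:07Z dns query=Cloudstage.XYZ type=A client=10.0.0.12",
    "2020-06-18T10:02:00Z proxy src=10.0.0.5 dst=203.0.113.10:443 method=CONNECT",
    "2020-06-18T10:03:15Z edr host=ws-042 file=C:\\Users\\a\\tapout.exe md5=4709A871BA0C0A3598EB78DADFE90AEC",
    "2020-06-18T10:04:40Z dns query=cdn.dikiy.icu type=A client=10.0.0.7",
]

if __name__ == "__main__":
    for n, ioc, label in scan(SAMPLE_LOGS):
        print(f"line {n}: {ioc} -> {label}")
```

Extend C2_INDICATORS and MALWARE_MD5 with the full tables before using this against real logs, and expect the shared Cloudflare addresses in the Lokibot, Oski and Taurus rows to produce benign hits that need a hostname or URL to confirm.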


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Fields for each entry: CVE; Title; Vendor; Description; CVSS v3.1 Base Score (with vector); Date Created; Date Updated.

CVE-2020-9484

Apache Tomcat Remote Code Execution Vulnerability

Apache

When using affected Apache Tomcat versions, if a) an attacker is able to control the contents and name of a file on the server and b) the server is configured to use the PersistenceManager with a FileStore, a specially crafted request can cause Tomcat to deserialize the attacker-controlled file, leading to remote code execution. The Apache advisory adds two further preconditions: the PersistenceManager's sessionAttributeValueClassNameFilter is unset (the default without a SecurityManager) or lax enough to admit the attacker's object, and the attacker knows the path of the controlled file relative to the FileStore directory.
CVSS v3.1 base score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Created: 05/20/2020. Updated: 06/15/2020.
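Conditions b) and the class-name filter are visible in Tomcat's context.xml, so they can be audited before patching windows open. The script below is an added example, not code from the original report or from Apache Tomcat: it parses a context.xml, looks for a PersistenceManager backed by a FileStore, and reports when sessionAttributeValueClassNameFilter is missing, "null" or obviously permissive. The three sample contexts are constructed, and the allowlist regex in the hardened one is an illustration to be adapted to the classes a given application actually stores in sessions; the audit does not check condition a) (who can write files on the server), and a clean result is no substitute for upgrading.

```python
"""Audit a Tomcat context.xml for the CVE-2020-9484 configuration pattern.

Added example, not code from the original report or from Apache Tomcat. It
checks for a PersistenceManager backed by a FileStore and for the
sessionAttributeValueClassNameFilter attribute that the Apache advisory lists
as a further precondition. The three sample contexts are constructed.
"""
import xml.etree.ElementTree as ET

PERSISTENCE_MANAGER = "org.apache.catalina.session.PersistenceManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed: FileStore-backed persistence with no class-name filter.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistenceManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed: same store, but only a short allowlist of classes may be deserialized.
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistenceManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed: Tomcat's default in-memory StandardManager, outside this CVE's pattern.
DEFAULT_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""


def audit_context(xml_text):
    """Return a list of finding strings; an empty list means the pattern is absent."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENCE_MANAGER:
            continue
        file_stores = [s for s in manager.findall("Store") if s.get("className") == FILE_STORE]
        if not file_stores:
            continue  # e.g. a JDBCStore: not the attacker-named-file case this CVE describes
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip().lower() in ("", "null"):
            findings.append(
                "PersistenceManager with FileStore and no sessionAttributeValueClassNameFilter: "
                "any class on the classpath may be deserialized from a session file")
        elif ".*" in flt:
            findings.append(f"sessionAttributeValueClassNameFilter looks permissive: {flt!r}")
    return findings


if __name__ == "__main__":
    for name, ctx in (("vulnerable", VULNERABLE_CONTEXT), ("hardened", HARDENED_CONTEXT), ("default", DEFAULT_CONTEXT)):
        print(name, audit_context(ctx) or "no findings")
```

Run it over conf/context.xml and every web application's META-INF/context.xml, since the Manager element can be set at either level.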

CVE-2020-0796

Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. The affected systems are Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909, where SMBv3 compression was introduced; Microsoft's interim workaround (ADV200005), setting the DisableCompression value under the LanmanServer\Parameters registry key, protects SMB servers only and does nothing for SMB clients.
CVSS v3.1 base score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Created: 03/12/2020. Updated: 06/11/2020.

CVE-2020-3956

VMware Cloud Director Code Injection Vulnerability

VMware

VMware Cloud Director does not properly handle input, leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), as listed. Note that the description requires an authenticated actor, which is inconsistent with PR:N; VMware's advisory VMSA-2020-0010 rates the issue 8.8 with PR:L. Created: 05/20/2020. Updated: 06/03/2020.

CVE-2020-13401

Docker Engine IPv6 Address Spoofing Vulnerability

Docker

An issue exists in Docker Engine where an attacker in a container with the CAP_NET_RAW capability can craft IPv6 router advertisements and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. A user who is able to create containers with CAP_NET_RAW on an affected cluster can intercept traffic from other containers on the host or from the host itself. CAP_NET_RAW is part of Docker's default capability set, so any container not started with --cap-drop NET_RAW (or --cap-drop ALL) meets this precondition; the issue is fixed in Docker Engine 19.03.11.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), as listed. Exploitation requires code execution inside a container on the host, so for prioritisation treat it as a post-compromise lateral-movement issue rather than an unauthenticated remote one.
Created: 06/02/2020. Updated: 06/10/2020.
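Because the precondition is a capability rather than a port or a version, the quickest inventory is to ask the daemon which containers still hold NET_RAW. The script below is an added example, not part of the original report or of Docker: it reads `docker inspect` output and applies Docker's merge of the default capability set with --cap-add/--cap-drop and --privileged. The merge order encoded here (drops applied to the default or ALL set, explicit adds applied last) is this example's reading of Docker's behaviour, and the `docker inspect` JSON is constructed.

```python
"""Find containers that still hold CAP_NET_RAW, the CVE-2020-13401 precondition.

Added example, not part of the original report or of Docker. The capability
merge below is this example's reading of how Docker combines its default set
with --cap-add/--cap-drop; the `docker inspect` output is constructed.
"""
import json

# Constructed `docker inspect` output for four containers (only the fields used here).
INSPECT_JSON = json.dumps([
    {"Name": "/web",    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": None}},
    {"Name": "/worker", "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["NET_RAW"]}},
    {"Name": "/locked", "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]}},
    {"Name": "/admin",  "HostConfig": {"Privileged": True,  "CapAdd": None, "CapDrop": ["ALL"]}},
])


def _norm(caps):
    """Upper-case and strip an optional CAP_ prefix; docker inspect reports null for unset lists."""
    out = set()
    for c in caps or []:
        c = c.upper()
        out.add(c[4:] if c.startswith("CAP_") else c)
    return out


def has_net_raw(host_config):
    """True if the container's effective capability set includes NET_RAW."""
    if host_config.get("Privileged"):
        return True                      # --privileged grants every capability
    add, drop = _norm(host_config.get("CapAdd")), _norm(host_config.get("CapDrop"))
    if "NET_RAW" in add:
        return True                      # an explicit --cap-add is applied after the drops
    if "ALL" in add:
        return "NET_RAW" not in drop     # --cap-add ALL minus whatever was dropped
    if "ALL" in drop or "NET_RAW" in drop:
        return False
    return True                          # NET_RAW is in Docker's default capability set


def containers_with_net_raw(inspect_json):
    """Names of containers in `docker inspect` output whose capability set includes NET_RAW."""
    return [c["Name"].lstrip("/") for c in json.loads(inspect_json) if has_net_raw(c["HostConfig"])]


if __name__ == "__main__":
    for name in containers_with_net_raw(INSPECT_JSON):
        print(f"{name}: holds CAP_NET_RAW; restart with --cap-drop NET_RAW or upgrade Docker Engine to 19.03.11 or later")
```

Feed it `docker inspect $(docker ps -q)`; on Kubernetes the equivalent fields are the pod's securityContext.capabilities.add/drop and privileged flags.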

CVE-2020-1301

Microsoft Windows SMB Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. Unlike CVE-2020-0796 above, this one requires authentication (PR:L) and only reaches hosts that still have SMBv1 enabled, so disabling SMBv1 removes the exposure.
CVSS v3.1 base score: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Created: 06/09/2020. Updated: 06/15/2020.

CVE-2020-1181

Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft

A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.NET web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process.
CVSS v3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Created: 06/09/2020. Updated: 06/12/2020.

CVE-2020-1206

Microsoft Windows SMBv3 Client/Server Information Disclosure Vulnerability

Microsoft

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
CVSS v3.1 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Created: 06/09/2020. Updated: 06/12/2020.
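CVE-2020-0796 and CVE-2020-1206 both live in the SMBv3 compression path: every compressed message starts with a 16-byte COMPRESSION_TRANSFORM_HEADER whose OriginalCompressedSegmentSize and Offset fields the server trusted when sizing its buffer. The script below is an added example, not Microsoft's code and not from the original report: it parses that header (layout per MS-SMB2 section 2.2.42), flags the 32-bit wrap of OriginalCompressedSegmentSize + Offset that underlies CVE-2020-0796, and adds two generic consistency checks. It cannot detect CVE-2020-1206 from the header alone, since that bug depends on the decompressed length being shorter than advertised. MAX_ORIGINAL_SIZE is an assumed sanity bound, the sample messages are constructed, and input is taken to be a raw SMB2 message without the 4-byte NetBIOS session length.

```python
"""Sanity-check the SMB2 COMPRESSION_TRANSFORM_HEADER used by SMBv3 compression.

Added example, not Microsoft's code and not from the original report. The header
layout follows MS-SMB2 section 2.2.42; the first check encodes the 32-bit
OriginalCompressedSegmentSize + Offset overflow at the root of CVE-2020-0796.
MAX_ORIGINAL_SIZE is an assumed sanity bound and the sample messages are
constructed. Input is a raw SMB2 message without the NetBIOS session length.
"""
import struct

COMPRESSION_PROTOCOL_ID = b"\xfcSMB"          # 0xFC 'S' 'M' 'B'; uncompressed SMB2 messages start with 0xFE 'S' 'M' 'B'
HEADER_FMT = "<4sIHHI"                        # ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset/Length
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 16 bytes
KNOWN_ALGORITHMS = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman", 0x0004: "Pattern_V1"}
MAX_ORIGINAL_SIZE = 8 * 1024 * 1024           # assumption: no legitimate segment decompresses beyond 8 MiB


def parse_header(msg):
    """Return the header fields as a dict, or None if msg is not a compression transform message."""
    if len(msg) < HEADER_LEN or msg[:4] != COMPRESSION_PROTOCOL_ID:
        return None
    _, original, algorithm, flags, offset = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    return {"original_size": original, "algorithm": algorithm, "flags": flags,
            "offset": offset, "payload_len": len(msg) - HEADER_LEN}


def check_compression_header(msg):
    """List of findings for one message; empty means nothing suspicious in the header."""
    hdr = parse_header(msg)
    if hdr is None:
        return []
    findings = []
    # Srv2DecompressData sized its target buffer as OriginalCompressedSegmentSize + Offset
    # in 32-bit arithmetic; a wrapped sum yields an undersized allocation (CVE-2020-0796).
    if hdr["original_size"] + hdr["offset"] > 0xFFFFFFFF:
        findings.append("OriginalCompressedSegmentSize + Offset wraps 32 bits (CVE-2020-0796 pattern)")
    if hdr["offset"] > hdr["payload_len"]:
        findings.append("Offset exceeds the data carried after the header")
    if hdr["original_size"] > MAX_ORIGINAL_SIZE:
        findings.append("OriginalCompressedSegmentSize above sanity bound")
    if hdr["algorithm"] not in KNOWN_ALGORITHMS:
        findings.append(f"unknown CompressionAlgorithm 0x{hdr['algorithm']:04x}")
    return findings


def build_message(original_size, algorithm, offset, payload, flags=0):
    """Assemble a compression transform message; used only to construct the samples below."""
    return COMPRESSION_PROTOCOL_ID + struct.pack("<IHHI", original_size, algorithm, flags, offset) + payload


# Constructed samples: a plausible benign header, an SMBGhost-style wrapping header,
# and a header whose Offset points past the end of the message.
BENIGN = build_message(0x100, 0x0001, 0, b"\x00" * 64)
SMBGHOST_LIKE = build_message(0xFFFFFFFF, 0x0001, 0x10, b"\x00" * 64)
BAD_OFFSET = build_message(0x100, 0x0001, 0x1000, b"\x00" * 32)

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("smbghost-like", SMBGHOST_LIKE), ("bad-offset", BAD_OFFSET)):
        print(name, check_compression_header(msg) or "ok")
```

In a capture the message sits after the 4-byte NetBIOS session length on 445/tcp, so strip that before calling parse_header; the same header check applies to server responses, which is the direction that matters for the client side of CVE-2020-1206.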
Friday, June 19, 2020 By john