threat_intel_report

 
Trends

  • The top attacker country was China with 125529 unique attackers (77.97%).

  • The most frequently detected Trojan C&C family was Trickbot, with 16 instances.

  • The most frequently detected phishing campaign targeted Facebook accounts, with 26 instances.

Ransomware Hackers target Campari Group with Facebook Advertising Campaign reminding them to pay

This week has seen a dramatic increase in data dumps from ransomware attackers. Earlier this month the Campari Group experienced a ransomware attack that allegedly shut down the company's servers and stole over two terabytes of data. What is unusual is the approach the cybercriminals took to remind the organisation that the ransom was due: Campari employees were targeted with a Facebook advertising campaign reminding them that payment was expected, or they would find their corporate data on the dark web.

Smishing attack targeting Australian mobile devices

We’ve detected an active smishing campaign targeting Australian mobile phone numbers from multiple providers, including Optus and Vodafone. The link within the text message redirects the mobile phone user to a cost-per-acquisition landing page, which collects personally identifiable information and, upon submission, earns the cyber-gang a small sum of money. It is unknown how this information is currently being utilised or whether the data is stored in a third-party location. However, the data will likely be used in a follow-up attack with an associated payload.

For more information, please visit: Security Alert Smishing Attack Targeting Australian Mobile Devices

  Top Attackers By Country

| Country | Occurrences | Percentage |
|---|---|---|
| China | 125529 | 77.97% |
| Russia | 5913 | 3.67% |
| Netherlands | 4268 | 2.65% |
| France | 4149 | 2.58% |
| Germany | 4127 | 2.56% |
| India | 3292 | 2.04% |
| Brazil | 2798 | 1.74% |
| Singapore | 2433 | 1.51% |
| South Korea | 2087 | 1.30% |
| Indonesia | 1879 | 1.17% |
| Philippines | 1792 | 1.11% |
| Mexico | 1336 | 0.83% |
| Italy | 1060 | 0.66% |
| Romania | 331 | 0.21% |

  [Chart: Top Attackers By Country (China, Russia, Netherlands, France, Germany, India, Other)]

  [Map: Threat Geo-location, scale 331 to 125,529 attackers]

  Top Attacking Hosts

| Host | Occurrences |
|---|---|
| 49.88.112.118 | 24342 |
| 218.92.0.206 | 15086 |
| 49.88.112.117 | 4394 |
| 49.88.112.111 | 3012 |
| 51.75.131.235 | 2818 |
| 64.225.112.216 | 2447 |
| 103.145.13.143 | 1987 |
| 45.146.164.229 | 1829 |
| 45.146.165.79 | 1561 |
| 89.248.174.203 | 1459 |
| 49.88.112.77 | 1350 |
| 174.222.10.127 | 1241 |
| 112.85.42.47 | 1163 |
| 104.143.92.93 | 1111 |
| 183.201.252.68 | 1104 |

  [Chart: Top Attackers]

  Top Network Attackers

| ASN | Country | Name |
|---|---|---|
| 4134 | China | CHINANET-BACKBONE No.31,Jin-rong Street, CN |
| 4134 | France | OVH, FR |
| 207566 | United States | DIGITALOCEAN-ASN, US |
| 51167 | Netherlands | SQUITTER-NETWORKS, NL |
| 4766 | Russia | SELECTEL, RU |
| 20473 | Netherlands | INT-NETWORK, SC |
| 63991 | United States | CELLCO, US |
| 2856 | China | CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN |
| 39465 | United States | SOFTLAYER, US |
| 202325 | China | SHANXIMCC-IDC IDC ShanXi China Mobile communications corporation, CN |

  Remote Access Trojan C&C Servers Found

| Name | Number Discovered | Location |
|---|---|---|
| AzorUlt | 1 | 104.237.252.41 |
| CobaltStrike | 1 | 80.249.146.211 |
| DiamondFox | 1 | 213.159.203.230 |
| Heodo | 4 | 113.163.216.135, 181.165.68.127, 189.55.48.40, 99.247.33.186 |
| LiteHTTP | 2 | 185.239.242.244, 93.115.21.167 |
| Loader | 1 | 88.119.171.179 |
| Lokibot | 14 | 103.83.81.68, 104.18.57.249, 104.27.135.89, 162.215.253.15, 172.67.214.61, 185.209.1.127, 192.185.138.19, 192.185.138.193, 192.185.91.41, 31.41.44.163, 45.138.72.74, 45.252.248.42, 84.16.234.228, 92.242.40.167 |
| Phobos | 1 | j5zujlxrhuorruy6.onion |
| Predator | 3 | 141.8.192.151, 172.67.132.216, 185.50.25.35 |
| ProxyCB | 2 | 185.158.114.14, 185.158.115.191 |
| Redirected | 1 | 207.154.235.218 |
| RedLine | 15 | 104.31.93.207, 138.124.180.188, 185.107.237.53, 185.209.1.127, 185.87.50.113, 193.38.55.97, 45.139.236.86, 45.142.212.28, 45.150.67.34, 45.156.24.237, 45.66.250.102, 45.67.228.250, 86.105.252.12, 91.235.129.40, 93.114.128.198 |
| Trickbot | 16 | 144.172.64.26, 156.96.62.82, 194.5.249.196, 195.123.240.119, 195.123.240.40, 195.123.241.22, 195.123.241.222, 195.123.241.226, 43.245.216.190, 45.230.8.34, 49.156.41.74, 91.200.103.193, 91.200.103.217, 94.140.115.229, 94.140.115.91, 94.140.115.99 |
| ZLoader | 1 | 8.208.97.5 |

  [Chart: Trojan C&C Servers Detected (ProxyCB, Predator, Heodo, LiteHTTP, RedLine, Lokibot, Trickbot, Other)]

  Common Malware

| MD5 | VirusTotal | FileName | Claimed Product | Detection Name |
|---|---|---|---|---|
| ce4395edbbf9869a5e276781af2e0fb5 | https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details | wupxarch635.exe | N/A | W32.Auto:f059a5358c.in03.Talos |
| dd726d5e223ca762dc2772f40cb921d3 | https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection | ww24.exe | N/A | W32.TR:Attribute.23ln.1201 |
| e2ea315d9a83e7577053f52c974f6a5a | https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection | c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin | N/A | Win.Dropper.Agentwdcr::1201 |
| 8c80dd97c37525927c1e549cb59bcbf3 | https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection | Eternalblue-2.2.0.exe | N/A | Win.Exploit.Shadowbrokers::5A5226262.auto.talos |
| 0cd267df5b55552a6589f4e67164fd3d | https://www.virustotal.com/gui/file/97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a/details | FlashHelperService.exe | FlashHelperService | Auto.97511B.232354.in02 |

  Top Phishing Campaigns

| Phishing Target | Count |
|---|---|
| Other | 1564 |
| PayPal | 2 |
| Facebook | 26 |
| DocuSign | 1 |
| Google | 1 |
| Amazon | 14 |
| Halifax | 24 |
| Virustotal | 6 |
| Caixa | 1 |
| Microsoft | 1 |
| Itau | 2 |
| Apple | 1 |
| RuneScape | 1 |

  CVEs with Recently Discovered Exploits

  This is a list of recent vulnerabilities for which exploits are available.

| CVE | Title | Vendor | Description | CVSS v3.1 Base Score | Date Created | Date Updated |
|---|---|---|---|---|---|---|
| CVE-2020-14882 | Oracle WebLogic Server Remote Code Execution Vulnerability | Oracle | Oracle WebLogic Server is exposed to a critical vulnerability that could be exploited by an unauthenticated attacker with a single HTTP request. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in takeover of Oracle WebLogic Server. | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | 10/21/2020 | 11/10/2020 |
| CVE-2019-5544 | VMware Horizon DaaS OpenSLP Remote Code Execution Vulnerability | VMware | OpenSLP as used in Horizon DaaS is exposed to a heap overwrite issue. A malicious actor with network access to port 427 on an ESXi host may be able to overwrite the heap of the OpenSLP service, resulting in remote code execution. | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | 12/06/2019 | 05/14/2020 |
| CVE-2020-14871 | Oracle Solaris Remote Code Execution Vulnerability | Oracle | This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks can result in takeover of Oracle Solaris. | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | 10/21/2020 | 11/09/2020 |
| CVE-2020-27955 | Git for Windows Large File Storage Remote Code Execution Vulnerability | Git | On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program is executed, permitting the attacker to execute arbitrary code. Successful exploitation allows an attacker to execute code remotely and compromise the system. | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | 11/05/2020 | 11/10/2020 |
| CVE-2020-17087 | Microsoft Windows Kernel Privilege Escalation Vulnerability | Microsoft | Security researchers from Google's Project Zero have disclosed a zero-day vulnerability in the Windows operating system which is currently being exploited in the wild. The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug. | 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) | 11/11/2020 | 11/12/2020 |
| CVE-2020-15999 | Google Chrome Freetype Heap Buffer Overflow Vulnerability | Google | Google Chrome issued an update announcement for the browser across all platforms. Google confirmed that the "stable channel" desktop Chrome browser is being updated across Windows, Mac, and Linux platforms. As per Google's official sources, this urgent update will start rolling out over the coming few days or weeks. | 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | 11/02/2020 | 11/11/2020 |
| CVE-2020-14750 | Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability | Oracle | Oracle released a critical update earlier in October to patch CVE-2020-14882. It has since been observed that attackers can bypass this patch, exposing an unauthenticated remote code execution vulnerability. Unauthorized attackers can continue to bypass the WebLogic login restrictions and control the server even after WebLogic is patched for CVE-2020-14882. | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | 11/02/2020 | 11/10/2020 |
| CVE-2020-1472 | Microsoft Netlogon Elevation of Privilege Vulnerability | Microsoft | An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | 08/17/2020 | 10/05/2020 |

Details

Date Published: November 19, 2020