Red Piranha Threat Intelligence Report - August 12-18, 2019

Trends


  • The top attacker country was China with 1673 unique attackers (26%).
  • The top Exploit event was Authentication with 44% of occurrences.
  • The top Trojan C&C server detected was KeitaroTDS with 128 instances detected.


Top Attacker by Country


Country Occurrences Percentage
China 1673 25.71%
United States 1373 21.10%
Republic of Korea 357 5.49%
Brazil 343 5.27%
Vietnam 330 5.07%
Russian Federation 297 4.56%
France 296 4.55%
India 262 4.03%
United Kingdom 241 3.70%
Germany 235 3.61%
Netherlands 190 2.92%
Canada 182 2.80%
Taiwan 134 2.06%
Indonesia 120 1.84%
Egypt 113 1.74%
Italy 104 1.60%
Poland 93 1.43%
Thailand 87 1.34%
Singapore 77 1.18%

Top Cyber Attackers by Country August 12-18 2019


Threat Geo-location


Cyber Security Threat Geolocations August 12-18 2019


Top Attacking Hosts


Host Occurrences
31.52.181.224 164
218.92.1.131 145
112.85.42.237 87
218.92.0.210 51
49.88.112.71 50
112.85.42.194 49
218.92.0.138 32
46.101.43.235 27

Top Attacker Hosts August 12-18 2019


Top Network Attackers


Origin AS Announcement Description
AS2856 31.48.0.0/13 British Telecommunications PLC
AS4134 218.92.0.0/16 CHINANET Jiangsu Province Network
AS4837 112.80.0.0/13 China Unicom Jiangsu Province Network


Top Event NIDS and Exploits


Top Event NIDS August 12-18 2019

Top Event Exploits


Top Alarms


Type of Alarm Occurrences
Bruteforce Authentication 1941
Network Discovery 29
Network Anomaly 18


Comparison from last week 
 

Type of Alarm Occurrences
Bruteforce Authentication 30
Network Discovery 9
Network Anomaly 6

Top Cyber Security Alarms


Remote Access Trojan C&C Servers Found


Name Number Discovered Location
Arkei 1 185.212.129.171
Azorult 3 185.173.176.34 
213.159.208.51  
8.208.11.27
BetaBot 1 5.45.73.113
CryptBot 1 213.159.209.169
KeitaroTDS 128 109.234.34.64, 109.234.39.39, 109.237.108.158, 109.237.110.29, 109.248.202.30, 134.0.115.146, 134.0.115.60, 134.0.116.106,
134.0.116.183, 134.0.117.113,
134.0.117.41, 134.0.119.180,
149.154.71.82, 151.248.112.91, 151.248.114.187,
151.248.122.72, 176.113.83.131, 176.53.161.105, 176.53.161.220, 176.53.162.39, 176.53.163.121, 176.57.215.15, 176.57.217.159, 176.99.11.54, 176.99.11.72,
176.99.12.144, 176.99.12.228,
176.99.12.7, 178.21.10.169,
178.21.10.226, 185.117.155.45, 185.148.82.254, 185.178.44.106, 185.179.188.137, 185.179.188.152, 185.179.188.168, 185.179.188.170, 185.179.188.172, 185.179.188.178, 185.179.188.190, 185.179.188.205, 185.179.188.207. 185.179.188.209, 185.179.188.21, 185.179.188.232, 185.179.188.250, 185.179.188.66, 185.179.188.85, 185.179.188.94, 185.179.188.97, 185.179.188.98, 185.179.190.102, 185.179.190.103, 185.179.190.147, 185.179.190.148, 185.179.190.152, 185.179.190.153, 185.179.190.157, 185.179.190.158, 185.179.190.178, 185.179.190.195, 185.179.190.38, 185.179.190.41, 185.179.190.73, 185.179.190.96, 185.20.224.222, 185.20.224.54, 185.20.225.208, 185.93.109.185, 188.120.238.25, 188.120.248.52, 188.120.253.42, 188.127.239.60, 188.225.24.2, 188.225.26.108, 188.225.26.120, 188.225.26.84, 188.225.37.94, 188.225.38.93, 188.225.76.123, 188.68.210.126, 188.93.211.127, 188.93.211.64, 193.124.181.114, 193.124.18.182, 193.124.188.96, 193.124.200.12, 193.124.200.174, 193.124.200.57, 193.124.200.74, 193.124.201.227, 193.124.201.228, 193.124.204.245, 193.124.204.57, 193.124.204.79, 193.124.204.88, 193.124.206.143, 193.124.207.184, 193.124.207.19, 193.124.44.234, 193.124.44.55, 193.124.93.237, 193.176.78.64, 194.113.107.118, 194.113.107.139, 194.147.35.176, 194.58.100.158, 194.58.104.26, 194.58.107.70, 194.58.108.51, 194.58.111.35, 194.58.119.193, 194.58.122.56, 194.58.38.175, 194.58.38.190, 194.58.38.199, 194.58.38.204, 194.58.39.109, 194.58.39.215, 194.58.40.228, 194.58.40.235, 194.58.47.158, 194.67.87.251, 194.87.202.71, 31.31.201.47,
46.254.21.24, 5.23.55.239, 92.63.192.143
LokiBot 2 185.173.179.13
185.87.187.198
ParasiteHTTP 1 5.45.73.113
Pony 1 94.102.53.52
PredatorTheThief 48 109.94.110.157, 139.180.223.36, 178.62.188.204, 178.62.191.13, 178.62.191.173, 18.222.210.14, 18.222.227.101, 18.225.10.183, 185.14.186.39, 185.146.156.38, 185.193.126.123, 185.206.144.170, 185.244.217.108, 185.254.121.122, 185.254.121.126, 185.254.121.141, 185.254.121.161, 185.60.133.242, 190.97.167.143, 190.97.167.238, 192.81.220.183, 193.124.117.116, 193.37.212.107, 213.159.209.1, 2.56.214.102, 31.184.197.158,
3.15.40.147, 37.139.2.42, 45.10.219.20, 45.10.219.7, 45.12.212.187, 45.12.213.98, 46.101.160.184, 46.249.62.207, 47.89.189.85, 5.101.180.213, 51.15.228.96, 5.196.214.131, 79.124.8.105, 81.177.180.205, 8.208.9.124, 82.196.1.19, 82.196.9.220, 82.202.163.189, 83.220.174.244, 92.63.192.138, 92.63.192.144, 92.63.192.221
TrickBot 38 107.172.201.144, 107.174.71.44, 146.185.219.21, 178.170.189.117, 185.117.73.58, 185.142.99.39, 185.172.129.11, 185.183.99.159, 185.202.174.77, 185.241.53.109, 192.210.226.104, 193.124.185.113, 194.87.111.102, 195.123.233.35, 195.123.237.126, 195.123.238.54, 198.12.97.170, 198.12.97.204, 198.46.198.103, 198.46.198.12, 198.46.198.132, 212.80.217.182, 31.184.253.244, 37.228.117.142, 50.3.68.150, 51.79.57.148, 54.36.24.100, 54.37.195.102, 5.53.124.147, 5.53.124.49, 5.9.178.87, 79.143.31.94, 80.87.199.54, 81.177.136.17, 82.146.43.15, 89.105.203.182, 91.235.129.80, 94.103.95.91

Top Trojan August 12-18 2019


Common Malware


Malware Type MD5 Typical Filename

PUA.Osx.
Trojan.Amcleaner::
sbmt.talos

125ef5dc3
115bda09d
2cef1c5086
9205

PUA.Osx.
Trojan.Amcleaner::
sbmt.talos

Win.Trojan.
Generic::
in10.talos

47b97de62
ae8b2b927
542aa5d7f3
c858

Win.Trojan.
Generic::
in10.talos

Unix.Exploit.
Lotoor::
other.talos

f7145b132
e23e3a55d
2269a00839
5034

Unix.Exploit.
Lotoor::
other.talos

W32.39A87
5089A-
100.SBX.TG

df61f1384
09416736
d9b6f4ec72
ac0af

W32.39A87
5089A-
100.SBX.TG
W32.7ACF7
1AFA8-
95.SBX.TG

4a50780d
db3db16e
bab57b0ca
42da0fb

W32.7ACF7
1AFA8-
​​​​​​​95.SBX.TG


CVE


This is a list of recent vulnerabilities for which exploits are available.

ID:        CVE-2019-1181
Title:    Microsoft Remote Desktop Services Remote Code Execution Vulnerability
Vendor:    Microsoft
Description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. More information is available - "https://blog.qualys.com/laws-of-vulnerabilities/2019/08/13/windows-remote-desktop-vulnerabilities-seven-monkeys-how-to-detect-and-patch". This CVE ID is unique from CVE-2019-1181, CVE-2019-1222, CVE-2019-1226.
CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1222
Title:    Microsoft Remote Desktop Services Remote Code Execution Vulnerability
Vendor:    Microsoft
Description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. More infromation is available - "https://blog.qualys.com/laws-of-vulnerabilities/2019/08/13/windows-remote-desktop-vulnerabilities-seven-monkeys-how-to-detect-and-patch". This CVE ID is unique from CVE-2019-1181, CVE-2019-1182, CVE-2019-1222.
CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-5994
Title:    EOS Camera Picture Transfer Protocol Memory Corruption Vulnerability
Vendor:    Canon EOS
Description: A Buffer overflow vulnerability exist in PTP (Picture Transfer Protocol) of EOS series digital cameras that allows an attacker on the same network segment to trigger the affected product being unresponsive or to execute arbitrary code on the affected product via SendObjectInfo command.
CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)


ID:        CVE-2019-0193
Title:    Apache Solr Remote Code Execution Vulnerability
Vendor:    Apache
Description: A vulnerability exists in the DataImportHandler module of Apache Solr, a common module used to import data from databases or other sources. The whole DIH configuration of this module can come from the dataConfig parameter included in an external request. An attacker could exploit this vulnerability to cause arbitrary code execution via a malicious request that contains a carefully crafted dataConfig parameter.
CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


ID:        CVE-2019-14234
Title:    Django Index lookup SQL Injection Vulnerability
Vendor: Django
Description: Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. A remote attacker could possibly use this issue to perform SQL injection attacks.
CVSS v2 Base Score: AV:N/AC:L/Au:N/C:N/I:N/A:P  Base Score: 5


ID:        CVE-2018-13382
Title:    Fortinet FortiOS Authorization Bypass Vulnerability
Vendor:    Fortinet
Description: An Improper Authorization vulnerability in Fortinet FortiOS under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

0 Comments
Tuesday, August 20, 2019 By rayah.medina