threat-intelligence-report_web


Trends


  • The top attacker country was China with 1809 unique attackers (25%).
  • The top Exploit event was Authentication with 46% of occurrences.
  • The top Trojan C&C server detected was TrickBot with 21 instances detected.



Top Attacker by Country


CountryOccurrencesPercentage
China180925.01%
United States165822.93%
Vietnam4786.61%
Brazil3865.34%
France3364.65%
Republic of Korea3254.49%
India3214.44%
Russian Federation3174.38%
United Kingdom2323.21%
Egypt2082.88%
Canada1702.35%
Thailand1572.17%
Taiwan1431.98%
Singapore1421.96%
Germany1401.94%
Netherlands1231.70%
Indonesia1121.55%
Australia981.36%
Italy771.06%


Top Cyber Attackers by Country  August 26 - September 1 2019




Threat Geo-location


Cyber Security Threat Geolocations August 26-September 1 2019



Top Attacking Hosts


HostOccurrences
1.128.109.71224
1.132.106.92629
1.217.98.44577
1.56.207.131487
1.203.115.140483
1.132.106.152346
1.235.192.218263
1.132.106.64231


Top Attacker Hosts August 25 - September 1 2019



Top Network Attackers


Origin ASAnnouncementDescription
AS12211.128.0.0/11Telstra
AS37861.208.0.0/12LG DACOM Corporation
AS48371.56.0.0/13China Unicom Heilongjiang province net



Top Event NIDS and Exploits




Top Event NIDS August 25 - September 1 2019



Top Event Exploits August 25 - September 1 2019




Top Alarms


Type of AlarmOccurrences
Bruteforce Authentication2294
Network Anomaly2695
Network Discovery8


Comparison from last week 

Type of AlarmOccurrences
Bruteforce Authentication3846
Network Discovery995
Network Anomaly131



Top Cyber Security Alarms August 25 - September 1 2019

Remote Access Trojan C&C Servers Found


NameNumber DiscoveredLocation
Anubis1130.0.235.205
Azorult4176.119.159.153, 62.109.17.122, 194.67.90.196, 47.88.102.244
CryptBot262.173.154.208, 37.140.199.197
Kpot185.143.217.98
LokiBot5101.99.90.11, 47.88.102.244, 194.67.90.196, 149.154.69.146, 194.209.228.127
LaturoStealer1176.121.14.128
PredatorTheThief2185.25.50.227, 47.88.159.181
TrickBot21

195.123.237.52, 85.217.171.98, 185.183.98.237, 54.38.127.24, 79.124.49.203, 81.177.6.144,
81.177.6.224, 37.72.168.154, 185.183.99.134, 37.228.117.90, 185.65.202.159, 5.101.51.246, 51.75.254.122, 45.138.157.13, 212.22.75.120, 176.103.62.201, 85.143.221.0, 107.174.254.153, 51.68.247.46, 92.38.171.125,
94.156.35.232



Trojan C&C Servers August 25 - September 1 2019



Common Malware



Malware TypeMD5Typical Filename

Win.Trojan.
Generic::
in10.talos

47b97de6
2ae8b2b9
27542aa5
d7f3c858

qmreportupload.exe

W32.7ACF7
1AFA8-95.
SBX.TG

4a50780
ddb3db1
6ebab57
b0ca42da
0fb

xme64-2141.exe

W32.1755C
179F0-100.
SBX.TG

c785a8b
0be77a2
16a5223
c41d8dd
937f

cslast.gif

W32.46B2
41E3D3-95.
SBX.TG

db69eaa
ea4d497
03f161c8
1e6fdd036f
invoice.exe

W32.093CC
39350-100.
SBX.TG

3c7be1d
be9eecf
c73f4476bf
18d1df3f

sayext.gif




CVEs For Which Public Exploits Have Been Detected


ID:        CVE-2019-11510
Title:    Pulse Secure Arbitrary File Disclosure Vulnerability
Vendor:    Pulse Secure
Description: Pulse Connect Secure is exposed to arbitrary file disclosure vulnerability. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, or can send a specially crafted URI to perform an arbitrary file reading vulnerability .
CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-8605
Title:    Apple MacOS Information Disclosure Vulnerability
Vendor:    Apple
Description: A remote attacker could exploit this vulnerability to cause disclosure of information, unauthorized modification and arbitrary code execution  with system privileges. A malicious application may be able to execute arbitrary code with system privileges," reads the advisory published by Apple. "A use after free issue was addressed with improved memory management." The vulnerability was initially reported by Google Project Zero white hacker Ned Williamson, who also published an exploit for iOS 12.2, dubbed "SockPuppet," after the first patch was released.
CVSS v2 Base Score:    9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-12527
Title:    Squid Buffer Overflow Vulnerability
Vendor:    Squid
Description: Squid is exposed to a heap based buffer overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.When checking Basic Authentication with HttpHeader, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length is not greater than the buffer, leading to a heap-based buffer overflow with user controlled data. Successfully exploiting this issue allow attackers to execute arbitrary code in the context of the affected application.
CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-15107
Title:    Webmin Unauhenticated Remote Command Execution Vulnerability
Vendor:    Webmin
Description: Webmin is exposed to a vulnerability that allows remote command execution. The parameter old in password_change.cgi contains a command injection vulnerability. Webmin versions are only vulnerable if changing of expired passwords is enabled. Successful exploitation may allow remote attacker to execute arbitrary commands on target system.
CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-15092
Title:    Wordpress Plugin Remote code Execution Vulnerability
Vendor:    WordPress
Description: Wordpress Plugin is exposed to CSV injection vulnerability. This allows any application user to inject commands as part of the fields of his profile and these commands are executed when a user with greater privilege exports the data in CSV and opens that file on his machine. The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Details