Red Piranha Threat Intelligence Report - December 3-9 2018


Trends


  • The United States tops the list with 1481 unique attackers (24.7%)
  • OTX Pulse was the top alarm of the week with 90 occurrences
  • Command Execution was the top exploit event type this week, accounting for 77% of occurrences.


Top Attacker by Country


Country               No. of Attackers
---------------------------------------
United States                     1481
China                             1292
France                             398
Brazil                             363
Russian Federation                 330
India                              258
United Kingdom                     199
Netherlands                        199
Republic of Korea                  194
Vietnam                            194
Germany                            163
Taiwan                             150
Canada                             147
Australia                          138
Ukraine                            116
Indonesia                          108
Italy                              104
Singapore                           94
Colombia                            78

Top Cyber Attackers by Country December 3-9 2018


Threat Geo-location


Cyber Security Threat Geolocations December 3-9 2018


Top Attacking Hosts


Host               Occurrences
------------------------------
13.107.4.50                 19
185.10.68.153               17
185.244.25.165              16
185.244.25.167              16
185.244.25.228              16
117.18.237.29               16
37.48.76.51                 15
159.203.169.16              15

Top Attacker Hosts December 3-9 2018


Top Alarms


Alarm                                   No. of Occurrences
----------------------------------------------------------
OTX Indicators of Compromise - PULSE                    90
Bruteforce Authentication - SSH                         32
Attack Tool Detected - Attack                            1


Comparison from Previous Report

Alarm                                   No. of Occurrences
----------------------------------------------------------
Bruteforce Authentication - SSH                        239
OTX Indicators of Compromise - PULSE                   107
Attack Tool Detected - Attack                            8
WebServer Attack - Attack                                3

Top Cyber Security Alarms December 3-9 2018


Exploit Event Types and Top Event NIDS


Top Event NIDS and Exploits December 3-9 2018


CVE


CVE-2018-20029
The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a denial of service (BSOD) because uninitialized memory can be read.
https://nvd.nist.gov/vuln/detail/CVE-2018-20029

CVE-2018-1279
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster, can use this cookie to gain full control over the entire cluster.
https://nvd.nist.gov/vuln/detail/CVE-2018-1279

CVE-2018-15800
Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the Bits Service storage.
https://nvd.nist.gov/vuln/detail/CVE-2018-15800
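The Bits Service entry above describes a timing attack against signature verification. The following Python example is added here to illustrate the defensive point; it is not Cloud Foundry code and does not reproduce the Bits Service implementation. It contrasts an early-exit comparison (which stops at the first mismatching byte, so its running time reveals how much of a guessed tag is correct) with a constant-time comparison using hmac.compare_digest. The key, message and signed-URL-style tag are constructed sample values, and the count of characters examined is used as a deterministic stand-in for elapsed time.

```python
import hashlib
import hmac

# Constructed sample values for the demo; not real Bits Service key material.
SAMPLE_KEY = b"example-signing-key-not-a-real-secret"
SAMPLE_MSG = b"GET /packages/abc123?expires=1544400000"


def sign(key: bytes, message: bytes) -> str:
    """Hex HMAC-SHA256 tag over message (a generic signed-URL style tag)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def leaky_compare(expected: str, presented: str) -> tuple:
    """Early-exit comparison of the kind that leaks timing.

    Returns (equal, chars_examined). chars_examined is a deterministic proxy
    for elapsed time: it grows with the length of the correctly guessed
    prefix, which is the signal a remote timing attack measures.
    """
    if len(expected) != len(presented):
        return False, 0
    examined = 0
    for a, b in zip(expected, presented):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_leaky(key: bytes, message: bytes, presented_tag: str) -> tuple:
    """Vulnerable pattern: verify with an early-exit string compare."""
    return leaky_compare(sign(key, message), presented_tag)


def verify_constant_time(key: bytes, message: bytes, presented_tag: str) -> bool:
    """Hardened pattern: hmac.compare_digest examines every byte, so the
    time taken does not depend on where the first mismatch occurs."""
    return hmac.compare_digest(sign(key, message), presented_tag)


def prefix_leak_demo(key: bytes = SAMPLE_KEY, message: bytes = SAMPLE_MSG) -> list:
    """Work done by the leaky check for guesses whose first k hex chars are right.

    Each guess copies the first k characters of the real tag and then puts a
    guaranteed-wrong character at position k, so the leaky compare always stops
    after examining k + 1 characters. For k in (0, 8, 16, 32) the returned list
    is therefore [1, 9, 17, 33]: an observable that climbs as the guess improves.
    """
    real = sign(key, message)
    work = []
    for k in (0, 8, 16, 32):
        wrong = "0" if real[k] != "0" else "1"
        guess = real[:k] + wrong + real[k + 1:]
        equal, examined = leaky_compare(real, guess)
        assert not equal
        work.append(examined)
    return work


if __name__ == "__main__":
    tag = sign(SAMPLE_KEY, SAMPLE_MSG)
    print("leaky work per guess:", prefix_leak_demo())
    print("constant-time verify ok:", verify_constant_time(SAMPLE_KEY, SAMPLE_MSG, tag))
```

The fix is independent of the key length or hash: any secret-dependent early exit in the comparison is the defect, so verification code should always go through a constant-time compare such as hmac.compare_digest, and the detection signal on the server side is a high rate of signature failures from one client with tags that share growing prefixes.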

CVE-2018-15805
Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption).
https://nvd.nist.gov/vuln/detail/CVE-2018-15805

CVE-2018-16635
Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php.
https://nvd.nist.gov/vuln/detail/CVE-2018-16635

CVE-2018-16636
Nucleus CMS 3.70 allows HTML Injection via the index.php body parameter.
https://nvd.nist.gov/vuln/detail/CVE-2018-16636


Vulnerabilities


Vuln: PHP CVE-2018-19935 Denial of Service Vulnerability


Tuesday, December 11, 2018 By rayah.medina