threat-intelligence-report


Trends


  • The top attacker country was China with 2594 unique attackers (36%).
  • The top Exploit event was Authentication with 37% of occurrences.
  • The top Trojan C&C server detected was Heodo, with 26 instances.
  • The most prevalent malware detected was Bitcoin Miner xme64-2141.exe, first seen 10th March 2019.

Top Attacker by Country


Country             Occurrences  Percentage
China                      2594      34.55%
United States              1301      17.33%
India                       433       5.77%
France                      359       4.78%
Korea                       327       4.35%
Brazil                      325       4.33%
Russian Federation          310       4.13%
Vietnam                     248       3.30%
United Kingdom              243       3.24%
Canada                      195       2.60%
Indonesia                   194       2.58%
Germany                     173       2.30%
Taiwan                      165       2.20%
Italy                       128       1.70%
Hong Kong                   126       1.68%
Netherlands                 106       1.41%
Thailand                    104       1.39%
Mexico                       94       1.25%
Singapore                    84       1.12%
Top Cyber Attackers by Country Nov 4-10 2019



Threat Geolocation



Cyber Security Threat Geolocations Nov 4-10 2019



Top Attacking Hosts


Host            Occurrences
5.79.74.216             405
1.129.109.250           217
5.39.93.158             121
1.144.104.241           113
5.149.205.151           113
5.39.79.48              112
5.135.179.178            87
2.228.163.157            83
1.221.192.149            38
1.203.115.64             20
5.189.176.250            17
Top Attacker Hosts Nov 4-10 2019



Top Network Attackers


Origin AS  Announcement    Description
AS60781    5.79.64.0/18    LeaseWeb Netherlands B.V.
AS1221     1.128.0.0/11    Telstra
AS16276    5.39.0.0/17     OVH SAS
AS50477    5.149.204.0/22  Svyaz-Energo Ltd.

Top Events NIDS and Exploits





Top Alarms


Type of Alarm              Occurrences
Bruteforce Authentication         1402
Intrusion Detection                 85
Network Discovery                    2


Comparison from last week

Type of Alarm              Occurrences
Bruteforce Authentication         3174
Intrusion Detection                 83
Network Discovery                  361
Top Cyber Security Alarms Nov 4-10 2019

Remote Access Trojan C&C Servers Found


Name              Number Discovered
PredatorTheThief                  3
DarkLoader                        1
Anubis                            4
Loader                            3
TrickBot                         23
Heodo                            26
Trojan C&C Servers Nov 4-10 2019

Common Malware


Malware Type                       MD5                               Typical Filename
W32.7ACF71AFA8-95.SBX.TG           4a50780ddb3db16ebab57b0ca42da0fb  xme64-2141.exe
Win.Trojan.Generic                 47b97de62ae8b2b927542aa5d7f3c858  qmreportupload
W32.GenericKD:Attribute.22lk.1201  74f4e22e5be90d152521125eaf4da635  jsonMerge.exe
W32.46B241E3D3-95.SBX.TG           db69eaaea4d49703f161c81e6fdd036f  xme32-2141-gcc.exe
W32.WNCryLdrA:Trojan.22k2.1201     8c80dd97c37525927c1e549cb59bcbf3  Eternalblue-2.2.0.exe



CVEs For Which Public Exploits Have Been Detected


ID:        CVE-2019-2114
Title:    NFC Beaming Android Security Control Bypass Vulnerability
Vendor:    Google
Description: NFC beaming of applications between devices running Android OS bypasses some security controls (the "install unknown application" prompt). This could lead to local escalation of privilege by installing an application, with no additional execution privileges needed. In practice, on an Android phone with NFC and Android Beam enabled, touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed while bypassing the "install unknown apps" prompt.
CVSS v2 Base Score:    4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-11932
Title:    WhatsApp Remote Code Execution Vulnerability
Vendor:    WhatsApp
Description: A double free vulnerability exists in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif as used in WhatsApp for Android before 2.19.244. Successful exploitation allows remote attackers to execute arbitrary code or cause a denial of service.
CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-11043
Title:    PHP 7 Remote Code Execution Vulnerability
Vendor:    Multi-Vendor
Description: A vulnerability exists in PHP where insufficient validation in the path-handling code of the FPM module allows writes past allocated buffers into the space reserved for FCGI protocol data, opening the possibility of remote code execution. This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system.
CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-16662
Title:    rConfig Remote Code Execution Vulnerability
Vendor:    Multi-Vendor
Description: An issue was discovered in rConfig where an attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php, because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
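A log-side check for the rConfig issue above, added here as an example (it is not rConfig's code and not part of the report): it parses combined-format access-log lines, constructed for this example, and flags GET requests to ajaxServerSettingsChk.php whose rootUname value contains anything outside a conservative username character set. The log lines and the request path prefix are assumptions; only the script name and parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access-log lines, constructed for this example (not from
# the report): a normal settings check, a rootUname carrying an encoded ';',
# and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2019:10:12:01 +0000] "GET /ajaxServerSettingsChk.php?rootUname=admin&rootPass=x HTTP/1.1" 200 512
10.0.0.9 - - [07/Nov/2019:10:13:44 +0000] "GET /ajaxServerSettingsChk.php?rootUname=admin%3Btrue HTTP/1.1" 200 88
10.0.0.5 - - [07/Nov/2019:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# rootUname is meant to hold a username; anything outside this conservative
# set (shell metacharacters above all) has no business in the parameter.
SAFE_VALUE = re.compile(r'^[A-Za-z0-9_.@-]+$')
ENDPOINT = '/ajaxserversettingschk.php'  # script name from the advisory; directory prefix is not assumed

def inspect_request(line):
    """Return a finding for a request to the vulnerable script whose
    rootUname value is not a plain username, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.lower().endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes, so an encoded %3B surfaces as ';' here.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get('rootUname', []):
        if not SAFE_VALUE.match(value):
            return {'ip': m.group('ip'), 'ts': m.group('ts'),
                    'rootUname': value, 'status': int(m.group('status'))}
    return None

def scan_log(text):
    """Run inspect_request over every line and keep only the findings."""
    return [f for f in map(inspect_request, text.splitlines()) if f]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```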


ID:        CVE-2019-1414
Title:    Visual Studio Code Elevation of Privilege Vulnerability
Vendor:    Microsoft
Description: An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer. A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.
CVSS v2 Base Score:    6.3 (AV:L/AC:M/Au:N/C:C/I:C/A:N)


ID:        CVE-2019-2888
Title:    Oracle WebLogic Server EJBTaglibDescriptor XXE Vulnerability
Vendor:    Oracle
Description: A vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data.
CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)