

Trends


  • The top attacker country was China with 1471 unique attackers (26%).
  • The top Exploit event was Authentication with 25% of occurrences.
  • The top Trojan C&C server detected was TrickBot with 32 instances detected.



Top Attacker by Country


Country              Occurrences   Percentage
China                1471          26.24%
United States        1206          21.51%
Vietnam              391           6.97%
Brazil               341           6.08%
Republic of Korea    287           5.12%
Russian Federation   249           4.44%
India                237           4.23%
Egypt                218           3.89%
United Kingdom       152           2.71%
Germany              128           2.28%
Canada               124           2.21%
Taiwan               113           2.02%
Netherlands          104           1.86%
Thailand             89            1.59%
Italy                77            1.37%
Indonesia            68            1.21%
Australia            67            1.20%
Singapore            65            1.16%


Top Cyber Attackers by Country September 2-8 2019



Threat Geo-location


Cyber Security Threat Geolocations Sept. 2-8 2019




Top Attacking Hosts


Host             Occurrences
5.152.159.31     746
5.135.244.117    466
2.136.131.36     320
1.179.137.10     288
3.105.202.31     259
3.8.75.184       240
3.9.77.138       237
2.32.86.50       234


Top Attacker Hosts September 2-8 2019



Top Network Attackers


Origin AS    Announcement      Description
AS199026     5.152.159.0/24    alternatYva S.r.l.
AS16276      5.135.0.0/16      OVH SAS
AS3352       2.136.0.0/16      Red de servicios IP



Top Event NIDS and Exploits


Top Event NIDS September 2-8 2019



Top Event Exploits September 2-8 2019




Top Alarms


Type of Alarm               Occurrences
Bruteforce Authentication   2294
Network Anomaly             1463
Network Discovery           324


Comparison with the previous week:

Type of Alarm               Occurrences
Bruteforce Authentication   2294
Network Anomaly             2695
Network Discovery           8



Top Cyber Security Alarms September 2-8 2019




Remote Access Trojan C&C Servers Found


Name               Number Discovered   Location (C&C IP addresses)
Azorult            3                   85.213.211.34, 194.67.78.6, 82.202.173.113
BabyBotNet         1                   77.222.62.31
KPOT               1                   5.188.231.105
KpotStealer        2                   47.88.102.244, 8.209.72.105
LokiBot            3                   104.24.122.167, 104.27.157.100, 194.67.78.6
Pony               2                   104.144.198.27, 116.0.23.168
PredatorTheThief   1                   31.184.196.206
TrickBot           32                  107.155.137.12, 107.160.141.53, 107.173.160.18,
                                       107.173.160.19, 107.173.160.22, 107.173.90.220,
                                       107.174.66.214, 172.106.131.104, 184.164.142.51,
                                       185.142.99.59, 185.183.99.146, 185.222.202.29,
                                       185.235.130.84, 185.45.193.76, 190.109.189.119,
                                       190.144.89.82, 192.3.104.38, 193.26.217.140,
                                       194.5.250.53, 194.87.147.184, 212.73.150.188,
                                       217.12.210.216, 31.202.132.179, 45.138.157.55,
                                       45.80.148.53, 51.254.69.225, 66.55.71.112,
                                       68.168.123.85, 79.124.49.206, 85.143.216.155,
                                       95.174.65.246, 95.181.198.140



Trojan C&C Servers September 2-8 2019



Common Malware



Malware Type                      MD5                                Typical Filename
Win.Trojan.Generic::in10.talos    47b97de62ae8b2b927542aa5d7f3c858   qmreportupload.exe
W32.9A082883AD-100.SBX.TG         7a6f7f930217521e47c7b8d91fb79649   DHL Scan File.img
W32.7ACF71AFA8-95.SBX.TG          4a50780ddb3db16ebab57b0ca42da0fb   xme64-2141.exe
W32.1755C179F0-100.SBX.TG         c785a8b0be77a216a5223c41d8dd937f   cslast.gif
W32.093CC39350-100.SBX.TG         3c7be1dbe9eecfc73f4476bf18d1df3f   sayext.gif
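To turn the C&C and malware tables above into something a SOC can run, the following is an added example (not part of the report) that indexes the C&C IPs from the "Remote Access Trojan C&C Servers Found" table and the MD5s from the "Common Malware" table, then matches them against log lines. The sample lines, their field names (src=, dst=, md5=) and host names are constructed for the example and are not real telemetry. Note that 194.67.78.6 is listed under both Azorult and LokiBot, so the index maps an IP to a set of families rather than a single name.

```python
import re
from collections import defaultdict

# C&C server IPs from the report's "Remote Access Trojan C&C Servers Found" table.
CC_SERVERS = {
    "Azorult": ["85.213.211.34", "194.67.78.6", "82.202.173.113"],
    "BabyBotNet": ["77.222.62.31"],
    "KPOT": ["5.188.231.105"],
    "KpotStealer": ["47.88.102.244", "8.209.72.105"],
    "LokiBot": ["104.24.122.167", "104.27.157.100", "194.67.78.6"],
    "Pony": ["104.144.198.27", "116.0.23.168"],
    "PredatorTheThief": ["31.184.196.206"],
    "TrickBot": [
        "107.155.137.12", "107.160.141.53", "107.173.160.18", "107.173.160.19",
        "107.173.160.22", "107.173.90.220", "107.174.66.214", "172.106.131.104",
        "184.164.142.51", "185.142.99.59", "185.183.99.146", "185.222.202.29",
        "185.235.130.84", "185.45.193.76", "190.109.189.119", "190.144.89.82",
        "192.3.104.38", "193.26.217.140", "194.5.250.53", "194.87.147.184",
        "212.73.150.188", "217.12.210.216", "31.202.132.179", "45.138.157.55",
        "45.80.148.53", "51.254.69.225", "66.55.71.112", "68.168.123.85",
        "79.124.49.206", "85.143.216.155", "95.174.65.246", "95.181.198.140",
    ],
}

# MD5 -> label from the report's "Common Malware" table (lower-case keys).
MALWARE_MD5 = {
    "47b97de62ae8b2b927542aa5d7f3c858": "qmreportupload.exe (Win.Trojan.Generic::in10.talos)",
    "7a6f7f930217521e47c7b8d91fb79649": "DHL Scan File.img (W32.9A082883AD-100.SBX.TG)",
    "4a50780ddb3db16ebab57b0ca42da0fb": "xme64-2141.exe (W32.7ACF71AFA8-95.SBX.TG)",
    "c785a8b0be77a216a5223c41d8dd937f": "cslast.gif (W32.1755C179F0-100.SBX.TG)",
    "3c7be1dbe9eecfc73f4476bf18d1df3f": "sayext.gif (W32.093CC39350-100.SBX.TG)",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def build_ip_index(cc_servers):
    """Invert family -> IPs into IP -> {families}; one IP may serve several families."""
    index = defaultdict(set)
    for family, ips in cc_servers.items():
        for ip in ips:
            index[ip].add(family)
    return index


def scan_logs(lines, cc_servers=CC_SERVERS, md5s=MALWARE_MD5):
    """Return (line_no, kind, indicator, label) for every IOC hit, in log order.
    line_no is 1-based; kind is 'cnc' or 'md5'; hashes match case-insensitively."""
    ip_index = build_ip_index(cc_servers)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ip_index:
                hits.append((line_no, "cnc", ip, ",".join(sorted(ip_index[ip]))))
        for digest in MD5_RE.findall(line):
            digest = digest.lower()
            if digest in md5s:
                hits.append((line_no, "md5", digest, md5s[digest]))
    return hits


# Constructed sample lines in a firewall and an EDR style; not real telemetry.
SAMPLE_LOGS = [
    "2019-09-03T10:14:22Z fw01 action=allow src=10.20.4.17 dst=194.67.78.6 dport=443 proto=tcp",
    "2019-09-03T10:15:01Z fw01 action=allow src=10.20.4.17 dst=8.8.8.8 dport=53 proto=udp",
    "2019-09-03T11:02:45Z edr host=WS0412 event=process_create "
    "path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\qmreportupload.exe md5=47B97DE62AE8B2B927542AA5D7F3C858",
    "2019-09-04T08:30:09Z fw01 action=deny src=10.20.7.3 dst=107.155.137.12 dport=449 proto=tcp",
    "2019-09-04T09:00:00Z edr host=WS0199 event=file_write "
    "path=C:\\Users\\asmith\\Downloads\\invoice.pdf md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for line_no, kind, indicator, label in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} {indicator} -> {label}")
```

A denied connection (line 4 in the sample) is still worth a ticket: the firewall stopped the beacon, but the host that tried to reach a TrickBot C&C is already infected. Matching on MD5 alone is weak against repacked samples, so treat the hash hits as a starting point and pivot on filename and path as well.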



CVEs For Which Public Exploits Have Been Detected


ID:        CVE-2019-0708
Title:    Microsoft Remote Desktop Services Remote Code Execution Vulnerability
Vendor:    Microsoft
Description: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-12643
Title:    Cisco IOS XE REST API Container Software Authentication Bypass Vulnerability
Vendor:    Cisco
Description: The vulnerability resides in the Cisco REST API virtual service container but affects devices running Cisco IOS XE Software when exploited. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. Cisco rates the issue at the maximum CVSS v3 base score of 10.0.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1663
Title:    Cisco Routers Remote Command Execution Vulnerability
Vendor:    Cisco
Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. A remote attacker can exploit this issue to execute arbitrary commands on the host operating system with escalated privileges.
CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-1622
Title:    Cisco Data Center Network Manager Information Disclosure Vulnerability
Vendor:    Cisco
Description: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.
CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-1935
Title:    Cisco UCS Director Unauthenticated Remote Access Vulnerability
Vendor:    Cisco
Description: A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. Combined with further coding errors in the same products, an unauthenticated remote attacker with no privileges can bypass authentication and abuse a password change function to inject arbitrary commands and execute code as root.
CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Details
Date Published
September 09, 2019