Threat Intel Banner

   
   Trends

  • The top attacker country was Russia with 212,386 unique attackers (33.96%).
  • The top Trojan C&C server detected was Lokibot with 14 instances detected.
  • The top phishing campaign detected was against Facebook with 46 instances detected.


   Top Attackers By Country

Country          Occurrences   Percentage
Russia               212,386       33.96%
China                175,371       28.04%
United States         88,293       14.12%
India                 70,907       11.34%
Brazil                12,172        1.95%
Indonesia             11,665        1.87%
Germany                8,981        1.44%
Vietnam                8,458        1.35%
Canada                 7,756        1.24%
Hong Kong              7,081        1.13%
Seychelles             5,815        0.93%
Nigeria                4,013        0.64%
Belize                 3,472        0.56%
Thailand               2,806        0.45%
Isle of Man            2,162        0.35%
Cambodia               2,072        0.33%
Azerbaijan             2,034        0.33%

[Pie chart: Top Attackers by Country. Russia 34%, China 28%, United States 14.1%, India 11.3%, all other countries 12.5%.]

   
   Threat Geo-location

[World map of unique attackers per country; colour scale runs from 2,034 (Azerbaijan) to 212,386 (Russia).]

   
  Top Attacking Hosts

Host              Occurrences
92.63.196.13           51,655
61.177.173.26          36,282
45.146.165.123         29,852
45.146.165.196         24,003
45.146.164.84          23,418
45.143.200.34          23,289
195.54.161.152         17,656
61.177.173.25          15,601
61.177.173.18          14,636
86.27.113.91           14,155
89.248.165.44          13,488
45.146.164.198         12,228
202.103.149.100         9,399
95.217.217.112          7,064
185.40.4.115            5,815
103.70.144.246          5,518
103.4.237.53            5,338
103.145.13.120          5,061

Three of these hosts sit in 61.177.173.0/24 and four in 45.146.164.0/23, so those ranges are worth watching as a whole rather than as single addresses.


   Top Network Attackers

ASN      Country          Name
47981    Netherlands      FOPSERVER, UA
4134     China            CHINANET-BACKBONE No.31,Jin-rong Street, CN
49505    Russia           SELECTEL, RU
212283   Bulgaria         ROZA-AS, BG
5089     United Kingdom   NTL, GB
202425   Netherlands      INT-NETWORK, SC
24940    Finland          HETZNER-AS, DE
50113    Russia           SUPERSERVERSDATACENTER, CZ
133647   India            ELXIREDATA-AS-IN ELXIRE DATA SERVICES PVT. LTD., IN
131476   Australia        FUSIONBB-AU 10/50 Market St, AU
213371   Netherlands      SQUITTER-NETWORKS, NL

The two-letter suffix on the name is the registry's country code for the autonomous system; it need not match the country where the attacking addresses were located, which is what the Country column records.


   Remote Access Trojan C&C Servers Found

Name           Number Discovered   Location
AgentTesla      6   103.133.105.179, 193.56.29.110, 66.198.240.47, 67.20.61.67, 95.181.164.213, 96.127.138.234
Amadey          1   185.215.113.28
Azorult         4   140.82.13.202, 149.28.226.192, 173.230.150.192, 27.122.57.229
BlackNet        6   145.14.145.167, 145.14.145.90, 172.67.213.209, 185.239.243.112, 52.240.152.251, 62.221.252.239
CobaltStrike   10   101.32.209.205, 13.49.66.227, 144.48.220.43, 185.10.68.203, 185.14.29.184, 185.14.29.41, 195.123.209.221, 3.233.224.182, 37.120.222.73, 47.243.44.143
DiamondFox      4   176.111.174.118, 176.111.174.123, 213.159.203.232, 92.63.97.22
KeitaroTDS      2   188.119.112.9, 193.38.54.145
Kpot            1   162.0.219.161
LiteHTTP        1   217.28.222.80
Lokibot        14   104.168.140.79, 108.167.188.182, 185.209.1.110, 192.185.113.23, 203.159.80.29, 27.122.57.229, 31.210.20.71, 34.65.83.88, 34.75.102.212, 5.180.186.227, 5.2.75.32, 74.119.195.169, 8.209.69.174, b2bseller.ga
Oski            6   104.168.138.96, 45.144.225.118, 45.85.90.220, 45.85.90.86, 95.217.40.222, f0xnet.tk
Pony            1   110.5.109.60
Redirected      1   176.111.174.61
Redline        10   109.234.35.198, 178.157.91.38, 193.124.112.206, 213.183.41.60, 3.81.114.252, 45.133.235.227, 45.142.214.163, 94.103.86.26, 95.217.124.100, heniav.xyz
Saint           1   31.210.20.4
Seth            1   35.199.126.54
Taurus          1   8.209.110.86

Note that 27.122.57.229 is listed under both Azorult and Lokibot, and that several of the addresses (3.x, 13.x, 34.x, 35.x, 52.x, 172.67.x) fall in public-cloud or CDN space, where a single IP can be shared with legitimate tenants.
[Pie chart: Trojan C&C Servers Detected, 70 servers in total. Lokibot 20%, CobaltStrike 14.3%, Redline 14.3%, AgentTesla 8.6%, BlackNet 8.6%, Oski 8.6%, Azorult 5.7%, DiamondFox 5.7%, KeitaroTDS 2.9%, all single-instance families combined 11.4%.]

   
   Common Malware

MD5:              8193b63313019b614d5be721c538486b
VirusTotal:       https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
File name:        SAService.exe
Claimed product:  SAService
Detection name:   PUA.Win.Dropper.Segurazo::95.sbx.tg

MD5:              9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal:       https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
File name:        ww31.exe
Claimed product:  N/A
Detection name:   W32.GenericKD:Attribute.24ch.1201

MD5:              96f8e4e2d643568cf242ff40d537cd85
VirusTotal:       https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details
File name:        SAService.exe
Claimed product:  SAService
Detection name:   PUA.Win.File.Segurazo::95.sbx.tg

MD5:              34560233e751b7e95f155b6f61e7419a
VirusTotal:       https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
File name:        SAntivirusService.exe
Claimed product:  A n t i v i r u s S e r v i c e
Detection name:   PUA.Win.Dropper.Segurazo::tpd

MD5:              8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:       https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
File name:        Eternalblue-2.2.0.exe
Claimed product:  N/A
Detection name:   Win.Exploit.Shadowbrokers::5A5226262.auto.talos
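The C&C and Common Malware tables above are only useful once they are matched against your own telemetry. The following is an added example written for this page, not code from the banner's publisher: it loads a subset of the network indicators and MD5s listed above, scans constructed key=value events in the style of a proxy/firewall log and an EDR feed, and reports which family each hit belongs to. It keeps a set of families per indicator, because 27.122.57.229 is listed under both Azorult and Lokibot, and it flags hits that fall inside shared CDN or public-cloud prefixes so an analyst confirms them before writing a block rule. The two shared prefixes, the sample events and the field names are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict

# Network IOCs copied from the banner's C&C table above (a subset for brevity).
# The same address can be listed under more than one family (27.122.57.229 appears
# for both Azorult and Lokibot), so the lookup index maps an indicator to a set.
CNC_IOCS = {
    "Azorult":      ["140.82.13.202", "27.122.57.229"],
    "Lokibot":      ["27.122.57.229", "185.209.1.110", "b2bseller.ga"],
    "Oski":         ["45.85.90.220", "f0xnet.tk"],
    "Redline":      ["3.81.114.252", "heniav.xyz"],
    "BlackNet":     ["172.67.213.209"],
    "CobaltStrike": ["185.14.29.41"],
}

# File-hash IOCs copied from the Common Malware table above.
MALWARE_MD5 = {
    "8193b63313019b614d5be721c538486b": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
    "8c80dd97c37525927c1e549cb59bcbf3": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
}

# Prefixes of shared infrastructure (CDN edge, public cloud). A C&C hit inside one of
# these is a hunting lead, not a firewall rule: the address serves other tenants too.
# These two prefixes are the editor's assumptions, not from the banner; use your own list.
SHARED_PREFIXES = [
    ipaddress.ip_network("172.64.0.0/13"),  # Cloudflare (assumption)
    ipaddress.ip_network("3.80.0.0/12"),    # AWS EC2 (assumption)
]

# Constructed events (not real logs) in key=value form: four network events and one
# EDR file event. The MD5 is deliberately upper-case to exercise normalisation.
SAMPLE_EVENTS = [
    "2021-04-13T10:01:22Z src=10.0.0.5 dst=27.122.57.229 dport=80 host=- action=allow",
    "2021-04-13T10:02:03Z src=10.0.0.7 dst=104.21.5.9 dport=443 host=heniav.xyz action=allow",
    "2021-04-13T10:03:44Z src=10.0.0.9 dst=172.67.213.209 dport=443 host=- action=allow",
    "2021-04-13T10:04:10Z src=10.0.0.5 dst=93.184.216.34 dport=443 host=example.com action=allow",
    "2021-04-13T10:05:00Z src=10.0.0.11 file=Eternalblue-2.2.0.exe md5=8C80DD97C37525927C1E549CB59BCBF3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def build_index(cnc_iocs):
    """Invert family -> [indicator] into indicator -> {families}, lower-cased."""
    index = defaultdict(set)
    for family, indicators in cnc_iocs.items():
        for ioc in indicators:
            index[ioc.lower()].add(family)
    return index


def in_shared_prefix(value, prefixes=SHARED_PREFIXES):
    """True if value is an IP address inside one of the shared prefixes."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:  # hostnames are never "shared" in this sense
        return False
    return any(addr in net for net in prefixes)


def match_event(line, index, md5s=MALWARE_MD5):
    """Return the list of hits for one event (empty if nothing matched)."""
    fields = dict(FIELD_RE.findall(line))
    hits = []
    for key in ("dst", "host"):
        value = fields.get(key, "-").lower().rstrip(".")
        if value in index:
            hits.append({"field": key, "indicator": value,
                         "families": sorted(index[value]),
                         "shared_infra": in_shared_prefix(value)})
    digest = fields.get("md5", "").lower()
    if digest in md5s:
        hits.append({"field": "md5", "indicator": digest,
                     "families": [md5s[digest]], "shared_infra": False})
    return hits


def scan(lines, cnc_iocs=CNC_IOCS):
    """Scan events; return [(line, hits)] for every line with at least one hit."""
    index = build_index(cnc_iocs)
    results = []
    for line in lines:
        hits = match_event(line, index)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS):
        for h in hits:
            flag = "  [shared infrastructure: confirm before blocking]" if h["shared_infra"] else ""
            print(f"{line.split()[0]} {h['field']}={h['indicator']} -> {', '.join(h['families'])}{flag}")
```

Run as is, it reports four of the five sample events: the Azorult/Lokibot address, the Redline domain seen in the Host header even though the destination IP is not an indicator, the BlackNet address flagged as shared infrastructure, and the EternalBlue MD5. Feeding the full tables in is a matter of extending the two dictionaries.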


   Top Phishing Campaigns

Phishing Target   Count
Facebook             46
Other              1325
Microsoft             7
PayPal               12
RuneScape             8
LinkedIn              2
Caixa                 3
Adobe                 1
Amazon.com           20
MyEtherWallet         2
Playfish              1
Nets                  1
Vodafone              5
Halifax               1
DHL                   3
WeTransfer            4
Allegro               1
VKontakte             1
Special               1
Netflix               1
TSB                   1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE-2021-30177: SQL Injection Vulnerability in PHP-Nuke
Vendor: PHP-Nuke
Description: There is a SQL injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. It occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 04/07/2021   Date updated: 04/13/2021

CVE-2021-28925: SQL Injection Vulnerability in Nagios Network Analyzer
Vendor: Nagios
Description: SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 04/08/2021   Date updated: 04/13/2021

CVE-2021-24175: Authentication Bypass Vulnerability in The Plus Addons for Elementor WordPress Plugin
Vendor: Posimyth
Description: The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by providing only the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 04/05/2021   Date updated: 04/09/2021

CVE-2021-1871: Remote Code Execution Vulnerability in macOS Big Sur
Vendor: Apple
Description: A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 04/02/2021   Date updated: 04/12/2021

CVE-2020-17523: Authentication Bypass Vulnerability in Apache Shiro
Vendor: Apache
Description: In Apache Shiro before 1.7.1, when Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 02/03/2021   Date updated: 04/12/2021

CVE-2021-22986: Remote Code Execution Vulnerability in F5 BIG-IP
Vendor: F5
Description: This vulnerability allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. It can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
CVSS v3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date created: 03/31/2021   Date updated: 04/05/2021

CVE-2021-21983: Arbitrary File Write Vulnerability in VMware vRealize Operations Manager
Vendor: VMware
Description: An arbitrary file write vulnerability in the vRealize Operations Manager API prior to 8.4 may allow an authenticated malicious actor with network access to the API to write files to arbitrary locations on the underlying Photon operating system.
CVSS v3.1 base score: 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
Date created: 03/31/2021   Date updated: 04/05/2021