Threat Intel Banner

   
Trends

  • The top attacker country was China with 206495 unique attackers (54.3%).
  • The top Trojan C&C server detected was Collector with 3 instances detected.
  • The top phishing campaign detected was against Facebook with 48 instances detected.


Top Attackers By Country

Country Occurrences Percentage
China 206495 54.26%
United States 91355 24.01%
India 16650 4.38%
Russia 14989 3.94%
Indonesia 9225 2.42%
Brazil 8329 2.19%
Singapore 6697 1.76%
Vietnam 5738 1.51%
Pakistan 4308 1.13%
Colombia 3496 0.92%
South Korea 3049 0.80%
Bulgaria 2359 0.62%
Thailand 2196 0.58%
Mexico 1871 0.49%
France 1593 0.42%
Belize 1484 0.39%
Bangladesh 698 0.18%

   
Threat Geo-location

(World map of attacker geo-location; colour scale from 698 to 206,495 unique attackers per country, matching the table above.)

   
Top Attacking Hosts



Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
24444 China CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
5607 United Kingdom BSKYB-BROADBAND-AS, GB
7545 Australia TPG-INTERNET-AP TPG Telecom Limited, AU
14061 United States DIGITALOCEAN-ASN, US
213371 Netherlands SQUITTER-NETWORKS, NL
49877 Moldova RMINJINERING, RU
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
63612 China XIAONIAOYUN Shenzhen Qianhai bird cloud computing Co. Ltd., CN
46475 United States LIMESTONENETWORKS, US
24560 India AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN
23700 Indonesia FASTNET-AS-ID Linknet-Fastnet ASN, ID
8220 Italy COLT COLT Technology Services Group Limited, GB
18881 Brazil TELEFONICA BRASIL S.A, BR
7552 Vietnam VIETEL-AS-AP Viettel Group, VN
17557 Pakistan PKTELECOM-AS-PK Pakistan Telecommunication Company Limited, PK


Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 1 104.21.35.90
Amadey 1 193.164.16.141
Collector 3 141.8.192.151, 141.8.193.236, 185.50.25.35
DiamondFox 1 212.192.241.97
Lokibot 1 172.67.185.42

    
Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
f2c1aa209e185ed50bf9ae8161914954 https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details webnavigatorbrowser.exe WebNavigatorBrowser W32.5524FEE1BB.5A6DF6a61.auto.Talos
6be10a13c17391218704dc24b34cf736 https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd


Top Phishing Campaigns

Phishing Target Count
PayPal 6
Other 1360
Adobe 6
Facebook 48
Microsoft 8
Accurint 1
Google 3
Steam 23
DHL 3
Amazon.com 5
Hermes 2
Visa 2
Allegro 2
Rakuten 1
Orange 1
MyEtherWallet 1
Nets 1
Caixa 1


CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor, Description, CVSS v3.1 Base Score, Date Created, Date Updated

CVE-2020-6364

Code Injection Vulnerability in SAP Solution Manager

SAP

SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager, leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 10/14/2020 06/17/2021

CVE-2021-32637

Authentication Bypass Vulnerability in Authelia

Authelia

Authelia is a single sign-on multi-factor portal for web apps. This affects users who are using nginx ngx_http_auth_request_module with Authelia; it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back port this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version; the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contain a malformed URI in the internal location block. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 05/28/2021 06/09/2021

CVE-2021-27905

Server Side Request Forgery Vulnerability in Apache Solr Core

Apache

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 04/13/2021 06/11/2021
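As an added illustration (not Solr's own code), this Python check models the missing control the description points at: a replication source URL is accepted only when its host and port appear in an explicitly configured allowlist, the way the description says Solr already gated the "shards" parameter. The "host:port" allowlist format, the helper names and the solr*.internal hostnames are this example's assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # the only schemes a replication source may use


def _endpoint(url):
    """Return (scheme, host, port) for url, or None when the URL cannot be trusted."""
    try:
        p = urlsplit(url)
        port = p.port                      # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme not in DEFAULT_PORTS:     # no file:, ftp:, gopher:, etc.
        return None
    if p.username is not None or p.password is not None:
        return None                        # "http://solr1:8983@other-host/" must not pass
    if not p.hostname:
        return None
    return p.scheme, p.hostname, port or DEFAULT_PORTS[p.scheme]


def build_allowlist(entries):
    """Normalise 'host:port' entries (assumed format, like a shards allowlist) to (host, port)."""
    allowed = set()
    for entry in entries:
        p = urlsplit("//" + entry.strip())  # reuse the URL parser for IPv6 brackets and casing
        if p.hostname and p.port:
            allowed.add((p.hostname, p.port))
    return allowed


def allowed_master_url(master_url, allowlist):
    """Accept a replication source only if its host:port was explicitly configured."""
    ep = _endpoint(master_url)
    if ep is None:
        return False
    _scheme, host, port = ep
    return (host, port) in allowlist


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    allow = build_allowlist(["solr1.internal:8983", "[::1]:8983"])
    for url in ("http://solr1.internal:8983/solr/core1/replication",
                "http://solr1.internal:8983@other-host.example/",
                "http://solr1.internal:9983/solr/",
                "ftp://solr1.internal:8983/"):
        print(allowed_master_url(url, allow), url)
```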

CVE-2021-33574

Buffer Overflow Vulnerability in GNU

GNU

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/25/2021 06/13/2021

CVE-2021-30461

Remote Code Execution Vulnerability in VoIP Monitor

VoIP Monitor

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/29/2021 06/09/2021

CVE-2021-25641

Deserialization Vulnerability in Apache Dubbo Server

Apache

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, i.e., not following the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 06/01/2021 06/10/2021
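An added Python sketch, not Dubbo's own code, of the provider-side rule that closes the gap described above: the serialization id is read from the low bits of the header flags byte and the frame is refused if it does not match the id the server configured, before any body bytes reach a deserializer. The 16-byte header layout and the id values (Hessian2 = 2, Kryo = 8, FST = 9) are this example's assumptions about the Dubbo wire format; confirm them against your version.

```python
import struct

# Assumed 16-byte exchange header: magic, flags, status, request id, body length (not Dubbo's code).
DUBBO_MAGIC = 0xDABB
HEADER_FMT = ">HBBqI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16
FLAG_REQUEST = 0x80
FLAG_TWOWAY = 0x40
SERIALIZATION_MASK = 0x1F                  # low 5 bits of the flags byte carry the serialization id
# Serialization ids assumed for this example; confirm them against your Dubbo version.
HESSIAN2, KRYO, FST = 2, 8, 9


def build_header(serialization_id, request_id, body_len, two_way=True):
    """Client-side header construction, used here only to build test frames."""
    flags = FLAG_REQUEST | (FLAG_TWOWAY if two_way else 0) | (serialization_id & SERIALIZATION_MASK)
    return struct.pack(HEADER_FMT, DUBBO_MAGIC, flags, 0, request_id, body_len)


def parse_header(buf):
    """Decode the fixed header; refuse malformed frames instead of guessing."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    magic, flags, status, request_id, body_len = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    if magic != DUBBO_MAGIC:
        raise ValueError("bad magic 0x%04x" % magic)
    return {
        "is_request": bool(flags & FLAG_REQUEST),
        "serialization_id": flags & SERIALIZATION_MASK,   # what the client *claims* it used
        "status": status,
        "request_id": request_id,
        "body_len": body_len,
    }


def accept_request(buf, configured_id):
    """Provider-side rule: the client's declared serialization id must equal the configured one.

    Returns (accepted, reason); a mismatch is refused before any body bytes reach a deserializer.
    """
    try:
        hdr = parse_header(buf)
    except ValueError as exc:
        return False, str(exc)
    if not hdr["is_request"]:
        return False, "not a request frame"
    if hdr["serialization_id"] != configured_id:
        return False, "serialization id %d != configured %d" % (hdr["serialization_id"], configured_id)
    return True, "ok"
```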

CVE-2021-33180

SQL Injection Vulnerability in Synology Media Server

Synology

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 06/01/2021 06/08/2021
Details

Date Published: June 24, 2021