Threat Intelligence Report January 18th

Trends

The top attacker country was China with 84790 unique attackers (48.42%).
The top Trojan C&C server detected was Lokibot with 87 instances detected.
The top phishing campaign detected was against Facebook accounts with 47 instances detected.

Singapore increases Cybersecurity labelling scheme to include all IoT devices.

Singapore has widened its cybersecurity labelling scheme (CSL) to include all consumer Internet of Things (IoT) devices such as smart lights, smart door locks, smart printers, and IP cameras. 

It was launched last October as a part of the Singaporean Government's Safer Cyberspace Master Plan, focusing on enhancing IoT security, boosting cyber hygiene, and safeguarding the countries' cyberspace. 

The CLS marks a first in the Asia Pacific region and compromises different levels of cybersecurity ratings designed to help consumers make informed decisions about the security features of any smart devices they purchase. 

Hacker leaks data of 2.28 million dating users on the dark web

The infamous ShineyHunters has published the personally identifiable (PII) data of over 2.28 million MeetMindful users. According to our Security Researchers, the data is currently freely available for download on popular hacking forums renowned for its trade-in hacked databases. 

The leaked data includes a wealth of highly sensitive information including users’ real names, marital status, email addresses, Facebook User IDs, IP addresses, birth dates and geographical location. Enabling cybercriminals to trace back the user profiles to their real-world identities easily.

Top Attackers By Country

Country	Occurences	Percentage
China	84790	48.42%
United States	58854	33.61%
France	5115	2.92%
India	3995	2.28%
Russia	3417	1.95%
South Korea	2948	1.68%
Czech Republic	2751	1.57%
Peru	2529	1.44%
Iran	2467	1.40%
Colombia	2368	1.35%
Hong Kong	1527	0.87%
Japan	1431	0.81%
Vietnam	1234	0.70%
Taiwan	928	0.53%
Ukraine	732	0.41%

Top Attackers By Country

China
United States
France
India
Others

Threat Geo-location

Top Attacking Hosts

Host	Occurrences
49.88.112.117	16006
124.133.230.74	8554
34.200.247.158	4844
112.85.42.67	4831
63.143.42.242	4407
146.158.59.197	2382
101.53.155.115	2299
179.6.32.192	2083
69.162.124.234	1412
106.75.251.169	1275
210.10.195.62	1254
218.92.0.202	1229
218.93.225.150	1156
43.226.152.45	1021
140.143.233.218	945

Top Attackers

Top Network Attackers

ASN	Country	Name
4134	China	CHINANET-BACKBONE No.31,Jin-rong Street, CN
4837	China	CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
14618	United States	AMAZON-AES, US
46475	United States	LIMESTONENETWORKS, US
60754	Ukraine	DIANET-NET, UA
17439	India	NETMAGIC-AP Netmagic Datacenter Mumbai, IN
12252	Peru	America Movil Peru S.A.C., PE
4812 17621	China	CHINANET-SH-AP China Telecom (Group), CN CNCGROUP-SH China Unicom Shanghai network, CN
134762	China	CHINANET-LIAONING-DALIAN-MAN CHINANET Liaoning province Dalian MAN network, CN
45090	China	CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN

Remote Access Trojan C&C Servers Found

Name	Number Discovered	Location
AgentTesla	1	104.21.61.246
Amadey	2	34.91.107.182 , 45.143.137.155
Anubis	1	91.203.193.126
Azorult	1	140.238.70.203
Azorut	12	aziri.xyz , dragonfire.ac.ug , dsadasq1.xyz , gobigonbig.info , googlmail.ml , hophip.pw , marachushka.ac.ug , mogila.ac.ug , nicehache.pw , rollscar.pk , rossbellfort.hk , topbelporn.online
BlackRock	1	91.214.124.196
DiamondFox	2	35.228.195.166 , 5.101.218.70
Heodo	22	108.53.88.101 , 115.21.224.117 , 12.175.220.98 , 143.0.85.206 , 162.241.204.233 , 180.222.161.85 , 181.10.46.92 , 195.159.28.230 , 201.212.61.66 , 201.48.121.65 , 209.33.120.130 , 217.160.169.110 , 2.58.16.88 , 51.255.203.164 , 65.32.168.171 , 69.38.130.14 , 75.113.193.72 , 78.182.254.231 , 79.130.130.240 , 84.232.229.24 , 88.58.209.2 , 91.233.197.70
Lokibot	88	0.0.0.0 , 104.21.39.32 , 104.237.252.85 , 13.248.196.204 , 154.85.217.221 , 185.212.131.52 , 185.219.41.233 , 185.252.147.215 , 192.42.116.41 , 192.53.126.66 , 192.64.119.61 , 195.123.245.250 , 198.58.118.167 , 204.11.56.48 , 23.81.215.233 , 3.140.151.209 , 3.16.142.83 , 41.185.20.130 , 45.128.206.183 , 45.138.72.171 , 45.142.202.11 , 45.33.23.183 , 45.33.2.79 , 45.56.79.23 , 45.79.19.196 , 79.124.78.43 , 89.235.184.237 , 95.181.152.82 , 96.126.123.244 , acptw.icu , arctech--vn.com , babaseoa.com , baiksan-kr.com , bazenga.icu , birlesikmetal-pt.com , birn.xyz , biznatvigator.com , bridgecornenterprises.com , bundasteels.com , clogwars.com , cqoserve.com , dell2.ug , doosantax.com , eurotachdev.com , everest--sh.com , flexpak-th.com , gruputsk.com , gtigtex.info , gxd3fp7fe7cac6jzn2sac.online , hfktichen.com , hotkey--cn.com , illinosblower.com , kataoka.icu , kibcorporete.com , lapphuongshoe.com , leadiingstar-vn.com , lronman4x4.com , mairon-hk.com , memitzrl.com , mirka-sg.com , nedlep.com , nileloqistics.com , onecommerce-ph.com , oppws.cn , palacegrades.com , papanwa.com , plikerss.hk , premacorceb.com , qasaklazik.xyz , rikolexx.com , sbszipperlh.com , sibarzz.xyz , sieqwarteg.com , skity.hk , st-enq.com , suksez-ab.com , suzhuogz.com , traucotravel.com , tsq-hk.com , unimasa.icu , unimase.icu , vancelogistics-au.com , vicomdistribucion.top , videce.com , wilfredzaha.cf , wohinqfood.com , zdwallcoveing.com , zjgkft.com
MassLogger	1	144.91.112.76
Redirected	2	172.104.129.156 , 172.104.136.122
RedLine	4	gtf0ymewg.xyz , huesosinaebanayanahuiblyat.xyz , saftopl34.top , yuttttttttttttttttrrrrrrhhhhhhvbhjgfhj.xyz
TrickBot	7	149.56.80.31 , 3.14.70.198 , 3.19.60.159 , 34.224.74.175 , 54.227.41.29 , 64.74.160.233 , 85.204.116.83
Zloader	1	185.240.102.113

Trojan C&C Servers Detected

Azorut
Heodo
Lokibot
Redline
Trickbot
Other

Common Malware

MD5	VirusTotal	FileName	Claimed Product	Detection Name
176e303bd1072273689db542a7379ea9	https://www.virustotal.com/gui/file/8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4/details	FlashHelperService.exe	FlashHelperService	W32.Variant.24cl.1201
34560233e751b7e95f155b6f61e7419a	https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details	SAntivirusService.exe	AntivirusService	PUA.Win.Dropper.Segurazo::tpd
8c80dd97c37525927c1e549cb59bcbf3	https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection	Eternalblue-2.2.0.exe	N/A	Win.Exploit.Shadowbrokers::5A5226262.auto.talos
8193b63313019b614d5be721c538486b	https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details	SAService.exe	SAService	PUA.Win.Dropper.Segurazo::95.sbx.tg
0083bc511149ebc16109025b8b3714d7	https://www.virustotal.com/gui/file/6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30/details	webnavigatorbrowser.exe	WebNavigatorBrowser	W32.763D0F405C-100.SBX.VIOC

Top Phishing Campaigns

Phishing Target	Count
Other	988
Facebook	47
Allegro	12
Caixa	2
Amazon.com	9
Netflix	7
Yahoo	1
Vodafone	9
Skype	1
Special	1
Microsoft	3
Adobe	2
Rakuten	2
Halifax	14
PayPal	4
Orange	1
Google	1
TSB	4
Apple	2
Instagram	1
Virustotal	1

CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor	Description	CVSS v3.1 Base Score	Date Created	Date Updated
CVE-2020-29583 Zyxel Firewalls And AP Controller Hardcoded Credential Vulnerability Zyxel	Firmware version Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.	CVSSv3BaseScore:9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	12/22/2020	01/14/2021
CVE-2021-3007 Zend Framework Remote Code Execution Vulnerability Zend	Zend Framework has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the ZendHttpResponseStream class in Stream.php.	CVSSv3BaseScore:9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	01/03/2021	01/19/2021
CVE-2020-25681 DNS Forwarder dnsmasq multiple Vulnerabilities Multi-Vendor	A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine.	CVSSv3BaseScore:9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	01/20/2021	01/26/2021
CVE-2020-29015 FortiWeb Blind SQL Injection Vulnerability Fortinet	A blind SQL injection in the user interface of FortiWeb that may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.	CVSSv3BaseScore:9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	01/14/2021	01/20/2021
CVE-2020-10148 SolarWinds Orion API Authentication Bypass Vulnerability SolarWinds	The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.	CVSSv3BaseScore:9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	12/29/2020	12/31/2020
CVE-2020-3452 Cisco ASA Remote File Disclosure Vulnerability Cisco	A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.	CVSSv3BaseScore:7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)	07/22/2020	12/15/2020
CVE-2020-17096 Microsoft Windows NTFS Remote Code Execution Vulnerability Microsoft	Microsoft Windows is exposed to NTFS remote code execution vulnerability. A local attacker could run a specially crafted application that would elevate the attacker's privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system.	CVSSv3BaseScore:8.8(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	12/09/2020	12/10/2020
CVE-2021-2109 Oracle WebLogic Server Vulnerability Oracle	A vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.	CVSSv3BaseScore:7.2(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)	01/20/2021	01/26/2021

Details

Date Published

January 28, 2021

Threat Intelligence Report January 18th - January 24th 2021

Trends

Top Attackers By Country

Top Attackers By Country

Threat Geo-location

Top Attacking Hosts

Top Attackers

Top Network Attackers

Remote Access Trojan C&C Servers Found

Trojan C&C Servers Detected

Common Malware

Top Phishing Campaigns

CVEs with Recently Discovered Exploits

CVE-2020-29583

Zyxel

CVE-2021-3007

Zend

CVE-2020-25681

Multi-Vendor

CVE-2020-29015

Fortinet

CVE-2020-10148

SolarWinds

CVE-2020-3452

Cisco

CVE-2020-17096

Microsoft

CVE-2021-2109

Oracle

Search

Categories

Questions?
Get in Touch

Subscribe to our weekly
Threat Intelligence Report

Subscribe to our
Newsletter

Trends

Top Attackers By Country

Top Attackers By Country

Threat Geo-location

Top Attacking Hosts

Top Attackers

Top Network Attackers

Remote Access Trojan C&C Servers Found

Trojan C&C Servers Detected

Common Malware

Top Phishing Campaigns

CVEs with Recently Discovered Exploits

CVE-2020-29583

Zyxel

CVE-2021-3007

Zend

CVE-2020-25681

Multi-Vendor

CVE-2020-29015

Fortinet

CVE-2020-10148

SolarWinds

CVE-2020-3452

Cisco

CVE-2020-17096

Microsoft

CVE-2021-2109

Oracle

Categories

Questions?​​​​​​​Get in Touch

Subscribe to our weekly Threat Intelligence Report

Subscribe to our Newsletter

Questions?
Get in Touch

Subscribe to our weekly
Threat Intelligence Report

Subscribe to our
Newsletter