Threat Intel Banner

   
   Trends

  • The top attacker country was China with 142,337 occurrences (57.37% of attacks).
  • The top Trojan C&C family detected was Redline, with 23 servers detected.
  • The top phishing campaign detected targeted Facebook, with 37 instances detected.


   Top Attackers By Country

Country                 Occurrences   Percentage
China                       142,337       57.37%
United States                63,126       25.44%
India                         8,830        3.56%
Bulgaria                      5,182        2.09%
Singapore                     4,884        1.97%
France                        4,404        1.77%
Germany                       2,736        1.10%
Vietnam                       2,690        1.08%
Netherlands                   2,327        0.94%
Indonesia                     2,255        0.91%
Taiwan                        1,800        0.73%
Thailand                      1,499        0.60%
Ukraine                       1,438        0.58%
United Arab Emirates          1,385        0.56%
Colombia                      1,316        0.53%
Pakistan                      1,025        0.41%
Mexico                          881        0.36%
Ireland                         664        0.27%
[Chart: Top Attackers by Country, share of attacks for China, United States, India, Bulgaria and Other; the figures are those in the table above.]

   
   Threat Geo-location

[Map: attack counts per country, on a scale from 664 (Ireland) to 142,337 (China).]

   
   Top Attacking Hosts

Host              Occurrences
61.177.173.25           33,368
61.177.173.13           18,554
218.92.0.208            12,239
183.240.204.10           9,331
61.177.173.3             8,717
172.20.29.251            7,454
206.191.151.148          5,680
79.124.62.10             5,120
138.68.53.185            3,319
69.162.124.234           2,726
14.98.48.94              2,324
94.23.6.189              2,324
124.169.216.67           2,131
5.39.218.210             1,878
180.169.131.147          1,655
49.88.112.76             1,543
178.18.242.224           1,536
125.24.230.183           1,499
117.223.81.171           1,440
217.165.246.66           1,361

Note: 172.20.29.251 is an RFC 1918 private address, so it cannot be an Internet source; treat that entry as traffic inside the sensor's own network rather than as an external attacker.


   Top Network Attackers

ASN      Country                Name
4134     China                  CHINANET-BACKBONE No.31,Jin-rong Street, CN
56040    China                  CMNET-GUANGDONG-AP China Mobile communications corporation, CN
29791    United States          VOXEL-DOT-NET, US
207812   Bulgaria               DM_AUTO, BG
14061    United States          DIGITALOCEAN-ASN, US
46475    United States          LIMESTONENETWORKS, US
45820    India                  TTSL-MEISISP Tata Teleservices ISP AS, IN
16276    France                 OVH, FR
7545     Australia              TPG-INTERNET-AP TPG Telecom Limited, AU
57043    Netherlands            HOSTKEY-AS, NL
4812     China                  CHINANET-SH-AP China Telecom (Group), CN
51167    Germany                CONTABO, DE
23969    Thailand               TOT-NET TOT Public Company Limited, TH
9829     India                  BSNL-NIB National Internet Backbone, IN
5384     United Arab Emirates   EMIRATES-INTERNET Emirates Internet, AE


   Remote Access Trojan C&C Servers Found

Name            Found   Location
AgentTesla        5     103.212.121.57, 107.180.27.178, 31.220.2.200, 70.32.23.32, 95.217.195.80
Amadey            3     185.215.113.28, 185.215.113.67, 185.215.113.74
Azorult           7     103.15.226.14, 110.5.109.60, 172.94.18.243, 190.61.250.140, 209.133.222.158, 216.10.249.157, 45.144.225.131
BlackNet          4     145.14.145.115, 34.70.128.92, 52.240.152.251, 82.163.176.128
CobaltStrike      8     185.153.199.161, 185.153.199.162, 185.153.199.164, 185.153.199.168, 185.153.199.169, 23.106.215.179, 23.106.223.85, 87.251.70.112
Collector         6     141.8.192.151, 141.8.193.236, 145.14.144.49, 178.208.83.27, 188.225.40.162, 23.254.253.92
Data-Collector    1     172.67.182.254
DiamondFox        5     176.111.174.118, 176.111.174.123, 213.159.203.232, 31.210.20.72, 45.133.1.155
Fickere           1     62.113.117.9
GachiSteal        1     178.208.83.27
Kpot              1     5.101.153.90
Lokibot          15     103.94.135.216, 104.21.8.2, 104.21.96.133, 108.167.188.182, 172.67.203.37, 185.212.129.114, 192.185.113.23, 23.229.238.132, 27.122.57.174, 27.122.57.229, 31.210.20.71, 31.41.44.202, 35.247.234.230, 82.118.22.149, bncoporations.tk
Oski              5     194.147.142.153, 31.210.20.228, 45.133.1.27, 45.144.225.201, novget.com
Redline          23     116.202.110.165, 178.157.91.208, 185.254.189.187, 195.123.208.194, 198.98.48.182, 209.182.218.94, 2.56.213.162, 3.10.144.54, 31.148.99.134, 45.141.102.87, 45.142.214.100, 45.142.214.84, 45.142.215.150, 45.150.67.132, 45.150.67.141, 45.67.228.28, 45.67.229.156, 45.67.230.60, 87.251.71.182, 87.251.71.221, 94.103.85.106, faryna.xyz, venusbonus.tk
Seth              2     34.107.72.79, 35.199.126.54
SmokeLoader       2     185.153.197.112, 185.153.198.26
Taurus            7     104.21.1.201, 104.21.23.214, 104.21.74.189, 172.67.141.246, 172.67.194.75, 185.92.148.230, 51.38.218.39
Umbra             1     145.14.144.17

Notes: 178.208.83.27 is listed under both Collector and GachiSteal. The 104.21.x.x and 172.67.x.x addresses (Lokibot, Taurus, Data-Collector) are Cloudflare reverse-proxy ranges, so the listed IP is shared with unrelated sites; block or alert on the hostname behind it rather than on the address alone.
[Chart: Trojan C&C servers detected, by family; counts as in the table above.]
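The C&C table above is only useful once its mixed list of IPs and domains is turned into something that can be run against logs. The following Python script is an added example written for this page; it is not part of the roundup and not code from any vendor. It embeds a constructed subset of the table rows, splits each cell into an IP index and a domain index, and scans constructed proxy and DNS log lines (a simple key=value format assumed for the example, not any real product's format) for destination IPs and hostnames that match, with subdomains of a listed domain counting as hits. The sample table rows and log lines are constructed inputs.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Constructed sample input: a subset of the C&C table above, cells copied as they
# appear there (IPs and domains mixed, separated by " , ").
CNC_TABLE: Dict[str, str] = {
    "CobaltStrike": "185.153.199.161 , 185.153.199.162 , 23.106.215.179",
    "Collector": "141.8.192.151 , 178.208.83.27",
    "GachiSteal": "178.208.83.27",
    "Lokibot": "103.94.135.216 , 104.21.8.2 , bncoporations.tk",
    "Oski": "31.210.20.228 , novget.com",
    "Redline": "45.142.214.84 , 87.251.71.182 , faryna.xyz , venusbonus.tk",
}

# Constructed sample log lines in an assumed key=value format (not a real product's
# format); a proxy line carries dst/host, a DNS line carries the queried name.
SAMPLE_LOGS = """\
2021-04-20T10:15:01Z proxy src=10.0.5.23 dst=45.142.214.84 host=- uri=/api/ip
2021-04-20T10:15:07Z dns src=10.0.5.23 qname=www.faryna.xyz. rcode=NOERROR
2021-04-20T10:16:00Z proxy src=10.0.7.9 dst=8.8.8.8 host=dns.google uri=/
2021-04-20T10:16:30Z dns src=10.0.7.9 qname=update.microsoft.com. rcode=NOERROR
2021-04-20T10:17:12Z proxy src=10.0.9.1 dst=23.106.215.179 host=- uri=/ca
2021-04-20T10:18:40Z proxy src=10.0.3.4 dst=178.208.83.27 host=- uri=/gate.php
"""

IpIndex = Dict[str, Set[str]]
DomainIndex = Dict[str, Set[str]]


class Hit(NamedTuple):
    timestamp: str
    src: str
    indicator: str
    families: Tuple[str, ...]


def build_indicator_index(table: Dict[str, str]) -> Tuple[IpIndex, DomainIndex]:
    """Split each table cell into individual indicators and sort them into an IP
    index and a domain index, each mapping the normalised indicator to the set of
    families that list it (the table lists 178.208.83.27 under two families)."""
    ips: IpIndex = {}
    domains: DomainIndex = {}
    for family, cell in table.items():
        for raw in cell.split(","):
            ioc = raw.strip().lower().rstrip(".")
            if not ioc:
                continue
            try:
                ipaddress.ip_address(ioc)  # raises ValueError for a hostname
                ips.setdefault(ioc, set()).add(family)
            except ValueError:
                domains.setdefault(ioc, set()).add(family)
    return ips, domains


def match_domain(name: str, domains: DomainIndex) -> str:
    """Return the listed domain that `name` equals or is a subdomain of, else ''.
    Walks from the full name upward, so www.faryna.xyz hits the faryna.xyz
    indicator while dns.google hits nothing."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return ""


_KV = re.compile(r"(\w+)=(\S+)")


def scan_logs(lines: Iterable[str], ips: IpIndex, domains: DomainIndex) -> List[Hit]:
    """Flag every log line whose destination IP, contacted host or queried name
    matches an indicator. At most one Hit per line; an IP match takes precedence."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        timestamp = line.split(" ", 1)[0]
        fields = dict(_KV.findall(line))
        src = fields.get("src", "?")
        dst = fields.get("dst", "")
        if dst in ips:
            hits.append(Hit(timestamp, src, dst, tuple(sorted(ips[dst]))))
            continue
        for key in ("host", "qname"):
            matched = match_domain(fields.get(key, ""), domains)
            if matched:
                hits.append(Hit(timestamp, src, matched, tuple(sorted(domains[matched]))))
                break
    return hits


if __name__ == "__main__":
    ip_index, domain_index = build_indicator_index(CNC_TABLE)
    for hit in scan_logs(SAMPLE_LOGS.splitlines(), ip_index, domain_index):
        print(f"{hit.timestamp} {hit.src} -> {hit.indicator} ({', '.join(hit.families)})")
```

Matching on the hostname is what makes the Cloudflare-fronted entries usable: a hit on 104.21.8.2 alone says little, but a DNS query for bncoporations.tk from the same source is a clean indicator.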

    
   Common Malware

MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
File name: ww31.exe
Claimed product: N/A
Detection name: W32.GenericKD:Attribute.24ch.1201

MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
File name: SAntivirusService.exe
Claimed product: A n t i v i r u s S e r v i c e
Detection name: PUA.Win.Dropper.Segurazo::tpd

MD5: 84291afce6e5cfd615b1351178d51738
VirusTotal: https://www.virustotal.com/gui/file/bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208/details
File name: webnavigatorbrowser.exe
Claimed product: WebNavigatorBrowser
Detection name: W32.BFBE7022A4.5A6DF6a61.auto.Talos

MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
File name: Eternalblue-2.2.0.exe
Claimed product: N/A
Detection name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 96f8e4e2d643568cf242ff40d537cd85
VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details
File name: SAService.exe
Claimed product: SAService
Detection name: PUA.Win.File.Segurazo::95.sbx.tg


   Top Phishing Campaigns

Phishing Target   Count
Facebook             37
Amazon.com           10
RuneScape             8
Microsoft             5
Rakuten               3
Google                2
Caixa                 2
LinkedIn              2
PayPal                2
Accurint              2
WeTransfer            2
Allegro               1
AOL                   1
Other               965


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE, title, vendor, description, CVSS v3.1 base score (with vector), date created, date updated.

CVE-2021-27112
Title: Remote Code Execution in LightCMS
Vendor: LightCMS Project
Description: LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php, in the code path that downloads external images. It can be exploited remotely, and attackers can use it to deliver malicious code to end users.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/15/2021   Date Updated: 04/19/2021

CVE-2021-25360
Title: Arbitrary Code Execution on Samsung Android Devices
Vendor: Samsung (Android devices; SMR is Samsung's monthly security maintenance release)
Description: An improper input validation vulnerability in the libswmfextractor library, prior to SMR APR-2021 Release 1, allows attackers to execute arbitrary code in the mediaextractor process.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021   Date Updated: 04/21/2021

CVE-2021-24223
Title: Arbitrary File Upload in the N5 Upload Form WordPress Plugin
Vendor: N5 Upload Form (WordPress plugin)
Description: The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue on any page where a form from the plugin is embedded, as any file type can be uploaded. The uploaded filename may be hard to guess because it is generated with md5(uniqid(rand())), but on misconfigured servers with directory listing enabled, locating it is trivial.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/12/2021   Date Updated: 04/19/2021

CVE-2021-22507
Title: Authentication Bypass in Micro Focus Operations Bridge Manager
Vendor: Micro Focus
Description: An authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. It could allow remote attackers to bypass user authentication and gain unauthorized access.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/08/2021   Date Updated: 04/14/2021

CVE-2021-20021
Title: Unauthenticated Administrative Account Creation (Privilege Escalation) in SonicWall Email Security
Vendor: SonicWall
Description: A vulnerability in SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/09/2021   Date Updated: 04/14/2021

CVE-2021-1479
Title: Remote Code Execution Vulnerability in Cisco SD-WAN vManage Software
Vendor: Cisco
Description: Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code, or an authenticated, local attacker to gain escalated privileges, on an affected system. For details of each vulnerability, see Cisco's advisory.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/08/2021   Date Updated: 04/19/2021

CVE-2020-27236
Title: SQL Injection Vulnerability in OpenClinic GA
Vendor: OpenClinic
Description: An exploitable SQL injection vulnerability exists in the getAssets.jsp page of OpenClinic GA 5.173.3, in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. (Note that the description requires an authenticated request while the vector below claims PR:N; check the vendor or NVD record before relying on the score.)
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 04/13/2021   Date Updated: 04/14/2021