threat-intelligence-report


Trends


  • The top attacker country was China with 282482 unique attackers (53%).
  • The top Exploit event was Authentication with 32% of occurrences.
  • The top Trojan C&C server detected was Heodo with 50 instances detected.

Top Attacker by Country


CountryOccurrencesPercentage
China28248253.36%
Australia10301819.46%
South Africa423458.00%
Singapore239644.53%
United States179223.39%
Chile123752.34%
France99521.88%
United Kingdom93551.77%
India78861.49%
Russia63581.20%
Italy45660.86%
Vietnam19680.37%
Indonesia19050.36%
Canada15490.29%
Romania12240.23%
Mexico9920.19%
Pakistan7850.15%
Serbia7560.14%
Argentina5830.11%
Top Cyber Attackers by Country Nov 25 - Dec 1 2019



Threat Geolocation



Cyber Security Threat Geolocations Nov 25 - Dec 1 2019



Top Attacking Hosts


HostOccurrences
112.85.42.18728615
49.88.112.11622206
223.25.69.9821704
196.250.0.11821122
202.161.116.14121055
222.186.52.7811780
218.92.0.19011622
181.43.131.25311570
218.92.0.19110493
Top Attacker Hosts Nov 25 - Dec 1 2019



Top Network Attackers


Origin ASCountryName
4837ChinaCHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134ChinaCHINANET-BACKBONE No.31,Jin-rong Street, CN
56300SingaporeMYREPUBLIC-SG MyRepublic Ltd., SG
37515South AfricaiCONNECT, ZA
7545AustraliaTPG-INTERNET-AP TPG Telecom Limited, AU
23650ChinaCHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN

Top Events NIDS and Exploits




Remote Access Trojan C&C Servers Found


NameNumber DiscoveredLocation
Loader1185.204.2.218
AZORult283.166.251.55, 185.222.57.75
Heodo50107.2.2.28, 116.48.138.115,
118.200.218.193, 189.180.105.125,
122.11.164.183, 172.90.70.168, 
200.71.193.220, 47.50.251.130, 
197.90.159.42, 109.166.89.91, 
211.218.105.101, 190.12.119.180, 
120.150.246.241, 197.254.221.174, 
195.244.215.206, 190.186.164.23, 
47.187.70.124, 2.38.99.79, 
125.230.36.147, 72.27.212.209, 
85.105.183.228, 187.250.92.82, 
41.218.118.66, 95.219.199.225, 
81.213.145.45, 77.211.249.124, 
187.190.49.92, 12.229.155.122, 
5.88.182.250, 128.65.154.183, 
201.183.251.100, 195.226.144.249, 
186.0.68.43, 190.17.42.79, 
54.38.94.197, 45.56.88.91, 
59.110.18.236, 80.211.32.88, 
50.63.13.135, 51.68.220.244, 
185.234.72.64, 24.45.193.161, 
142.127.57.63, 186.66.224.182, 
203.130.0.69, 80.93.48.49, 
192.161.190.171, 104.236.137.72, 
206.189.112.148, 206.81.10.215
Lokibot4216.10.240.90, 107.175.150.73, 
80.249.144.204, 185.159.153.129
TrickBot45212.73.150.4, 188.165.62.47, 
146.185.253.175, 94.156.35.206, 
162.244.32.52, 162.247.155.113, 
167.86.123.83, 51.89.73.144, 
103.75.117.188, 45.141.100.190, 
107.181.187.221, 85.217.170.153, 
5.2.77.78, 192.227.173.100, 
5.2.72.102, 82.118.21.57, 
5.182.210.30, 66.55.71.151,
 85.204.116.154, 172.245.159.121, 
194.5.250.121, 192.227.232.46, 
198.15.119.79, 172.82.152.140, 
81.177.22.39, 85.143.221.75, 
37.46.135.95, 45.132.19.197, 
185.99.2.115, 146.185.219.50, 
146.185.253.174, 66.85.173.56, 
185.174.173.143, 195.123.221.232, 
51.89.73.148, 5.2.76.197, 
45.138.157.23, 188.225.10.47, 
81.177.181.222, 185.90.61.107, 
46.17.105.97, 188.120.251.251, 
2.57.184.9, 51.254.69.222, 5.34.176.212
Trojan C&C Servers Nov 25 - Dec 1 2019

Common Malware


MD5File
Name
Claimed
Product
Detection
Name
c5608e
40f6f4
7ad84e
298580
4957c3
42
FlashHelper
Services.exe
FlashHelper
Service
PUA:2144
Flash
Player-tpd
ef048c
07855b
3ef98b
d991c4
13bc73
b1
xme64-501.exeN/APUA.Win.
Dropper.
Razy::tpd
e2ea31
5d9a83
e75770
53f52c
974f6a
5a

c3e530cc0
05583b473
22b6649dd
c0dab1b64
bcf22b124
a4926067
63c52fb0
48f.bin

N/AW32.Agent
WDCR:
Gen.21
gn.1201
b77c0c
1ed4cf
f895bf
862cf4
6b601c
84
opCS.gifN/A

W32.C29D
A492E7-100.
SBX.TG

718d57
9ea6ea
48f952
25cc9c
794f97
03
opext.gifN/AW32.4DAC8
8A67B-100.
SBX.TG



CVEs For Which Public Exploits Have Been Detected


CVE,
Title,
Vendor
DescriptionCVSS
v2
Base Score
Date
Created
Date
Updated

CVE-
2019-
1429


Microsoft Windows Scripting Engine Memory Corruption Vulnerability


Microsoft

An information disclosure vulnerability exists when Microsoft Edge based on Edge HTML improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability.

7.611/12/1911/12/19

CVE-
2019-
18862


GNU Mailutils Privilege Escalation Vulnerability

GNU

The --url parameter included in the GNU Mailutils maidag utility can be used to write to arbitrary files on the host operating system. By default, maidag is set to execute with setuid root permissions, which can lead to local privilege escalation through code/command execution by writing to the system's crontab or by writing to other root owned files on the operating system.
11/11/1911/11/19
CVE-
2018-14665


Xorg X11
Server Local Privilege Escalation Vulnerability


Multi-Vendor
A flaw was found in xorg-x11-server where an incorrect permission check for
-modulepath and -logfile options are set when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.
7.210/25/1810/22/19
CVE-
2019-11539


Pulse Secure
VPN Arbitrary Command Execution Vulnerability


Pulse Secure
Pulse Secure VPN with admin web interface allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, inject and execute arbitrary commands and execute arbitrary code in the context of the application.6.504/25/1908/09/19
CVE-
2019-16113


Bludit
Directory Traversal
Image File Upload Vulnerability


Bludit
Bludit allows remote code execution via blkernel/ajax/
upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.
6.509/08/1911/12/19
CVE-
2019-11409


FusionPBX Operator Panel exec.php Command Execution Vulnerability

FusionPBX
app/
operator_panel/
exec.php in the Operator Panel module in FusionPBX suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.
6.506/17/1906/18/19
CVE-
2019-17671


WordPress Unauth'ed
view Posts Vulnerability


WordPress
Wordpress versions allows unauthenticated view of private/draft posts. Unauthenticated viewing of certain content is possible because the static query property is mishandled. This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query.5.010/17/1911/05/19
Details
Date Published
December 03, 2019