Thursday, December 10, 2020

threat_intel_report

Trends

  • The top attacker country was the United States with 171,766 unique attackers (24.73%).

  • The top Trojan C&C server detected was Lokibot with 17 instances detected.

  • The top phishing campaign detected was against Facebook accounts with 32 instances detected.

    Cybercriminal gangs are now using outsourced call-centre operations to apply additional pressure on their victims to pay ransom demands. Our Crystal Eye Security Operations Centre has noted a trend over the last few months in which victims who try to restore their compromised data from backups are targeted.

Top Attackers By Country

Country Occurrences Percentage
United States 171766 24.73%
Russia 161605 23.27%
China 159111 22.91%
India 113316 16.32%
Germany 36066 5.19%
Netherlands 21868 3.14%
Hong Kong 9708 1.39%
Canada 6517 0.93%
Belize 6054 0.87%
France 1989 0.28%
Italy 1716 0.24%
Jordan 1146 0.16%
Georgia 975 0.14%
Bulgaria 864 0.12%
Palestinian Territory 837 0.12%
Croatia 780 0.11%
 

Top Attackers By Country (chart)

[Chart: share of attackers by country, matching the table above; legend: United States, Russia, China, India, Germany, Netherlands, Other]

Threat Geo-location

[Map: attack occurrences by country, on a scale from 780 to 171,766]

Top Attacking Hosts

Host Occurrences
195.54.161.122 86478
43.252.145.42 62777
49.88.112.118 34100
198.199.124.117 26358
45.146.165.41 26339
218.92.0.206 26299
218.92.0.208 17854
149.7.16.206 16259
92.63.197.86 10815
218.92.0.190 7666
193.27.228.188 6912
37.49.229.202 6054
45.125.65.84 5919


Top Attackers

[Chart; no data beyond the tables above is recoverable from the page]

Top Network Attackers

ASN Country Name
49505 Russia SELECTEL, RU
32329 United States MONKEYBRAINS, US
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
14061 Ukraine DIGITALOCEAN-ASN, US
63023 Spain AS-GLOBALTELEHOST, US
204655 Ukraine NOVOGARA-AS, NL
213371 Netherlands SQUITTER-NETWORKS, NL
133398 Hong Kong SAR China TELE-AS Tele Asia Limited, HK
 

Remote Access Trojan C&C Servers Found

Name Number Discovered Location
Anubis 1 46.173.214.227
Azorult 4 158.101.98.57, 209.124.88.217, 52.58.209.130, 75.98.175.122
BlackNet 1 104.28.11.161
Kpot 1 168.119.70.107
Loader 1 8.208.92.202
Lokibot 17 103.83.81.68, 104.168.146.103, 104.223.143.21, 104.27.157.45, 137.59.52.154, 139.162.106.29, 172.67.204.202, 185.17.141.58, 192.185.138.190, 192.185.144.196, 192.185.146.65, 192.185.79.31, 198.44.96.228, 198.44.96.231, 198.57.149.40, 49.12.47.176, 95.213.224.87
Predator 3 141.8.192.58, 141.8.193.236, 5.101.153.171
Stealer 1 8.208.77.2
SupremeMiner 1 141.8.193.236
TrickBot 2 191.7.201.200, 36.74.73.136
Uadmin 1 47.254.128.33
Zloader 1 185.240.102.113


Trojan C&C Servers Detected (chart)

[Chart: number of C&C servers detected per family, matching the table above]

Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
2915b3f8b703eb744fc54c81f4a9c67f https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details id001.exe N/A Win.Worm.Coinminer::1201
7e0bc1c01f44c7a663d82e4aff71ee6c https://www.virustotal.com/gui/file/586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360/details fsvc.exe N/A Auto.586D6B.232349.in02
920823d1c5cb5ce57a7c69c42b60959c https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details FlashHelperService.exe FlashHelperService W32.Variant.23mj.1201
920823d1c5cb5ce57a7c69c42b60959c https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe AntivirusService PUA.Win.Dropper.Segurazo::tpd
8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos
 

Top Phishing Campaigns

Phishing Target Count
Other 1606
Virustotal 6
Facebook 32
Amazon.com 15
Itau 3
Adobe 7
Vodafone 2
Google 2
WhatsApp 1
Steam 3
Rakuten 6
UniCredit 2
PayPal 8
Caixa 3
DHL 2
Microsoft 5
Halifax 3
WeTransfer 1
 

CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Fields: CVE, Title, Vendor, Description, CVSS v3.1 Base Score, Date Created, Date Updated

CVE-2018-13379
Title: Fortinet FortiOS Directory Traversal Vulnerability
Vendor: Fortinet
Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/04/2019
Date Updated: 11/19/2020

CVE-2020-14882
Title: Oracle WebLogic Server Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 10/21/2020
Date Updated: 11/19/2020

CVE-2020-15505
Title: MobileIron Core and Connector Remote Code Execution Vulnerability
Vendor: MobileIron
Description: A remote code execution vulnerability exists in MobileIron Core and Connector, and Sentry, that allows remote attackers to execute arbitrary code via unspecified vectors. Manipulation with an unknown input leads to privilege escalation. The UK's National Cyber Security Centre warns that APT nation-state groups and cybercriminals are exploiting the MobileIron RCE vulnerability to compromise networks.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/06/2020
Date Updated: 11/10/2020

CVE-2020-5902
Title: F5 BIG-IP Remote Code Execution Vulnerability
Vendor: F5
Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code or take complete control of vulnerable systems.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/01/2020
Date Updated: 08/07/2020

CVE-2020-9844
Title: MacOS Catalina Memory Corruption Vulnerability
Vendor: Apple
Description: A double free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date Created: 6/09/2020
Date Updated: 10/16/2020

CVE-2018-12809
Title: Adobe Experience Manager Server-Side Request Forgery Vulnerability
Vendor: Adobe
Description: Adobe Experience Manager is exposed to a server-side request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Date Created: 07/20/2018
Date Updated: 09/17/2018

CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 08/17/2020
Date Updated: 11/23/2020