Threat Intel Banner

   
   Trends

  • The top attacker country was China with 121684 unique attackers (47.98%).
  • The top Trojan C&C server detected was Oski with 11 instances detected.
  • The top phishing campaign detected was against Facebook with 53 instances detected.


   Top Attackers By Country

Country Occurrences Percentage
China 121684 47.98%
United States 81662 32.20%
Vietnam 9515 3.75%
Russia 7696 3.03%
India 6348 2.50%
Singapore 5246 2.07%
Thailand 4776 1.88%
Indonesia 4050 1.60%
Ukraine 2414 0.95%
Georgia 2369 0.93%
Brazil 1914 0.75%
Argentina 1887 0.74%
Lithuania 1383 0.55%
Isle of Man 989 0.39%
Cape Verde 756 0.30%
Poland 485 0.19%
Moldova 458 0.18%

   
   Threat Geo-location

(World map of attack origins; colour scale runs from 458 to 121,684 attacks per country.)

   
   Top Attacking Hosts



   Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
55286 United States SERVER-MANIA, CA
46475 United States LIMESTONENETWORKS, US
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
8492 Russia OBIT-AS OBIT Ltd., RU
15491 Georgia SILKNET, GE
45899 Vietnam VNPT-AS-VN VNPT Corp, VN
14061 Singapore DIGITALOCEAN-ASN, US
12389 Russia ROSTELECOM-AS, RU
141799 India INDTEL-AS-IN INDTEL INFRA PRIVATE LIMITED, IN
15377 Ukraine FREGAT, UA
7713 Indonesia TELKOMNET-AS-AP PT Telekomunikasi Indonesia, ID
23969 Thailand TOT-NET TOT Public Company Limited, TH
7552 Vietnam VIETEL-AS-AP Viettel Group, VN
27747 Argentina Telecentro S.A., AR


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 2 103.153.76.164 , 37.0.8.76
Azorult 1 93.99.104.96
BlackNet 1 194.87.139.107
Channel 1 128.1.32.84
Collector 5 141.8.192.151 , 141.8.193.236 , 185.22.155.64 , 217.197.240.183 , 81.177.141.36
Cypress 1 141.8.193.236
Lokibot 4 104.21.0.135 , 104.21.2.122 , 172.67.167.105 , 209.97.171.241
Lu0bot 1 5.188.206.211
Oski 11 103.153.76.164 , 104.21.47.182 , 104.21.73.122 , 108.167.188.148 , 172.67.171.204 , 172.67.203.175 , 184.171.244.113 , 192.185.104.204 , 67.227.191.194 , 91.151.93.127 , 93.157.63.225
Qudox 1 134.209.203.126
Redline 1 78.155.222.147
StealthWorker 1 185.191.34.170
Vertex 1 134.209.203.126
Vertex 1
Vertex 2 194.36.191.17 , 195.2.93.135
Vidar 1 116.202.183.50

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
6be10a13c17391218704dc24b34cf736 https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
2915b3f8b703eb744fc54c81f4a9c67f https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details VID001.exe N/A Win.Worm.Coinminer::1201
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg


   Top Phishing Campaigns

Phishing Target Count
Other 860
Facebook 53
PayPal 3
Microsoft 11
DHL 2
Steam 12
Amazon.com 15
Instagram 1
Halifax 1
Sparkasse 1
Apple 1
Rakuten 1
Vodafone 1
Scotiabank 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE, Title, Vendor, Description, CVSS v3.1 Base Score (with vector), Date Created, Date Updated.

CVE-2017-5461
Title: Denial of Service Vulnerability in Mozilla NSS
Vendor: Mozilla
Description: Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 05/10/2017
Date Updated: 07/20/2021

CVE-2018-15686
Title: Privilege Escalation Vulnerability in Ubuntu
Vendor: Canonical
Description: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 10/26/2018
Date Updated: 07/20/2021

CVE-2021-27198
Title: Remote Code Execution Vulnerability in VisualWare
Vendor: Visualware
Description: An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 02/26/2021
Date Updated: 07/15/2021

CVE-2021-21344
Title: Arbitrary Code Execution in XStream Library
Vendor: XStream_project
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 03/22/2021
Date Updated: 07/20/2021

CVE-2020-18544
Title: SQL Injection Vulnerability in WMS
Vendor: WMS_project
Description: SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the "username" parameter in the component "chkuser.php".
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/12/2021
Date Updated: 07/14/2021