Threat Intel Banner

   
   Trends

  • The top attacker country was Russia with 92067 unique attackers (43.33%).
  • The top Trojan C&C family detected was Redline, with 20 servers identified.
  • The top phishing campaign targeted Facebook, with 11 instances detected.


   Top Attackers By Country

Country Occurrences Percentage
Russia 92067 43.33%
China 47947 22.56%
United States 43363 20.41%
Panama 4838 2.28%
Indonesia 3887 1.83%
India 3305 1.56%
Netherlands 3231 1.52%
Belize 2678 1.26%
Pakistan 2077 0.98%
Spain 1905 0.90%
Hong Kong 1609 0.76%
Trinidad and Tobago 1453 0.68%
Saudi Arabia 1209 0.57%
Mexico 1038 0.49%
Colombia 1017 0.48%
Ukraine 873 0.41%
 
[Pie chart: Top Attackers by Country; slices shown for Russia 43.3%, China 22.6%, United States 20.4%, Panama, and Other 11.4%. The chart's data table duplicates the table above.]

   
   Threat Geo-location

[Map: Threat Geo-location; colour scale runs from 873 (fewest attackers per country in the table above) to 92,067 (most).]

   
   Top Attacking Hosts

Host Occurrences
61.177.173.16 13600
91.241.19.81 12463
91.241.19.86 11923
185.153.199.84 11907
91.241.19.238 8614
185.137.234.48 8161
91.241.19.244 5257
91.241.19.59 4662
91.241.19.57 4651
45.227.253.124 4641
91.241.19.85 4470
61.68.15.29 4393
120.220.14.249 4057
77.161.85.80 3231
14.203.92.214 2792
77.247.110.184 2678
149.167.140.155 2544
66.96.238.61 2351
63.143.42.242 2308
202.47.41.49 2077


   Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
207566 Russia HOSTWAY-AS, RU
49877 Moldova RMINJINERING, RU
49505 Russia SELECTEL, RU
49453 Panama GLOBALLAYER, NL
7545 Australia TPG-INTERNET-AP TPG Telecom Limited, AU
24444 China CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
1136 Netherlands KPN KPN National, NL
213371 Netherlands SQUITTER-NETWORKS, NL
135887 Australia TELSTRA-BELONG-AP Belong Telstra Corporation, AU
63859 Indonesia MYREPUBLIC-AS-ID PT. Eka Mas Republik, ID
46475 United States LIMESTONENETWORKS, US
9541 Pakistan CYBERNET-AP Cyber Internet Services Pvt Ltd., PK


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 2 103.153.182.50 , 141.8.192.151
Amadey 5 185.215.113.53 , 185.215.113.79 , 194.26.29.220 , 37.1.203.90 , 94.140.115.70
Azorult 2 195.133.40.176 , 2.56.59.196
BlackNet 2 172.93.121.8 , 185.212.44.211
Collector 5 141.8.192.151 , 141.8.193.236 , 185.137.235.119 , 81.177.135.251 , 95.181.163.143
Cypress 1 185.114.247.102
DiamondFox 1 195.133.40.146
Ficker 2 109.234.38.213 , 195.2.85.152
HiddenTear 1 94.199.200.45
login.php 1 matixx.xyz
Lokibot 4 104.21.2.166 , 104.21.88.207 , 172.67.138.58 , 206.189.114.152
Oski 2 173.231.206.89 , 45.180.174.39
Raccoon 1 34.105.169.29
Redline 20 103.246.147.66 , 129.146.180.22 , 129.146.47.51 , 149.202.7.96 , 176.111.174.254 , 185.173.36.104 , 185.215.113.15 , 185.215.113.50 , 185.215.113.62 , 185.215.113.64 , 185.237.165.42 , 185.241.54.128 , 185.92.148.234 , 193.0.61.155 , 193.38.54.101 , 45.139.236.24 , 46.29.114.16 , 85.192.56.21 , 85.192.56.35 , 86.107.197.64
Vidar 1 159.69.20.131
Zeus 1 212.192.241.97
[Pie chart: Trojan C&C Servers Detected; slices shown for Redline 39.2%, Amadey 9.8%, Collector 9.8%, Lokibot 7.8%, Other 13.7%, with AgentTesla, Azorult, BlackNet, Ficker and Oski as smaller slices. The chart's legend duplicates the table above.]

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg
f2c1aa209e185ed50bf9ae8161914954 https://www.virustotal.com/gui/file/5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243/details webnavigatorbrowser.exe WebNavigatorBrowser W32.5524FEE1BB.5A6DF6a61.auto.Talos
6be10a13c17391218704dc24b34cf736 https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe AntivirusService PUA.Win.Dropper.Segurazo::tpd


   Top Phishing Campaigns

Phishing Target Count
Other 412
Visa 1
Facebook 11
PayPal 2
Steam 3
Netflix 2
Microsoft 1
Amazon.com 2
Rakuten 1
RuneScape 1
Bancasa 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE-2020-14871
Title: Remote Code Execution Vulnerability in Oracle Solaris
Vendor: Oracle
Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 10/21/2020
Date Updated: 06/22/2021

CVE-2020-14871
Title: Buffer Overflow Vulnerability in Oracle Solaris
Vendor: Oracle
Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 10/21/2020
Date Updated: 06/22/2021

CVE-2021-31950
Title: Remote Code Execution Vulnerability in Microsoft SharePoint
Vendor: Microsoft
Description: Microsoft SharePoint Server Spoofing Vulnerability. This CVE ID is unique from CVE-2021-31948, CVE-2021-31964.
CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Date Created: 06/08/2021
Date Updated: 06/15/2021

CVE-2013-4988
Title: Buffer Overflow Vulnerability in IcoFX
Vendor: IcoFX
Description: Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote attackers to execute arbitrary code via a long idCount value in an ICONDIR structure in an ICO file. NOTE: some of these details are obtained from third party information.
CVSS Base Score: 9.3 (CVSS v2 vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Date Created: 12/13/2013
Date Updated: 06/07/2021

CVE-2020-13927
Title: Weak Authentication Vulnerability in Apache Airflow
Vendor: Apache
Description: The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/apache-airflow/1.10.11/security.html#api-authentication. Note this change fixes it for new installs, but existing users need to change their config to the default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 11/10/2020
Date Updated: 06/02/2021

CVE-2020-11978
Title: Code Injection Vulnerability in Apache Airflow
Vendor: Apache
Description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/16/2020
Date Updated: 06/02/2021
Date Published: July 05, 2021