Cyberthreats Targeting the United States, Winter 2019
Attack Types of Top Attacking IP Addresses
Many of the IP addresses attacking American systems during the winter of 2019 were involved with abusive port scanning activity. As noted in the Top Target Ports section, Microsoft SMB port 445 was the highest targeted port. We continue to observe high levels of attack traffic pointed toward RFB/VNC port 5900, and as our sensor stacks evolve, we notice more IP addresses targeting SMB port 445 at higher rates.
Along with these attacks, we are also noticing a large amount of attack traffic in the United States directed toward databases and other web application protocols.
| Source IP Address | Attack Type | ASN | Source Country | United States Count |
| 104.238.194.34 | Port Scanning: SMB port 445, MS SQL port 1433 | Versaweb, LLC | United States | 1,397,377 |
| 193.188.22.114 | Port Scanning: SMB port 445, MS SQL port 1433 | Hostkey B.v. | Russia | 1,390,698 |
| 185.156.177.11 | Port Scanning: RFB/VNC port 5900 | Hostkey B.v. | Russia | 1,384,990 |
| 185.156.177.44 | Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23 | Hostkey B.v. | Russia | 1,370,536 |
| 212.80.217.139 | Port Scanning: 48 unique ports | Serverius Holding B.V. | Netherlands | 598,132 |
| 185.153.198.197 | Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova | 490,247 |
| 185.153.197.251 | Port Scanning: 6 unique ports | RM Engineering | Moldova | 486,688 |
| 104.238.221.65 | Port Scanning: SMB port 445, MS SQL port 1433 | ReliableSite.Net LLC | 476,363 | |
| 185.153.196.159 | Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova | 399,751 |
| 148.251.20.137 | Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25 | Hetzner Online GmbH | Germany | 373,181 |
| 148.251.20.134 | Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 | Hetzner Online GmbH | Germany | 373,034 |
| 52.58.75.133 | Port Scanning: 443, 445, HTTP port 80 | Amazon.com | Germany | 278,175 |
| 185.40.13.3 | Port Scanning: RFB/VNC port 5900 & 5901 | GTECH S.p.A. | Italy | 233,258 |
| 212.83.172.140 | Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22 | Online S.a.s. | France | 232,718 |
| 211.44.226.158 | Port Scanning: SMB port 445, MS SQL port 1433 | SK Broadband Co Ltd | South Korea | 222,944 |
| 52.57.70.66 | Port Scanning: 6 unique ports | Amazon.com | Germany | 219,125 |
| 112.175.124.2 | Port Scanning: 61 unique ports | Korea Telecom | South Korea | 214,882 |
| 35.158.151.206 | Port Scanning: 6 unique ports | Amazon.com | Germany | 213,525 |
| 50.7.98.219 | Port Scanning: ICB/SWX port 7326 | Cogent Communications | United States | 160,217 |
| 185.234.218.16 | Port Scanning: SMB port 445, WebLogic port 7001, 8080, MS SQL port 1433 HTTP Attacks: Alt-HTTP port 8080 Malware Uploads: SMB port 445 |
Sprint S.A. | Ireland | 159,383 |
| 185.56.252.57 | Port Scanning: MS RDP port 3389, port 5909, RFB/VNC port 5900 Credential Stuffing: RFB/VNC port 5900 |
Bellnet Limited | Portugal | 155,072 |
| 104.238.202.134 | Port Scanning: MS SQL port 1433, SMB port 445 | Essensys Inc. | 142,692 | |
| 89.248.174.201 | Port Scanning: SMB port 445, MS SQL port 1433 | IP Volume | Netherlands | 140,126 |
| 112.175.127.189 | Port Scanning: 48 unique ports | Korea Telecom | South Korea | 120,510 |
| 112.175.127.179 | Port Scanning: 48 unique ports | Korea Telecom | South Korea | 110,827 |
Table 1. Top attacking IP addresses and their attack types targeting U.S. systems, October 1, 2019–December 31, 2019
Uniquely Targeting U.S. Systems
Along with tracking the top attacking IP addresses, we also isolated the IP addresses that attacked only U.S. systems and gathered further information about what they might be. We noticed during this time period that the IP addresses that uniquely targeted U.S. systems were mostly located in the United States, with a few in Japan, one in Mexico, and one in Germany. Like the top attacking IP addresses, we noticed that these IP addresses were engaged in a range of behaviors, from abusive port scanning to credential stuffing. Notably, these IP addresses were mostly focused on attacking web application protocols.
Details from the Shodan search engine provided more color regarding what these attacking systems could be. In this case, the IP address geolocated in Mexico appears to belong to Alestra, a Mexican IT services company. Another attacking IP address appears to belong to Lone Car Rental Systems, a company that provides car rental reservation software. A range of different systems appears to be attacking U.S. systems, including one which seems to belong to Vultr, a VPN service.
| IP Address | ASN | Country | Attack Type | IP Address Info (Shodan) |
| 104.238.194.34 | Versaweb, LLC | United States | Port Scanning: 445 (MS SMB), 1433 (MS SQL) | None |
| 104.238.221.65 | ReliableSite.Net | United States | Port Scanning: 445 (MS SMB), 1433 (MS SQL) | Host Name: lax01.hostwiki.net Open Ports & Services: 8888 |
| 50.7.98.219 | Cogent Communications | United States | Port Scanning: 445 (MS SMB), 1433 (MS SQL) | None |
| 104.238.202.134 | essensys Inc. | United States | Port Scanning: 445 (MS SMB), 1433 (MS SQL) | Host Name: host-104-238-202-134.essensys.co.uk Open Ports & Services: 80 (Nginx), 81, 8080 (Apache, Coyote JSP) |
| 104.238.220.225 | ReliableSite.Net LLC | United States | Port Scanning: 7001, 445 (MS SMB), 1433 (MS SQL) HTTP Attacks: 8080 (Alt-HTTP) |
Open Ports & Services: 22 (OpenSSH), 111 (Portmap) |
| 207.248.236.84 | Alestra, S. de R.L. de C.V. | Mexico | Port Scanning: 445 (MS SMB), 1433 (MS SQL) | Host Name: static-207-248-236-84.alestra.net.mx Open Ports & Services: 80 (MS IIS), 88 (MS IIS), 137 (NetBIOS), 443 (MS IIS), 445 (SMB), 1433 (MS SQL Server) 1434 (MS SQL Server), 3389 (MS RDP), |
| 165.227.69.239 | Digital Ocean | United States | Credential Stuffing: 23 (Telnet) | 22 OpenSSH, 111 (Portmap) |
| 140.82.24.119 | Choopa, LLC | United States | Port Scanning: 22 (SSH), 161 (SNMP), 80 (HTTP) | Hostname: 140.82.24.119.vultr.com Open Ports: 1723 (Mikrotik PPTP) |
| 66.194.167.76 | Renaissance Systems | United States | Port Scanning: 5900 (RFB/VNC) | OS: Window Server 2003 Hostname: crosspoint. lonestarrentalsystems.com.c Open Ports: 80 (MS IIS), 3389 (RDP) |
| 47.74.56.139 | Alibaba (US) | Japan | Port Scanning: 445 (MS SMB), 443 (HTTPS), 25 (SMTP), 22 (SSH), 80 (HTTP) | None |
| 47.245.2.225 | Alibaba (US) | Japan | Port Scanning: 25 (SMTP), 443 (HTTPS), 445(MS SMB), 80 (HTTP), 22 (SSH) | |
| 24.39.3.105 | Charter Communications | United States | Port Scanning: 5900 (RFB/VNC) | |
| 159.65.108.26 | Digital Ocean | United States | Port Scanning: 5900 (RFB/VNC) | |
| 52.57.6.67 | Amazon.com, Inc. | Germany | Port Scanning: 443 (HTTPS), 445 (SMB), 80 (HTTP) | |
| 50.7.98.218 | Cogent Communications | United States | Port Scanning: 445 (MS SMB), 1433 (MS SQL) |
Table 2. Top attacking IP addresses and their attack types targeting only U.S. systems, October 1, 2019–December 31, 2019
Top Targeted Ports
SMB port 445 was the top attacked port in the United States from October 1 through December 31, 2019. This is a shift from the fall regional threat perspective we wrote about the United States, where RFB/VNC port 5900 was the top attacked port. This can be attributed to constantly updating and evolving our sensor stack regarding the current threat landscape. Unlike many other global regions, we saw a closer gap between first and second position for the top attacked ports. This may be attributed to our current perspective and the fact that more VNC port 5900 attacks were directed toward sensors in the United States than anywhere else in the world. VNC port 5900 does not typically appear in our top attacked ports lists, thus we continue to actively investigate this credential stuffing and IPv4 campaign.
In addition to remote access ports, including SMB port 445 and SSH port 22 (in position three), the number of nonstandard HTTP ports (8443, 8080, and 8088) targeted and other application ports, like Microsoft SMB port 445 and Microsoft CRM port 5555, make it clear that attackers are targeting applications in the United States.
Also noteworthy, the United States and Canada were the only regions in which PostgreSQL on port 5432 was targeted. This, along with the targeting of other database port 3306, indicates malicious actors are particularly interested in web applications and web application databases.
Source link
lol
Attack Types of Top Attacking IP Addresses Many of the IP addresses attacking American systems during the winter of 2019 were involved with abusive port scanning activity. As noted in the Top Target Ports section, Microsoft SMB port 445 was the highest targeted port. We continue to observe high levels of attack traffic pointed toward…