Cyberthreats Targeting the United States, Winter 2019

2024 Cybersecurity Predictions


Attack Types of Top Attacking IP Addresses

Many of the IP addresses attacking American systems during the winter of 2019 were involved with abusive port scanning activity. As noted in the Top Target Ports section, Microsoft SMB port 445 was the highest targeted port. We continue to observe high levels of attack traffic pointed toward RFB/VNC port 5900, and as our sensor stacks evolve, we notice more IP addresses targeting SMB port 445 at higher rates.

Along with these attacks, we are also noticing a large amount of attack traffic in the United States directed toward databases and other web application protocols.

Source IP Address Attack Type ASN Source Country United States Count
104.238.194.34 Port Scanning: SMB port 445, MS SQL port 1433 Versaweb, LLC United States 1,397,377
193.188.22.114 Port Scanning: SMB port 445, MS SQL port 1433 Hostkey B.v. Russia 1,390,698
185.156.177.11 Port Scanning: RFB/VNC port 5900 Hostkey B.v. Russia 1,384,990
185.156.177.44 Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23 Hostkey B.v. Russia 1,370,536
212.80.217.139 Port Scanning: 48 unique ports Serverius Holding B.V. Netherlands 598,132
185.153.198.197 Credential Stuffing: RFB/VNC port 5900 RM Engineering Moldova 490,247
185.153.197.251 Port Scanning: 6 unique ports RM Engineering Moldova 486,688
104.238.221.65 Port Scanning: SMB port 445, MS SQL port 1433 ReliableSite.Net LLC   476,363
185.153.196.159 Credential Stuffing: RFB/VNC port 5900 RM Engineering Moldova 399,751
148.251.20.137 Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25 Hetzner Online GmbH Germany 373,181
148.251.20.134 Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 Hetzner Online GmbH Germany 373,034
52.58.75.133 Port Scanning: 443, 445, HTTP port 80 Amazon.com Germany 278,175
185.40.13.3 Port Scanning: RFB/VNC port 5900 & 5901 GTECH S.p.A. Italy 233,258
212.83.172.140 Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22 Online S.a.s. France 232,718
211.44.226.158 Port Scanning: SMB port 445, MS SQL port 1433 SK Broadband Co Ltd South Korea 222,944
52.57.70.66 Port Scanning: 6 unique ports Amazon.com Germany 219,125
112.175.124.2 Port Scanning: 61 unique ports Korea Telecom South Korea 214,882
35.158.151.206 Port Scanning: 6 unique ports Amazon.com Germany 213,525
50.7.98.219 Port Scanning: ICB/SWX port 7326 Cogent Communications United States 160,217
185.234.218.16 Port Scanning: SMB port 445, WebLogic port 7001, 8080, MS SQL port 1433
HTTP Attacks: Alt-HTTP port 8080
Malware Uploads: SMB port 445
Sprint S.A. Ireland 159,383
185.56.252.57 Port Scanning: MS RDP port 3389, port 5909, RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Bellnet Limited Portugal 155,072
104.238.202.134 Port Scanning: MS SQL port 1433, SMB port 445 Essensys Inc.   142,692
89.248.174.201 Port Scanning: SMB port 445, MS SQL port 1433 IP Volume Netherlands 140,126
112.175.127.189 Port Scanning: 48 unique ports Korea Telecom South Korea 120,510
112.175.127.179 Port Scanning: 48 unique ports Korea Telecom South Korea 110,827

Table 1. Top attacking IP addresses and their attack types targeting U.S. systems, October 1, 2019–December 31, 2019

Uniquely Targeting U.S. Systems

Along with tracking the top attacking IP addresses, we also isolated the IP addresses that attacked only U.S. systems and gathered further information about what they might be. We noticed during this time period that the IP addresses that uniquely targeted U.S. systems were mostly located in the United States, with a few in Japan, one in Mexico, and one in Germany. Like the top attacking IP addresses, we noticed that these IP addresses were engaged in a range of behaviors, from abusive port scanning to credential stuffing. Notably, these IP addresses were mostly focused on attacking web application protocols.

Details from the Shodan search engine provided more color regarding what these attacking systems could be. In this case, the IP address geolocated in Mexico appears to belong to Alestra, a Mexican IT services company. Another attacking IP address appears to belong to Lone Car Rental Systems, a company that provides car rental reservation software. A range of different systems appears to be attacking U.S. systems, including one which seems to belong to Vultr, a VPN service.

IP Address ASN Country Attack Type IP Address Info (Shodan)
104.238.194.34 Versaweb, LLC United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) None
104.238.221.65 ReliableSite.Net United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) Host Name: lax01.hostwiki.net
Open Ports & Services: 8888
50.7.98.219 Cogent Communications United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) None
104.238.202.134 essensys Inc. United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) Host Name: host-104-238-202-134.essensys.co.uk
Open Ports & Services: 80 (Nginx), 81, 8080 (Apache, Coyote JSP)
104.238.220.225 ReliableSite.Net LLC United States Port Scanning: 7001, 445 (MS SMB), 1433 (MS SQL)
HTTP Attacks: 8080 (Alt-HTTP)
Open Ports & Services: 22 (OpenSSH), 111 (Portmap)
207.248.236.84 Alestra, S. de R.L. de C.V. Mexico Port Scanning: 445 (MS SMB), 1433 (MS SQL) Host Name: static-207-248-236-84.alestra.net.mx
Open Ports & Services: 80 (MS IIS), 88 (MS IIS), 137 (NetBIOS), 443 (MS IIS), 445 (SMB), 1433 (MS SQL Server) 1434 (MS SQL Server), 3389 (MS RDP), 
165.227.69.239 Digital Ocean United States Credential Stuffing: 23 (Telnet) 22 OpenSSH, 111 (Portmap)
140.82.24.119 Choopa, LLC United States Port Scanning: 22 (SSH), 161 (SNMP), 80 (HTTP) Hostname: 140.82.24.119.vultr.com
Open Ports: 1723 (Mikrotik PPTP)
66.194.167.76 Renaissance Systems United States Port Scanning: 5900 (RFB/VNC) OS: Window Server 2003
Hostname: crosspoint.
lonestarrentalsystems.com.c
Open Ports:  80 (MS IIS), 3389 (RDP)
47.74.56.139 Alibaba (US) Japan Port Scanning: 445 (MS SMB), 443 (HTTPS), 25 (SMTP), 22 (SSH), 80 (HTTP) None
47.245.2.225 Alibaba (US) Japan Port Scanning: 25 (SMTP), 443 (HTTPS), 445(MS SMB), 80 (HTTP), 22 (SSH)  
24.39.3.105 Charter Communications United States Port Scanning: 5900 (RFB/VNC)  
159.65.108.26 Digital Ocean United States Port Scanning: 5900 (RFB/VNC)  
52.57.6.67 Amazon.com, Inc. Germany Port Scanning: 443 (HTTPS), 445 (SMB), 80 (HTTP)  
50.7.98.218 Cogent Communications United States Port Scanning: 445 (MS SMB), 1433 (MS SQL)  

Table 2. Top attacking IP addresses and their attack types targeting only U.S. systems, October 1, 2019–December 31, 2019

Top Targeted Ports

SMB port 445 was the top attacked port in the United States from October 1 through December 31, 2019. This is a shift from the fall regional threat perspective we wrote about the United States, where RFB/VNC port 5900 was the top attacked port. This can be attributed to constantly updating and evolving our sensor stack regarding the current threat landscape. Unlike many other global regions, we saw a closer gap between first and second position for the top attacked ports. This may be attributed to our current perspective and the fact that more VNC port 5900 attacks were directed toward sensors in the United States than anywhere else in the world. VNC port 5900 does not typically appear in our top attacked ports lists, thus we continue to actively investigate this credential stuffing and IPv4 campaign.

In addition to remote access ports, including SMB port 445 and SSH port 22 (in position three), the number of nonstandard HTTP ports (8443, 8080, and 8088) targeted and other application ports, like Microsoft SMB port 445 and Microsoft CRM port 5555, make it clear that attackers are targeting applications in the United States.

Also noteworthy, the United States and Canada were the only regions in which PostgreSQL on port 5432 was targeted. This, along with the targeting of other database port 3306, indicates malicious actors are particularly interested in web applications and web application databases.



Source link
lol

Attack Types of Top Attacking IP Addresses Many of the IP addresses attacking American systems during the winter of 2019 were involved with abusive port scanning activity. As noted in the Top Target Ports section, Microsoft SMB port 445 was the highest targeted port. We continue to observe high levels of attack traffic pointed toward…

Leave a Reply

Your email address will not be published. Required fields are marked *