Regional Threat Perspectives: Canada
Comparing ports targeted in Canada versus the US, Europe, or Australia, Canada was the only region where DNS port 53 and the UPnP port 37215 were on the top 20 targeted port list. The UPnP port relates to Huawei small office home office (SOHO) routers with a Remote Code Execution (RCE) vulnerability (CVE-2017-17215 and Exploit ID 43414) that is targeted in the Kaizen, Katrina_V1, Sora, Owari, Mirai, and Hakai IoT botnets, or “thingbots.” Similarly, Microtik routers over port 8291 (CVE-2018-14847) were targeted in US, Europe, and Australia.
Conclusion
Organizations should continually run external vulnerability scans to discover what systems are exposed publicly, and on which specific ports. Systems exposed publicly with the top attacked ports open should be prioritized for firewalling off, most notably the ports from this attack traffic that should never be exposed to the big bad Internet, including: SIP port 5060, secure SIP 5061, Microsoft Samba port 445, MS SQL port 1433, MySQL port 3306, SSH port 22, Microsoft RDP port 3389 and Telnet port 23. Web applications taking traffic on ports 80, 81, 8080, and 443 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and prioritized for vulnerability management, including but not limited to bug fixes and patching.
A lot of the attacks we see on ports supporting remote access services like SSH and Telnet are brute-force attacks with known vendor default credentials. For a list of the top 100 credential pairs used in SSH brute force attacks, see the Hunt for IoT Volume 5. Remote administrative login should be restricted to a management network and have adequate brute force protections in place.
Network administrators and security engineers should review network logs for any connections from the top attacking IP addresses. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs so they hopefully shut down the attacking systems.
For those interested in IP blocking, it can be troublesome to maintain large IP blocklists and also block IP addresses within ISPs that offer Internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up. Blocking traffic from entire ASNs or an entire ISP can be problematic for the same reason—blocking their entire network would block all of their customers from doing business with you. Unless, of course, it’s an ISP supporting a country you don’t do business with. In that case, geolocation blocking at a country level can be effective way to reduce a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is best to drop traffic based on the attack pattern using your web application firewall.
We will continue to monitor global attacks and analyze at a regional level quarterly. Future research in this series will include the Asia-Pacific, Middle East and North Africa, and Latin American regions. If you are an implicated ASN or ISP, please reach out to us at F5LabsTeam@F5.com and we’ll be happy to share further information with you.
Source link
lol
Comparing ports targeted in Canada versus the US, Europe, or Australia, Canada was the only region where DNS port 53 and the UPnP port 37215 were on the top 20 targeted port list. The UPnP port relates to Huawei small office home office (SOHO) routers with a Remote Code Execution (RCE) vulnerability (CVE-2017-17215 and Exploit…