F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varied regionally in terms of sources, targets, and attack types. In addition, targeted ports exposed regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Australia, Europe, Russia, Asia, Latin America, and the Middle East. Australian systems were probed for vulnerabilities on the ports most commonly used by applications, but these attacks were outweighed by a global campaign targeting VNC port 5900.

• IP addresses assigned in Europe were the primary source of attacks targeting systems in Australia in the fall of 2019. Specifically, IP addresses assigned to OVH SAS in France launched the most malicious traffic to the region.
• The top five IP addresses launching attacks against systems in Australia were engaged in a global campaign targeting RFB/VNC port 5900 that began in June 2019. Because of this large global campaign, VNC port 5900 was the top targeted port in Australia during this period.
• The RFB/VNC port 5900 attacks brought a new threat actor network onto the scene: RM Engineering LLC out of Moldova.
• Attackers launched reconnaissance scans against Internet facing applications in Australia, looking for vulnerabilities in commonly used services (VNC, HTTP, HTTPS, SMB, RDP, MySQL). They also conducted credential stuffing attacks against SSH and Telnet remote access.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic” countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”

IP addresses assigned to France launched the most malicious traffic against systems in Australia from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:

1. France
2. Moldova
3. Russia
4. Italy
5. Netherlands
6. China
7. United States
8. South Korea
9. Turkey
10. Germany

All of the top 10, with the exception of Venezuela and Costa Rica, were also the top malicious source traffic countries globally. The top 5 source traffic countries, all within the European continent, is a threat profile only shared with Asia during this period. All other global regions had either the US, Canada or an Asian country in their top 5 source traffic countries list.