Regional Threat Perspectives, Fall 2019: Middle East
IP Addresses Attacking the Middle East Compared to Other Regions
We looked at the volume of attack traffic Middle Eastern systems received per IP address and compared that to other regions of the world. Attack traffic destined for Middle Eastern systems had little overlap with the rest of the world except for a handful of IP addresses launching global attacks against RFB/VNC port 5900 (see the next section). Eighty percent of the top attacking IP addresses sending malicious traffic to the middle east were unique to the Middle East region, 16% of that top 50 were seen sending malicious attack traffic to all other regions in the world, and the remaining 4% were seen targeting 7/8 of the regions we looked at.
Attack Types of Top Attacking IP Addresses
Of the top 50 IP addresses attacking systems in the Middle East, most were Russian (64%). These IP addresses along with the remainder coming from the Netherlands (4%), Romania (4%), Moldova (6%), France (8%), Spain (2%), Germany (6%), Italy (2%), France (8%), and Ukraine (4%) are launching scans against multiple ports (49%), targeting port 80 and 8080 with HTTP attacks (5%), and targeting Remote Frame Buffer (RFB)/VNC port 5900 with brute force and credential stuffing attacks (19%).
The IP addresses in Moldova assigned to RM Engineering, as well as OVH SAS in France, were launching brute force and credential stuffing attacks against Remote Frame Buffer (RFB)/VNC port 5900, globally. All regions of the world are being hit with these same attacks from the following IP addresses:
- 185.153.197.251
- 185.153.198.197
- 46.105.144.48
- 193.188.22.114
- 185.156.177.44
- 185.153.196.159
- 5.39.39.49
- 185.40.13.3
These port 5900 attacks were new activity we noticed earlier in the summer and continued through October 31, 2019. We are conducting an investigation and will be looking to share our findings publicly on Twitter.
Eighty percent of the IP addresses seen sending malicious traffic to the Middle East exclusively targeted this region. The following list is in descending order starting with top attacking IP addresses.
| Source IP Address | ASN Organization | Country | Normalized Attack Count | Attacks Known For |
| 31.184.196.195 | Petersburg Internet Network | Russia | 1,830,560.5 | Multi-port scanning |
| 31.184.197.195 | Petersburg Internet Network | Russia | 1,743,359.4 | Multi-port scanning |
| 31.184.196.199 | Petersburg Internet Network | Russia | 1,713,624.0 | Multi-port scanning |
| 31.184.197.199 | Petersburg Internet Network | Russia | 1,709,400.9 | Multi-port scanning |
| 185.143.221.104 | Selectel | Netherlands | 1,205,687.1 | Multi-port scanning |
| 80.82.78.104 | IP Volume inc | Netherlands | 929,167.6 | Multi-port scanning |
| 185.176.27.250 | SS-Net | Russia | 922,830.2 | Multi-port scanning |
| 92.118.37.97 | Donner Oleg Alexeevich | Romania | 563,369.5 | Multi-port scanning |
| 185.153.197.251 | RM Engineering LLC | Moldova | 557,115.2 | Multi-port scanning |
| 185.176.27.6 | SS-Net | Russia | 544,818.3 | Multi-port scanning |
| 93.189.222.80 | DIANET Ltd. | Russia | 527,462.7 | Credential stuffing and HTTP attacks |
| 93.189.249.109 | Teleline Ltd. | Russia | 525,814.4 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 185.153.198.197 | RM Engineering | Moldova | 503,611.6 | Credential stuffing and multi-port scanning |
| 92.119.160.90 | Selectel | Russia | 474,398.1 | Multi-port scanning |
| 185.58.204.69 | Marosnet Telecommunication Company LLC | Russia | 454,153.3 | Multi-port scanning |
| 185.58.206.51 | Marosnet Telecommunication Company LLC | Russia | 453,857.1 | Multi-port scanning |
| 185.58.206.15 | Marosnet Telecommunication Company LLC | Russia | 389,440.9 | Multi-port scanning |
| 185.87.48.104 | Marosnet Telecommunication Company LLC | Russia | 384,468.3 | Multi-port scanning |
| 93.189.147.162 | IMAQLIQ SERVICE Ltd | Russia | 374,878.9 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 92.119.160.251 | Selectel | Russia | 356,754.9 | Multi-port scanning |
| 92.119.160.250 | Selectel | Russia | 347,531.5 | Multi-port scanning |
| 93.189.144.135 | IMAQLIQ SERVICE Ltd | Russia | 347,236.6 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 93.189.204.162 | JSC ER-Telecom Holding | Russia | 256,840.9 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 185.254.122.50 | UGB Hosting OU | Russia | 224,907.5 | Multi-port scanning |
| 185.153.196.159 | RM Engineering LLC | Republic of Moldova | 212,839.1 | Credential stuffing and multi-port scanning |
| 46.105.144.48 | OVH SAS | France | 202,142.7 | Credential stuffing and multi-port scanning |
| 185.176.27.246 | SS-Net | Russia | 198,532.4 | Multi-port scanning |
| 51.75.32.149 | OVH SAS | France | 198,274.3 | Multi-port scanning |
| 185.40.13.3 | GTECH S.p.A. | Italy | 192,255.5 | Multi-port scanning |
| 194.67.207.25 | MAROSNET Telecommunication Company LLC | Russia | 190,066.7 | Multi-port scanning |
| 62.210.220.217 | Online S.a.s. | France | 186,914.8 | Multi-port scanning |
| 91.217.254.37 | PE Taran Marina Vasil’evna | Ukraine | 186,263.8 | Multi-port scanning |
| 91.217.254.167 | PE Taran Marina Vasil’evna | Ukraine | 185,763.6 | Multi-port scanning |
| 5.39.39.49 | OVH SAS | France | 184,431.2 | Credential stuffing and multi-port scanning |
| 148.251.20.137 | Hetzner Online GmbH | Germany | 176,001.6 | Multi-port scanning |
| 148.251.20.134 | Hetzner Online GmbH | Germany | 175,726.6 | Multi-port scanning |
| 185.176.27.166 | SS-Net | Russia | 175,511.8 | Multi-port scanning |
| 194.67.202.109 | MAROSNET Telecommunication Company LLC | Russia | 172,302.0 | Multi-port scanning |
| 185.176.27.186 | SS-Net | Russia | 170,891.8 | Multi-port scanning |
| 185.175.93.105 | IP CHistyakov Mihail Viktorovich | Spain | 170,151.3 | Multi-port scanning |
| 92.118.37.86 | Donner Oleg Alexeevich | Romania | 169,713.6 | Multi-port scanning |
| 185.176.27.18 | SS-Net | Russia | 166,207.1 | Multi-port scanning |
| 62.173.145.112 | Internet-Cosmos LLC | Russia | 156,611.4 | Multi-port scanning |
| 62.173.139.141 | Internet-Cosmos LLC | Russia | 155,513.1 | Multi-port scanning |
| 62.173.149.167 | Internet-Cosmos LLC | Russia | 155,443.9 | Multi-port scanning |
| 185.176.27.42 | SS-Net | Russia | 152,556.9 | Multi-port scanning |
| 92.119.160.52 | Selectel | Russia | 145,908.0 | Multi-port scanning |
| 213.136.90.36 | Contabo GmbH | Germany | 143,881.3 | Credential stuffing and multi-port scanning |
| 193.188.22.114 | Hostkey B.v. | Russia | 142,707.9 | Credential stuffing and multi-port scanning |
Top Targeted Ports
Looking at the destination ports of the attacks helps us understanding what types of systems and services attackers are looking for. Microsoft SMB port 445 was the number one attacked port in the Middle East by a large margin. In a distant second was SSH port 22. Both of these ports are commonly targeted as exploiting a vulnerability, and either port can give a malicious actor access to the entire system. The third most attacked port, VNC 5900, was being attacked all over the world during this time period. This activity is not typical, hence the investigative threat hunting we are doing on Twitter mentioned previously.
What stands out the most in top attacked ports in the Middle East is the targeting of DNS port 53. That port does not show up in any other region we analyzed during the same time period.
In addition to some of the most commonly targeted ports, the number of non-standard HTTP ports (81, 8443, and 8080) and other application ports like Microsoft SMB port 445, and Microsoft CRM port 5555 makes it clear that attackers are targeting applications in the Middle East.
Also noteworthy is the apparent attempt to compromise IoT systems in the Middle East by targeting ports 7547 and 8291, both of which are only used by SOHO routers and are commonly attacked by IoT botnets (thingbots). We called out these ports in our 2017 report, The Hunt for IoT: The Rise of Thingbots.
Source link
lol
IP Addresses Attacking the Middle East Compared to Other Regions We looked at the volume of attack traffic Middle Eastern systems received per IP address and compared that to other regions of the world. Attack traffic destined for Middle Eastern systems had little overlap with the rest of the world except for a handful of…