Attacks Types of Top Attacking IP Addresses

Of the top 50 IP addresses attacking systems in the U.S., the most IP addresses were assigned in the U.S. (40%). The remainder of the top 50 attacking IP addresses were geographically distributed around the globe with 14% coming from South Korea, 6% each coming from Russia and Moldova, and 12% coming from the Netherlands. These were seen launching scans against multiple ports (72%), conducting credential stuffing activity (25%), sending spam (1%), and launching attacks against HTTP and HTTPS (1%) Many of the IP addresses conducting abusive port scanning and credential stuffing are specifically targeting Remote Frame Buffer (RFB)/VNC port 5900 with brute force and credential stuffing attacks.

The IP addresses in Moldova assigned to RM Engineering, as well as OVH SAS in France, were launching brute force and credential stuffing attacks against Remote Frame Buffer (RFB)/VNC port 5900, globally. All regions of the world are being hit with these same attacks from these IP addresses:

• 185.153.197.251
• 185.153.198.197
• 46.105.144.48
• 193.188.22.114
• 185.156.177.44
• 185.153.196.159
• 5.39.39.49
• 185.40.13.3

These port 5900 attacks were new activity we noticed earlier in the summer and continued through October 31, 2019. We have opened up a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be looking to share our findings and ask questions soon. Join the conversation on Twitter.

Twenty-six percent of the IP addresses seen sending malicious traffic to Europe exclusively targeted this region. The following list is in descending order starting with top attacking IP addresses.

Table 2. Top attacking IP addresses in descending order.

Top Targeted Ports

VNC port 5900 was the top attacked port in the U.S. from August 1, 2019 through October 31, 2019. It is being attacked all over the world during this time period (see Figure 7). This activity is not typical, hence the investigative threat hunting we are doing on Twitter mentioned previously. SMB port 445 was in a distant second position for service/port attacked in the U.S. This activity was followed closely by SSH port 22. After SSH, HTTP port 80 and HTTPS port 443 are some of the top attacked services. These ports are commonly targeted as exploiting a vulnerability on port 445, 22, or 23 can give a malicious actor access to the entire system.

What stands out the most in top attacked ports in the U.S. threat landscape is the targeting of port 45. Port 45 does not have an official designation, but appears to have something to do with messaging, and it may be an alternate use for SNMP or used in conjunction with SNMP. That port does not show up in any other region we analyzed during the same time period.

In addition to some of the most commonly targeted ports, the number of non-standard HTTP ports (8443, and 8080, and 8088) targeting, and other application ports like Microsoft SMB port 445, and Microsoft CRM port 5555 makes it clear that attackers are targeting applications in the U.S.

Also noteworthy, the U.S. and the Middle East were the only regions in which SQL on port 1433 was targeted. This along with the targeting of other database ports such as 3389 and 3306 indicate malicious actors are particularly interested in web applications and web application databases.