Regional Threat Perspectives, Fall 2019: United States
- by nlqip
Attack Types of Top Attacking IP Addresses
Of the top 50 IP addresses attacking systems in the U.S., the largest share were assigned in the U.S. (40%). The remainder of the top 50 attacking IP addresses were geographically distributed around the globe, with 14% coming from South Korea, 6% each coming from Russia and Moldova, and 12% coming from the Netherlands. These were seen launching scans against multiple ports (72%), conducting credential stuffing activity (25%), sending spam (1%), and launching attacks against HTTP and HTTPS (1%). Many of the IP addresses conducting abusive port scanning and credential stuffing are specifically targeting Remote Frame Buffer (RFB)/VNC port 5900 with brute force and credential stuffing attacks.
The IP addresses assigned to RM Engineering in Moldova, as well as those assigned to OVH SAS in France, were launching brute force and credential stuffing attacks against Remote Frame Buffer (RFB)/VNC port 5900 globally. Every region of the world is being hit with these same attacks from the following IP addresses:
- 185.153.197.251
- 185.153.198.197
- 46.105.144.48
- 193.188.22.114
- 185.156.177.44
- 185.153.196.159
- 5.39.39.49
- 185.40.13.3
This port 5900 activity was new: we first noticed it earlier in the summer, and it continued through October 31, 2019. We have opened a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be sharing our findings and asking questions soon. Join the conversation on Twitter.
Twenty-six percent of the IP addresses seen sending malicious traffic to Europe exclusively targeted this region. The following table lists the top attacking IP addresses in descending order of normalized count.
Source IP Address | AS Organization | Country | Normalized Count | Attack type known for |
--- | --- | --- | --- | --- |
193.188.22.114 | HOSTKEY B.v. | Russia | 637,316.30 | Credential stuffing, multi-port scanning |
185.156.177.44 | HOSTKEY B.v. | Russia | 625,738.50 | Credential stuffing, multi-port scanning |
185.156.177.11 | HOSTKEY B.v. | Russia | 622,451.50 | Credential stuffing, multi-port scanning |
185.153.197.251 | RM Engineering LLC | Republic of Moldova | 538,027.20 | Credential stuffing, multi-port scanning |
185.153.198.197 | RM Engineering LLC | Republic of Moldova | 532,990.70 | Credential stuffing, multi-port scanning |
212.83.172.140 | Online S.a.s. | France | 515,359.20 | Credential stuffing, multi-port scanning |
46.105.144.48 | OVH SAS | France | 440,409.00 | Credential stuffing, multi-port scanning |
104.238.194.34 | Versaweb, LLC | U.S. | 358,251.30 | Port scanning (ports 445, 1433) |
5.39.108.50 | OVH SAS | France | 292,101.50 | Credential stuffing, multi-port scanning |
148.251.20.137 | Hetzner Online GmbH | Germany | 241,383.50 | Port scanning (ports 25, 80, 443, 22) |
148.251.20.134 | Hetzner Online GmbH | Germany | 241,288.10 | Port scanning (ports 443, 22, 25, 80) |
185.153.196.159 | RM Engineering LLC | Republic of Moldova | 213,563.40 | Credential stuffing, multi-port scanning |
212.80.217.139 | Serverius Holding B.V. | Netherlands | 198,583.10 | Credential stuffing, multi-port scanning |
5.39.39.49 | OVH SAS | France | 183,993.20 | Credential stuffing, multi-port scanning |
198.245.60.31 | OVH SAS | Canada | 172,980.60 | Credential stuffing, multi-port scanning |
185.40.13.3 | GTECH S.p.A. | Italy | 150,877.20 | Port scanning (51 unique ports) |
211.44.226.158 | SK Broadband Co Ltd | South Korea | 144,206.20 | Port scanning (48 unique ports) |
112.175.124.2 | Korea Telecom | South Korea | 138,991.40 | Port scanning (61 unique ports) |
129.213.47.10 | Oracle Corporation | U.S. | 135,213.00 | Spam (port 25) |
218.237.65.80 | SK Broadband Co Ltd | South Korea | 123,029.60 | Port scanning (ports 53, 80, 22, 443) |
185.234.218.16 | sprint S.A. | Ireland | 121,521.00 | Credential stuffing, multi-port scanning |
112.175.127.189 | Korea Telecom | South Korea | 115,887.80 | Port scanning (48 unique ports) |
192.250.197.246 | CNSERVERS LLC | U.S. | 115,696.50 | Credential stuffing, multi-port scanning |
50.7.98.219 | Cogent Communications | U.S. | 103,632.70 | Port scanning (ports 1433, 445) |
24.181.29.254 | Charter Communications | U.S. | 88,894.40 | Port scanning (port 45) |
91.121.67.195 | OVH SAS | France | 78,244.40 | Credential stuffing, multi-port scanning |
66.194.167.76 | Renaissance Systems, Inc. | U.S. | 78,052.50 | Port scanning (port 5900) |
112.175.127.179 | Korea Telecom | South Korea | 71,686.00 | Port scanning (48 unique ports) |
194.187.175.68 | GTECH S.p.A. | Italy | 69,338.90 | Port scanning (45 unique ports) |
139.60.163.68 | HOSTKEY | U.S. | 63,769.90 | Credential stuffing, multi-port scanning |
112.175.127.186 | Korea Telecom | South Korea | 63,201.00 | Port scanning (46 unique ports) |
112.175.126.18 | Korea Telecom | South Korea | 60,488.30 | Port scanning (42 unique ports) |
212.32.233.178 | LeaseWeb Netherlands B.V. | Netherlands | 60,459.50 | Port scanning (ports 80, 25, 443) |
104.238.220.225 | ReliableSite.Net LLC | U.S. | 56,063.40 | HTTP attacks, multi-port scanning |
159.65.108.26 | DigitalOcean, LLC | U.S. | 51,599.30 | Port scanning (port 5900) |
140.82.24.119 | Choopa, LLC | U.S. | 48,775.80 | Port scanning (ports 80, 22, 161) |
165.22.187.191 | DigitalOcean, LLC | U.S. | 47,067.80 | Port scanning (port 5900) |
165.227.193.81 | DigitalOcean, LLC | U.S. | 47,053.80 | Port scanning (port 5900) |
165.22.179.197 | DigitalOcean, LLC | U.S. | 47,022.40 | Port scanning (port 5900) |
165.22.187.187 | DigitalOcean, LLC | U.S. | 46,266.50 | Port scanning (port 5900) |
134.209.204.225 | DigitalOcean, LLC | Netherlands | 42,677.10 | Port scanning (ports 80, 445, 53, 443, 22) |
134.209.206.170 | DigitalOcean, LLC | Netherlands | 42,582.60 | Port scanning (6 unique ports) |
165.22.6.17 | DigitalOcean, LLC | U.S. | 42,326.30 | Port scanning (port 5900) |
94.102.51.117 | IP Volume inc | Netherlands | 42,003.90 | Credential stuffing, multi-port scanning |
134.209.196.85 | DigitalOcean, LLC | Netherlands | 41,063.40 | Port scanning (7 unique ports) |
165.22.6.170 | DigitalOcean, LLC | U.S. | 40,638.00 | Port scanning (port 5900) |
165.22.10.222 | DigitalOcean, LLC | U.S. | 39,692.70 | Port scanning (port 5900) |
165.22.6.18 | DigitalOcean, LLC | U.S. | 39,211.40 | Port scanning (port 5900) |
165.22.6.161 | DigitalOcean, LLC | U.S. | 38,726.20 | Port scanning (port 5900) |
165.22.187.190 | DigitalOcean, LLC | U.S. | 38,507.60 | Port scanning (port 5900) |
Table 2. Top attacking IP addresses in descending order.
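A report table like Table 2 is most useful once it is machine-readable, so an analyst can rank countries or hosting providers by volume and pull out the hosts tied to a specific port for blocklist review. The following Python script is an added example and is not code from the original report: it parses rows in the exact pipe-delimited shape used above (the rows embedded in `TABLE_ROWS` are a subset copied verbatim from Table 2), sums normalized counts by any column, tags each row with coarse attack categories, and extracts the IPs whose description names a given port. The function names, the category labels and the port-extraction regex are my own choices.

```python
"""Parse and aggregate the pipe-delimited attacker table (Table 2) above.

Added example; not code from the original report. The rows in
TABLE_ROWS are a subset copied verbatim from Table 2; the function
names and the coarse attack categories are my own choices.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Subset of Table 2 rows, copied verbatim from the report above.
TABLE_ROWS = """\
193.188.22.114 | HOSTKEY B.v. | Russia | 637,316.30 | Credential stuffing, multi-port scanning |
185.153.197.251 | RM Engineering LLC | Republic of Moldova | 538,027.20 | Credential stuffing, multi-port scanning |
104.238.194.34 | Versaweb, LLC | U.S. | 358,251.30 | Port scanning (ports 445, 1433) |
148.251.20.137 | Hetzner Online GmbH | Germany | 241,383.50 | Port scanning (ports 25, 80, 443, 22) |
185.40.13.3 | GTECH S.p.A. | Italy | 150,877.20 | Port scanning (51 unique ports) |
129.213.47.10 | Oracle Corporation | U.S. | 135,213.00 | Spam (ports: 25) |
66.194.167.76 | Renaissance Systems, Inc. | U.S. | 78,052.50 | Port scanning (port 5900) |
104.238.220.225 | ReliableSite.Net LLC | U.S. | 56,063.40 | HTTP attacks, multi-port scanning |
159.65.108.26 | DigitalOcean, LLC | U.S. | 51,599.30 | Port scanning (port 5900) |
165.22.187.191 | DigitalOcean, LLC | U.S. | 47,067.80 | Port scanning (port 5900) |
"""

# Keyword -> coarse category (my own labels, not the report's taxonomy).
CATEGORY_KEYWORDS = {
    "credential stuffing": "credential_stuffing",
    "scanning": "port_scanning",
    "spam": "spam",
    "http attacks": "http_attacks",
}

# Matches an explicit port list such as "(port 5900)" or "(ports: 25, 80)";
# "(51 unique ports)" carries no port numbers and deliberately does not match.
PORT_LIST_RE = re.compile(r"ports?:?\s*([\d,\s]+)\)")


def parse_row(line):
    """Turn one 'ip | org | country | count | attack |' row into a dict, or None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 5:
        return None
    ip, org, country, count, attack = cells
    try:
        ipaddress.ip_address(ip)          # rejects the header row and typos
        normalized = float(count.replace(",", ""))
    except ValueError:
        return None
    lowered = attack.lower()
    categories = {tag for kw, tag in CATEGORY_KEYWORDS.items() if kw in lowered}
    m = PORT_LIST_RE.search(lowered)
    ports = {int(p) for p in m.group(1).replace(",", " ").split()} if m else set()
    return {"ip": ip, "org": org, "country": country, "count": normalized,
            "categories": categories, "ports": ports}


def parse_table(text):
    """All parseable rows of a pipe-delimited table, in table order."""
    return [r for r in (parse_row(line) for line in text.splitlines()) if r]


def total_by(records, field):
    """Sum of normalized counts grouped by a field such as 'country' or 'org'."""
    totals = defaultdict(float)
    for r in records:
        totals[r[field]] += r["count"]
    return dict(totals)


def category_counts(records):
    """How many rows fall into each coarse category (a row may be in several)."""
    return Counter(tag for r in records for tag in r["categories"])


def ips_targeting_port(records, port):
    """IPs whose attack description explicitly names the port, in address order."""
    return sorted((r["ip"] for r in records if port in r["ports"]),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_table(TABLE_ROWS)
    for country, total in sorted(total_by(recs, "country").items(),
                                 key=lambda kv: -kv[1]):
        print(f"{country:20s} {total:>14,.2f}")
    print("categories:", dict(category_counts(recs)))
    print("port 5900 scanners:", ips_targeting_port(recs, 5900))
```

Rows whose description only gives a count of unique ports (for example "51 unique ports") yield an empty port set, so they never appear in `ips_targeting_port`; that is deliberate, since the table does not say which ports those hosts probed. Pasting the full Table 2 into `TABLE_ROWS` gives the complete per-country and per-provider totals.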
Top Targeted Ports
VNC port 5900 was the top attacked port in the U.S. from August 1, 2019 through October 31, 2019, and it was being attacked all over the world during this period (see Figure 7). This activity is not typical, hence the investigative threat hunting we are doing on Twitter, mentioned previously. SMB port 445 was a distant second among the services/ports attacked in the U.S., followed closely by SSH port 22. After SSH, HTTP port 80 and HTTPS port 443 were among the top attacked services. These ports are commonly targeted because exploiting a vulnerability in the service behind port 445, 22, or 23 can give a malicious actor access to the entire system.
What stands out most among the top attacked ports in the U.S. threat landscape is the targeting of port 45. Port 45 does not have an official designation, but it appears to have something to do with messaging, and it may be an alternate port for SNMP or used in conjunction with SNMP. That port does not show up in any other region we analyzed during the same time period.
In addition to the most commonly targeted ports, the targeting of non-standard HTTP ports (8443, 8080, and 8088) and of other application ports such as Microsoft SMB port 445 and Microsoft CRM port 5555 makes it clear that attackers are targeting applications in the U.S.
Also noteworthy, the U.S. and the Middle East were the only regions in which SQL on port 1433 was targeted. This, along with the targeting of other database ports such as 3389 and 3306, indicates that malicious actors are particularly interested in web applications and web application databases.
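The observation that matters for a defender in this section is not the ranking itself but that an unexpected port (5900 here, and the otherwise unseen port 45) suddenly drew traffic from many distinct sources. The script below is an added example, not part of the original report, showing how to derive that signal from perimeter deny logs: it summarises denies per destination port, ranks them, and flags ports outside a baseline of routinely probed services once they are hit by a minimum number of distinct sources. The log lines in `LOG_LINES` are constructed in an assumed simplified firewall format (`<timestamp> <DENY|ALLOW> src=<ip> dst=<ip> dport=<port> proto=<proto>`) using RFC 5737 documentation addresses, and the `EXPECTED_PORTS` baseline is my own choice.

```python
"""Summarise denied connections by destination port and flag ports that are
not expected services yet draw many distinct sources (as ports 5900 and 45
did in this report).

Added example; not from the original report. LOG_LINES are constructed in an
assumed simplified firewall format using RFC 5737 documentation addresses;
the EXPECTED_PORTS baseline is my own choice and should be replaced with the
services a given network actually exposes.
"""
import re
from collections import defaultdict

# Constructed sample: four sources hammer 5900, three probe port 45, the
# rest is routine background noise plus one allowed flow and one bad line.
LOG_LINES = """\
2019-10-03T11:02:14Z DENY src=192.0.2.10 dst=203.0.113.5 dport=5900 proto=tcp
2019-10-03T11:02:15Z DENY src=192.0.2.10 dst=203.0.113.5 dport=5900 proto=tcp
2019-10-03T11:02:16Z DENY src=192.0.2.11 dst=203.0.113.5 dport=5900 proto=tcp
2019-10-03T11:02:17Z DENY src=192.0.2.12 dst=203.0.113.6 dport=5900 proto=tcp
2019-10-03T11:02:18Z DENY src=192.0.2.13 dst=203.0.113.6 dport=5900 proto=tcp
2019-10-03T11:03:01Z DENY src=198.51.100.7 dst=203.0.113.5 dport=445 proto=tcp
2019-10-03T11:03:02Z DENY src=198.51.100.8 dst=203.0.113.5 dport=445 proto=tcp
2019-10-03T11:03:03Z DENY src=198.51.100.9 dst=203.0.113.5 dport=22 proto=tcp
2019-10-03T11:04:00Z DENY src=192.0.2.20 dst=203.0.113.7 dport=45 proto=tcp
2019-10-03T11:04:01Z DENY src=192.0.2.21 dst=203.0.113.7 dport=45 proto=tcp
2019-10-03T11:04:02Z DENY src=192.0.2.22 dst=203.0.113.7 dport=45 proto=tcp
2019-10-03T11:05:00Z DENY src=198.51.100.30 dst=203.0.113.8 dport=8080 proto=tcp
2019-10-03T11:05:01Z ALLOW src=198.51.100.31 dst=203.0.113.8 dport=443 proto=tcp
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

# Ports whose probing is routine background noise on most Internet-facing
# networks (assumed baseline; tune per environment).
EXPECTED_PORTS = {22, 23, 25, 80, 443, 445, 1433, 3306, 3389}


def parse_denies(text):
    """Return (src, dport) for well-formed DENY lines; skip everything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("action") == "DENY":
            events.append((m.group("src"), int(m.group("dport"))))
    return events


def summarise(events):
    """dport -> {"hits": total denies, "sources": set of distinct source IPs}."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for src, dport in events:
        summary[dport]["hits"] += 1
        summary[dport]["sources"].add(src)
    return dict(summary)


def top_ports(summary, n=5):
    """Most-hit ports as (port, hits), ties broken by port number."""
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [(port, info["hits"]) for port, info in ranked[:n]]


def flag_unexpected(summary, expected=EXPECTED_PORTS, min_sources=3):
    """Ports outside the baseline hit by at least min_sources distinct
    sources, as (port, hits, distinct_sources), busiest first."""
    flagged = [(port, info["hits"], len(info["sources"]))
               for port, info in summary.items()
               if port not in expected and len(info["sources"]) >= min_sources]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    s = summarise(parse_denies(LOG_LINES))
    print("top ports:", top_ports(s))
    for port, hits, srcs in flag_unexpected(s):
        print(f"unexpected port {port}: {hits} denies from {srcs} distinct sources")
```

The distinct-source threshold is what separates a single noisy scanner from the distributed pattern the report describes; on the sample data port 8080 is hit by one source and stays quiet, while 5900 and 45 are flagged. Lowering `min_sources` to 1 turns it into a plain "anything off-baseline" report.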