Regional Threat Perspectives, Fall 2019: Canada
- by nlqip
Attack Types of the Top Attacking IP Addresses
The top 50 IP addresses attacking systems in Canada were spread fairly evenly across the globe. Eight percent are assigned to South Korea, closely followed by the U.S. with 7%. Though smaller in number, the three Canadian IP addresses in the top attacking list were responsible for 17% of all attack traffic that targeted Canadian systems. These IP addresses were conducting a variety of activities, but most were scanning or doing some form of credential stuffing.
Of the top 50 attacking IP addresses, 65% were engaging in aggressive multi-port scanning, 32% in aggressive credential stuffing, and the remaining 2% were evenly split between HTTP attacks against ports 8080, 8443, and 2375 and attempts to upload malware through SMB shares on port 445. The IP addresses in Moldova assigned to RM Engineering, as well as those of OVH SAS in France, were launching brute force and credential stuffing attacks against Remote Frame Buffer (RFB) / VNC port 5900 globally. All regions of the world were being hit with the same attacks from the same set of IP addresses, each of which also appears in Table 2 below.
These port 5900 attacks were new activity we first noticed earlier in the summer, and they continued through October 31, 2019. We have opened a public threat hunting investigation on Twitter to uncover what is behind these attacks and will share our findings and ask questions there soon. Join the conversation on Twitter.
As mentioned, only 10% of the IP addresses seen targeting Canada were exclusively targeting the region. This indicates that Canadian systems were likely not being targeted geographically but rather for the services they were providing. The following table lists the top attacking IP addresses in descending order of attack count.
| Source IP Address | AS Organization | Country | Normalized Count | Attacks Known For |
|---|---|---|---|---|
| 192.99.222.16 | OVH SAS | Canada | 716,690.60 | Multi-port scanning |
| 185.153.197.251 | RM Engineering LLC | Republic of Moldova | 518,482.80 | Credential stuffing, multi-port scanning |
| 185.153.198.197 | RM Engineering LLC | Republic of Moldova | 481,153.40 | Credential stuffing, multi-port scanning |
| 46.105.144.48 | OVH SAS | France | 414,766.50 | Credential stuffing, multi-port scanning |
| 192.99.140.91 | OVH SAS | Canada | 324,049.60 | Malware uploads |
| 5.39.108.50 | OVH SAS | France | 294,705.10 | Credential stuffing, multi-port scanning |
| 193.188.22.114 | HOSTKEY B.v. | Russia | 283,938.30 | Credential stuffing, multi-port scanning |
| 185.156.177.44 | HOSTKEY B.v. | Russia | 280,945.30 | Credential stuffing, multi-port scanning |
| 185.156.177.11 | HOSTKEY B.v. | Russia | 279,985.70 | Credential stuffing, multi-port scanning |
| 212.83.172.140 | Online S.A.S. | France | 266,336.80 | Credential stuffing, multi-port scanning |
| 148.251.20.134 | Hetzner Online GmbH | Germany | 210,316.30 | Multi-port scanning |
| 148.251.20.137 | Hetzner Online GmbH | Germany | 210,280.10 | Multi-port scanning |
| 185.153.196.159 | RM Engineering LLC | Republic of Moldova | 207,474.80 | Credential stuffing, multi-port scanning |
| 92.223.85.77 | G-Core Labs S.A. | Singapore | 199,211.50 | Credential stuffing, multi-port scanning |
| 5.39.39.49 | OVH SAS | France | 179,829.60 | Credential stuffing, multi-port scanning |
| 212.80.217.139 | Serverius Holding B.V. | Netherlands | 152,250.90 | Credential stuffing, multi-port scanning |
| 185.40.13.3 | GTECH S.p.A. | Italy | 113,956.80 | Multi-port scanning |
| 211.44.226.158 | SK Broadband Co Ltd | South Korea | 102,566.10 | Multi-port scanning |
| 112.175.124.2 | Korea Telecom | South Korea | 99,799.20 | Multi-port scanning |
| 164.132.22.162 | OVH SAS | United Kingdom | 81,270.90 | HTTP attacks |
| 112.175.127.189 | Korea Telecom | South Korea | 76,341.30 | Multi-port scanning |
| 185.234.218.16 | Sprint S.A. | Ireland | 72,580.10 | Credential stuffing, multi-port scanning |
| 218.237.65.80 | SK Broadband Co Ltd | South Korea | 65,499.30 | Multi-port scanning |
| 198.245.60.31 | OVH SAS | Canada | 63,804.30 | Credential stuffing, multi-port scanning |
| 192.250.197.246 | CNSERVERS LLC | United States | 61,273.60 | Credential stuffing, multi-port scanning |
| 212.32.233.178 | LeaseWeb Netherlands B.V. | Netherlands | 53,482.70 | Multi-port scanning |
| 194.187.175.68 | GTECH S.p.A. | Italy | 52,261.80 | Multi-port scanning |
| 112.175.127.179 | Korea Telecom | South Korea | 51,100.60 | Multi-port scanning |
| 185.232.28.237 | PIN Hosting Europe GmbH | Estonia | 50,910.70 | Multi-port scanning |
| 206.189.209.142 | DigitalOcean, LLC | United States | 48,186.30 | Multi-port scanning |
| 112.175.127.186 | Korea Telecom | South Korea | 45,624.90 | Multi-port scanning |
| 164.160.130.141 | Garanntor-Hosting-AS | Nigeria | 44,467.40 | Multi-port scanning |
| 112.175.126.18 | Korea Telecom | South Korea | 43,702.00 | Multi-port scanning |
| 218.92.0.207 | No.31,Jin-rong Street | China | 42,711.20 | Credential stuffing, multi-port scanning |
| 139.60.163.68 | HOSTKEY | United States | 40,371.20 | Credential stuffing, multi-port scanning |
| 203.73.59.86 | Digital United Inc. | Taiwan | 38,481.60 | Multi-port scanning |
| 185.153.198.202 | RM Engineering LLC | Republic of Moldova | 34,002.00 | Multi-port scanning |
| 159.65.108.26 | DigitalOcean, LLC | United States | 33,952.40 | Multi-port scanning |
| 95.216.172.249 | Hetzner Online GmbH | Finland | 31,897.50 | Credential stuffing, multi-port scanning |
| 95.216.217.44 | Hetzner Online GmbH | Finland | 31,520.00 | Credential stuffing, multi-port scanning |
| 165.22.10.222 | DigitalOcean, LLC | United States | 31,148.70 | Multi-port scanning |
| 218.92.0.208 | No.31,Jin-rong Street | China | 31,049.70 | Credential stuffing, multi-port scanning |
| 193.188.22.46 | HOSTKEY B.v. | Russia | 30,470.30 | Credential stuffing, multi-port scanning |
| 185.156.177.55 | HOSTKEY B.v. | Russia | 29,556.70 | Credential stuffing, multi-port scanning |
| 61.177.172.158 | No.31,Jin-rong Street | China | 29,383.30 | Credential stuffing, multi-port scanning |
| 89.248.174.201 | IP Volume Inc. | Netherlands | 27,471.60 | Multi-port scanning |
| 94.102.51.117 | IP Volume Inc. | Netherlands | 26,113.80 | Credential stuffing, multi-port scanning |
| 183.110.242.142 | Korea Telecom | South Korea | 26,043.20 | Multi-port scanning |
| 165.22.6.170 | DigitalOcean, LLC | United States | 25,502.00 | Multi-port scanning |
| 165.22.6.17 | DigitalOcean, LLC | United States | 25,501.00 | Multi-port scanning |
Table 2. Top attacking IP addresses in descending order
Top Targeted Ports
VNC port 5900 was attacked all over the world during this period and was the number one attacked port in Canada by a large margin. This activity is not typical, which is why F5 Labs is running the threat hunting investigation on Twitter mentioned above. In a distant second position was SMB port 445, also attacked all over the world; SMB port 445 is a common port on which threat actors attempt to upload malware. The third most attacked port was SSH port 22, another commonly attacked port.
What stands out the most in top attacked ports in Canada is the targeting of SOCKS port 1080. That port does not show up in any other region during the same period, nor is it typically on a top 50 attacked port list.
In addition to the most commonly targeted ports, the targeting of non-standard HTTP ports (8443 and 8080) and of other application ports such as Microsoft SMB port 445 and Microsoft CRM port 5555 makes it clear that attackers are targeting applications.
Also noteworthy was the apparent attempt to compromise non-standard deployments of SSH and database services through the targeting of ports 2222 and 33899 (alongside 22 and 3389).
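As an added example (not part of the F5 Labs report), the two behaviour labels used in Table 2 and the ports called out in this section can be turned into a simple triage heuristic over connection logs. The flow records, the 203.0.113.x / 198.51.100.x addresses and the thresholds are constructed for illustration only:

```python
from collections import Counter, defaultdict

# Ports the report singles out for Canada, Fall 2019 (port numbers from the
# page; the split into remote-access vs application ports is the editor's).
REMOTE_ACCESS_PORTS = {5900: "VNC/RFB", 22: "SSH", 2222: "SSH (alt)",
                       3389: "RDP", 33899: "RDP (alt)", 445: "SMB"}
APP_PORTS = {8080: "HTTP (alt)", 8443: "HTTPS (alt)", 2375: "Docker API",
             5555: "Microsoft CRM", 1080: "SOCKS"}

# Constructed sample flows (src_ip, dst_port) using documentation addresses:
# one source hammering VNC, one sweeping ports, one ordinary HTTPS client.
SAMPLE_FLOWS = (
    [("203.0.113.5", 5900)] * 25
    + [("203.0.113.9", p) for p in (21, 22, 23, 80, 443, 445, 1080, 3389, 8080, 8443)]
    + [("203.0.113.9", 22)] * 3
    + [("198.51.100.2", 443)] * 4
)


def classify_sources(flows, scan_ports=8, stuff_hits=20):
    """Tag each source the way Table 2 does.

    'credential stuffing' : at least stuff_hits connections to one
                            remote-access port (VNC, SSH, RDP, SMB).
    'multi-port scanning' : touched at least scan_ports distinct ports.
    Thresholds are assumptions for the sample, not values from the report.
    """
    hits = defaultdict(Counter)
    for ip, port in flows:
        hits[ip][port] += 1
    labels = {}
    for ip, ports in hits.items():
        tags = []
        if any(p in REMOTE_ACCESS_PORTS and n >= stuff_hits for p, n in ports.items()):
            tags.append("credential stuffing")
        if len(ports) >= scan_ports:
            tags.append("multi-port scanning")
        labels[ip] = tags
    return labels


def top_ports(flows, n=3):
    """Most-hit destination ports with a service label, like the report's
    top targeted ports list; ties are broken by port number."""
    counts = Counter(port for _, port in flows)
    names = {**REMOTE_ACCESS_PORTS, **APP_PORTS}
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(port, names.get(port, "other"), count) for port, count in ranked]
```

On the constructed sample the VNC source is tagged as credential stuffing, the sweeping source as multi-port scanning, and port 5900 ranks first, mirroring the report's findings.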