Regional Threat Perspectives: Australia
The table in Figure 4 shows the top 50 ASNs attacking Australia from Dec 1, 2018 to March 1, 2019 in order of highest to lowest number of attacks. Interestingly, these top 50 networks were split fifty-fifty between ISPs and hosting companies whereas the company types attacking other regions lean heavier towards ISPs. For comparison, ISPs accounted for 90% of attacks against US systems and 72% of European systems in the same time period. Attacks coming from a system in a hosting network are more likely to be launched by a threat actor either renting or maliciously controlling a server in the hosting environment. Systems residing in an ISP network are more likely to be a compromised residential or small office IoT devices, unless the attacker does nothing to disguise their activities (like using a proxy or VPN).
| ASN | ASN Organization | Country | Industry |
| 4837 | China Unicom (China169 Backbone) | China | ISP |
| 4134 | Chinanet | China | ISP |
| 133229 | HostPalace Web Solution PVT LTD | Netherlands | Hosting |
| 58271 | FOP Gubina Lubov Petrivna | Ukraine | ISP |
| 43513 | Nano IT | Latvia | Hosting |
| 1241 | Forthnet | Greece | ISP |
| 34011 | Host Europe GmbH | Germany | Hosting |
| 53667 | FranTech Solutions | United States | Hosting |
| 38283 | Chinanet (SiChuan Telecom Data Center) | China | ISP |
| 45090 | Shenzhen Tencent Computer Systems Company Limited | China | Hosting |
| 4515 | PCCW IMSBiz | Hong Kong | Hosting |
| 8075 | Microsoft Corporation | United States | Hosting |
| 45102 | Alibaba (China) Technology Co., Ltd. | China | ISP |
| 201229 | Digital Ocean, Inc. | United Kingdom | Hosting |
| 56046 | China Mobile communications corporation | China | ISP |
| 25092 | PE Tetyana Mysyk | Ukraine | ISP |
| 33387 | DataShack, LC | United States | Hosting |
| 49877 | RM Engineering LLC | Moldova | Hosting |
| 19817 | DSL Extreme | United States | ISP |
| 12876 | Online S.a.s. | France | Hosting |
| 44050 | Petersburg Internet Network ltd. | Russia | ISP |
| 45899 | VNPT Corp | Vietnam | ISP |
| 3462 | Data Communication Business Group | Taiwan | ISP |
| 206792 | IP Khnykin Vitaliy Yakovlevich | Russia | Hosting |
| 6939 | Hurricane Electric, Inc. | United States | ISP |
| 60781 | LeaseWeb Netherlands B.V. | Netherlands | Hosting |
| 4766 | Korea Telecom | South Korea | ISP |
| 50968 | Hostmaster, Ltd. | Ukraine | Hosting |
| 4808 | China Unicom (Beijing Province Network) | China | ISP |
| 17974 | PT Telekomunikasi Indonesia | Indonesia | ISP |
| 16276 | OVH SAS | France | Hosting |
| 14987 | Rethem Hosting LLC | United States | Hosting |
| 237 | Merit Network Inc. | United States | ISP |
| 27699 | TELEFÔNICA BRASIL S.A | Brazil | ISP |
| 4812 | China Telecom (Group) | China | ISP |
| 43350 | NForce Entertainment B.V. | Netherlands | Hosting |
| 8151 | Uninet S.A. de C.V. | Mexico | ISP |
| 7552 | Viettel Corporation | Vietnam | ISP |
| 63949 | Linode, LLC | United States | Hosting |
| 10439 | CariNet, Inc. | United States | Hosting |
| 29073 | Quasi Networks LTD. | N/A | Hosting |
| 8452 | TE Data | Norway | ISP |
| 63199 | Capitalonline Data Service Co.,LTD | China | Hosting |
| 9299 | Philippine Long Distance Telephone Company | Philippians | ISP |
| 36352 | ColoCrossing | United States | Hosting |
| 51852 | Private Layer INC | Switzerland | Hosting |
| 12083 | WideOpenWest Finance LLC | United States | ISP |
| 199883 | ArubaCloud Limited | United Kingdom | Hosting |
| 40065 | CNSERVERS LLC | United States | Hosting |
| 12389 | PJSC Rostelecom | Russia | ISP |
Figure 4: Top 50 ASNs attacking Australian systems
Most of the top 50 attacking ASNs were seen attacking European and Canadian systems in the same time period with very little overlap with the US. The exception was Chinese networks that were seen consistently attacking systems across the entire world. The following 19 networks exclusively targeted Australian systems, most of which were hosting companies:
| ASN | ASN Organization | Country | Industry |
| 43513 | Nano IT | Latvia | Hosting |
| 1241 | Forthnet | Greece | ISP |
| 53667 | FranTech Solutions | United States | Hosting |
| 4515 | PCCW IMSBiz | Hong Kong | Hosting |
| 8075 | Microsoft Corporation | United States | Hosting |
| 45102 | Alibaba (China) Technology Co., Ltd. | China | ISP |
| 25092 | PE Tetyana Mysyk | Ukraine | ISP |
| 33387 | DataShack, LC | United States | Hosting |
| 19817 | DSL Extreme | United States | ISP |
| 206792 | IP Khnykin Vitaliy Yakovlevich | Russia | Hosting |
| 6939 | Hurricane Electric, Inc. | United States | ISP |
| 50968 | Hostmaster, Ltd. | Ukraine | Hosting |
| 14987 | Rethem Hosting LLC | United States | Hosting |
| 237 | Merit Network Inc. | United States | ISP |
| 10439 | CariNet, Inc. | United States | Hosting |
| 63199 | Capitalonline Data Service Co.,LTD | China | Hosting |
| 51852 | Private Layer INC | Switzerland | Hosting |
| 199883 | ArubaCloud Limited | United Kingdom | Hosting |
| 40065 | CNSERVERS LLC | United States | Hosting |
Figure 5: Networks targeting Australian systems not seen targeting other regions
Top Attacking IP Addresses
Unlike the consistency seen between networks attacking Australian, European, and Canadian systems, there was no consistency in the IP addresses used in those networks to attack. Forty-eight (96%) of the top 50 attacking IP addresses were unique to attacks against Australia. The number one attacking IP address (58.242.83.26), resolving to ISP China Unicom, also attacked systems in the US in the same time period. The other IP address (185.107.80.31), resolving to NForce Entertainment, a hosting provider in the Netherlands, also attacked systems in Canada during the same time period.
This can indicate that attackers are using specific (hosting) networks from which they know they can successfully launch attacks (and spinning up new systems or getting dynamic IP addresses from which to launch attacks), or they are exploiting vulnerabilities in systems resolving to ISPs, like residential or commercial IoT devices, and keep using new systems. Both scenarios result in new IP addresses from the same networks. And both scenarios are likely in the attacks against Australia, given the attacking ASNs are a fifty-fifty split between hosting providers and ISPs. The chart in Figure 6 below shows the top 50 IP addresses attacking destinations in Australia from Dec 1, 2018 through March 1, 2019 by count.
Source link
lol
The table in Figure 4 shows the top 50 ASNs attacking Australia from Dec 1, 2018 to March 1, 2019 in order of highest to lowest number of attacks. Interestingly, these top 50 networks were split fifty-fifty between ISPs and hosting companies whereas the company types attacking other regions lean heavier towards ISPs. For comparison,…