Figure 1: Trendline of attacks against Finland
To get a sense of how infrequently Finland is attacked, we compared a week of attacks from 7/10/2018 – 7/16/2018 against what Canada received in that same time period (Canada is routinely a top 10 attacked country, but not typically in the top 3–5). Aside from the attacks on 7/12 and 7/14, Finland doesn’t even register on the chart.
Figure 2: Finland attack traffic in comparison to Canada
Top Attack Source Countries
China is typically the top attacking country (see 5/12/2018 – 7/13/2018 in the table below). This was also the case during the spike in attack traffic around the Trump-Putin meeting (7/14/2018 – 7/16/2018); however, during that time China launched a higher percentage of the attacks than normal. The US was consistently in the number two attacking position. Russia fell from its #3 baseline position to #5 during the attack spike. Given that the targeted meeting included Putin, it is not surprising that Russia would back off its attacks. Notably, Italy and Germany jumped from their 13th and 14th positions into the 4th and 7th positions respectively during the Trump-Putin traffic spike.
Top 20 Finland Attacking Countries

| Pos # | Country (5/12/2018 – 7/13/2018) | % of Total | Pos # | Country (7/14/2018 – 7/16/2018) | % of Total |
|---|---|---|---|---|---|
| 1 | China | 29% | 1 | China | 34% |
| 2 | United States | 14% | 2 | United States | 12% |
| 3 | Russia | 14% | 3 | France | 9% |
| 4 | France | 10% | 4 | Italy | 8% |
| 5 | Canada | 4% | 5 | Russia | 7% |
| 6 | United Kingdom | 4% | 6 | Netherlands | 5% |
| 7 | Netherlands | 4% | 7 | Germany | 4% |
| 8 | Vietnam | 3% | 8 | Vietnam | 3% |
| 9 | Republic of Korea | 3% | 9 | Canada | 3% |
| 10 | Hong Kong | 2% | 10 | United Kingdom | 3% |
| 11 | India | 2% | 11 | India | 2% |
| 12 | Indonesia | 2% | 12 | Greece | 2% |
| 13 | Italy | 2% | 13 | Indonesia | 1% |
| 14 | Germany | 1% | 14 | Republic of Korea | 1% |
| 15 | Brazil | 1% | 15 | Brazil | 1% |
| 16 | Singapore | 1% | 16 | Poland | 1% |
| 17 | Ukraine | 1% | 17 | Singapore | 1% |
| 18 | Taiwan | 1% | 18 | Mexico | 1% |
| 19 | Thailand | 1% | 19 | Ukraine | 1% |
| 20 | Poland | 1% | 20 | Hong Kong | 1% |
Attacking Networks
F5 Labs continually monitors top attacking networks. Only a handful of the networks shown in the table below (highlighted in yellow in the original) are not consistently top threat actor networks (see the F5 Labs Hunt for IoT research series). This indicates consistency in the threat actors and in the networks they choose to launch their attacks from.
ChinaNet was the top attacking network both before the Trump-Putin meeting and during the attack spike, and it is consistently at the top of the threat actor network list globally. It is our opinion that, since attacks from China go unpunished, threat actors from around the world feel confident using Chinese networks to launch their attacks as well.
| Pos # | ASN Name (before spike) | Country | % of Total | Pos # | ASN Name (during spike) | Country | % of Total |
|---|---|---|---|---|---|---|---|
| 1 | Chinanet | China | 19% | 1 | Chinanet | China | 34% |
| 2 | OVH SAS | France | 18% | 2 | Aruba S.p.A. | Italy | 11% |
| 3 | JSC Internet-Cosmos | Russia | 11% | 3 | OVH SAS | France | 10% |
| 4 | Chinanet (SiChuan DC) | China | 9% | 4 | CNCGROUP China169 Backbone | China | 7% |
| 5 | Online S.a.s. | France | 7% | 5 | Online S.a.s. | France | 7% |
| 6 | Henan Telcom Union Technology Co., LTD | China | 5% | 6 | Paradise Networks LLC | US | 6% |
| 7 | Kassir, Ltd. | Russia | 4% | 7 | myLoc managed IT AG | Germany | 3% |
| 8 | CNCGROUP China169 Backbone | China | 3% | 8 | Forthnet | Greece | 2% |
| 9 | EDIS GmbH | Austria | 2% | 9 | Netversor GmbH | Germany | 2% |
| 10 | Korea Telecom | Korea | 2% | 10 | ChinaNet (Jiangx DC) | China | 2% |
| 11 | Digital Ocean, Inc. | Netherlands | 2% | 11 | Hostkey B.v. | Netherlands | 2% |
| 12 | Aruba S.p.A. | Italy | 2% | 12 | HostPalace Web Solution PVT LTD | India | 2% |
| 13 | VNPT Corp | Vietnam | 2% | 13 | VNPT Corp | Vietnam | 2% |
| 14 | ColoCrossing | US | 2% | 14 | Digital Ocean, Inc. | Netherlands | 2% |
| 15 | MediaServicePlus LLC | Russia | 2% | 15 | NForce Entertainment B.V. | Netherlands | 1% |
| 16 | Henan Mobile Communications | China | 2% | 16 | MediaServicePlus LLC | Russia | 1% |
| 17 | PT Telekomunikasi Indonesia | Indonesia | 2% | 17 | Wowrack.com | US | 1% |
| 18 | B2 Net Solutions Inc. | Canada | 2% | 18 | PT Telekomunikasi Indonesia | Indonesia | 1% |
| 19 | Wowrack.com | US | 2% | 19 | IT Expert LLC | Ukraine | 1% |
| 20 | Hostkey B.v. | Netherlands | 2% | 20 | PJSC Rostelecom | Russia | 1% |
Attacked Ports
The top 5 attacked ports before and during the Finland attack spike were SSH, SMB, SIP, HTTP, and MySQL. SSH brute force attacks are commonly used to compromise servers and IoT devices exposed online. They accounted for the majority of the attacks against Finland and are something we see consistently across global attack traffic, which is why we publish the top 50 admin credentials used in SSH brute force attacks in our Hunt for IoT report series.
Note: We have no data to suggest the attacks against Finland were successful. That would require access to the targeted systems, which is illegal. We collect attack data and publish the threat intelligence in an effort to educate the security community on attackers’ efforts and targets so they can protect themselves.
| Pos # | Port (5/12/2018 – 7/13/2018) | Protocol | % of Total | Pos # | Port (7/14/2018 – 7/16/2018) | Protocol | % of Total |
|---|---|---|---|---|---|---|---|
| 1 | 22 | SSH | 50% | 1 | 22 | SSH | 62% |
| 2 | 5060 | SIP | 21% | 2 | 445 | SMB | 12% |
| 3 | 445 | SMB | 16% | 3 | 5060 | SIP | 10% |
| 4 | 80 | HTTP | 4% | 4 | 80 | HTTP | 6% |
| 5 | 3306 | MySQL | 3% | 5 | 3306 | MySQL | 4% |
| 6 | 1433 | SQL | 3% | 6 | 1433 | SQL | 2% |
| 7 | 23 | Telnet | 1% | 7 | 5061 | SIP-TLS | 1% |
| 8 | 8080 | HTTP | < 1% | 8 | 8090 | HTTP | 1% |
| 9 | 3389 | RDP | < 1% | 9 | 23 | Telnet | 1% |
| 10 | 25 | SMTP | < 1% | 10 | 3389 | RDP | < 1% |
| 11 | 21 | FTP | < 1% | 11 | 8291 | TCP | < 1% |
| 12 | 8291 | TCP | < 1% | 12 | 25 | SMTP | < 1% |
| 13 | 8088 | TCP | < 1% | 13 | 443 | HTTPS | < 1% |
| 14 | 443 | HTTPS | < 1% | 14 | 53 | DNS | < 1% |
| 15 | 7547 | TCP | < 1% | 15 | 7547 | TCP | < 1% |
| 16 | 81 | UDP/TCP | < 1% | 16 | 21 | FTP | < 1% |
| 17 | 9200 | UDP/TCP | < 1% | 17 | 135 | RPC | < 1% |
| 18 | 53 | DNS | < 1% | 18 | 8080 | HTTP | < 1% |
| 19 | 135 | RPC | < 1% | 19 | 9200 | UDP/TCP | < 1% |
| 20 | 8089 | TCP | < 1% | 20 | 81 | UDP/TCP | < 1% |
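The before/during comparison in the table above can be reproduced from a defender's own honeypot or firewall records. The following is an added example, not F5 Labs code; it assumes a constructed, simplified log line format (ISO timestamp, source IP, source country, destination port), uses a dozen constructed records with RFC 5737 test addresses, and picks constructed baseline and spike windows that split on the page's 7/13–7/14 boundary. It computes per-port share in each window, the ports whose share grew during the spike, and which sources hammered port 22 often enough to look like brute forcing.

```python
"""Per-port attack share in a baseline vs a spike window, plus a simple SSH
brute-force source check. Added example, not F5 Labs code; log format is a
constructed "<ISO timestamp> <src_ip> <country> <dst_port>" line.
"""
from collections import Counter
from datetime import date, datetime

# Constructed sample records (RFC 5737 test addresses), not real telemetry.
SAMPLE_LOG = """\
2018-07-11T08:00:01Z 203.0.113.10 CN 22
2018-07-11T08:00:05Z 203.0.113.10 CN 22
2018-07-11T09:12:44Z 198.51.100.7 US 5060
2018-07-12T10:30:00Z 203.0.113.45 FR 445
2018-07-12T11:00:00Z 198.51.100.9 RU 22
2018-07-13T12:00:00Z 203.0.113.77 CN 3306
2018-07-14T00:10:00Z 203.0.113.10 CN 22
2018-07-14T00:10:03Z 203.0.113.10 CN 22
2018-07-14T00:10:06Z 203.0.113.10 CN 22
2018-07-15T13:00:00Z 198.51.100.7 IT 445
2018-07-15T14:00:00Z 203.0.113.99 CN 22
2018-07-16T15:00:00Z 198.51.100.20 US 5060
"""
BASELINE = (date(2018, 7, 10), date(2018, 7, 13))  # constructed windows split on
SPIKE = (date(2018, 7, 14), date(2018, 7, 16))     # the page's 7/13-7/14 boundary

def parse(log_text):
    """Return (date, src_ip, country, port) tuples from the constructed log."""
    out = []
    for line in log_text.splitlines():
        ts, ip, cc, port = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), ip, cc, int(port)))
    return out

def port_share(records, start, end):
    """Percent of events per destination port within [start, end] (inclusive)."""
    counts = Counter(port for d, _, _, port in records if start <= d <= end)
    total = sum(counts.values())
    return {p: round(100 * n / total) for p, n in counts.items()} if total else {}

def share_shift(records, baseline, spike):
    """(port, gain in percentage points) for ports seen in the spike, largest gain first."""
    base, peak = port_share(records, *baseline), port_share(records, *spike)
    return sorted(((p, peak[p] - base.get(p, 0)) for p in peak), key=lambda kv: -kv[1])

def brute_force_sources(records, start, end, port=22, threshold=3):
    """Source IPs with at least `threshold` hits on `port` inside the window."""
    hits = Counter(ip for d, ip, _, p in records if start <= d <= end and p == port)
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

On the constructed records SSH holds 50% of the baseline and grows to 67% during the spike, mirroring the 50% to 62% shift in the table, and one source crosses the brute-force threshold only inside the spike window.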
The common use of each port, shown in the table below, is an indicator of what the attackers are after. IoT devices are moving to SSH for remote administration because it’s more secure than Telnet—although “protecting” SSH with default admin credentials doesn’t secure anything. Just look at the top attacked admin credentials list, which typically includes default usernames and passwords that are simply the name of the manufacturer or software provider. SIP, although in the top 3, did not account for a large percentage of the attacks against Finland. Since we are not aware of a SIP vulnerability that would give attackers instant access to a phone inside a meeting room, we’re not surprised that SSH attacks accounted for the majority of the attacks surrounding the Trump-Putin meeting.
| Port | Protocol | Description |
|---|---|---|
| 21 | FTP | File Transfer Protocol (FTP) |
| 22 | SSH | SSH remote management port |
| 23 | Telnet | Remote management port |
| 25 | SMTP | Simple Mail Transfer Protocol (SMTP) |
| 53 | DNS | DNS and FaceTime |
| 80 | HTTP | HTTP |
| 81 | UDP/TCP | Alternate web server port for host-to-host communication |
| 135 | RPC | Remote Procedure Call (RPC) |
| 443 | HTTPS | HTTPS |
| 445 | SMB | Server Message Block (SMB) port |
| 1433 | SQL | SQL database port |
| 3306 | MySQL | MySQL database port |
| 3389 | RDP | Remote Desktop Protocol |
| 5060 | SIP | Clear text Session Initiation Protocol (SIP) port commonly used by VoIP phones and video conferencing systems |
| 5061 | SIP-TLS | Secure SIP |
| 7547 | TCP | TCP port used by ISPs to remotely manage routers via the TR-069 protocol |
| 8080 | HTTP | Alternate web server port often used for a proxy or caching; some routers use it for remote management |
| 8088 | TCP | Apple software update and Lord of the Rings game |
| 8089 | TCP | Mac OS X Web email rules, Splunk management port, MyDiskServer |
| 8090 | HTTP | Alternate web server port often used for webcams |
| 8291 | TCP | Remote management port commonly used by MikroTik routers |
| 9200 | UDP/TCP | WAP Connectionless Wireless Session Protocol |
Conclusion
Using technology—most specifically, IoT devices—to target people of interest or to spy on large portions of populations isn’t new. This practice should be expected, but we write these stories to make a point about the necessity of security, which impacts everyone from the President of the United States to an unassuming civilian standing next to a hacked wireless IP camera. You don’t need a smart home to be personally impacted by insecure technology. Every business is impacted by insecure technology as compromised devices become attack pivots, relays, and botnet hosts that attack other businesses, which drives up the cost of doing business for everyone.
All businesses should be securing all of their Internet-connected infrastructure. All of it: this spans from servers in a rack in a data center (and everything installed on them) to security cameras, wireless access points, phone systems (including mobile devices), video conferencing systems, entertainment systems, TVs, DVRs, HVAC systems, fish tanks, vending machines, etc. Every “thing” that is Internet-connected.
At a minimum, securing means:
- Protect remote administration of any device on your network with a firewall or VPN, or restrict it to a specified management network. Never allow open communication from the entire Internet.
- For home IoT, leverage network address translation (NAT) if you can’t install a home firewall (note that home firewalls have also been targeted by thingbots).
- Always change vendor default administration credentials.
- Stay up to date with any security patches released by the manufacturer.