F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019 through December 31, 2019—in the United States (U.S.), Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensor and tracking system is constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in Asia during the winter of 2019 was characterized by a large volume of traffic coming from within the region, specifically Singapore.
- French cloud computing company OVH SAS, with IP addresses geographically located in Singapore, launched the most attack traffic directed towards systems in Asia.
- Credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, continued during this time period. They were launched through networks in Russia, France, and Moldova and targets were not unique to systems in Asia; these attacks were felt all over the world.
- Fifty percent of the countries in the top attacking source countries list are in Asia, with IP addresses located in Singapore only targeting systems in Asia.
- The top targeted port, SMB port 445, and the third most attacked port, SSH port 22, were commonly targeted across the world because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system.
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. However, we cannot do any kind of attribution on this traffic, because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the U.S., and the Netherlands round out the top 5 for sources of global attack traffic. The full top ten source traffic countries were seen attacking all regions of the world. Moldova is a relative newcomer to this list, again due to the global VNC port 5900 attack campaign.
When zooming in on Asia specifically, 50% of the top source traffic countries are in region. This type of behavior can be more difficult for enterprises to filter out as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region.
Singapore, the top source traffic country in Asia was only seen targeting Asia. The top four attacking IP addresses in Asia all came from Singapore. Along with this, 16 of the top 50 IP addresses targeting systems in Asia were geographically located in Singapore. This distributed style of attack is deliberate and takes more resources (systems and manpower) to carry out, and therefore is often attributed to more sophisticated threat actors. The other countries in the top ten were all seen attacking all regions of the world.
Top Attacking Organizations (ASNs)
The cloud computing company OVH SAS, registered in France, accounted for a majority of the attacks launched towards systems in Asia from October 1, 2019 through December 31, 2019. OVH SAS is the hosting ASN for the top four IP addresses launching port scanning and SMB attacks out of Singapore towards Asian systems. The traffic seen from Hostkey B.v was conducting multi-port scanning and targeted SMB port 445 attacks. These IP addresses were primarily hosted in Russia. The attacks coming from RM Engineering targeted RFB port 5900 with credential stuffing attacks and were received by systems all over the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB began, unlike OVH SAS, which has routinely shown up on top attacking network lists in our Hunt for IoT Report series for years. GTECH, the network in fourth position that is driving Italy into the top source traffic countries list, targeted Asian systems with only a few IP addresses conducting large volumes of attacks. Rounding out the top ten ASNs were those that often used more distributed IP addresses in order to conduct abusive port scanning, which is typically associated with network reconnaissance looking for vulnerabilities.
Top Attacking IP Addresses
Out of the top IP addresses attacking Asian systems, 40% only targeted systems in Asia. This includes the Singaporean IP addresses that make up the top four attacking IP addresses in the region. The large drop in traffic from the top 3 attacking IP addresses to the rest of the top 50 can be attributed to the malicious SMB port 445 activity.
Attack Types of Top Attacking IP addresses
Many of the IP addresses attacking Asian systems during the winter of 2019 were involved in abusive port scanning activity. As noted in the top attacked ports section, Microsoft SMB on port 445 is the highest targeted port, and that was seen across all of the top attacking IP addresses. We’ve continued to observe high levels of attack traffic pointed towards VNC/RFB port 5900. As our sensor stack has evolved, we’re noticing more IP addresses which are targeted on SMB port 445 at higher rates.
|Source IP||Attack Type||ASN||Source Country||Normalized Attack Count|
|184.108.40.206||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Singapore||3,410,388|
|220.127.116.11||Port Scanning: MS SMB port 445, MS SQL port 1433, NetBIOS port 139
Malware Uploads: SMB port 445
|18.104.22.168||Port Scanning: MS SQL port 1433, MS SMB port 445, NetBIOS port 139
Malware Uploads: SMB port 445
|22.214.171.124||Port Scanning: MS SQL port 1433, MS SMB port 445||OVH SAS||Singapore||699,710|
|126.96.36.199||Port Scanning: 48 unique ports||Serverius Holding||Netherlands||685,312|
|188.8.131.52||Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP port 3389, Telnet Port 23||Hostkey B.v.||Russia||585,094|
|184.108.40.206||Port Scanning: SMB port 445, MS SQL port 1433||Hostkey B.v.||Russia||584,222|
|220.127.116.11||Port Scanning: RFB/VNC port 5900||Hostkey B.v.||Russia||578,072|
|18.104.22.168||Port Scanning: 6 unique ports||RM Engineering||Moldova||528,387|
|22.214.171.124||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||495,852|
|126.96.36.199||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||471,717|
|188.8.131.52||Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25||Hetzner Online GmbH||Germany||240,094|
|184.108.40.206||Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25||Hetzner Online GmbH||Germany||240,062|
|220.127.116.11||Port Scanning: 443, 445, HTTP port 80||Amazon.com||Germany||201,034|
|18.104.22.168||Port Scanning: RFB/VNC port 5900 & 5901||GTECH S.p.A.||Italy||158,917|
|22.214.171.124||Port Scanning: 6 unique ports||Amazon.com||Germany||158,905|
|126.96.36.199||Port Scanning: SMB port 445, MS SQL port 1433||Elyzium Technologies||India||157,162|
|188.8.131.52||Port Scanning: 6 unique ports||Amazon.com||Germany||154,701|
|184.108.40.206||Port Scanning: SMB port 445, MS SQL port 1433||IP Volume||Netherlands||146,586|
|220.127.116.11||Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22||Online S.a.s.||France||134,809|
|18.104.22.168||Port Scanning: SMB port 445, MS SQL port 1433||SK Broadband Co Ltd||South Korea||131,185|
|22.214.171.124||Port Scanning: 61 unique ports||Korea Telecom||South Korea||123,845|
|126.96.36.199||Port Scanning: MS RDP port 3389, port 5909, RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
|188.8.131.52||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Singapore||110,852|
|184.108.40.206||Port Scanning: MS SMB port 445, MS SQL port 1433, WebLogic port 7001, Alt-HTTP port 8080, Malware Uploads: SMB port 445||Elyzium Technologies||India||97,204|
Table 1. Top Attacking IP addresses and their attack types targeting Asian Systems, October 1, 2019 – December 31, 2019
Top Targeted Ports
SMB port 445 was the number one attacked port in Asia during the winter of 2019. In a distant second place was VNC port 5900, which was attacked all over the world during this time period. Looking back to the fall 2019 regional threat perspectives, Asia, the volume of SMB traffic is significantly lower then. This could be due to the fact that we constantly update and evolve our sensor stack—and typically we do expect SMB port 445 to be a top targeted port (it has been a top targeted port since the release of the Eternal Blue exploit in April 2017). However, targeting of VNC port 5900 is not typically at the top of the list. We first noticed this activity in May 2019, and we have an ongoing investigation on this worldwide IPv4 activity. SSH port 22, which followed in position 3, is activity we see globally on a consistent basis. This activity is typically associated with credential stuffing attacks (see top attacked SSH credentials) and IoT botnet building.
Both SMB and SSH are commonly targeted because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system. SMTP port 25 follows SSH port 22 in the fourth most attacked position. Other commonly attacked ports include HTTP port 80 and the encrypted HTTP port 443, rounding out the top 6 attacked ports. Similar to the fall 2019 data, the only port uniquely targeted in Asia during this time period was the unassigned TCP port 22225. Given all the ports that were targeted and the attacks that were conducted during the winter months of 2019, it’s clear that applications were a top priority for attackers.
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic position backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether or not you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because default vendor credentials are known by attackers, all systems should be hardened before being deployed and protected with multi-factor authentication.
Additionally, the volume of credentials that were breached in 2017 was so large that usernames and passwords should be considered “public,” therefore all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.
To mitigate the types of attacks discussed here, we recommend the following security controls be put in place: