F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in Europe during the winter of 2019 was characterized by a large amount of traffic coming from inside the region, specifically Switzerland, conducting aggressive port scanning.
- U.K. Internet infrastructure services provider M247 Ltd., with IP addresses geographically located in Switzerland, launched the most attack traffic directed toward systems in Europe, characterized by aggressive port scanning.
- Nine out of 10 of the top attacking IP addresses in Europe originated in Europe. The only IP address that did not originate within the region was an IP address from South Korea. Notably, most of these IP addresses took part in credential stuffing attacks targeting RFB/VNC port 5900, first noted in the fall of 2019 and continuing during this time period. These attacks were felt around the world.
- Fifty percent of the countries in the top 20 attacking source countries list were geographically within European boundaries; 70% of the top 10 source traffic countries were located in Europe. IP addresses located in Switzerland targeted only systems in Europe.
- The top targeted port, SMB port 445, was commonly targeted globally because exploiting a vulnerability on this service can give a malicious actor access to the entire system. The European threat landscape also saw significant attack traffic directed toward SSH and alternate SSH ports.
For the purposes of this research series, “Europe” comprises most of the countries that geographically fall within what is commonly referred to as Europe. Turkey is included in our Middle East article. Russia, which falls within both Europe and Asia, is covered in a separate article, so this article does not reference attack traffic targeting Russian systems; however, we do include data about attack traffic from IP addresses assigned in Russia that targeted European systems.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. Notably, Russia also appears in the top source traffic countries for Europe. However, we cannot assign attribution on this traffic, because we only have the geolocation of the IP addresses. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries attacked all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
When zooming in on Europe specifically, 80% of the top 10 source traffic countries were in-region. Expanding the scope to the top 20 source traffic countries, we noted that 50% of the nations appeared within European geographic boundaries. The number of in-region attacks poses a challenge to defenders. This type of behavior can be more difficult for enterprises to filter out, as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region.
Notably, Switzerland, in third position among the top source traffic countries, targeted only systems in Europe, and within Europe, none in Russia. The top attacking IP address, along with one other IP address, was geolocated in Switzerland; these attacks were concentrated in a handful of source addresses rather than distributed across many.
Conversely, seven IP addresses located in Russia and seven in South Korea conducted aggressive port scanning and credential stuffing attacks against RFB/VNC port 5900. These IP addresses did not account for the total attack traffic seen by either top source traffic country. This distributed style of attack was deliberate and took more resources (systems and human effort) to carry out, and therefore was often attributed to more sophisticated threat actors.
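The two behaviours described above (a single in-region address sweeping many ports, and a set of out-of-region addresses each making a few failed RFB/VNC logins) are what a defender has to detect behaviourally rather than by geo-blocking. The following Python triage sketch is an added example, not F5 Labs or Baffin Bay Networks code; it runs over constructed connection records of the form (src_ip, src_region, dst_port, failed_auth), where the region label is assumed to come from the defender's own GeoIP lookup and the thresholds are illustrative.

```python
# Constructed example, not F5 Labs / Baffin Bay Networks code. Records are assumed to be
# (src_ip, src_region, dst_port, failed_auth) with region from the defender's GeoIP lookup.
from collections import defaultdict

HOME_REGION = "EU"        # region whose systems we defend
SCAN_MIN_PORTS = 10       # illustrative: distinct ports touched by one source => port scan
STUFF_MIN_FAILURES = 20   # illustrative: failed logins against one service => stuffing

def build_sample_flows():
    """Constructed records shaped like the campaigns described in the article."""
    flows = []
    # One in-region source sweeping many ports: aggressive port scanning.
    flows += [("192.0.2.10", "EU", port, False) for port in range(20, 60)]
    # Seven out-of-region sources, each with five failed RFB/VNC (5900) logins:
    # distributed credential stuffing, small per source but large in aggregate.
    flows += [(f"198.51.100.{i}", "RU", 5900, True) for i in range(7) for _ in range(5)]
    # Ordinary in-region client traffic that a geo-block must not drop.
    flows += [("203.0.113.5", "EU", 443, False)] * 3
    return flows

def summarize(flows):
    # Per-source port sets plus per-port failed-login counts across all sources.
    per_src = defaultdict(lambda: {"region": None, "ports": set(), "failures": defaultdict(int)})
    per_port = defaultdict(lambda: {"count": 0, "sources": set()})
    for src, region, port, failed in flows:
        per_src[src]["region"] = region
        per_src[src]["ports"].add(port)
        if failed:
            per_src[src]["failures"][port] += 1
            per_port[port]["count"] += 1
            per_port[port]["sources"].add(src)
    return per_src, per_port

def classify(flows):
    # Returns (labels per source, multi-source campaigns keyed by target port).
    per_src, per_port = summarize(flows)
    verdicts = {}
    for src, s in per_src.items():
        labels = []
        if len(s["ports"]) >= SCAN_MIN_PORTS:
            labels.append("port-scan")
        if any(n >= STUFF_MIN_FAILURES for n in s["failures"].values()):
            labels.append("credential-stuffing")
        if labels and s["region"] == HOME_REGION:
            labels.append("in-region")  # geo-blocking alone would not have stopped it
        verdicts[src] = labels
    # Campaign view: failures against one service summed over several sources.
    campaigns = {port: sorted(v["sources"]) for port, v in per_port.items()
                 if v["count"] >= STUFF_MIN_FAILURES and len(v["sources"]) > 1}
    return verdicts, campaigns
```

On the sample data no single Russian address crosses the per-source threshold, so only the aggregated per-port view exposes the port 5900 campaign, while the Swiss scanner is flagged despite being in-region.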