F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in Europe during the winter of 2019 was characterized by a large amount of traffic coming from inside the region, specifically Switzerland, conducting aggressive port scanning.
- U.K. Internet infrastructure services provider M247 Ltd., with IP addresses geographically located in Switzerland, launched the most attack traffic directed toward systems in Europe, characterized by aggressive port scanning.
- Nine out of 10 of the top attacking IP addresses in Europe originated in Europe. The only IP address that did not originate within the region was an IP address from South Korea. Notably, most of these IP addresses took part in credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, and which continued during this time period. These attacks were felt around the world.
- Fifty percent of the countries in the top 20 attacking source countries list were geographically within European boundaries; 70% of the top 10 source traffic countries were located in Europe. IP addresses located in Switzerland targeted only systems in Europe.
- The top targeted port, SMB port 445, was commonly targeted globally because exploiting a vulnerability on this service can give a malicious actor access to the entire system. The European threat landscape also saw significant attack traffic directed toward SSH and alternate SSH ports.
For the purposes of this research series, “Europe” comprises most of the countries that geographically fall within what is commonly referred to as Europe. Turkey is included in our Middle East article. Russia, which falls within both Europe and Asia, is covered in a separate article, so this article does not reference attack traffic targeting Russian systems; however, we do include data about attack traffic from IP addresses assigned in Russia that targeted European systems.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. Notably, Russia also appears in the top source traffic countries for Europe. However, we cannot assign attribution on this traffic, because we only have the geolocation of the IP addresses. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries attacked all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign
When zooming in on Europe specifically, 80% of the top 10 source traffic countries were in-region. Expanding the scope to the top 20 source traffic countries, we noted that 50% of the nations appeared within European geographic boundaries. The number of in-region attacks poses a challenge to defenders. This type of behavior can be more difficult for enterprises to filter out, as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region.
Notably, Switzerland, in third position of the top source traffic countries, targeted only systems in Europe. This can be further distilled to note that this targeting did not include systems in Russia. The top attacking IP address, along with one other IP address, was geolocated in Switzerland. There was not a lot of distribution among resources for these attacks.
Conversely, seven IP addresses located in Russia and seven in South Korea conducted aggressive port scanning and credential stuffing attacks against RFB/VNC port 5900. These IP addresses did not account for the total attack traffic seen by either top source traffic country. This distributed style of attack was deliberate and took more resources (systems and human effort) to carry out, and therefore was often attributed to more sophisticated threat actors.
Top Attacking Organizations (ASNs)
U.K.-based M247 Ltd., with infrastructure also registered in Zurich, Switzerland, accounted for the top ASN attacks destined for European systems launched from October 1, 2019, through December 31, 2019. In second position was RM Engineering targeting RFB/VNC port 5900 with credential stuffing attacks on systems around the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB/VNC port 5900 began, unlike other ASNs such as OVH SAS and Hostkey B.v., which have routinely shown up on top attacking network lists in our Hunt for IoT Report series for years. The traffic seen from Hostkey B.v. (in 11th position) was multiport scanning attacks targeted at SMB port 445. These IP addresses were primarily hosted in Russia. GTECH, the network in third position that placed Italy in the top source traffic countries list, targeted in-region systems, with only a few IP addresses conducting large volumes of attacks. Rounding out the top 10 ASNs were those in Europe and South Korea conducting abusive port scanning, which is typically associated with network reconnaissance looking for vulnerabilities.
Top Attacking IP Addresses
Out of the top IP addresses attacking European systems, 22% targeted only systems in Europe. This is less than other regions, such as the Middle East, where 54% of attacking IP addresses uniquely targeted in-region systems. In Europe, these uniquely attacking IP addresses include the Swiss IP addresses that made up the top attacking IP address in the region. One IP address in particular focused on abusive port scanning, targeting 65,521 unique ports.
Attack Types of Top Attacking IP Addresses
Many of the IP addresses attacking European systems during the winter of 2019 were involved in abusive port scanning activity. As noted in the Top Targeted Ports section, Microsoft SMB on port 445 was the most targeted port, and that was seen across all regions of the world. We continue to observe high levels of attack traffic pointed toward RFB/VNC port 5900. As our sensor stack has evolved, we’ve noticed more IP addresses targeting SMB port 445 at higher rates. In Europe, we also saw increased levels of targeting toward SSH and alternate SSH ports, including port 222 and port 22222.
|Source IP||Attack Type||ASN||Source Country||Normalized Attack Count|
|126.96.36.199||Port Scanning: 65521 unique ports||M247 Ltd||Switzerland||1,735,439|
|188.8.131.52||Port Scanning: 48 unique ports||Serverius Holding B.V.||Netherlands||639,310|
|184.108.40.206||Port Scanning: 6 unique ports||RM Engineering||Moldova||495,777|
|220.127.116.11||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||464,646|
|18.104.22.168||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||431,339|
|22.214.171.124||Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25||Hetzner Online GmbH||Germany||245,434|
|126.96.36.199||Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25||Hetzner Online GmbH||Germany||245,260|
|188.8.131.52||Port Scanning: 443, 445, HTTP port 80||Amazon.com||Germany||157,121|
|184.108.40.206||Port Scanning: RFB/VNC port 5900 & 5901||GTECH S.p.A.||Italy||128,438|
|220.127.116.11||Port Scanning: SMB port 445, MS SQL port 1433||SK Broadband Co Ltd||South Korea||123,608|
|18.104.22.168||Port Scanning: 6 unique ports||Amazon.com||Germany||123,473|
|22.214.171.124||Port Scanning: 6 unique ports||Amazon.com||Germany||120,435|
|126.96.36.199||Port Scanning: 61 unique ports||Korea Telecom||South Korea||117,766|
|188.8.131.52||Port Scanning: SMB port 445, MS SQL port 1433||Hostkey B.v.||Russia||111,710|
|184.108.40.206||Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23||Hostkey B.v.||Russia||109,787|
|220.127.116.11||Port Scanning: RFB/VNC port 5900||Hostkey B.v.||Russia||108,848|
|18.104.22.168||Port Scanning: 16 unique ports
HTTP Attacks: HTTPS port 443
Credential Stuffing: HTTP port 80
|Miti 2000 EOOD||88,082|
|22.214.171.124||Port Scanning: MS RDP port 3389, port 5909, RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
|126.96.36.199||Port Scanning: SMB port 445, WebLogic port 7001, 8080, MS SQL port 1433
HTTP Attacks: Alt-HTTP port 8080
Malware Uploads: SMB port 445
|188.8.131.52||Port Scanning: 48 unique ports||Korea Telecom||South Korea||65,411|
|184.108.40.206||Port Scanning: SMB port 445, MS SQL port 1433||IP Volume||Netherlands||65,029|
|220.127.116.11||Port Scanning: 48 unique ports||Korea Telecom||South Korea||61,487|
|18.104.22.168||Port Scanning: MS SQL port 1433, SMB port 445||GTECH S.p.A.||Italy||59,260|
|22.214.171.124||Port Scanning: 46 unique ports||Korea Telecom||South Korea||52,725|
|126.96.36.199||Port Scanning: 42 unique ports||Korea Telecom||South Korea||50,826|
Table 1. Top attacking IP addresses and their attack types targeting European systems, October 1, 2019–December 31, 2019
Top Targeted Ports
SMB port 445 was the top targeted port both in Europe and globally from October 1, 2019, through December 31, 2019. In a distant second place was RFB/VNC port 5900, which was also attacked around the world during this time period. When looking back at the fall 2019 regional threat perspectives in Europe, the volume of SMB traffic is significantly lower. This can be attributed to constantly updating and evolving our sensor stack. Typically, we expect SMB port 445 to be a top targeted port, which it has been since the release of the EternalBlue exploit in April 2017. However, targeting RFB/VNC port 5900 is not usually at the top of the list. F5 Labs first noticed this activity in May 2019, and it has remained consistent or grown since then. We are actively investigating this worldwide IPv4 activity.
In third position following the high attack traffic targeting SMB port 445 and RFB/VNC port 5900 was Telnet port 23, with SSH port 22 in fourth. These ports are commonly targeted because exploiting a vulnerability on any of these ports can give a malicious actor access to the entire system.
Along with these top attacked ports, Europe and the Middle East were the only regions where DNS port 53 was targeted. That port did not show up in any other region we analyzed during the same time period.
Targeting of SSH and alternate SSH stood out the most in the top attacked ports in Europe. The use of port 22222 for SSH in Europe is unique from other parts of the world, where port 22 or port 2222 is used. Europe is the only region where both ports 22222 and 2222 were also attacked in an attempt to exploit alternate ports and usages of SSH. In addition to some of the most commonly targeted ports, the targeting of other application ports, like Microsoft SMB port 445 and Microsoft CRM port 5555, makes it clear that attackers are targeting applications in Europe.
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic one backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you collect attack traffic and monitor your logs. You can compare this high-level attack data to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because attackers know default vendor credentials, all systems should be hardened before being deployed and protected with multifactor authentication.
Additionally, the volume of credentials breached in 2017 was so large that usernames and passwords should be considered “public.” Therefore, all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more on these breached passwords.
To mitigate the types of attacks discussed here, we recommend putting in place the following security controls: