App Tiers Affected:
F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensor and tracking system is constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in the Middle East during the winter of 2019 was characterized by:
- Attackers used the top two attacking ASN organizations to distribute traffic over many IP addresses. As a result, none appeared in the top 50 attacking IP addresses that targeted Middle Eastern systems.
- Fifty-four percent of the top 50 attacking IP addresses during this time period uniquely targeted this region alone.
- As noted in our article Cyber Threats Targeting Asia, Winter 2019, credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, continued during this time period. They were launched through networks in Russia, France, and Moldova, and attacks were felt around the world. Notably in the Middle East, many of these attacks also came from IP addresses assigned in Italy.
- The top two attacked ports in the Middle Eastern threat landscape, SMB port 445 and SSH port 22, remained popular with attackers, as a successful exploit on either port can provide full remote access to a system.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries were seen attacking all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
When zooming in on the Middle East, one of the most notable findings is the large amount of traffic coming from IP addresses assigned in China, along with a significant amount of traffic coming from other Asian countries. Notably, none of the top 10 attacking source traffic countries falls within the Middle East. This may be attributed to a high usage of VPNs in the area, given the Internet restrictions many countries in this region have in place.
When looking at the top 50 IP addresses targeting the Middle East, we also note that the top attacking IP address and one other IP address are geographically located in Italy. Twelve of the top 50 IP addresses targeting systems in the Middle East were geographically located in Russia. This distributed attack style is deliberate and takes more resources (systems and human effort) to carry out, and therefore is often attributed to more sophisticated threat actors.
Vietnam and China are the only top source traffic countries on the list targeting systems in the Middle East that did not also appear to be targeting systems globally. Notably, these attacks concentrated on specific IP addresses, with one IP address representing the traffic attributed to IP addresses sourced in Vietnam, and six IP addresses making up the attack traffic geographically located in China, five specifically in Hong Kong. The other countries in the top 10 were all seen attacking all regions of the world.
Top Attacking Organizations (ASNs)
Eurobet Italia SRL was the number one attacking ASN during the winter of 2019 and accounted for a large portion of the attacks launched toward systems in the Middle East from October 1, 2019, through December 31, 2019. Notably, however, none of the IP addresses in the top 50 attacking IP addresses list were assigned to Eurobet Italia SRL. Similarly, attacks from Garanti Bilisim Teknolojisi, in third position, did not appear in the top attacking IP address list. This indicates that attacks from these ASNs were distributed over many IP addresses, apportioning the workload and resources. This could have been done to make the traffic appear to look more like regular traffic. Conversely, GTECH S.p.A., in second position, is the hosting ASN for the only two Italian IP addresses launching port scanning and credential stuffing attacks on RFB/VNC port 5900 toward Middle Eastern systems. This was a large portion of the traffic.
Notably different from Asia and the rest of the world’s threat landscape during the winter of 2019, OVH SAS did not appear as a top attacking ASN for the Middle East. This is an ASN that we’ve seen attacking different regions of the world for years. We also noticed a lot of attack traffic coming from Hostkey B.v., which was seen attacking all regions of the world. The traffic seen from Hostkey B.v. was conducting multiport scanning and targeted SMB port 445 attacks. These IP addresses were primarily hosted in Russia. The attacks coming from RM Engineering targeted RFB/VNC port 5900 with credential stuffing attacks and were received by systems all over the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB began. RM Engineering was in fourth position for attacking Middle Eastern systems during this time period.
Top Attacking IP Addresses
Out of the top IP addresses attacking Middle Eastern systems, 54% only targeted systems in the region. Though we saw a large amount of malicious SMB port 445 activity, we also saw a large amount of RFB/VNC port 5900 attack traffic, which accounts for the top attacking IP address traffic. In the Middle East, we saw a more linear trend along how much attack activity could be attributed to the top attacking IP addresses, compared to other regions we looked at, where one or a few IP addresses really dominated the threat landscape.
Attack Types of Top Attacking IP Addresses
Many of the IP addresses attacking Middle Eastern systems during the winter of 2019 were involved in abusive port scanning activity. As noted in the Top Targeted Ports section, Microsoft SMB port 445 was the most targeted port, and that was seen across all of the top attacking IP addresses. In the Middle Eastern threat landscape, we’re also seeing many specific ports targeted, notably database ports, including port 3389. We’ve continued to observe high levels of attack traffic pointed toward RFB/VNC port 5900. As our sensor stack has evolved, we’re noticing more IP addresses targeting SMB port 445 at higher rates.
|Source IP Address||Attack Type||ASN||Source Country||Normalized Attack Count|
|126.96.36.199||Port Scanning: RFB/VNC port 5900 & 5901||GTECH S.p.A.||Italy||401,555|
|188.8.131.52||Port Scanning: 6 unique ports||RM Engineering||Moldova||397,142|
|184.108.40.206||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||387,420|
|220.127.116.11||Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25||Hetzner Online GmbH||Germany||367,606|
|18.104.22.168||Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25||Hetzner Online GmbH||Germany||367,032|
|22.214.171.124||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||344,447|
|126.96.36.199||Port Scanning: 48 unique ports||Serverius Holding B.V.||Netherlands||322,156|
|188.8.131.52||Port Scanning: SMB port 445, MS SQL port 1433||Hostkey B.v.||Russia||313,001|
|184.108.40.206||Port Scanning: RFB/VNC port 5900||Hostkey B.v.||Russia||306,023|
|220.127.116.11||Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23||Hostkey B.v.||Russia||305,233|
|18.104.22.168||Port Scanning: 28188 unique ports||Selectel||Russia||243,746|
|22.214.171.124||Port Scanning: 6 unique ports||Melita Limited||Malta||210,385|
|126.96.36.199||Port Scanning: MS SQL port 1433, SMB port 445||COLT Technology Services||Netherlands||209,363|
|188.8.131.52||Port Scanning: 51 unique ports||Melita Limited||Malta||209,135|
|184.108.40.206||Port Scanning: 61 unique ports||Korea Telecom||South Korea||181,110|
|220.127.116.11||Port Scanning: SSH port 22, Credential Stuffing: SSH port 22||Bayanat Al-Oula / Net Srvcs||Saudi Arabia||180,775|
|18.104.22.168||Port Scanning: SMB port 445, MS SQL port 1433||SK Broadband Co Ltd.||South Korea||178,798|
|22.214.171.124||Port Scanning: 6386, 6385||Arabian Internet & Comms||Saudi Arabia||178,521|
|126.96.36.199||Port Scanning: MS SMB port 445, MS SQL port 1433
Malware Uploads: SMB port 445
|Livenet Sp. z o.o.||Poland||172,493|
|188.8.131.52||Port Scanning: MS SQL port 1433, SMB port 445||GTECH S.p.A.||Italy||171,089|
|184.108.40.206||Port Scanning: Alt HTTP port 8080, Credential Stuffing: Telnet port 23||Teleline Ltd.||Russia||159,635|
|220.127.116.11||Port Scanning: Alt HTTP port 8080, HTTP Attacks: Alt-HTTP port 8080
Credential Stuffing: Telnet port 23
|18.104.22.168||Port Scanning: 33398 unique ports||IMAQLIQ SERVICE Ltd||Russia||158,027|
|22.214.171.124||Port Scanning: MS SQL port 1433, SMB port 445||NETSEC||Hong Kong||153,608|
|126.96.36.199||Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22||NETSEC||Hong Kong||153,457|
Table 1. Top attacking IP addresses and their attack types targeting Middle Eastern systems, October 1 2019–December 31, 2019
Top Targeted Ports
SMB port 445 was the number one attacked port in the Middle East during the winter of 2019. In a distant second place was SSH port 22. When we look back at the Regional Threat Perspectives, Fall 2019: Middle East, the volume of SMB traffic is significantly lower. This can be attributed to constantly updating and evolving our sensor stack—typically we expect SMB port 445 to be a top targeted port. Both of these ports are commonly targeted, as exploiting a vulnerability on either port can give a malicious actor access to the entire system. Notably, both of these ports were the top attacked ports during fall 2019 as well, showing the trend continuing into the winter months.
HTTP port 80 and HTTPS port 443 follow SSH and SMB as the third and fourth most attacked ports, respectively. The fifth most attacked port, RFB/VNC 5900, was attacked around the world during this time period, and we are continuing to investigate the global campaign in the IPv4 space on this port.
In addition to some of the most commonly targeted ports, the targeting of nonstandard HTTP ports (8443 and 8080) and other application ports, like Microsoft SMB port 445 and Microsoft CRM port 5555, makes it clear that attackers are targeting applications in the Middle East.
Also noteworthy is the apparent attempt to compromise IoT systems in the Middle East by targeting ports 7547 and 8291, both of which are used only by SOHO routers and are commonly attacked by IoT botnets (thingbots). We called out these ports in our 2017 report The Hunt for IoT: The Rise of Thingbots. The Middle East is one of two regions where these two ports appear in the top attacked ports—the other region where we saw this activity is Latin America. This further illustrates that vulnerable devices, no matter where they are in the world, will be targeted. Attackers do not see geographic boundaries as deterrents.
In general, the best approach a security team can take as defenders in this modern threat landscape is to “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, it is a realistic one backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you collect attack traffic and monitor your logs. You can compare this high-level attack data to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because attackers know default vendor credentials, all systems should be hardened before being deployed and protected with multifactor authentication.
Additionally, the volume of credentials that were breached in 2017 was so large that usernames and passwords should be considered “public.” Therefore, all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See the F5 Labs report Lessons Learned from a Decade of Data Breaches for more on these breached passwords.
To mitigate the types of attacks discussed here, we recommend putting in place the following security controls