F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensor and tracking system is constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in the Middle East during the winter of 2019 was characterized by:
- The top two attacking ASN organizations distributed their traffic across many IP addresses. As a result, none of those addresses appeared in the top 50 attacking IP addresses that targeted Middle Eastern systems.
- Fifty-four percent of the top 50 attacking IP addresses during this time period uniquely targeted this region alone.
- As noted in our article Cyber Threats Targeting Asia, Winter 2019, credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, continued during this time period. They were launched through networks in Russia, France, and Moldova, and attacks were felt around the world. Notably in the Middle East, many of these attacks also came from IP addresses assigned in Italy.
- The top two attacked ports in the Middle Eastern threat landscape, SMB port 445 and SSH port 22, remained popular with attackers, as a successful exploit on either port can provide full remote access to a system.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries were seen attacking all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
When zooming in on the Middle East, one of the most notable findings is the large amount of traffic coming from IP addresses assigned in China, along with a significant amount of traffic coming from other Asian countries. Notably, none of the top 10 attacking source traffic countries falls within the Middle East. This may be attributed to a high usage of VPNs in the area, given the Internet restrictions many countries in this region have in place.
When looking at the top 50 IP addresses targeting the Middle East, we also note that the top attacking IP address and one other IP address are geographically located in Italy. Twelve of the top 50 IP addresses targeting systems in the Middle East were geographically located in Russia. This distributed attack style is deliberate and takes more resources (systems and human effort) to carry out, and therefore is often attributed to more sophisticated threat actors.
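The ASN-versus-IP comparison behind the first summary bullet and the paragraph above (an attacker network that ranks high by total volume while none of its individual addresses reaches the top-N list) and the "uniquely targeted this region" share from the second bullet, as an added example that is not F5 Labs' or Baffin Bay Networks' code. The event records, the documentation-range IP addresses and the ASN labels are constructed for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    src_ip: str    # geolocated source address seen by the sensor
    asn: str       # ASN the source address belongs to
    region: str    # region of the attacked sensor
    dst_port: int  # targeted port


def constructed_events() -> list:
    # Hypothetical sensor hits (constructed, not real telemetry): one ASN spreads
    # 30 hits over 10 addresses, a second ASN sends its hits from a single address
    # that also attacks another region, and a third ASN hits this region only.
    ev = []
    for i in range(10):
        ev += [Event(f"203.0.113.{i}", "AS-SPREAD", "Middle East", 5900)] * 3
    ev += [Event("198.51.100.7", "AS-SINGLE", "Middle East", 445)] * 12
    ev += [Event("198.51.100.7", "AS-SINGLE", "Europe", 445)] * 5
    ev += [Event("192.0.2.9", "AS-OTHER", "Middle East", 22)] * 8
    return ev


def top_ips(events, region, n):
    return Counter(e.src_ip for e in events if e.region == region).most_common(n)


def top_asns(events, region, n):
    return Counter(e.asn for e in events if e.region == region).most_common(n)


def asns_hidden_from_ip_ranking(events, region, n):
    """Top-n ASNs by volume that have no single address in the top-n IP list."""
    top_ip_set = {ip for ip, _ in top_ips(events, region, n)}
    asn_ips = defaultdict(set)
    for e in events:
        if e.region == region:
            asn_ips[e.asn].add(e.src_ip)
    return [asn for asn, _ in top_asns(events, region, n)
            if not (asn_ips[asn] & top_ip_set)]


def region_unique_share(events, region, n):
    """Fraction of the top-n addresses attacking `region` that hit no other region."""
    regions_by_ip = defaultdict(set)
    for e in events:
        regions_by_ip[e.src_ip].add(e.region)
    top = [ip for ip, _ in top_ips(events, region, n)]
    return sum(1 for ip in top if regions_by_ip[ip] == {region}) / len(top)
```

With the constructed data, `asns_hidden_from_ip_ranking(constructed_events(), "Middle East", 2)` returns only the spread-out ASN, and `region_unique_share(..., 2)` is 0.5 because one of the two top addresses also attacked Europe.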
Vietnam and China are the only top source traffic countries on the list targeting systems in the Middle East that did not also appear to be targeting systems globally. Notably, these attacks were concentrated on a few IP addresses: a single IP address accounted for all of the traffic sourced in Vietnam, and six IP addresses, five of them in Hong Kong, made up the attack traffic geographically located in China. The other countries in the top 10 were all seen attacking all regions of the world.