F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019 through December 31, 2019—in the United States (U.S.), Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in Russia during the winter of 2019 was characterized by a large number of unique attacking IP addresses, which only targeted systems in Russia.
- SoftLayer Technologies Inc., with IP addresses geographically located in the Netherlands, launched the most attack traffic directed towards systems in Russia.
- Attack traffic originating from IP addresses inside Russia accounted for the most attack traffic attributed by any nation. This kind of traffic is particularly hard to filter as it requires behavioral detection versus geographical IP address blocking.
- The top targeted port, SMB port 445, and the third most attacked port, SSH port 22, were commonly targeted across the world because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system.
- Swiss Exchange port 7326 was only attacked on Russian systems. This traffic was first noticed in October and only targeted Russia. This is notable, given the potential financial implications and the fact that this was not a top attacked port anywhere else in the world during this time period.
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the U.S., and the Netherlands round out the top five for sources of global attack traffic. The full top ten source traffic countries were seen attacking all regions of the world. Moldova is a relative newcomer to this list, again due to the global VNC port 5900 attack campaign.
When zooming in on Russia specifically, we found it notable that Russia itself is the top attacking source traffic country. This type of behavior can be more difficult for enterprises to filter out as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region.
IP addresses located in Argentina, appearing in both the top source traffic list and the top attacking IP addresses list, were only seen targeting Latin America and Russia during this time period. The top attacking IP address targeting Russian systems came from Argentina, as well. This represents the largest volume of attack traffic coming from a single IP address. Other threat actors took a more distributed approach, with eight IP addresses out of the top 50 attacking IP addresses located in Russia and seven geolocated in the United States and Germany. This distributed style of attack is deliberate and takes more resources (systems and human effort) to carry out, and therefore is often attributed to more sophisticated threat actors. The other countries in the top ten were all seen attacking all regions of the world.
Top Attacking Organizations (ASNs)
SoftLayer Technologies Inc., registered in the Netherlands, accounted for a large portion of the attacks launched towards systems in Russia from October 1, 2019 through December 31, 2019. We saw the IP address tied to this ASN conducing abusive port scanning directed towards SMB port 445 and other common ports such as SSH port 22. Access granted by exploiting a vulnerability in either protocol could spill a lot of information about a system. Amazon.com was the ASN in second position, targeting systems in Russia. The IP addresses registered to this ASN were geographically located in Germany and were also involved with abusive port scanning, often scanning a number of unique ports. GTECH, the network in third position, is driving Italy into the top source traffic countries list, targeted Russian systems with only one IP address in the top 50 attacking IP addresses.
Notably absent from the Russian threat landscape was cloud computing company OVH SAS and Hostkey B.v. We saw attack traffic from these ASNs targeting systems all over the world and they appeared in the top attacking ASNs list targeting other systems in Europe. The top attacking ASNs targeting systems in Russia overlap somewhat with the top attacking ASNs targeting systems in Europe. We continued to see Hetzer Online GmbH as a top attacking ASN in both geographic regions. Rounding out the top ten ASNs were those that often used more distributed IP addresses in order to conduct abusive port scanning, which is typically associated with network reconnaissance looking for vulnerabilities.
Top Attacking IP Addresses
Out of the top 50 IP addresses attacking Russian systems, 70% only targeted systems in Russia. This is notably higher than what we saw in the European threat landscape, where only 22% of the top attacking IP addresses uniquely targeted European systems. The large drop in traffic from the top 2 attacking IP addresses to the rest of the top 50 can be attributed to the malicious SMB port 445 activity. The top attacking IP addresses targeting systems in Russia were often spotted attempting to attack specific ports and protocols that could give threat actors greater visibility into a network.
Attack Types of Top Attacking IP Addresses
Many of the IP addresses attacking Russian systems during the winter of 2019 were involved in abusive port scanning activity. As noted in the top attacked ports section, Microsoft SMB on port 445 was the highest targeted port, and that was seen across all of the top attacking IP addresses. We continued to observe high levels of attack traffic pointed towards VNC/RFB port 5900, although those levels are notably lower in Russia. As our sensor stack has evolved, we’ve noticed more IP addresses that are targeted on SMB port 445 at higher rates.
RM Engineering, which hosts a number of the top attacking IP addresses, does appear in the Russian threat landscape during this time period. One reason they don’t appear in the top attacking ASNs list could be that the attacks were at a lower volume. RM Engineering launched credential stuffing attacks that targeted RFB port 5900 and were received by systems all over the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB began, unlike OVH SAS, which has routinely shown up on top attacking network lists in our Hunt for IoT Report series for years.
|Source IP address||Attack Type||ASN||Source Country||Russia Count|
|22.214.171.124||Port Scanning: SMB port 445, MS SQL port 1433||Smart Telecom S.A.R.L||Argentina||873,668|
|126.96.36.199||Port Scanning: WebLogic port 7001, MS SMB port 445, MS SQL port 1433||Cambrium IT Services B.V.||Netherlands||650,419|
|188.8.131.52||Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25||Hetzner Online GmbH||Germany||539,707|
|184.108.40.206||Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25||Hetzner Online GmbH||Germany||538,668|
|220.127.116.11||Port Scanning: MS SQL port 1433, SMB port 445||Charter Communications||United States||391,305|
|18.104.22.168||Port Scanning: 48 unique ports||Serverius Holding B.V.||Netherlands||340,171|
|22.214.171.124||Port Scanning: SSH port 22, Credential Stuffing: SSH port 22||SoftLayer Technologies||Netherlands||300,110|
|126.96.36.199||Port Scanning: SMB port 445, HTTPS port 443, SMTP port 25, SSH port 22, HTTP port 80||SoftLayer Technologies||Netherlands||289,462|
|188.8.131.52||Port Scanning: MS SMB port 445, WebLogic port 7001, MS SQL port 1433, HTTP port 80
HTTP Attacks: Alt-HTTP port 8080
|SoftLayer Technologies||United States||286,093|
|184.108.40.206||Port Scanning: MS SMB port 445, MS SQL port 1433||SoftLayer Technologies||United States||285,236|
|220.127.116.11||Port Scanning: MS SMB port 445||OOO Tecom||Russia||279,386|
|18.104.22.168||Port Scanning: ICB/SWX port 7326||Vodafone Kabel Deutschland||Germany||233,842|
|22.214.171.124||Port Scanning: RFB/VNC port 5900 & 5901||GTECH S.p.A.||Italy||231,174|
|126.96.36.199||Port Scanning: SMB port 445, MS SQL port 1433||SK Broadband Co Ltd||South Korea||207,491|
|188.8.131.52||Port Scanning: SMB port 445, WebLogic port 7001, MS SQL port 1433, 8080||Donner Oleg Alexeevich||Romania||204,043|
|184.108.40.206||Port Scanning: 61 unique ports||Korea Telecom||South Korea||201,434|
|220.127.116.11||Port Scanning: MS SMB port 445, WebLogic port 7001, MS SQL port 1433, Alt-HTTP port 8080, HTTP port 80
HTTP Attacks: Alt-HTTP port 8080
|Dgn Teknoloji A.s.||Turkey||196,841|
|18.104.22.168||Port Scanning: SMB port 445, MS SQL port 1433, WebLogic port 7001
HTTP Attacks: Alt-HTTP port 8080
|MCI DBA Verizon||United States||191,969|
|22.214.171.124||Port Scanning: 443, 445, HTTP port 80||Amazon.com||Germany||173,994|
|126.96.36.199||Port Scanning: ICB/SWX port 7326||Cablevision Systems Corp.||United States||173,943|
|188.8.131.52||Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
|184.108.40.206||Port Scanning: 40048 unique ports||UAB Host Baltic||Lithuania||161,719|
|220.127.116.11||Port Scanning: RFB/VNC port 5900||WideOpenWest Finance LLC||United States||161,433|
|18.104.22.168||Port Scanning: RFB/VNC port 5900, Credential Stuffing: RFB/VNC port 5900||ITC NG ltd||Israel||150,800|
|22.214.171.124||Port Scanning: Netbios port 139, HTTP port 80, 137, 138, SMB port 445||Alviva Holding Limited||United Kingdom||146,538|
Table 1. Top Attacking IP addresses and their attack types targeting Russian Systems, October 1, 2019 – December 31, 2019
Top Targeted Ports
Looking at top targeted ports and services can provide insight as to where attackers are focusing resources and what services they’re after. Russia had possibly the most distinct top attacked ports over this time period. As in most of the rest of the world, SMB port 445 was the number one attacked port in Russia (consistent with global attack activity since the Eternal Blue exploit was released in April 2017). We noticed a large uptick in volume of SMB port 445 attack traffic in this time period compared to the volume noted in our fall 2019 regional threat perspectives article about Russia. This can be attributed to our continuously evolving sensor network where we are observing the regional threat landscape from different postures.
In a distant second position was the Swiss Exchange port 7326. This traffic was first noticed in October. and is only targeting Russia. This is notable, given the potential financial implications and the fact that this was not a top attacked port anywhere else in the world during this time period. When looking at attacks on Russian systems, the only other port only targeted port was 21455.
In third position was SSH port 22. This activity was consistent all over the world—and we expect to see this. SMB port 445 and SSH port 22 are commonly targeted because exploiting a vulnerability on either port can give a malicious actor access to the entire system. Many of the remaining top targeted ports were those used for web applications, access, and email. This clearly indicate attackers went after applications and access to applications in Russia (as they did all across the world).
Notable in the Russian threat landscape was the relatively smaller number of attacks targeted towards VNC port 5900. This activity is atypical and was first noticed in July 2019. We are actively engaged in an ongoing investigation of this activity, much of which appears to be coming from Russia, although with the use of proxies and VPNs, we cannot be sure of attribution.
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic position backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether or not you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because default vendor credentials are known by attackers, all systems should be hardened before being deployed and protected with multi-factor authentication.
Additionally, the volume of credentials that were breached in 2017 was so large that usernames and passwords should be considered “public,” therefore all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.
To mitigate the types of attacks discussed here, we recommend the following security controls be put in place: