Attack Campaign
April 28, 2021

Cyberattacks Targeting Latin America, January through March 2021

article
5 min. read
App Tiers Affected:
Client
Services
Access
TLS
DNS
Network

F5 Labs, in collaboration with Effluxio, researches global attack traffic to gain a better understanding of the cyberthreat landscape. In this installment of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting Latin America from January 1 through March 31, 2021. Cyberattacks happen in many forms, but they usually start with a scan. This report presents an analysis of network logs and does not necessarily indicate malicious intent from a source country or organization. We last looked at cyberattacks targeting Latin America in our Regional Threat Perspectives, Fall 2019: Latin America.

Highlights

  • The United States was the top source country for cyberattacks against Latin America.
  • Port 5900, commonly used by VNC for remote desktop sharing and control, was scanned the most.
  • Internet hosting provider Serverius Holding B.v. (AS50673) led the attack chart with over 47 million requests.
  • Attacks on PHP and WordPress were the most commonly seen, but many other vulnerabilities were also detected.

Attack Traffic Details

Analysis of the traffic shows where attack traffic originated and which services the actors behind it intended to abuse. This section covers the top categories: source countries, source organizations (ASNs), targeted services and ports, and source IP addresses.

Top Source Traffic Countries

Analyzing the geographical sources of the IP addresses, malicious requests came from the following countries, in order: the United States, Lithuania, China, Russia, Germany, France, Brazil, the Netherlands, Argentina, and the UK (see Figure 1).

Figure 1. Source countries for attack traffic targeting Latin America, January through March 2021.

Top Source Organizations (ASNs)

Serverius Holding B.v. (AS50673) from the Netherlands leads the chart with 47 million requests, followed by DigitalOcean (AS14061) from the United States. Both ASNs appear regularly among the top sources of cyberattack probes. Table 1 lists the ASN details.
 

ASN | Organization | Country | Requests
50673 | Serverius Holding | Netherlands | 47,114,536
14061 | DigitalOcean | United States | 19,865,915
6428 | CDM | United States | 9,604,067
51167 | Contabo | Germany | 8,620,798
16276 | OVH Groupe SAS | France | 6,093,048
45090 | Shenzhen Tencent Computer Systems | China | 5,589,476
4134 | APNIC Addresses | China | 5,477,241
42632 | MnogoByte | Russia | 5,383,837
16814 | Unclassified LACNIC Addresses | Latin America and Caribbean | 4,025,128
197226 | Sprint S.A. | Poland | 3,651,560
4837 | China169 Backbone | China | 3,329,687
52368 | ZAM LTDA. | Colombia | 2,420,949
12876 | Online S.A.S. | France | 2,382,936
202425 | IP Volume Inc | Seychelles | 1,466,630
4766 | Korea Telecom | Korea | 1,358,407
57043 | Hostkey B.v. | Netherlands | 1,261,167
13886 | Cloud South | United States | 1,205,006
8075 | Microsoft | United States | 956,623
52228 | Cable Tica | Costa Rica | 948,707
209 | CenturyLink | United States | 939,402

Table 1. Details of the top ASNs targeting Latin America, January through March 2021.

Top Targeted Services and Ports

Threat actors scanned a wide range of ports, but port 5900 (used by VNC for remote desktop sharing and control) had the highest number of hits at more than 108 million. The three most targeted ports by volume were VNC port 5900, SSH port 22, and Telnet port 23, all remote administration services, indicating that threat actors were trying to gain remote access to servers. Figure 2 lists the top 10 ports scanned and their associated services.

Figure 2. Attack traffic volume targeting specific ports and services, January through March 2021.

Web Attacks

Effluxio sensors have more detailed web attack data available for the first two months of 2021 for Argentina, Brazil, Chile, Colombia, and Panama. Analysis of the web port targeting shows port 80 was still heavily favored over port 443. Chilean IP addresses saw the most scanning (23,955 probes between January and February 2021), with Brazil a close second (23,459 web probes). Figure 3 shows the breakdown by country.

Figure 3. Web scans against Argentina, Brazil, Chile, Colombia, and Panama, January and February 2021.

HTTP Methods in Web Cyberattacks

Looking at the HTTP methods used in scanning, GET is, as expected, the most common for web probing, with 40,505 hits in this data set. POST came in second at 24,628, followed by HEAD at 1,608. Figure 4 shows the breakdown.

Figure 4. HTTP methods scanned for Argentina, Brazil, Chile, Colombia, and Panama, January and February 2021.

Top Web Cyberattackers

Web attacks originated from the following countries during the first two months of 2021: China (23,583), Germany (10,847), and the United States (10,019). Figure 5 shows the entire top 10.

Figure 5. Top 10 countries attacking Argentina, Brazil, Chile, Colombia, and Panama, January and February 2021.

Specific Targeted Web URLs

One of the most crucial questions for defenders is knowing as much as possible about the vulnerabilities and technologies that cyberattacks are targeting. After excluding basic web root probes (14,246 requests for "/"), Table 2 lists the top web URLs attackers scanned, with the vulnerability each most likely targets.
 

URL Scanned | Likely Vulnerability | Hits
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | CVE-2017-9841 PHPUnit RCE | 1,940
/wp-content/plugins/wp-file-manager/readme.txt | CVE-2020-25213 wp-file-manager plugin RCE | 951
/api/jsonws/invoke | JSON Web Services Invoker probe | 927
/?XDEBUG_SESSION_START=phpstorm | PHP Xdebug extension source scan | 921
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 | CVE-2018-20062 ThinkPHP5 RCE | 920
/console/ | Web console probe | 917
/Autodiscover/Autodiscover.xml | Microsoft Exchange Autodiscover (normal endpoint) | 909
/manager/html | Apache Tomcat manager probe | 874
/login | Login page probe | 851
/.env | Unsecured .env file scan | 737
/config/getuser?index=0 | CVE-2020-25078 D-Link remote admin password disclosure | 671
/jenkins/login | Jenkins probe | 641
/boaform/admin/formLogin | Netlink GPON Router 1.0.11 RCE | 565
/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> | ThinkCMF fetch vulnerability | 496
/solr/admin/info/system?wt=json | Solr admin page probe | 467
/mifs/.;/services/LogService | CVE-2020-15505 MobileIron Core RCE | 455

Table 2. Top web URLs attackers scanned, with vulnerabilities.
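The URLs in Table 2 and the method breakdown in the HTTP Methods section are straightforward to turn into a first-pass detector for your own access logs. The Python script below is an added example and is not code from F5 Labs or Effluxio: it parses Apache/nginx "combined" format log lines (the sample lines, IP addresses and timestamps are constructed for illustration), percent-decodes and lower-cases each request target so trivial encoding tricks do not evade the match, and tags requests with loose regex forms of the Table 2 URLs. The labels are taken from the table's "likely vulnerability" column; the overly generic /login and /console/ entries are left out because they would match legitimate traffic.

```python
"""Classify Table 2 web probes and count HTTP methods in an access log (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx combined format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

# Loose signatures derived from the Table 2 URLs. Patterns are lower-case because
# the request target is lower-cased and percent-decoded before matching.
PROBE_SIGNATURES = [
    (r"/vendor/phpunit/phpunit/src/util/php/eval-stdin\.php", "CVE-2017-9841 PHPUnit RCE"),
    (r"/wp-content/plugins/wp-file-manager/", "CVE-2020-25213 wp-file-manager RCE"),
    (r"/api/jsonws/invoke", "JSON Web Services invoker probe"),
    (r"xdebug_session_start=", "Xdebug session probe"),
    (r"think\\app/invokefunction", "CVE-2018-20062 ThinkPHP5 RCE"),
    (r"/autodiscover/autodiscover\.xml", "Exchange Autodiscover probe"),
    (r"/manager/html", "Tomcat manager probe"),
    (r"/\.env(?:$|[/?])", "exposed .env file scan"),
    (r"/config/getuser\?index=", "CVE-2020-25078 D-Link password disclosure"),
    (r"/jenkins/login", "Jenkins probe"),
    (r"/boaform/admin/formlogin", "Netlink GPON router RCE"),
    (r"a=fetch&content=<php>", "ThinkCMF fetch RCE"),
    (r"/solr/admin/info/system", "Solr admin probe"),
    (r"/mifs/\.;/", "CVE-2020-15505 MobileIron RCE"),
]
COMPILED = [(re.compile(p), label) for p, label in PROBE_SIGNATURES]

# Constructed sample log (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2021:03:14:07 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2021:03:14:08 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2021:03:15:01 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 404 196 "-" "-"
198.51.100.7 - - [12/Jan/2021:03:15:02 +0000] "GET /%2Eenv HTTP/1.1" 404 196 "-" "-"
192.0.2.44 - - [12/Jan/2021:03:16:30 +0000] "HEAD /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 0 "-" "-"
192.0.2.44 - - [12/Jan/2021:03:16:31 +0000] "GET /mifs/.;/services/LogService HTTP/1.1" 404 196 "-" "-"
192.0.2.44 - - [12/Jan/2021:03:16:32 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "-"
10.0.0.5 - - [12/Jan/2021:03:17:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2021:03:17:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def classify_request(target):
    """Return the Table 2 label matching a raw request target, or None."""
    decoded = unquote(target).lower()
    for pattern, label in COMPILED:
        if pattern.search(decoded):
            return label
    return None


def analyze(log_text):
    """Summarise HTTP methods, matched probes and probing sources for one log."""
    methods, probes, sources = Counter(), Counter(), Counter()
    root_requests = unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        methods[m["method"]] += 1
        if m["target"] == "/":
            root_requests += 1  # bare root probes, counted separately as in Table 2
            continue
        label = classify_request(m["target"])
        if label:
            probes[label] += 1
            sources[m["ip"]] += 1
    return {
        "methods": dict(methods),
        "probes": dict(probes),
        "sources": dict(sources),
        "root_requests": root_requests,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("HTTP methods:", result["methods"])
    for label, hits in sorted(result["probes"].items(), key=lambda kv: -kv[1]):
        print(f"{hits:4d}  {label}")
    print("probing sources:", result["sources"])
```

Two details matter in practice. Match on the decoded target: the `/%2Eenv` line is the same probe as `/.env`, and a raw substring match would miss it. And read the status code next to the match: a 404 on `/vendor/phpunit/.../eval-stdin.php` is a failed probe, while a 200 means the file is really there and the source should be treated as a probable compromise, not just a scanner.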

Conclusion

Threat actors are consistently scanning the Internet seeking vulnerabilities and open services. In this data set for the beginning of 2021, we saw significant traffic trying to exploit remote access and known web vulnerabilities. Modern enterprises need to ensure that they have up-to-date visibility into exposed services, strong authentication, and an efficient and effective patching policy.


Recommendations

To mitigate the types of attacks discussed here, we recommend putting in place the following security controls:

Technical
Preventative
  • Prioritize hardening and patching for exposed ports that are commonly attacked, such as HTTP, VNC, and SSH.
  • Use strong authentication for remote administrative services such as VNC and SSH.
  • Use firewalls to block all unnecessary access to commonly attacked ports, including those that must remain publicly exposed.
  • Disable weak and unused protocols such as Telnet.
  • Keep web applications and infrastructure up to date on patches.
  • Configure network access controls so that administrative ports are reachable only from officially designated IP address ranges.
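The last two controls, disabling Telnet and allowing administrative ports only from designated ranges, can be checked against firewall or flow logs for the three ports the sensors saw most (VNC 5900, SSH 22, Telnet 23). The Python script below is an added example, not from F5 Labs or Effluxio. The CSV flow export format, the 203.0.113.0/24 "designated administrator range" and all addresses in it are constructed assumptions; substitute your own export and the ranges your organization actually assigns to administrators or VPN egress.

```python
"""Audit admin-port exposure against designated source ranges (added example)."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# The three most-hit ports in the sensor data, with their services.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 5900: "VNC"}

# Hypothetical "officially designated" management range (assumption).
ALLOWED_ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed firewall/flow export. 203.0.113.x is the designated range,
# 198.51.100.x stands for arbitrary Internet sources, 192.0.2.x are our hosts.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,action
2021-02-03T10:00:01Z,203.0.113.5,51234,192.0.2.10,22,tcp,accept
2021-02-03T10:00:02Z,198.51.100.20,40001,192.0.2.10,5900,tcp,accept
2021-02-03T10:00:02Z,198.51.100.20,40002,192.0.2.11,5900,tcp,accept
2021-02-03T10:00:03Z,198.51.100.20,40003,192.0.2.10,22,tcp,accept
2021-02-03T10:00:04Z,198.51.100.21,40010,192.0.2.12,23,tcp,accept
2021-02-03T10:00:05Z,203.0.113.9,51300,192.0.2.12,23,tcp,accept
2021-02-03T10:00:06Z,198.51.100.22,40020,192.0.2.10,443,tcp,accept
2021-02-03T10:00:07Z,198.51.100.23,40030,192.0.2.10,5900,tcp,drop
"""


def is_designated_source(ip, allowed=ALLOWED_ADMIN_SOURCES):
    """True if ip falls inside one of the designated administrator ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def audit_admin_access(flow_csv, allowed=ALLOWED_ADMIN_SOURCES):
    """Return admin-port hit counts, policy violations and multi-port scanners."""
    port_hits = Counter()        # every attempt on an admin port, accepted or dropped
    violations = []              # accepted admin sessions from outside the designated ranges
    weak_protocol = []           # accepted Telnet, which should be disabled regardless of source
    ports_per_source = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dst_port"])
        if port not in ADMIN_PORTS:
            continue
        service = ADMIN_PORTS[port]
        port_hits[service] += 1
        ports_per_source[row["src_ip"]].add(port)
        if row["action"] != "accept":
            continue             # the firewall already blocked this one
        if service == "Telnet":
            weak_protocol.append((row["src_ip"], row["dst_ip"]))
        if not is_designated_source(row["src_ip"], allowed):
            violations.append((row["src_ip"], row["dst_ip"], service))
    # A source touching more than one admin port behaves like a scanner, not an admin.
    scanners = sorted(ip for ip, ports in ports_per_source.items() if len(ports) > 1)
    return {
        "port_hits": dict(port_hits),
        "violations": violations,
        "weak_protocol": weak_protocol,
        "scanners": scanners,
    }


if __name__ == "__main__":
    report = audit_admin_access(SAMPLE_FLOWS)
    print("admin-port hits:", report["port_hits"])
    for src, dst, service in report["violations"]:
        print(f"VIOLATION {service}: {src} -> {dst} (source not in designated range)")
    for src, dst in report["weak_protocol"]:
        print(f"WEAK PROTOCOL Telnet accepted: {src} -> {dst}")
    print("multi-port scanners:", report["scanners"])
```

Note that an accepted Telnet session from inside the designated range still appears under weak_protocol: the source allowlist is the second control, not a substitute for turning the service off. Dropped connections are counted in port_hits so the volume of scanning stays visible, but they are not violations.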
