F5 Labs, in collaboration with Effluxio, researches global attack traffic to gain a better understanding of the cyberthreat landscape. In this installment of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting Latin America from January 1 through March 31, 2021. Cyberattacks happen in many forms, but they usually start with a scan. This report presents an analysis of network logs and does not necessarily indicate malicious intent from a source country or organization. We last looked at cyberattacks targeting Latin America in our Regional Threat Perspectives, Fall 2019: Latin America.
- The United States was the top source country for cyberattacks against Latin America.
- Port 5900, commonly used by VNC for remote desktop sharing and control, was scanned the most.
- Internet hosting provider Serverius Holding B.V. (AS50673) led the attack chart with over 47 million requests.
- Attacks on PHP and WordPress were the most commonly seen, but many other vulnerabilities were also detected.
Attack Traffic Details
Analysis of the traffic yielded significant insights into where the traffic came from and which services malicious actors intended to abuse. This section covers the top categories, including traffic source countries, organizations, services, and IP addresses.
Top Source Traffic Countries
Based on the geographical sources of the IP addresses, malicious requests came from the following countries, in order: the United States, Lithuania, China, Russia, Germany, France, Brazil, the Netherlands, Argentina, and the UK (see Figure 1).
Top Source Organizations (ASNs)
Serverius Holding B.V. (AS50673) from the Netherlands leads the chart with 47 million requests, followed by DigitalOcean (AS14061) from the United States. Both are ASNs commonly seen among the top sources of cyberattack probes. Table 1 lists the ASN details.
| ASN | Organization | Country | Requests |
|---|---|---|---|
| 16276 | OVH Groupe SAS | France | 6,093,048 |
| 45090 | Shenzhen Tencent Computer Systems | China | 5,589,476 |
| 16814 | Unclassified LACNIC Addresses | Latin America and Caribbean | 4,025,128 |
| 202425 | IP Volume Inc | Seychelles | 1,466,630 |
| 13886 | Cloud South | United States | 1,205,006 |
| 52228 | Cable Tica | Costa Rica | 948,707 |
Top Targeted Services and Ports
Threat actors scanned a wide range of ports, but port 5900 (used by VNC for remote desktop sharing and control) had the highest number of hits at more than 108 million. The most targeted ports by volume were VNC port 5900, SSH port 22, and Telnet port 23, indicating threat actors’ attempts to gain remote access to servers. Figure 2 lists details of the top 10 ports scanned and associated services.
Effluxio sensors have more detailed web attack data available for the first two months of 2021 for Argentina, Brazil, Chile, Colombia, and Panama. Analysis of the web port targeting shows port 80 was still heavily favored over port 443. Chilean IP addresses saw the most scanning (23,955 probes between January and February 2021), with Brazil a close second (23,459 web probes). Figure 3 shows the breakdown by country.
HTTP Methods in Web Cyberattacks
Looking at the HTTP methods used in scanning, GET is expected to be the most common for web probing, and in this data set it accounted for 40,505 hits. HTTP POSTs came in second at 24,628, followed by HEAD probes at 1,608. Figure 4 shows the breakdown.