Attack Campaign
September 10, 2021

Cyberattacks Targeting South Africa, January through June 2021

article
5 min. read
Additional Contributions By Malcolm HeathSander VinbergRaymond Pompon
App Tiers Affected:
Client
Services
Access
TLS
DNS
Network

F5 Labs was honored to host two Howard University undergraduate students, Malaya Moon and Akosua Wordie, as part of a Summer Security Practicum program. These two students assisted F5 Labs staff with analyzing and classifying web sensor data, and they dived deep into attacks against South Africa from the first part of 2021. By doing so, Moon and Wordie learned about web application attacks, global scanning trends, and data analysis using Python, R, and other tools. What follows is the report on their findings. Wordie and Moon chose to focus on South Africa because they were interested in how attack traffic differs between regions, especially when it came to the Europe, Middle East, Africa (EMEA) region, and specifically South Africa.

Cyberattack Highlights from South Africa

F5 Labs, in collaboration with Effluxio, researches global attack traffic to gain a better understanding of the cyberthreat landscape. In this regional threat analysis, F5 Labs researchers broke down the data collected by sensors on attacks targeting South Africa from January 1 through June 30, 2021.

Cyberattacks happen in many forms, but they usually start with a scan. This report presents an analysis of logs of web requests to unadvertised web baiting. The attack’s originating source address does not necessarily indicate malicious intent from a source country or organization. The source address may be a compromised system at that location being used as a proxy by an unknown attacker in another location. F5 Labs noted the following about cyberattacks against South Africa:

  • The United States was the top source country for cyberattacks against users in South Africa, followed closely by China.
  • Internet hosting provider Serverius Holding B.v. (AS50673) was the source of the most attacks seen per ISP, with over 3,000 requests.
  • Scans for PHP vulnerabilities were the most frequent, but many other scans for vulnerabilities were also detected.

Attack Traffic Details

Analysis of the traffic yielded significant insights into the source and intended services that malicious actors wanted to abuse. This section covers the top categories, including traffic source countries, organizations, services, and IP addresses.

Top Source Traffic Countries

Analyzing the geographical sources of the IP addresses, malicious requests came from the following countries, in order: the United States, China, Germany, Estonia, Russia, the U.K., Singapore, France, South Africa, and the Netherlands (see Figure 1).

Figure 1. Top 10 source countries for attack traffic targeting South Africa, January through June 2021.

Top Source Organizations (ASNs)

Serverius Holding B.v. (AS50673) from the Netherlands leads the chart with 3,337 requests, followed by Telia (AS3249) from Estonia. These are common ASNs seen in the top ASNs of cyberattack probes. Table 1 lists the ASN details.
 

Organization

ASN Country Count
Serverius Holding 50673 Netherlands 3,337
Telia 3249 Estonia 2,118
OVH Groupe SAS 16276 France 2,019
DigitalOcean 14061 United States 1,753
Baidu Netcom Science & Technology 38365 China 1,014
BGP Network Limited 64050 Malaysia 1,007
LLC Baxet 49392 Russia 998
DXTL Tseung Kwan O Service 134548 China 995
Shanghai Blue Cloud Technology 58593 China 993
Forcepoint 13448 United States 928
Microsoft 8075 United States 672
T-Mobile Deutsche Telekom Network 5588 Czech Republic 551
Shenzhen Tencent Computer Systems 45090 China 481
Zenlayer 21859 United States 410
Linode 63949 United States 346
China169 Backbone 4837 China 319
Frantech Solutions 53667 United States 283
Petersburg Internet Network 34665 Russia 251
APNIC addresses 4134 China 240
Meerfarbig GmbH 34549 Germany 235

Table 1. Details of the top 10 ASNs targeting South Africa, January through June 2021.

Web Attacks

The sensor data analyzed was solely for traffic sent to ports 80 and 443, with the sensor recording the source IP address, source ASN, HTTP method, requested URI, and any headers submitted with the request.

HTTP Methods in Web Cyberattacks

Looking at the HTTP web methods used in scanning, GET is expected to be the most common for web probing, and this data set had 55,471 hits. HTTP POSTs came in second at 19,149, and all others at 1,354, as shown in Figure 2.

Figure 2. HTTP methods scanned for South Africa, January to June 2021.

Specific Targeted Web URLs

One of the most crucial questions for defenders is knowing as much as possible about the vulnerabilities and technologies cyberattacks are targeting. Eliminating basic web root probes, which accounted for 17,298 requests, Table 2 shows the top web URLs that attackers scanned, with likely targeted vulnerabilities.
 

URL Scanned Likely Vulnerability Hits
PHP files (/test.php, /shell.php, /cmd.php, /login.php) No specifics, mainly looking for login pages or web shells 38,078
/scryba/file.php|file=fsociety.xml and similar Citadel|Atmos|ZeuS traffic 15,340
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and similar CVE-2017-9841 2,426
/stalker_portal/c and similar IPTV scanning 170

Table 2. Top web URLs attackers scanned, with vulnerabilities.

PHP was present as both the top vulnerability as well the third-most in CVE-2017-9841. This vulnerability refers to a remote code execution weakness that allows an attacker to read and write data as the web server processes it.

Scryba, a secure URL shortening API, appeared to be requests related to the functioning of the Citadel or Atmos variants of the ZeuS banking trojan. The requests seemed to be for an XML configuration file that is fetched by an infected machine to get command-and-control instructions.1

Lastly, the /stalker_portal/ scans point to attempts to find open Ministra TV Internet Protocol television (IPTV) APIs. Ministra TV, also known as Stalker Portal, is a middleware platform that allows for multimedia streaming. Cited IP addresses for this vulnerability came from the United States and the United Kingdom.

Conclusion

The majority of traffic targeted PHP-based applications, which mostly indicates the prevalence of PHP as a web application language. This is not to say that PHP is necessarily less secure, only that many applications use this language. Perhaps, given its age, many applications may be old, out of date, or unmaintained. The prevalence of scans for what can be assumed to be web shell endpoints indicates attackers are interested in finding already compromised websites.

The high amount of traffic related to a ZeuS trojan variant seems to indicate that this family of trojans is still alive and well, and continually evolving.

CVE-2017-9841 exploitation attempts are interesting in that this vulnerability has been known for over four years, but attackers still consider it worth targeting. This aligns with what F5 Labs has seen over the years regarding the “long tail” of exploit scanning.

The scanning for open endpoints for an IPTV-related API may simply be an attempt to find free entertainment or access to geo-restricted content.

App Tiers Affected:
Client
Services
Access
TLS
DNS
Network

Recommendations

To mitigate the types of attacks discussed here, we recommend putting in place the following security controls:

Technical
Preventative
  • As always, keep web applications patched and updated.
  • Consider the use of web application firewalls to detect and stop common attack patterns.
  • Review and test web application configurations for misconfigurations that may lead to compromise.
  • Review website content for indicators of compromise, such as web shells and other unauthorized content.

Need-to-Know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.