F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time.
The attack landscape targeting systems in Australia during the winter of 2019 was characterized by a large amount of attack traffic destined for SMB port 445 and SSH port 22, along with many other web application protocols and web application database protocols. We believe these ports were targeted because exploiting a vulnerability on these ports could give a malicious actor access to the entire system.
- During the winter of 2019, Australia was the only region in the world in which NetBIOS port 139 was a targeted protocol.
- IP addresses assigned in Singapore accounted for the most attack traffic targeting systems in Australia. Singapore IP addresses hosted through French cloud computing company OVH SAS, launched the most attack traffic directed toward systems in Australia during this time period.
- Half of the countries in the top attacking source countries list were in Asia, with IP addresses located in Singapore targeting only systems in Australia and Asia.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia (see Figure 1). However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019. We are still actively investigating this activity. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries were also seen attacking regions around the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
In Australia, the threat landscape differed slightly from some of the other regions in the world, particualrly Europe and the United States. Singapore was the top source traffic country directing attacks toward Australian systems. IP addresses geolocated in Singapore were seen targeting only systems in Australia and Asia, with the majority of those attacks directed toward systems in Asia. Malicious actors in Singapore may have focused on Australian and Asian systems because it’s reasonable to assume that those enterprises have customers in Singapore. It is more difficult to filter traffic from locations where businesses may have customers and they cannot rely on geographical IP address blocking techniques, assuming the business wants to remain accessible to legitimate customers.
Many of the top attacking IP addresses also came from Singapore and Russia (see Figure 2). These attacks were not concentrated in two or three IP addresses, as we’ve seen in other regions of the world. This distributed attack style is deliberate and takes more resources (systems and human effort) to carry out, and therefore is often attributed to more sophisticated threat actors. The other countries in the top 10 were all seen attacking regions around the world.
Top Attacking Organizations (ASNs)
Similar to Asia, the cloud computing company OVH SAS, registered in France, accounted for the most attack traffic launched toward Australian systems (see Figure 3). OVH SAS hosted 15 Singaporean IP addresses that conducted abusive port scanning and web application and web application database targeting. Hostkey B.v., another hosting provider, was in second position and was seen in attack traffic around the world. The IP addresses this ASN hosted, primarily in Russia, were involved in abusive port scanning and web application attacks, along with targeting RFB/VNC port 5900 with credential stuffing attacks. Along with some of the IP addresses Hostkey B.v. hosted, systems around the world received attacks targeting RFB/VNC port 5900 from RM Engineering, hosted in Moldova. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB/VNC port 5900 began, unlike OVH SAS, which for years has routinely shown up on top attacking network lists in our Hunt for IoT Report series. GTECH S.p.A., in fourth position, had only one IP address in the top 50 attacking IP addresses list, indicating this high level of attack traffic was achieved through distributed attacks over many IP addresses. Rounding out the top 10 ASNs were those that often used more distributed IP addresses in order to conduct abusive port scanning, which is typically associated with network reconnaissance looking for vulnerabilities.
Top Attacking IP Addresses
When looking at the top 50 attacking IP addresses targeting Australian systems, only 30% were seen uniquely targeting systems in Australia (see Figure 4). This is lower than the targeting we saw in Asia, where 40% of the IP addresses in the top attacking IP addresses list uniquely targeted Asian systems. The trend we saw across the top attacking IP addresses was linear after the top 10 attacking IP addresses. These are outliers with a large amount of attack traffic engaged in a variety of activities, ranging from malware uploads to abusive port scanning and credential stuffing. The large amount of activity on these IP addresses can also largely be attributed to attacks against SMB port 445.
Attack Types of Top Attacking IP Addresses
IP addresses geolocated in Singapore and Russia make up the top five attacking IP addresses (see Table 1). These were involved in targeted abusive port scanning and malware uploads and focused on web application and web application database protocols. Many of the IP addresses attacking Australian systems during the winter of 2019 were focused on abusive port scanning activity. We continued to observe high levels of attack traffic pointed toward RFB/VNC port 5900, and as our sensor stack evolves, we notice more IP addresses targeting SMB port 445 at higher rates.
|Source IP Address||Attack Type||ASN||Source Country||Normalized Attack Count|
|220.127.116.11||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Singapore||1,204,052|
|18.104.22.168||Port Scanning: MS SMB port 445, MS SQL port 1433, NetBIOS port 139
Malware Uploads: SMB port 445
|22.214.171.124||Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23||Hostkey B.v.||Russia||997,586|
|126.96.36.199||Port Scanning: SMB port 445, MS SQL port 1433||Hostkey B.v.||Russia||996,085|
|188.8.131.52||Port Scanning: RFB/VNC port 5900||Hostkey B.v.||Russia||983,961|
|184.108.40.206||Port Scanning: MS SQL port 1433, MS SMB port 445, NetBIOS port 139
Malware Uploads: SMB port 445
|220.127.116.11||Port Scanning: MS SQL port 1433, MS SMB port 445||OVH SAS||Singapore||643,091|
|18.104.22.168||Port Scanning: 48 unique ports||Serverius Holding||Netherlands||633,213|
|22.214.171.124||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||429,198|
|126.96.36.199||Port Scanning: 6 unique ports||RM Engineering||Moldova||419,105|
|188.8.131.52||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||399,841|
|184.108.40.206||Port Scanning: MS SQL port 1433, MS SMB port 445, NetBIOS port 139
Malware Uploads: SMB port 445
|220.127.116.11||Port Scanning: SMB port 445, MS SQL port 1433||IP Volume||Netherlands||165,220|
|18.104.22.168||Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22||Online S.a.s.||France||135,969|
|22.214.171.124||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Singapore||116,305|
|126.96.36.199||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Singapore||98,670|
|188.8.131.52||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Singapore||94,606|
|184.108.40.206||Port Scanning: 443, 445, HTTP port 80||Amazon.com||Germany||92,466|
|220.127.116.11||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Singapore||83,147|
|18.104.22.168||Port Scanning: 16 unique ports, HTTP Attacks: HTTPS port 443
Credential Stuffing: HTTP port 80
|Miti 2000 EOOD||82,375|
|22.214.171.124||Port Scanning: Telnet port 23, Huawei port 37215, Cred Stuffing: Telnet port 23||PIN Hosting Europe||Estonia||80,718|
|126.96.36.199||Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25||Hetzner Online GmbH||Germany||79,837|
|188.8.131.52||Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25||Hetzner Online GmbH||Germany||79,675|
|184.108.40.206||Port Scanning: MS SQL port 1433, MS SMB port 445||OVH SAS||Singapore||78,696|
|220.127.116.11||Port Scanning: RFB/VNC port 5900||RM Engineering||Moldova||78,396|
Table 1. Top attacking IP addresses and their attack types targeting Australia systems, October 1, 2019–December 31, 2019
Top Targeted Ports
Looking at the destination ports of the attacks helps us understanding what types of systems and services attackers are looking for. Australia was the only region analyzed during this time period where RFB/VNC port 5900 was the top attacked port, with this port also being attacked around the world during this same time (see Figure 5). This activity is not typical, and we continue to actively investigate this activity. In a close second position is SMB port 445, which is consistently one of the top attacked ports around the world. SMB port 445 has been a top targeted port since the release of the EternalBlue exploit in April 2017. We did not see this activity in the fall 2019 regional threat perspectives in Australia, which can be attributed to our constantly evolving and growing sensor stack as we look at the current threat landscape from different postures.
Following the RFB/VNC port 5900 and SMB port 445 targeting was SSH port 22 and SMTP port 25. Australia and Europe have similar port targeting in both SSH and alternate SSH ports (22, 2222, and 22222), along with classic web application ports, including HTTP and alternate HTTP ports (80, 443, 8080, 8088, 8443). Web applications and gaining remote access to systems are both prime targets of attackers attempting to exploit systems in Australia during this time period. Notably, Australia was the only region in the world during this time period where NetBIOS port 139 was targeted.
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic position backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you collect attack traffic and monitor your logs. You can compare this high-level attack data to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because attackers know default vendor credentials, all systems should be hardened before being deployed and protected with multifactor authentication.
Additionally, the volume of credentials breached in 2017 was so large that usernames and passwords should be considered “public.” Therefore, all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.
To mitigate the types of attacks discussed here, we recommend the following security controls: