App Tiers Affected:
F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in Canada during the winter of 2019 was characterized by a large amount of in-country attack traffic aimed at Canadian systems.
- OVH SAS hosted the top six IP addresses, all geolocated in Canada, which sent a substantial amount of traffic toward Canadian systems.
- Three out of 10 of the top attacking IP addresses were engaged in abusive port scanning and credential stuffing attacks against systems in Canada, targeting RFB/VNC port 5900, which was noted in the fall of 2019 and continued during this time period. These attacks were seen around the world.
- Canada itself was the top source traffic country targeting Canadian systems. We observed over four times as much attack traffic coming from in-country systems than from Russia, the source country in second position.
- The United States and Canada had identical top attacked ports during this time period, indicating that attack campaigns may have had a North American geographical focus. Attackers were especially interested in SMB and SSH. The top targeted port, SMB port 445, was commonly targeted globally because exploiting a vulnerability on this service can give a malicious actor access to the entire system.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia (see Figure 1). Notably, Russia also appears in the top source traffic countries for Europe. However, we cannot assign attribution on this traffic because we only have the geolocation of the IP addresses. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries attacked all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
A large amount of in-country attack traffic was destined for Canadian systems during the winter of 2019 (see Figure 2). About four times as much attack traffic was seen originating inside Canada destined for Canadian systems than originated in Russia, the second position source traffic country. In-country traffic can be the hardest for enterprises to filter out since they want to remain accessible to their in-region customers. It’s impossible to block traffic based on geolocation; instead businesses need to employ behavioral blocking techniques, which is more difficult.
Notably, the United States was in sixth position targeting systems in Canada. For the U.S. threat landscape, in-region traffic was a much bigger threat. This highlights the differences that two neighboring countries may experience in their threat landscapes.
The other top source traffic countries targeting systems in the Canadian threat landscape were all seen targeting other regions of the world, as well.
Top Attacking Organizations (ASNs)
Cloud computing company OVH SAS accounted for the majority of attacks directed toward Canadian systems (see Figure 3). For these attacks, OVH SAS hosted the top six Canadian IP addresses launching attacks destined for in-country systems. This was different from Australia and Asian threat landscapes during the same time period, where OVH SAS was also in first position but hosted malicious IP addresses geolocated in Singapore.
In second position was Hostkey B.v., another hosting provider that we saw in attack traffic around the world. The IP addresses this ASN hosted, primarily in Russia, were involved in abusive port scanning and web application attacks, along with targeting RFB/VNC port 5900 with credential stuffing attacks. We saw these IP addresses and Hostkey B.v. targeting all regions of the world.
Along with some of the IP addresses Hostkey B.v. hosted, systems around the world received attacks targeting RFB/VNC port 5900 from RM Engineering, hosted in Moldova. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB began, unlike OVH SAS, which for years has routinely shown up on top attacking network lists in our Hunt for IoT Report series.
In Canada, the rest of the top attacking ASNs followed similar patterns to the rest of the world.
Top Attacking IP Addresses
Thirty-eight percent of the top attacking IP addresses directed at Canadian systems targeted only systems in Canada (see Figure 4). This includes the top two attacking IP addresses. The top attacking IP address was involved with abusive port scanning targeting SMB port 445 and MS SQL port 1433. Attackers were clearly interested in web application and web application database protocols. The IP address in second position was involved in RFB/VNC port 5900 scanning, which matches the activity we observed around the world.
Attack Types of Top Attacking IP Addresses
Many of the IP addresses seen attacking Canadian systems during the winter of 2019 were involved in abusive port scanning activity (see Table 1). As noted in the Top Target Ports section, Microsoft SMB on port 445 was the highest targeted port, which was seen across all of the top attacking IP addresses. We continue to observe high levels of attack traffic pointed toward RFB/VNC port 5900, and as our sensor stack evolves, we notice more IP addresses targeting SMB port 445 at higher rates. Overall, the attacks seen in Canada are in line with the threat landscapes observed in other regions.
|Source IP Address||Attack Type||ASN||Source Country||Normalized Attack Count|
|22.214.171.124||Port Scanning: MS SMB port 445, MS SQL port 1433||OVH SAS||Canada||4,134,779|
|126.96.36.199||Port Scanning: RFB/VNC port 5900||OVH SAS||Canada||3,731,105|
|188.8.131.52||Port Scanning: SMB port 445, MS SQL port 1433||OVH SAS||Canada||1,365,032|
|184.108.40.206||Port Scanning: SMB port 445, MS SQL port 1433||OVH SAS||Canada||1,078,381|
|220.127.116.11||Port Scanning: MS SQL port 1433, SMB port 445
Malware Uploads: SMB port 445
|18.104.22.168||Port Scanning: MS SQL port 1433, SMB port 445||OVH SAS||Canada||773,081|
|22.214.171.124||Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP port 3389, Telnet Port 23||Hostkey B.v.||Russia||646,101|
|126.96.36.199||Port Scanning: SMB port 445, MS SQL port 1433||Hostkey B.v.||Russia||644,433|
|188.8.131.52||Port Scanning: RFB/VNC port 5900||Hostkey B.v.||Russia||636,703|
|184.108.40.206||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||414,632|
|220.127.116.11||Port Scanning: 6 unique ports||RM Engineering||Moldova||399,210|
|18.104.22.168||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||353,434|
|22.214.171.124||Port Scanning: 48 unique ports||Serverius Holding B.V.||Netherlands||315,562|
|126.96.36.199||Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25||Hetzner Online GmbH||Germany||213,357|
|188.8.131.52||Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25||Hetzner Online GmbH||Germany||213,321|
|184.108.40.206||Port Scanning: Netbios port 139, MS SQL port 1433, SMB port 445
Malware Uploads: SMB port 445
|220.127.116.11||Port Scanning: 443, 445, HTTP port 80||Amazon.com||Germany||185,715|
|18.104.22.168||Port Scanning: 6 unique ports||Amazon.com||Germany||145,700|
|22.214.171.124||Port Scanning: 6 unique ports||Amazon.com||Germany||142,250|
|126.96.36.199||Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22||Online S.a.s.||France||123,063|
|188.8.131.52||Port Scanning: RFB/VNC port 5900 & 5901||GTECH S.p.A.||Italy||115,605|
|184.108.40.206||Port Scanning: SMB port 445, MS SQL port 1433||SK Broadband Co Ltd||South Korea||104,049|
|220.127.116.11||Port Scanning: MS RDP port 3389, port 5909, RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
|18.104.22.168||Port Scanning: 61 unique ports||Korea Telecom||South Korea||101,242|
|22.214.171.124||Port Scanning: SMB port 445, WebLogic port 7001, 8080, MS SQL port 1433
HTTP Attacks: Alt-HTTP port 8080
Malware Uploads: SMB port 445
Table 1. Top attacking IP addresses and their attack types targeting Canadian systems, October 1, 2019–December 31, 2019
Top Targeted Ports
Looking at the destination ports of the attacks helps us understand what types of systems attackers are targeting (see Figure 5). SMB port 445 is a common port where threat actors attempt to upload malware, and it was the top attacked port globally. Compared to the fall regional perspectives, the sheer volume of the SMB traffic is much lower. This can be attributed to constantly updating and evolving our sensor stack. Typically we expect SMB port 445 to be a top targeted port, which has been the case since the release of the EternalBlue exploit in April 2017. In a distant second place was RFB/VNC port 5900, which was attacked around the world during this time period. However, targeting RFB/VNC port 5900 is not typically at the top of the list. F5 Labs first noticed this activity in May 2019 and we continue to actively investigate this worldwide IPv4 activity.
Another commonly attacked port, SSH port 22, was the third most attacked port during this period, followed by SMTP port 25, and web traffic on ports 80 and 443. Database ports (MS SQL and PostgreSQL) were also targeted in Canada, indicating that attackers are especially interested in access and web application attacks. Databases were not targeted in every region of the world during this time period, indicating that threat actors were especially focused on getting information from these where they may be vulnerable. The United States and Canada have identical top attacked ports during this time period, indicating that attack campaigns may have had a North American geographical focus.
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic one backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you collect attack traffic and monitor your logs. You can compare this high-level attack data to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because attackers know default vendor credentials, all systems should be hardened before being deployed and protected with multifactor authentication.
Additionally, the volume of credentials breached in 2017 was so large that usernames and passwords should be considered “public.” Therefore, all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more on these breached passwords.
To mitigate the types of attacks discussed here, we recommend putting in place the following security controls: