Attack Campaign
February 11, 2021

Cyberthreats Targeting India, October through December 2020

article
4 min. read
Additional Contributions By Sara BoddyDebbie Walkowski
App Tiers Affected:
Client
Services
Access
TLS
DNS
Network

F5 Labs in collaboration with Effluxio researches global attack traffic to gain a better understanding of cyberthreat landscape. In this episode of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting India from October 1 through December 31, 2020. Cyberattacks happen in many forms, but it usually starts with a scan. The insights in this report is an analysis of network logs and does not necessarily indicate a malicious intent from source country or organization.

Highlights

  • The network sensors collected 126 million malicious requests in a time period of 90 days.
  • The number one source country of malicious traffic origin was the UK.
  • Port 5900, used by Virtual Network Computing/VNC for remote desktop sharing and control, was scanned the most.
  • Web hosting provider SERVERIUS-AS (AS50673) lead the attack chart with over 25 million requests.

Details on Attack Traffic

Analysis on the traffic yields significant insights into the source as well as the intended services that malicious actors want to abuse. The section covers top 10 in categories like traffic source countries, organizations, services, and IP addresses.

Top Source Traffic Countries

Analyzing the geographical source of the IP addresses, the major source for the malicious request, listed in order, were the UK, US, Germany, Russia, China, Netherlands, France, India, Poland, and Brazil (see Figure 1).

Traffic Volume by Source Country
Figure 1. Source countries for attack traffic targeting India, October through December 2020

Top Source Organizations (ASNs)

SERVERIUS-AS (AS50673) from Netherlands lead the chart with 25 million requests, followed by Digital Ocean (AS 14061) from United States. Table 1 list details of ASNs.

ASN Organization Country Count
AS50673 SERVERIUS-AS Netherlands 25,143,000
AS14061 DIGITALOCEAN-ASN United States 14,701,472
AS51167 CONTABO Germany 11,217,965
AS49877 RMINJINERING Russia 5,852,243
AS16276 OVH France 3,705,512
AS4837 CHINA169-BACKBONE CHINA UNICOM China169 Backbone China 3,110,681
AS40590 AS40590 United States 2,652,144
AS4134 CHINANET-BACKBONE No.31,Jin-rong Street China 2,527,839
AS12876 Online SAS France 2,357,468
AS57678 REDBYTES Russia 2,205,426

Table 1. Details on top 10 traffic source ASN targeting India, October through December 2020

Top Targeted Services and Ports

A wide range of ports were scanned by threat actors, but port 5900 (used by VNC for remote desktop sharing and control) had the highest hit count at more than 70 million. The top most targeted ports by volume were 5900, 22 (SSH), and 3389 (Windows Remote Desktop), indicating threat actors’ intentions of gaining remote access to servers. Figure 3, list details on top ten ports scanned and associated services.

Traffic Volume by Destination Port
Figure 2. Volume of attack traffic targeting specific ports and services, October through December 2020

Top Attacking IP Addresses

A single IP address from Russia (45.146.164.171 from AS 49505) sent more than 23 million requests. This was followed by an IP address in Netherlands which was shy of 10 million requests. The other IP addresses in top 10 belonged to United States, Ukraine, Russia, and Netherlands. Table 2 details the top 10 traffic generating IP addresses and the ports scanned by them from October to December 2020.

 

IP Address Country ASN Traffic Volume Ports Scanned
45.146.164.171 Russia AS49505 23,598,072 5900
188.166.96.247 Netherlands AS14061 7,301,619 5900
161.35.228.63 United States Of America AS14061 3,624,630 59005901 -59124145
161.35.225.81 United States Of America AS14061 2,962,484 5900/5902
185.153.197.205 Ukraine AS49877 2,874,967 5900/3389
91.241.19.149 Russia AS207566 1,855,571 5900
185.153.197.202 Ukraine AS49877 1,458,292 5900
185.153.199.182 Ukraine AS49877 1,386,377 5900
67.205.170.62 United States Of America AS14061 1,1980,54 5900
45.153.203.207 Netherlands AS213035 1,124,044 590033895901

Table 2. Details on top 10 traffic generating IP address targeting India, October through December 2020

HTTP Scans

Analysis of the threat data for attacks targeting ports 80 and 443 revealed that a single IP address (155.65.155.237) in Bengaluru with DIGITALOCEAN-ASN made a million plus requests. In distant second place was an Amazon EC2 instance (52.66.160.14) in India.

Traffic Volume by Source IP Address
Figure 3. Top 10 IP's scanning port 80 and 443, October through December 2020

Conclusion

Threat actors are consistently scanning the Internet to look for weak links. In the dataset for October through December 2020 we saw significant traffic attempting to exploit remote access. Modern day enterprises need to ensure that they have a proactive security posture, harden their networks and embrace Zero Trust.

App Tiers Affected:
Client
Services
Access
TLS
DNS
Network

Recommendations

To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:

Technical
Preventative
  • Use firewalls to restrict all unnecessary access to commonly attacked ports that must be exposed publicly.
  • Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
  • Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH) for vulnerability management.
  • Protect applications accessible over SSH using brute force restrictions.
  • Disable all vendor default credentials (commonly used in SSH brute force attacks) on all systems before deploying them publicly.

Need-to-Know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.