App Tiers Affected:
F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in the United States during the winter of 2019 was characterized by a large amount of traffic directed at Microsoft SQL Server and other web applications and the protocols they use.
- Of all the regions we analyzed, the United States had the second highest amount of in-region attack traffic, only behind Russia. This kind of traffic is particularly difficult to filter as it’s not possible to block just based on geolocation if enterprises want to remain accessible to their customers.
- The top attacked ports in the U.S. threat landscape indicate that malicious actors are particularly interested in web applications and web application databases: the United States and Canada were the only regions in which PostgreSQL on port 5432 was targeted. Other ports such as MySQL 3306 were also targeted, as were RDP port 3389 and other nonstandard HTTP and HTTPS ports.
- The U.S. threat landscape followed the trend we saw around the world, where SMB port 445 in first position and SSH port 22 in third position were common because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system.
- Along with web application targeting, credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, continued during this time period. They were launched through networks in Russia, France, and Moldova, and targets were not unique to systems in the United States; these attacks were felt around the world.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia (see Figure 1). However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries attacked all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
The threat landscape in the United States differed from other regions in that the largest amount of normalized traffic originated from source IP addresses based in Russia. When looking at normalized numbers, which, among other factors, accounted for differing numbers of sensors in-region, the U.S. threat landscape saw more traffic from the Russian IP address space than we even saw inside Russia. Three of the top four attacking IP addresses were assigned to the Russian IP address space and together accounted for 72 percent of all traffic coming from Russian IP addresses toward U.S. systems. These IP addresses were each focused on specific attacks, one on SMB port 445, one on RFB/VNC port 5900, and one on a number of ports focused on web application protocols.
The United States in second position is also notable. We cannot attribute this attack traffic to malicious actors inside the United States due to proxy and VPN usage, but the data shows that malicious actors know being closer to their target gives them a better chance of landing an attack. The amount of in-region attack traffic poses a challenge to defenders. This type of traffic can be more difficult for enterprises to filter out, as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region. The rest of the top ten source traffic countries were all seen attacking most other regions around the world.
Top Attacking Organizations (ASNs)
Web services provider Hostkey B.v. accounted for a large portion of the attack traffic destined for systems in the United States between October 1, 2019, and December 31, 2019. Hostkey B.v. is in this position because it hosts the top three Russian IP addresses attacking U.S. systems. These IP addresses launched abusive port scanning attacks along with specifically targeting web application protocols.
In second position is Amazon.com, which hosted six of the top 50 attacking IP addresses. Distributing traffic over a number of IP addresses is done in an attempt to hide malicious traffic within regular web traffic and takes more resources (systems and human effort) to carry out; it is therefore typically attributed to more sophisticated threat actors. In third position is RM Engineering, targeting RFB/VNC port 5900 with credential stuffing attacks on systems around the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB/VNC port 5900 began, unlike other ASNs such as OVH SAS and Hostkey B.v., which for years have routinely shown up on top attacking network lists in our Hunt for IoT Report series.
During this time period, the IP addresses associated with Alibaba (U.S.) and ReliableSite.Net were seen targeting only U.S. systems. Other ASNs associated with the top 50 attacking IP addresses targeted only U.S. systems, however they had lower traffic levels.
Top Attacking IP Addresses
Out of the top IP addresses attacking American systems, 30 percent targeted only systems in the United States. The top four IP addresses launched more than double the amount of attack traffic than any other IP address in the top 50 attacking IP addresses. The IP address that launched the most attack traffic, Versaweb, LLC, was geolocated in the United States. This IP address was focused on abusive port scanning targeting SMB port 445 and MS SQL port 1433. The IP address in second position, Hostkey B.v., geolocated in Russia, targeted the same ports.
Attack Types of Top Attacking IP Addresses
Many of the IP addresses attacking American systems during the winter of 2019 were involved with abusive port scanning activity. As noted in the Top Target Ports section, Microsoft SMB port 445 was the highest targeted port. We continue to observe high levels of attack traffic pointed toward RFB/VNC port 5900, and as our sensor stacks evolve, we notice more IP addresses targeting SMB port 445 at higher rates.
Along with these attacks, we are also noticing a large amount of attack traffic in the United States directed toward databases and other web application protocols.
|Source IP Address||Attack Type||ASN||Source Country||United States Count|
|220.127.116.11||Port Scanning: SMB port 445, MS SQL port 1433||Versaweb, LLC||United States||1,397,377|
|18.104.22.168||Port Scanning: SMB port 445, MS SQL port 1433||Hostkey B.v.||Russia||1,390,698|
|22.214.171.124||Port Scanning: RFB/VNC port 5900||Hostkey B.v.||Russia||1,384,990|
|126.96.36.199||Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23||Hostkey B.v.||Russia||1,370,536|
|188.8.131.52||Port Scanning: 48 unique ports||Serverius Holding B.V.||Netherlands||598,132|
|184.108.40.206||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||490,247|
|220.127.116.11||Port Scanning: 6 unique ports||RM Engineering||Moldova||486,688|
|18.104.22.168||Port Scanning: SMB port 445, MS SQL port 1433||ReliableSite.Net LLC||476,363|
|22.214.171.124||Credential Stuffing: RFB/VNC port 5900||RM Engineering||Moldova||399,751|
|126.96.36.199||Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25||Hetzner Online GmbH||Germany||373,181|
|188.8.131.52||Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25||Hetzner Online GmbH||Germany||373,034|
|184.108.40.206||Port Scanning: 443, 445, HTTP port 80||Amazon.com||Germany||278,175|
|220.127.116.11||Port Scanning: RFB/VNC port 5900 & 5901||GTECH S.p.A.||Italy||233,258|
|18.104.22.168||Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22||Online S.a.s.||France||232,718|
|22.214.171.124||Port Scanning: SMB port 445, MS SQL port 1433||SK Broadband Co Ltd||South Korea||222,944|
|126.96.36.199||Port Scanning: 6 unique ports||Amazon.com||Germany||219,125|
|188.8.131.52||Port Scanning: 61 unique ports||Korea Telecom||South Korea||214,882|
|184.108.40.206||Port Scanning: 6 unique ports||Amazon.com||Germany||213,525|
|220.127.116.11||Port Scanning: ICB/SWX port 7326||Cogent Communications||United States||160,217|
|18.104.22.168||Port Scanning: SMB port 445, WebLogic port 7001, 8080, MS SQL port 1433
HTTP Attacks: Alt-HTTP port 8080
Malware Uploads: SMB port 445
|22.214.171.124||Port Scanning: MS RDP port 3389, port 5909, RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
|126.96.36.199||Port Scanning: MS SQL port 1433, SMB port 445||Essensys Inc.||142,692|
|188.8.131.52||Port Scanning: SMB port 445, MS SQL port 1433||IP Volume||Netherlands||140,126|
|184.108.40.206||Port Scanning: 48 unique ports||Korea Telecom||South Korea||120,510|
|220.127.116.11||Port Scanning: 48 unique ports||Korea Telecom||South Korea||110,827|
Table 1. Top attacking IP addresses and their attack types targeting U.S. systems, October 1, 2019–December 31, 2019
Uniquely Targeting U.S. Systems
Along with tracking the top attacking IP addresses, we also isolated the IP addresses that attacked only U.S. systems and gathered further information about what they might be. We noticed during this time period that the IP addresses that uniquely targeted U.S. systems were mostly located in the United States, with a few in Japan, one in Mexico, and one in Germany. Like the top attacking IP addresses, we noticed that these IP addresses were engaged in a range of behaviors, from abusive port scanning to credential stuffing. Notably, these IP addresses were mostly focused on attacking web application protocols.
Details from the Shodan search engine provided more color regarding what these attacking systems could be. In this case, the IP address geolocated in Mexico appears to belong to Alestra, a Mexican IT services company. Another attacking IP address appears to belong to Lone Car Rental Systems, a company that provides car rental reservation software. A range of different systems appears to be attacking U.S. systems, including one which seems to belong to Vultr, a VPN service.
|IP Address||ASN||Country||Attack Type||IP Address Info (Shodan)|
|18.104.22.168||Versaweb, LLC||United States||Port Scanning: 445 (MS SMB), 1433 (MS SQL)||None|
|22.214.171.124||ReliableSite.Net||United States||Port Scanning: 445 (MS SMB), 1433 (MS SQL)||Host Name: lax01.hostwiki.net
Open Ports & Services: 8888
|126.96.36.199||Cogent Communications||United States||Port Scanning: 445 (MS SMB), 1433 (MS SQL)||None|
|188.8.131.52||essensys Inc.||United States||Port Scanning: 445 (MS SMB), 1433 (MS SQL)||Host Name: host-104-238-202-134.essensys.co.uk
Open Ports & Services: 80 (Nginx), 81, 8080 (Apache, Coyote JSP)
|184.108.40.206||ReliableSite.Net LLC||United States||Port Scanning: 7001, 445 (MS SMB), 1433 (MS SQL)
HTTP Attacks: 8080 (Alt-HTTP)
|Open Ports & Services: 22 (OpenSSH), 111 (Portmap)|
|220.127.116.11||Alestra, S. de R.L. de C.V.||Mexico||Port Scanning: 445 (MS SMB), 1433 (MS SQL)||Host Name: static-207-248-236-84.alestra.net.mx
Open Ports & Services: 80 (MS IIS), 88 (MS IIS), 137 (NetBIOS), 443 (MS IIS), 445 (SMB), 1433 (MS SQL Server) 1434 (MS SQL Server), 3389 (MS RDP),
|18.104.22.168||Digital Ocean||United States||Credential Stuffing: 23 (Telnet)||22 OpenSSH, 111 (Portmap)|
|22.214.171.124||Choopa, LLC||United States||Port Scanning: 22 (SSH), 161 (SNMP), 80 (HTTP)||Hostname: 126.96.36.199.vultr.com
Open Ports: 1723 (Mikrotik PPTP)
|188.8.131.52||Renaissance Systems||United States||Port Scanning: 5900 (RFB/VNC)||OS: Window Server 2003
Open Ports: 80 (MS IIS), 3389 (RDP)
|184.108.40.206||Alibaba (US)||Japan||Port Scanning: 445 (MS SMB), 443 (HTTPS), 25 (SMTP), 22 (SSH), 80 (HTTP)||None|
|220.127.116.11||Alibaba (US)||Japan||Port Scanning: 25 (SMTP), 443 (HTTPS), 445(MS SMB), 80 (HTTP), 22 (SSH)|
|18.104.22.168||Charter Communications||United States||Port Scanning: 5900 (RFB/VNC)|
|22.214.171.124||Digital Ocean||United States||Port Scanning: 5900 (RFB/VNC)|
|126.96.36.199||Amazon.com, Inc.||Germany||Port Scanning: 443 (HTTPS), 445 (SMB), 80 (HTTP)|
|188.8.131.52||Cogent Communications||United States||Port Scanning: 445 (MS SMB), 1433 (MS SQL)|
Table 2. Top attacking IP addresses and their attack types targeting only U.S. systems, October 1, 2019–December 31, 2019
Top Targeted Ports
SMB port 445 was the top attacked port in the United States from October 1 through December 31, 2019. This is a shift from the fall regional threat perspective we wrote about the United States, where RFB/VNC port 5900 was the top attacked port. This can be attributed to constantly updating and evolving our sensor stack regarding the current threat landscape. Unlike many other global regions, we saw a closer gap between first and second position for the top attacked ports. This may be attributed to our current perspective and the fact that more VNC port 5900 attacks were directed toward sensors in the United States than anywhere else in the world. VNC port 5900 does not typically appear in our top attacked ports lists, thus we continue to actively investigate this credential stuffing and IPv4 campaign.
In addition to remote access ports, including SMB port 445 and SSH port 22 (in position three), the number of nonstandard HTTP ports (8443, 8080, and 8088) targeted and other application ports, like Microsoft SMB port 445 and Microsoft CRM port 5555, make it clear that attackers are targeting applications in the United States.
Also noteworthy, the United States and Canada were the only regions in which PostgreSQL on port 5432 was targeted. This, along with the targeting of other database port 3306, indicates malicious actors are particularly interested in web applications and web application databases.
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic one backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you collect attack traffic and monitor your logs. You can compare this high-level attack data to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because attackers know default vendor credentials, all systems should be hardened before being deployed and protected with multifactor authentication.
Additionally, the volume of credentials that were breached in 2017 was so large that usernames and passwords should be considered “public.” Therefore, all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more on these breached passwords.
To mitigate the types of attacks discussed here, we recommend the following security controls: