Top Risks
March 27, 2020

Cyberthreats Targeting the United States, Winter 2019

article
16 min. read

F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in the United States during the winter of 2019 was characterized by a large amount of traffic directed at Microsoft SQL Server and other web applications and the protocols they use.

  • Of all the regions we analyzed, the United States had the second highest amount of in-region attack traffic, only behind Russia. This kind of traffic is particularly difficult to filter as it’s not possible to block just based on geolocation if enterprises want to remain accessible to their customers.
  • The top attacked ports in the U.S. threat landscape indicate that malicious actors are particularly interested in web applications and web application databases: the United States and Canada were the only regions in which PostgreSQL on port 5432 was targeted. Other ports such as MySQL 3306 were also targeted, as were RDP port 3389 and other nonstandard HTTP and HTTPS ports.
  • The U.S. threat landscape followed the trend we saw around the world, where SMB port 445 in first position and SSH port 22 in third position were common because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system.
  • Along with web application targeting, credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, continued during this time period. They were launched through networks in Russia, France, and Moldova, and targets were not unique to systems in the United States; these attacks were felt around the world.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”

Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia (see Figure 1). However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries attacked all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.

The threat landscape in the United States differed from other regions in that the largest amount of normalized traffic originated from source IP addresses based in Russia. When looking at normalized numbers, which, among other factors, accounted for differing numbers of sensors in-region, the U.S. threat landscape saw more traffic from the Russian IP address space than we even saw inside Russia. Three of the top four attacking IP addresses were assigned to the Russian IP address space and together accounted for 72 percent of all traffic coming from Russian IP addresses toward U.S. systems. These IP addresses were each focused on specific attacks, one on SMB port 445, one on RFB/VNC port 5900, and one on a number of ports focused on web application protocols.

The United States in second position is also notable. We cannot attribute this attack traffic to malicious actors inside the United States due to proxy and VPN usage, but the data shows that malicious actors know being closer to their target gives them a better chance of landing an attack. The amount of in-region attack traffic poses a challenge to defenders. This type of traffic can be more difficult for enterprises to filter out, as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region. The rest of the top ten source traffic countries were all seen attacking most other regions around the world.

Top Attacking Organizations (ASNs)

Web services provider Hostkey B.v. accounted for a large portion of the attack traffic destined for systems in the United States between October 1, 2019, and December 31, 2019. Hostkey B.v. is in this position because it hosts the top three Russian IP addresses attacking U.S. systems. These IP addresses launched abusive port scanning attacks along with specifically targeting web application protocols.

In second position is Amazon.com, which hosted six of the top 50 attacking IP addresses. Distributing traffic over a number of IP addresses is done in an attempt to hide malicious traffic within regular web traffic and takes more resources (systems and human effort) to carry out; it is therefore typically attributed to more sophisticated threat actors. In third position is RM Engineering, targeting RFB/VNC port 5900 with credential stuffing attacks on systems around the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB/VNC port 5900 began, unlike other ASNs such as OVH SAS and Hostkey B.v., which for years have routinely shown up on top attacking network lists in our Hunt for IoT Report series.

During this time period, the IP addresses associated with Alibaba (U.S.) and ReliableSite.Net were seen targeting only U.S. systems. Other ASNs associated with the top 50 attacking IP addresses targeted only U.S. systems, however they had lower traffic levels.

Top Attacking IP Addresses

Out of the top IP addresses attacking American systems, 30 percent targeted only systems in the United States. The top four IP addresses launched more than double the amount of attack traffic than any other IP address in the top 50 attacking IP addresses. The IP address that launched the most attack traffic, Versaweb, LLC, was geolocated in the United States. This IP address was focused on abusive port scanning targeting SMB port 445 and MS SQL port 1433. The IP address in second position, Hostkey B.v., geolocated in Russia, targeted the same ports.

Attack Types of Top Attacking IP Addresses

Many of the IP addresses attacking American systems during the winter of 2019 were involved with abusive port scanning activity. As noted in the Top Target Ports section, Microsoft SMB port 445 was the highest targeted port. We continue to observe high levels of attack traffic pointed toward RFB/VNC port 5900, and as our sensor stacks evolve, we notice more IP addresses targeting SMB port 445 at higher rates.

Along with these attacks, we are also noticing a large amount of attack traffic in the United States directed toward databases and other web application protocols.

Source IP Address Attack Type ASN Source Country United States Count
104.238.194.34 Port Scanning: SMB port 445, MS SQL port 1433 Versaweb, LLC United States 1,397,377
193.188.22.114 Port Scanning: SMB port 445, MS SQL port 1433 Hostkey B.v. Russia 1,390,698
185.156.177.11 Port Scanning: RFB/VNC port 5900 Hostkey B.v. Russia 1,384,990
185.156.177.44 Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23 Hostkey B.v. Russia 1,370,536
212.80.217.139 Port Scanning: 48 unique ports Serverius Holding B.V. Netherlands 598,132
185.153.198.197 Credential Stuffing: RFB/VNC port 5900 RM Engineering Moldova 490,247
185.153.197.251 Port Scanning: 6 unique ports RM Engineering Moldova 486,688
104.238.221.65 Port Scanning: SMB port 445, MS SQL port 1433 ReliableSite.Net LLC   476,363
185.153.196.159 Credential Stuffing: RFB/VNC port 5900 RM Engineering Moldova 399,751
148.251.20.137 Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25 Hetzner Online GmbH Germany 373,181
148.251.20.134 Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 Hetzner Online GmbH Germany 373,034
52.58.75.133 Port Scanning: 443, 445, HTTP port 80 Amazon.com Germany 278,175
185.40.13.3 Port Scanning: RFB/VNC port 5900 & 5901 GTECH S.p.A. Italy 233,258
212.83.172.140 Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22 Online S.a.s. France 232,718
211.44.226.158 Port Scanning: SMB port 445, MS SQL port 1433 SK Broadband Co Ltd South Korea 222,944
52.57.70.66 Port Scanning: 6 unique ports Amazon.com Germany 219,125
112.175.124.2 Port Scanning: 61 unique ports Korea Telecom South Korea 214,882
35.158.151.206 Port Scanning: 6 unique ports Amazon.com Germany 213,525
50.7.98.219 Port Scanning: ICB/SWX port 7326 Cogent Communications United States 160,217
185.234.218.16 Port Scanning: SMB port 445, WebLogic port 7001, 8080, MS SQL port 1433
HTTP Attacks: Alt-HTTP port 8080
Malware Uploads: SMB port 445
Sprint S.A. Ireland 159,383
185.56.252.57 Port Scanning: MS RDP port 3389, port 5909, RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Bellnet Limited Portugal 155,072
104.238.202.134 Port Scanning: MS SQL port 1433, SMB port 445 Essensys Inc.   142,692
89.248.174.201 Port Scanning: SMB port 445, MS SQL port 1433 IP Volume Netherlands 140,126
112.175.127.189 Port Scanning: 48 unique ports Korea Telecom South Korea 120,510
112.175.127.179 Port Scanning: 48 unique ports Korea Telecom South Korea 110,827

Table 1. Top attacking IP addresses and their attack types targeting U.S. systems, October 1, 2019–December 31, 2019

Uniquely Targeting U.S. Systems

Along with tracking the top attacking IP addresses, we also isolated the IP addresses that attacked only U.S. systems and gathered further information about what they might be. We noticed during this time period that the IP addresses that uniquely targeted U.S. systems were mostly located in the United States, with a few in Japan, one in Mexico, and one in Germany. Like the top attacking IP addresses, we noticed that these IP addresses were engaged in a range of behaviors, from abusive port scanning to credential stuffing. Notably, these IP addresses were mostly focused on attacking web application protocols.

Details from the Shodan search engine provided more color regarding what these attacking systems could be. In this case, the IP address geolocated in Mexico appears to belong to Alestra, a Mexican IT services company. Another attacking IP address appears to belong to Lone Car Rental Systems, a company that provides car rental reservation software. A range of different systems appears to be attacking U.S. systems, including one which seems to belong to Vultr, a VPN service.

IP Address ASN Country Attack Type IP Address Info (Shodan)
104.238.194.34 Versaweb, LLC United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) None
104.238.221.65 ReliableSite.Net United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) Host Name: lax01.hostwiki.net
Open Ports & Services: 8888
50.7.98.219 Cogent Communications United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) None
104.238.202.134 essensys Inc. United States Port Scanning: 445 (MS SMB), 1433 (MS SQL) Host Name: host-104-238-202-134.essensys.co.uk
Open Ports & Services: 80 (Nginx), 81, 8080 (Apache, Coyote JSP)
104.238.220.225 ReliableSite.Net LLC United States Port Scanning: 7001, 445 (MS SMB), 1433 (MS SQL)
HTTP Attacks: 8080 (Alt-HTTP)
Open Ports & Services: 22 (OpenSSH), 111 (Portmap)
207.248.236.84 Alestra, S. de R.L. de C.V. Mexico Port Scanning: 445 (MS SMB), 1433 (MS SQL) Host Name: static-207-248-236-84.alestra.net.mx
Open Ports & Services: 80 (MS IIS), 88 (MS IIS), 137 (NetBIOS), 443 (MS IIS), 445 (SMB), 1433 (MS SQL Server) 1434 (MS SQL Server), 3389 (MS RDP), 
165.227.69.239 Digital Ocean United States Credential Stuffing: 23 (Telnet) 22 OpenSSH, 111 (Portmap)
140.82.24.119 Choopa, LLC United States Port Scanning: 22 (SSH), 161 (SNMP), 80 (HTTP) Hostname: 140.82.24.119.vultr.com
Open Ports: 1723 (Mikrotik PPTP)
66.194.167.76 Renaissance Systems United States Port Scanning: 5900 (RFB/VNC) OS: Window Server 2003
Hostname: crosspoint.
lonestarrentalsystems.com.c
Open Ports:  80 (MS IIS), 3389 (RDP)
47.74.56.139 Alibaba (US) Japan Port Scanning: 445 (MS SMB), 443 (HTTPS), 25 (SMTP), 22 (SSH), 80 (HTTP) None
47.245.2.225 Alibaba (US) Japan Port Scanning: 25 (SMTP), 443 (HTTPS), 445(MS SMB), 80 (HTTP), 22 (SSH)  
24.39.3.105 Charter Communications United States Port Scanning: 5900 (RFB/VNC)  
159.65.108.26 Digital Ocean United States Port Scanning: 5900 (RFB/VNC)  
52.57.6.67 Amazon.com, Inc. Germany Port Scanning: 443 (HTTPS), 445 (SMB), 80 (HTTP)  
50.7.98.218 Cogent Communications United States Port Scanning: 445 (MS SMB), 1433 (MS SQL)  

Table 2. Top attacking IP addresses and their attack types targeting only U.S. systems, October 1, 2019–December 31, 2019

Top Targeted Ports

SMB port 445 was the top attacked port in the United States from October 1 through December 31, 2019. This is a shift from the fall regional threat perspective we wrote about the United States, where RFB/VNC port 5900 was the top attacked port. This can be attributed to constantly updating and evolving our sensor stack regarding the current threat landscape. Unlike many other global regions, we saw a closer gap between first and second position for the top attacked ports. This may be attributed to our current perspective and the fact that more VNC port 5900 attacks were directed toward sensors in the United States than anywhere else in the world. VNC port 5900 does not typically appear in our top attacked ports lists, thus we continue to actively investigate this credential stuffing and IPv4 campaign.

In addition to remote access ports, including SMB port 445 and SSH port 22 (in position three), the number of nonstandard HTTP ports (8443, 8080, and 8088) targeted and other application ports, like Microsoft SMB port 445 and Microsoft CRM port 5555, make it clear that attackers are targeting applications in the United States.

Also noteworthy, the United States and Canada were the only regions in which PostgreSQL on port 5432 was targeted. This, along with the targeting of other database port 3306, indicates malicious actors are particularly interested in web applications and web application databases.

Conclusion

In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic one backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you collect attack traffic and monitor your logs. You can compare this high-level attack data to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.

Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because attackers know default vendor credentials, all systems should be hardened before being deployed and protected with multifactor authentication.

Additionally, the volume of credentials that were breached in 2017 was so large that usernames and passwords should be considered “public.” Therefore, all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more on these breached passwords.

Security Controls

To mitigate the types of attacks discussed here, we recommend the following security controls:

Technical
Preventative
  • Use firewalls to restrict unnecessary access to commonly attacked and publicly exposed ports.
  • Use a web application firewall to protect against common web application attacks.
  • Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH).
  • Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
  • For remote administration, migrate from Telnet to SSH and implement brute force restrictions.
  • Disable vendor default credentials on all systems.
  • Implement multifactor authentication for all remote administrative access and any web login.
  • Implement geographic IP address blocking of commonly attacking countries that your organization does not need to communicate with.
Administrative
Preventative
  • Enforce system hardening and test all systems for the existence of vendor default credentials (commonly used in SSH brute force attacks).
  • Conduct security awareness training to ensure employees know how systems and data are targeted, and specifically how they are targeted with phishing attacks that can lead to credential theft, malware, and breaches.

Need-to-Know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.