April 24, 2019

Regional Threat Perspectives: Australia

By Sara Boddy

F5 Labs, in conjunction with our partner Baffin Bay Networks, researched attacks by geographic region to get a better understanding of the threat landscape region to region. We sought to understand if the global attack landscape was consistent or if it differed region to region, and to identify consistencies in attacking networks, IP addresses, and targeted ports. In this research series we looked at attacks over the same 90-day period in Europe, the United States, Canada, and Australia.

This article covers attack traffic destined for Australian IP addresses from December 1, 2018 through March 1, 2019, and how it compares to the other regions.

  • The majority of attacks against Australian systems came from IP addresses in China, the United States, and the Netherlands.

  • State-sponsored Chinese ISP networks launched the largest number of attacks destined for Australian IP addresses. These networks, China Unicom (ASN 4837) and Chinanet (ASN 4134), are regularly seen attacking all regions of the world, and that remained consistent during this time period.

  • HostPalace Web Solutions (ASN 133229), a hosting provider out of the Netherlands, was the third largest network contributor of attacks against Australian systems. This network was also the number one network attacking European systems, and number two network attacking Canadian systems in the same time period.

  • The IP addresses used to attack within these networks differ by target region. Forty-eight of the top 50 IP addresses attacking Australia were unique to attacks against Australia. However, the number one attacking IP (58.242.83.26), resolving to the Chinese ISP China Unicom, also attacked systems in the US in the same time period.

  • The top attacked port was SSH port 22, consistent with what we saw on an aggregated global scale, followed by Microsoft SMB (SAMBA) and then HTTP port 80.

Top Attacking Countries

Systems residing in Australia were targeted by systems all over the world, most notably from systems in southeast Asia, the US, and Europe. The source countries of Australian attacks were very similar to the source countries of attacks against European and Canadian systems. In comparison, the US received far fewer attacks from European IP addresses than Australia, Europe, or Canada did.

Figure 1: Source countries of attacks targeting Australia December 1, 2018 through March 1, 2019

China was the top source country of attacks against systems in Australia from Dec 1, 2018 through March 1, 2019. IP addresses in China launched two times more attacks than IP addresses in the US, and 5.3 times more than IP addresses in the Netherlands.

Figure 2: Top countries attacking Australia by count

Top Attacking Organizations (ASNs)

The Chinese-based (and state-sponsored) ISP network of China Unicom (ASN 4837) launched the largest number of attacks destined for Australian IP addresses, followed by another state-sponsored ISP, Chinanet (ASN 4134). HostPalace Web Solutions (ASN 133229), a hosting provider out of the Netherlands, was the third largest network contributor of attacks against Australian systems. This network was the number one network attacking European systems, and the number two network attacking Canadian systems in the same time period. All three of these ASNs are routinely on our top attacking networks lists globally.

Figure 3: Top 25 Attacking ASNs by attack count

The table in Figure 4 shows the top 50 ASNs attacking Australia from Dec 1, 2018 to March 1, 2019 in order of highest to lowest number of attacks. Interestingly, these top 50 networks were split fifty-fifty between ISPs and hosting companies, whereas the company types attacking other regions lean more heavily towards ISPs. For comparison, ISPs accounted for 90% of attacks against US systems and 72% of attacks against European systems in the same time period. Attacks coming from a system in a hosting network are more likely to be launched by a threat actor either renting or maliciously controlling a server in the hosting environment. Systems residing in an ISP network are more likely to be compromised residential or small-office IoT devices, unless the attacker is doing nothing to disguise their activity (such as routing through a proxy or VPN) and is attacking directly from their own connection.

| ASN | ASN Organization | Country | Industry |
|---|---|---|---|
| 4837 | China Unicom (China169 Backbone) | China | ISP |
| 4134 | Chinanet | China | ISP |
| 133229 | HostPalace Web Solution PVT LTD | Netherlands | Hosting |
| 58271 | FOP Gubina Lubov Petrivna | Ukraine | ISP |
| 43513 | Nano IT | Latvia | Hosting |
| 1241 | Forthnet | Greece | ISP |
| 34011 | Host Europe GmbH | Germany | Hosting |
| 53667 | FranTech Solutions | United States | Hosting |
| 38283 | Chinanet (SiChuan Telecom Data Center) | China | ISP |
| 45090 | Shenzhen Tencent Computer Systems Company Limited | China | Hosting |
| 4515 | PCCW IMSBiz | Hong Kong | Hosting |
| 8075 | Microsoft Corporation | United States | Hosting |
| 45102 | Alibaba (China) Technology Co., Ltd. | China | ISP |
| 201229 | Digital Ocean, Inc. | United Kingdom | Hosting |
| 56046 | China Mobile communications corporation | China | ISP |
| 25092 | PE Tetyana Mysyk | Ukraine | ISP |
| 33387 | DataShack, LC | United States | Hosting |
| 49877 | RM Engineering LLC | Moldova | Hosting |
| 19817 | DSL Extreme | United States | ISP |
| 12876 | Online S.a.s. | France | Hosting |
| 44050 | Petersburg Internet Network ltd. | Russia | ISP |
| 45899 | VNPT Corp | Vietnam | ISP |
| 3462 | Data Communication Business Group | Taiwan | ISP |
| 206792 | IP Khnykin Vitaliy Yakovlevich | Russia | Hosting |
| 6939 | Hurricane Electric, Inc. | United States | ISP |
| 60781 | LeaseWeb Netherlands B.V. | Netherlands | Hosting |
| 4766 | Korea Telecom | South Korea | ISP |
| 50968 | Hostmaster, Ltd. | Ukraine | Hosting |
| 4808 | China Unicom (Beijing Province Network) | China | ISP |
| 17974 | PT Telekomunikasi Indonesia | Indonesia | ISP |
| 16276 | OVH SAS | France | Hosting |
| 14987 | Rethem Hosting LLC | United States | Hosting |
| 237 | Merit Network Inc. | United States | ISP |
| 27699 | TELEFÔNICA BRASIL S.A | Brazil | ISP |
| 4812 | China Telecom (Group) | China | ISP |
| 43350 | NForce Entertainment B.V. | Netherlands | Hosting |
| 8151 | Uninet S.A. de C.V. | Mexico | ISP |
| 7552 | Viettel Corporation | Vietnam | ISP |
| 63949 | Linode, LLC | United States | Hosting |
| 10439 | CariNet, Inc. | United States | Hosting |
| 29073 | Quasi Networks LTD. | N/A | Hosting |
| 8452 | TE Data | Norway | ISP |
| 63199 | Capitalonline Data Service Co.,LTD | China | Hosting |
| 9299 | Philippine Long Distance Telephone Company | Philippines | ISP |
| 36352 | ColoCrossing | United States | Hosting |
| 51852 | Private Layer INC | Switzerland | Hosting |
| 12083 | WideOpenWest Finance LLC | United States | ISP |
| 199883 | ArubaCloud Limited | United Kingdom | Hosting |
| 40065 | CNSERVERS LLC | United States | Hosting |
| 12389 | PJSC Rostelecom | Russia | ISP |

Figure 4: Top 50 ASNs attacking Australian systems

Most of the top 50 attacking ASNs were seen attacking European and Canadian systems in the same time period with very little overlap with the US. The exception was Chinese networks that were seen consistently attacking systems across the entire world. The following 19 networks exclusively targeted Australian systems, most of which were hosting companies:

| ASN | ASN Organization | Country | Industry |
|---|---|---|---|
| 43513 | Nano IT | Latvia | Hosting |
| 1241 | Forthnet | Greece | ISP |
| 53667 | FranTech Solutions | United States | Hosting |
| 4515 | PCCW IMSBiz | Hong Kong | Hosting |
| 8075 | Microsoft Corporation | United States | Hosting |
| 45102 | Alibaba (China) Technology Co., Ltd. | China | ISP |
| 25092 | PE Tetyana Mysyk | Ukraine | ISP |
| 33387 | DataShack, LC | United States | Hosting |
| 19817 | DSL Extreme | United States | ISP |
| 206792 | IP Khnykin Vitaliy Yakovlevich | Russia | Hosting |
| 6939 | Hurricane Electric, Inc. | United States | ISP |
| 50968 | Hostmaster, Ltd. | Ukraine | Hosting |
| 14987 | Rethem Hosting LLC | United States | Hosting |
| 237 | Merit Network Inc. | United States | ISP |
| 10439 | CariNet, Inc. | United States | Hosting |
| 63199 | Capitalonline Data Service Co.,LTD | China | Hosting |
| 51852 | Private Layer INC | Switzerland | Hosting |
| 199883 | ArubaCloud Limited | United Kingdom | Hosting |
| 40065 | CNSERVERS LLC | United States | Hosting |

Figure 5: Networks targeting Australian systems not seen targeting other regions

Top Attacking IP Addresses

Unlike the consistency seen between the networks attacking Australian, European, and Canadian systems, there was no consistency in the individual IP addresses within those networks used to attack. Forty-eight (96%) of the top 50 attacking IP addresses were unique to attacks against Australia. The number one attacking IP address (58.242.83.26), resolving to the ISP China Unicom, also attacked systems in the US in the same time period. The other non-unique IP address (185.107.80.31), resolving to NForce Entertainment, a hosting provider in the Netherlands, also attacked systems in Canada during the same time period.

This can indicate that attackers are using specific (hosting) networks from which they know they can successfully launch attacks (and spinning up new systems or getting dynamic IP addresses from which to launch attacks), or they are exploiting vulnerabilities in systems resolving to ISPs, like residential or commercial IoT devices, and keep using new systems. Both scenarios result in new IP addresses from the same networks. And both scenarios are likely in the attacks against Australia, given the attacking ASNs are a fifty-fifty split between hosting providers and ISPs. The chart in Figure 6 below shows the top 50 IP addresses attacking destinations in Australia from Dec 1, 2018 through March 1, 2019 by count.

Figure 6: Top 50 IPs attacking Australian systems December 1, 2018 through March 1, 2019 by count

Figure 7 shows the top 50 IP addresses attacking systems in Australia from Dec 1, 2018 through March 1, 2019 by ASN and country origin.

| Source IP | ASN Organization | Country |
|---|---|---|
| 58.242.83.26 | China Unicom (China169 Backbone) | China |
| 112.85.42.237 | China Unicom (China169 Backbone) | China |
| 37.49.231.58 | HostPalace Web Solution PVT LTD | Netherlands |
| 188.92.75.240 | Sia Nano IT | Latvia |
| 115.239.174.206 | Chinanet | China |
| 134.119.193.57 | Host Europe GmbH | Germany |
| 209.97.190.168 | Digital Ocean, Inc. | United Kingdom |
| 218.23.216.253 | Chinanet | China |
| 205.185.123.210 | FranTech Solutions | United States |
| 113.28.21.251 | PCCW IMSBiz | Hong Kong |
| 61.188.189.7 | Chinanet (SiChuan Telecom Data Center) | China |
| 43.226.145.150 | Chinanet (Sichuan province Chengdu MAN network) | China |
| 40.118.7.71 | Microsoft Corporation | Netherlands |
| 47.91.235.81 | Alibaba (China) Technology Co., Ltd. | United States |
| 5.62.63.221 | AVAST Software s.r.o. | United States |
| 58.57.35.3 | Chinanet | China |
| 123.206.49.29 | Shenzhen Tencent Computer Systems Company Limited | China |
| 193.201.224.218 | PE Tetyana Mysyk | Ukraine |
| 74.91.24.2 | DataShack, LC | United States |
| 37.49.231.68 | HostPalace Web Solution PVT LTD | Netherlands |
| 185.153.198.177 | RM Engineering LLC | Moldova |
| 123.207.242.179 | Shenzhen Tencent Computer Systems Company Limited | China |
| 115.233.246.46 | Chinanet | China |
| 172.104.113.6 | Linode | United States |
| 178.128.45.71 | Forthnet | Greece |
| 5.62.63.183 | AVAST Software s.r.o. | United States |
| 112.112.7.211 | Chinanet | China |
| 138.197.4.56 | Digital Ocean, Inc. | United States |
| 68.183.223.78 | DSL Extreme | United States |
| 204.48.28.11 | Digital Ocean, Inc. | United States |
| 178.128.175.19 | Forthnet | Greece |
| 178.128.33.85 | Forthnet | Greece |
| 178.128.44.249 | Forthnet | Greece |
| 185.235.245.5 | SPRINT SA | Russia |
| 139.59.148.33 | Digital Ocean, Inc. | Germany |
| 176.119.4.77 | FOP Gubina Lubov Petrivna | Ukraine |
| 112.85.42.238 | China Unicom (China169 Backbone) | China |
| 198.44.228.97 | DCS Pacific Star, LLC | United States |
| 5.188.10.156 | Petersburg Internet Network ltd. | Russia |
| 104.152.52.30 | Rethem Hosting LLC | United States |
| 46.101.109.160 | Digital Ocean, Inc. | Germany |
| 176.119.4.18 | FOP Gubina Lubov Petrivna | Ukraine |
| 185.107.80.31 | NForce Entertainment B.V. | Netherlands |
| 142.93.76.96 | Digital Ocean, Inc. | United States |
| 62.210.214.136 | Online S.a.s. | France |
| 158.140.140.251 | MYREPUBLIC-SG | Singapore |
| 176.119.7.50 | FOP Gubina Lubov Petrivna | Ukraine |
| 176.119.4.73 | FOP Gubina Lubov Petrivna | Ukraine |
| 104.248.19.20 | Digital Ocean, Inc. | Germany |
| 185.244.25.108 | KV Solutions B.V. | Netherlands |

Figure 7: Top 50 IPs attacking Australian systems December 1, 2018 through March 1, 2019 by ASN and Location

Top Targeted Ports

Looking at the destination ports of the attacks gives us a good understanding of the types of systems the attackers are after. The top targeted ports in the Australian attacks were SSH port 22, used for secure remote access to systems and applications; Microsoft SMB (often loosely referred to as Samba, after the open-source implementation of the protocol), which became a popular target after the leaked NSA/CIA exploit in 2017; and HTTP port 80, the web traffic standard. These targeted ports indicate run-of-the-mill attacks looking for access to web applications and remote logins.

Figure 8: Top 20 attacked ports and services

Conclusion

Organizations should continually run external vulnerability scans to discover which systems are exposed publicly, and on which specific ports. Any publicly exposed system with the top attacked ports open should be prioritized either for firewalling off (for example Microsoft SMB port 445, or the SQL ports 3306 and 1433, none of which should be exposed to the internet) or for vulnerability management. Web applications taking traffic on port 80 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and be prioritized for vulnerability management, including but not limited to bug fixes and patching.

A lot of the attacks we see on ports supporting access services like SSH are brute force, so any public login page should have adequate brute force protections in place. For a list of the top 100 credential pairs used in SSH brute force attacks, see the Hunt for IoT Volume 5.

Network administrators and security engineers should review network logs for any connections to the top attacking IP addresses. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs so they hopefully shut down the attacking systems.
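The log review recommended above can be automated. The following is an added example, not code from the article or from F5 Labs: it takes a watchlist of source IPs (a subset of the Figure 7 list, with the ASN organisation the article attributes to each) and the top attacked ports named in the article, runs them over netfilter-style firewall log lines, and reports which watchlisted sources connected to which internal targets. The log format and the sample lines are constructed assumptions; adapt `LOG_RE` to your own firewall's format.

```python
import re
from collections import Counter, defaultdict

# Watchlist: a subset of the top attacking IPs in Figure 7 of this article,
# mapped to the ASN organisation the article attributes them to.
WATCHLIST = {
    "58.242.83.26": "China Unicom (China169 Backbone)",
    "37.49.231.58": "HostPalace Web Solution PVT LTD",
    "185.107.80.31": "NForce Entertainment B.V.",
    "178.128.45.71": "Forthnet",
}
# Top attacked ports named in the article (SSH, Microsoft SMB, HTTP).
TOP_PORTS = {22: "SSH", 445: "SMB", 80: "HTTP"}

# Assumed netfilter/iptables LOG line format (SRC=, DST=, DPT= fields).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOGS = """\
Feb 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=58.242.83.26 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=22
Feb 12 03:14:09 fw kernel: IN=eth0 OUT= SRC=58.242.83.26 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=22
Feb 12 03:15:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=443
Feb 12 03:16:21 fw kernel: IN=eth0 OUT= SRC=185.107.80.31 DST=203.0.113.20 PROTO=TCP SPT=33000 DPT=445
Feb 12 03:17:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.20 PROTO=TCP SPT=33001 DPT=80
"""

def parse_line(line):
    """Return (src, dst, dport) for a matching log line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))

def review_logs(lines, watchlist=WATCHLIST, top_ports=TOP_PORTS):
    """Count connections from watchlisted IPs and hits on the top attacked ports."""
    watch_hits = Counter()      # (src, org) -> number of connections seen
    port_hits = Counter()       # service name -> connections from any source
    targets = defaultdict(set)  # watchlisted src -> set of "dst:port" it reached
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in top_ports:
            port_hits[top_ports[dport]] += 1
        if src in watchlist:
            watch_hits[(src, watchlist[src])] += 1
            targets[src].add(f"{dst}:{dport}")
    return watch_hits, port_hits, targets

if __name__ == "__main__":
    hits, ports, tgts = review_logs(SAMPLE_LOGS.splitlines())
    for (src, org), n in hits.most_common():
        print(f"{src:16} {org:36} {n} conn -> {sorted(tgts[src])}")
    print("top-port hits:", dict(ports))
```

A non-empty `watch_hits` is the trigger for the abuse complaint the article recommends, and `targets` tells you which internal host and port to check for a successful login or exploitation.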

For those interested in IP blocking, it can be troublesome not only to maintain large IP blocklists, but also to block IP addresses within ISPs that offer Internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up. Blocking traffic from entire ASNs or an entire ISP can be problematic for the same reason—blocking their entire network would block all of their customers from doing business with you. Unless, of course, it’s an ISP serving a country you don’t do business with. In that case, geolocation blocking at a country level can be an effective way to reduce a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is generally best to drop traffic based on the attack pattern on your network and web application firewalls rather than on source address alone.

F5 Labs will continue to monitor global attacks and analyze at a regional level quarterly. Future research series will include the Asia-Pacific, the Middle East and North Africa, and Latin American regions. If you are an implicated ASN or ISP, please reach out to us at F5LabsTeam@F5.com and we’ll be happy to share further information with you.

Technical
Preventative
  • Organizations exposing commonly attacked ports publicly to the Internet, especially systems that shouldn’t be accessible over the internet like databases, should do their best to restrict public accessibility through their firewall.
  • Any commonly attacked ports that require external access, like HTTP and SSH, should be prioritized for vulnerability management.
  • Access to applications over SSH should be protected with brute force restrictions.
  • Vendor default credentials, commonly used in SSH brute force attacks, should be disabled on all systems before public deployment.
  • Organizations should consider implementing geo IP blocking of commonly attacking countries that the business does not have a need to communicate with.
