Regional Threat Perspectives: Canada

F5 Labs, in conjunction with our partner Baffin Bay Networks, researched attacks by geographic region to get a better understanding of the threat landscape region to region. We sought to understand if the global attack landscape was consistent, or if it differed region to region, and to identify consistencies in attacking networks, IPs, and targeted ports. In this research series we looked at attacks over the same 90-day period in Europe, the United States, Canada, and Australia. The United States and Canada were originally slated to be combined to a “North American” view, however because Canada’s attack profile is similar to Europe and Australia, we separated the countries.

This article covers attack traffic destined for Canadian IP addresses from December 1, 2018 through March 1, 2019, and explores how it compares to the other regions.

• European countries were the primary source of attack traffic against Canadian systems
• OVH SAS from France launched 5.5 times more attacks against systems in Canada than Netherlands-based Host Palace Web Solutions, which was in second place.
• Four of the top 5 IP addresses targeting Canadian systems are from OVH SAS’s network.
• The top attacked port was SIP 5060, followed by Microsoft SMB, and then HTTP port 80. SIP was targeted 8.3 times more than Microsoft SMB.

Top Attacking Countries

Canadian systems receive attacks from systems all over the world, however 6 of the top 10 attacking countries between December 1, 2018 and March 1, 2019 were European. European systems have a similar threat profile such that they receive a high rate of attacks from European countries.

The Netherlands was the top source traffic country launching attacks against systems in Canada from Dec 1, 2018 through March 1, 2019, followed by the United States and then France, Germany, and Italy to round out the top 5 attacking countries.

Top Attacking Organizations

The top 5 networks attacking Canadian systems from December 1, 2018 to March 1, 2019 were European. The top attacking network, OVH SAS (ASN 16276), launched 5.5 times more attacks from systems in France and Germany than Host Palace Web Solutions (ASN 133229), a hosting provider from the Netherlands, which took second place. The top 4 attacking networks targeting Canadian systems in this period were the same top 4 networks attacking European systems in this period, just in a slightly different order. The fifth attacking network, Vitox Telecom from the Netherlands, was not seen attacking the other regions in this period.

The top attacking networks were primarily ISPs, followed by hosting providers and one anti-virus software provider. In comparison with Europe and Australia with similar threat profiles, ISPs accounted for 72% of attacks against European systems, and 50% of attacks against Australian systems in the same time period.

Systems residing in an ISP network are more likely to be a compromised residential or small office IoT devices. Attacks coming from a system in a hosting network are more likely to be launched by a threat actor either renting or maliciously controlling a server in the hosting environment. We believe the latter was happening, based on the count of attacks being launched per IP address in hosting environments (see Top Attacking IP Addresses section below).

The following table shows the top 50 ASNs attacking Canada from December 1, 2018 to March 1, 2019 in order of highest to lowest number of attacks. The majority, 54%, of the top attacking networks targeting Canada were not seen attacking systems in the US, Europe, or Australia during this time period. (The US saw similar activity in the same period where 54% of their top attacking networks were not seen attacking systems in the other regions.) One of the networks seen only targeting Canadian systems was AVAST, the anti-virus software provider.

Of the top attacking networks targeting multiple regions, almost all were seen attacking either Europe or Australia – though very few were seen attacking the US. The rows highlighted in yellow in Figure 5 indicate ASNs seen attacking other regions, and Figure 6 shows which regions those ASNs were seen attacking.
 

Figure 5: Top 50 attacking ASNs

Top Attacking IP Addresses

Unlike the consistency seen between networks attacking Canada, European, and Australian systems, there was no consistency in the IP addresses used in those networks to attack. Forty-eight of the top 50 IP addresses (96%) attacking Canadian systems during this period were not seen attacking the other regions. Attackers are using different IP addresses in the same networks to launch attacks.

Four of the top five attacking IP addresses were from OVH SAS from systems located in Germany, Italy, and France, and collectively launched 84% of total attacks OVH SAS launched against Canada in that period. It is reasonable to think that systems in OVH SAS were compromised and used to launch these attacks, given such a high number of attacks per IP address (a threat actor trying not to get caught wouldn’t launch so many attacks per IP address).

The chart in Figure 7 below shows the top 25 IP addresses that were attacking destinations in Canada from December 1, 2018 through March 1, 2019 by count. 

Figure 8 below shows the top 50 attacking IPs that launched 1.6 million attacks against Canadian destinations from Dec 1, 2018 through March 1, 2019 by ASN and Country origin. The Online SAS IP (highlighted in yellow) and NForce Entertainment IP (highlighted in orange) were also seen attacking systems in Europe in the same time period.
 

Figure 8: Top 50 IP addresses attacking Canadian systems December 1, 2018 through March 1, 2019

Top Targeted Ports

Looking at the destination ports of the attacks helps us understanding what types of systems attackers are after. The top three targeted ports in the Canadian attacks were SIP 5060, used by VoIP-enabled phones and video conferencing systems; Microsoft SMB, commonly referred to as Samba, which became a popular attack target after the leaked NSA/CIA exploit in 2017; and HTTP port 80, the web traffic standard. SIP 5060 was targeted eight times more than Microsoft SMB systems in the #2 position, making VoIP systems the clear target during this period.

Comparing ports targeted in Canada versus the US, Europe, or Australia, Canada was the only region where DNS port 53 and the UPnP port 37215 were on the top 20 targeted port list. The UPnP port relates to Huawei small office home office (SOHO) routers with a Remote Code Execution (RCE) vulnerability (CVE-2017-17215¹ and Exploit ID 43414²) that is targeted in the Kaizen, Katrina_V1, Sora, Owari, Mirai, and Hakai IoT botnets, or “thingbots.” Similarly, Microtik routers over port 8291 (CVE-2018-14847³) were targeted in US, Europe, and Australia.

Conclusion

Organizations should continually run external vulnerability scans to discover what systems are exposed publicly, and on which specific ports. Systems exposed publicly with the top attacked ports open should be prioritized for firewalling off, most notably the ports from this attack traffic that should never be exposed to the big bad Internet, including: SIP port 5060, secure SIP 5061, Microsoft Samba port 445, MS SQL port 1433, MySQL port 3306, SSH port 22, Microsoft RDP port 3389 and Telnet port 23. Web applications taking traffic on ports 80, 81, 8080, and 443 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and prioritized for vulnerability management, including but not limited to bug fixes and patching.

A lot of the attacks we see on ports supporting remote access services like SSH and Telnet are brute-force attacks with known vendor default credentials. For a list of the top 100 credential pairs used in SSH brute force attacks, see the Hunt for IoT Volume 5. Remote administrative login should be restricted to a management network and have adequate brute force protections in place.

Network administrators and security engineers should review network logs for any connections from the top attacking IP addresses. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs so they hopefully shut down the attacking systems.

For those interested in IP blocking, it can be troublesome to maintain large IP blocklists and also block IP addresses within ISPs that offer Internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up. Blocking traffic from entire ASNs or an entire ISP can be problematic for the same reason—blocking their entire network would block all of their customers from doing business with you. Unless, of course, it’s an ISP supporting a country you don’t do business with. In that case, geolocation blocking at a country level can be effective way to reduce a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is best to drop traffic based on the attack pattern using your web application firewall.

We will continue to monitor global attacks and analyze at a regional level quarterly. Future research in this series will include the Asia-Pacific, Middle East and North Africa, and Latin American regions. If you are an implicated ASN or ISP, please reach out to us at F5LabsTeam@F5.com and we’ll be happy to share further information with you.