Top Risks
December 19, 2019

Regional Threat Perspectives, Fall 2019: Asia

article
18 min. read
By Sara Boddy, Remi Cohen

F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, the Middle East, Asia (excluding China), and Australia. The attack landscape targeting systems in Asia during the fall of 2019 was largely driven by global attack campaigns scanning for vulnerable applications and conducting credential stuffing attacks.

  • A network in Italy, owned by global gambling company GTECH, launched enough attacks against systems in Asia to make Italy the number one geographical source of attack traffic towards Asia.
  • Credential stuffing attacks targeting RFB/VNC port 5900 launched through networks in Russia, France, and Moldova were not unique to systems in Asia; these attacks were felt all over the world.
  • Fifty percent of the countries in the top attacking source countries list are inside southeast Asia and combined, accounted for 39% of the region’s attack traffic in the fall of 2019.
  • RM Engineering, with IP addresses registered in Moldova and having an ASN number (49877) registered in Russia, accounted for 99% of the total attack traffic launched from Moldavian IP addresses towards systems in Asia.
  • Only three IP addresses on the top 50 attacking list were from inside Asia. However, Asian countries appear on the top attacking countries list, and Asian networks appear on the top attacking networks list. This indicates that attacks originating from Asian IP addresses were distributed across many IP addresses at a lower attack counts per IP address. This is behavior typically associated with more sophisticated threat actors attempting to fly under the radar.
  • The top targeted port, SMB port 445, and the third most attacked port, SSH port 22, were commonly targeted across the world because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system.

Top Source Traffic Countries

Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”

IP addresses assigned in Italy launched the most malicious traffic against systems in Asia from August 1, 2019, through October 31, 2019. Most of this traffic (90%) came from one network in Italy: GTECH S.p.A., a global gambling company that was seen attacking all regions of the world during this time period. These attacks were distributed across many IP addresses; only 10% of the total attack traffic from this Italian network towards systems in Asia were generated from IP addresses on the top 50 attacking IP addresses list. This distributed style of attack is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.

The top 10 countries of source traffic targeting Italian systems in the fall of 2019 were:

  1. Italy
  2. Russia
  3. France
  4. Moldova
  5. Netherlands
  6. China
  7. U.S.
  8. South Korea
  9. India
  10. Vietnam

With the exception of India, all of the top ten source traffic countries were seen attacking all regions of the world. The top 5 source traffic countries, all within the European continent, was a threat profile only shared with Australia during this period.

Figure 1. Top 20 source traffic countries launching attack traffic against targets in Asia, August 1, 2019 through October 31, 2019
Figure 1. Top 20 source traffic countries launching attack traffic against targets in Asia, August 1, 2019 through October 31, 2019

Similar to the European and Latin American threat landscapes, systems in Asia received a considerable amount of attacks coming from in-region systems. Fifty percent of the countries in the top attacking source countries list are inside southeast Asia and combined, accounted for 39% of the region’s attack traffic. Asia was the only region of the world that received attacks from IP addresses in Thailand during this time period. This type of behavior can be more difficult for enterprises to filter out as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region.

The IP addresses in Russia, France, and Moldova all launched Remote Frame Buffer (RFB) / Virtual Network Computing (VNC) port 5900 credential stuffing attacks against systems all over the world. The Netherlands IP addresses (in fifth position), all launched different types of attacks directed at a smaller global footprint that targeted only a few global regions at a time.

Figure 2. Top 20 source traffic countries (on a normalized scale) of attacks targeting systems in Asia, August through October 2019
Figure 2. Top 20 source traffic countries (on a normalized scale) of attacks targeting systems in Asia, August through October 2019

Note: The “normalized” attack count is not the total attack count collected, it is a calculated number considering the number of attack collection sensors region to region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no single region is overrepresented in the total data analysis.

Top Attacking Organizations (ASNs)

RM Engineering, with IP addresses registering in Moldova but having ASN number (49877) registered in Russia, accounted for 99% of the total attack traffic launched from Moldavian IP addresses towards systems in Asia. OVH SAS registered in France accounted for 89% of the attacks launched from French IP addresses towards systems in Asia during the same period. The attacks coming from these networks targeted RFB port 5900 with credential stuffing attacks and were received by systems all over the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB began, unlike OVH SAS which has routinely shown up on top attacking network lists in our Hunt for IoT Report series for years. GTECH, the network in third position that is driving Italy into the top position on the geographic source country list, was new to the top threat actor networks list globally. As stated previously, the attacks coming from this network were distributed with a small number of attacks being launched from many IP addresses. The attacks are abusive port scanning, typically associated with network reconnaissance looking for vulnerabilities.

Figure 3. Source ASNs of attacks targeting systems in Asia, August through October 2019
Figure 3. Source ASNs of attacks targeting systems in Asia, August through October 2019

The following table lists ASNs and their associated organizations (note that some ASNs have multiple ASNs).

ASN Organization ASN Normalized Attack Count
RM Engineering 49877 1,187,073
OVH SAS 16276 1,130,634
GTECH S.p.A. 35574 840,302
Hostkey B.v. 57043 709,873
Digital Ocean 14061 630,034
Hetzner Online GmbH 24940 498,350
Korea Telecom 4766 476,294
Garanti Bilisim Teknolojisi ve Ticaret T.A.S. 12903 465,597
Amazon.com 16509 460,265
Eurobet Italia SRL 200944 432,029
Serverius Holding B.V. 50673 425,712
China Telecom 4134 385,776
VNPT Corp 45899 278,127
Data Communication Business Group 3462 274,249
SK Broadband Co Ltd 9318 220,519
CMC Telecom Infrastructure Company 38733 187,518
China Unicom 4837 179,740
PT Telekomunikasi Indonesia 7713 178,068
IP Volume 202425 153,140
Winamax SAS 197014 148,286
Online S.a.S 12876 144,001
Viettel Group 7552 139,440
Selectel 49505 138,253
The Corporation for Financing & Promoting Tech... 18403 113,130
Continent 8 LLC 14537 112,619
Sprint S.A. 197226 112,063
SoftLayer Technologies Inc. 36351 111,762
Alibaba (US) 45102 109,757
NETSEC 45753 103,165
Rostelecom 12389 92,108
Shenzhen Tencent Computer Systems Co. 45090 90,731
Cybernet Introtech Private Limited 137139 88,090
Elyzium Technologies Pvt. Ltd. 134319 85,313
Cloudie Limited 55933 80,123
TS-NET of TOSET, Inc. in Japan 55902 77,833
NeuStar, Inc. 19905 76,843
Servers.com, Inc. 7979 75,462
CNSERVERS LLC 40065 74,565
CANTV Servicios, Venezuela 8048 67,460
Garanntor-Hosting-AS 328110 66,966
Webzilla B.V. 35415 66,927
Livenet Sp. z o.o. 59491 65,387
LeaseWeb Netherlands B.V. 60781 63,409
National Internet Backbone 9829 58,458
Offshore Racks S.A 52469 57,019
SS-Net 204428 56,034
TOT Public Company Limited 23969 55,572
Melita Limited 200805 54,511
Microsoft Corporation 8075 54,269
Turk Telekom 47331 53,783
Table 1. ASNs and their associated organizations (some have multiple ASNs)

ASNs Attacking Asia Compared to Other Regions

We looked at the count of attacks by ASN towards systems in Asia and compared that to other regions of the world. The key difference between attack traffic launched from networks targeting Asia versus the rest of the world was the 7 ASNs, 6 of which are inside Asia, that exclusively targeted systems in Asia (see ASNs denoted with *** in Figure 4). Additionally, many networks targeting systems in Asia were clearly launching exponentially more attacks against systems in the Middle East.

Figure 4: Normalized attack count by ASN by region, August through October 2019
Figure 4: Normalized attack count by ASN by region, August through October 2019

IP Addresses Attacking Asia Compared to Other Regions

We compared the volume of attack traffic systems in Asia received per IP address to other regions of the world. With 16% of IP addresses uniquely targeting systems in Asia (see IP addresses denoted with *** in Figure 6), attack traffic destined for these systems had considerable overlap with the rest of the world. A clear differentiator is the number of attacks systems in the U.S. received from the same IP addresses targeting systems in Asia.

Figure 5. Top 50 IP addresses attacking targets in Asia, August through October 2019.
Figure 5. Top 50 IP addresses attacking targets in Asia, August through October 2019.

IP Addresses Attacking Europe Compared to Other Regions

The following chart shows the volume of attack traffic European systems received per IP address in comparison to other regions of the world. Attack traffic destined for European systems had some overlap with the rest of the world, with many IP addresses seen in Europe also seen in 6 or 7 other regions of the world. There is an exception of a handful of IP addresses launching global attacks against RFB/VNC port 5900 (see the next section). Although geographically in the same region, the European and the Russian threat landscapes saw little overlap in terms of specific IP addresses sending malicious traffic. Eighteen percent of the top attacking IP addresses sending malicious traffic to Europe were unique to Europe, while 16% of that top 50 were seen sending malicious attack traffic to all other regions in the world.

Figure 6: Normalized attack count by IP by region, August through October 2019
Figure 6: Normalized attack count by IP by region, August through October 2019

Attacks Types of Top Attacking IP Addresses

All of the top 50 attacking IP addresses were engaging in port scanning (see top targeted ports section below). Most (82%) of the top attacking IP addresses had a follow-up plan that included credential stuffing on RFB/VNC port 5900 and SSH port 22, HTTP/S attacks on ports 443 and 8080, and spamming on SMTP port 25.

The following IP addresses launched attacks against RFB / VNC port 5900 all over the world:

Source IP Normalized Attack Count ASN Org Country
185.153.197.251 448,387.2 RM Engineering Moldova
185.153.198.197 445,224.5 RM Engineering Moldova
46.105.144.48 407,252.3 OVH SAS France
185.153.196.159 212,853.6 RM Engineering Moldova
193.188.22.114 187,135.1 Hostkey B.v. Russia
185.156.177.44 186,283.6 Hostkey B.v. Russia
5.39.39.49 157,176.0 OVH SAS France

These port 5900 attacks are new activity as of June 2019 and continued through October 31, 2019. We have opened up a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be looking to share our findings and ask questions soon. Join the conversation on Twitter.

Source IP Normalized Attack Count Attack Type ASN Organization Country
185.153.197.251 448,387.2 Port Scanning: 36 unique ports
Credential Stuffing: RFB/VNC port 5900
RM Engineering Moldova
185.153.198.197 445,224.5 Port Scanning: 29 unique ports
Credential Stuffing: RFB/VNC port 5900
RM Engineering Moldova
46.105.144.48 407,252.3 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS France
5.39.108.50 284,982.0 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS France
212.80.217.139 231,210.0 Port Scanning: 6 unique ports
Credential Stuffing: RFB/VNC port 5900
Serverius Holding B.V. Netherlands
185.153.196.159 212,853.6 Port Scanning: 23 unique ports
Credential Stuffing: RFB/VNC port 5900
RM Engineering Moldova
193.188.22.114 187,135.1 Port Scanning: RFB/VNC port 5900
Credential Stuffing: SSH port 22, RFB/VNC port 5900
Hostkey B.v. Russia
185.156.177.44 186,283.6 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Hostkey B.v. Russia
185.156.177.11 185,902.8 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Hostkey B.v. Russia
5.39.39.49 157,176.0 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS France
148.251.20.137 143,100.7 Port Scanning: SSH port 22, HTTPS port 443, SMTP port 25, HTTP port 80 Hetzner Online GmbH Germany
148.251.20.134 143,081.2 Port Scanning: SSH port 22, SMTP port 25, HTTPS port 443, HTTP port 80 Hetzner Online GmbH Germany
212.83.172.140 112,158.2 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Online S.a.s. France
198.245.60.31 95,839.7 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS Canada
185.40.13.3 94,717.4 Port Scanning: 51 unique ports GTECH S.p.A. Italy
211.44.226.158 78,188.5 Port Scanning: 48 unique ports SK Broadband Co Ltd South Korea
112.175.124.2 73,814.1 Port Scanning: 61 unique ports Korea Telecom South Korea
218.237.65.80 70,586.4 Port Scanning: SSH port 22, DNS port 53, HTTPS port 443, HTTP port 80 SK Broadband Co Ltd South Korea
192.250.197.246 67,681.3 Port Scanning: 20 unique ports
Credential Stuffing: SSH port 22
CNSERVERS LLC United States
164.160.130.141 66,965.3 Port Scanning: port 33899, Microsoft RDP port 3389 Garanntor-Hosting-AS Nigeria
178.19.108.178 65,306.1 Port Scanning: 249 unique ports
HTTP Attacks: HTTPS port 443 & Alt-HTTP port 8080
Livenet Sp. z o.o. Poland
112.175.127.189 63,434.3 Port Scanning: 48 unique ports Korea Telecom South Korea
185.234.218.16 52,881.6 Port Scanning: 5900, 5909, 8089, 3389
Credential Stuffing: RFB/VNC port 5900
Sprint S.A. Ireland
103.28.70.59 43,294.8 Port Scanning: SMTP port 25
Spam: SMTP port 25
HIVELOCITY, Inc. United States
194.187.175.68 42,610.3 Port Scanning: 45 unique ports GTECH S.p.A. Italy
173.225.100.225 39,176.1 Port Scanning: SMTP port 25 Interserver, Inc United States
112.175.127.179 36,882.2 Port Scanning: 48 unique ports Korea Telecom South Korea
89.248.174.201 36,691.1 Port Scanning: 64502 unique ports IP Volume inc Netherlands
185.156.177.55 36,413.3 Port Scanning: 111 unique ports
Credential Stuffing: RFB/VNC port 5900
Hostkey B.v. Russia
112.175.127.186 34,557.8 Port Scanning: 46 unique ports Korea Telecom South Korea
185.234.218.24 34,328.6 Port Scanning: port 3396, Microsoft RDP port 3389, RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Sprint S.A. Ireland
167.99.108.200 34,080.6 Port Scanning: RFB/VNC port 5900 Digital Ocean United States
185.232.28.237 33,599.1 Port Scanning: 11 unique ports PIN Hosting Europe GmbH Estonia
112.175.126.18 33,199.5 Port Scanning: 42 unique ports Korea Telecom South Korea
212.32.233.178 31,857.6 Port Scanning: 443, 25, 80 LeaseWeb Netherlands B.V. Netherlands
141.98.252.252 29,983.6 Port Scanning: MySQL port 3306 31173 Services AB United Kingdom
95.216.217.44 29,885.4 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Hetzner Online GmbH Finland
103.78.38.158 27,659.3 Port Scanning: 1433, 7001, 80, 445, 8080
HTTP Attacks: Alt-HTTP port 8080
PT.Mora Telematika Indonesia Indonesia
185.89.239.149 27,274.9 Port Scanning: HTTP port 80, DNS port 53, HTTPS port 443, SSH port 22 Melita Limited Malta
212.123.218.109 27,234.4 Port Scanning: HTTP port 80, HTTPS port 443, DNS port 53, SSH port 22 COLT Technology Services Group Ltd Netherlands
185.89.239.148 27,225.6 Port Scanning: SSH port 22, DNS port 53, HTTPS port 443, HTTP port 80 Melita Limited Malta
47.56.163.120 27,075.4 Unknown Alibaba (US) Technology Co., Ltd. United States
185.156.177.197 25,737.0 Port Scanning: 43 unique ports
Credential Stuffing: SSH port 22, RFB/VNC port 5900
Hostkey B.v. Russia
193.188.22.208 25,666.7 Port Scanning: VNC port 5901, MS CRM port 5555, RFB/VNC port 5900, Alt-HTTP port 8088, SSH port 22
Credential Stuffing: RFB/VNC port 5900
Hostkey B.v. Russia
103.103.92.42 24,992.4 Port Scanning: MS SQL port 1433, MS RDP 445 Xd Network India
66.194.167.76 24,824.1 Port Scanning: RFB/VNC port 5900 Renaissance Systems, Inc. United States
134.209.206.170 24,667.3 Port Scanning: 6 unique ports Digital Ocean Netherlands
95.216.172.249 24,620.8 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Hetzner Online GmbH Finland
134.209.204.225 24,592.4 Port Scanning: 80, 22, 445, 443, 53 Digital Ocean Netherlands
103.44.147.20 24,399.2 Port Scanning: MS SQL port 1433, MS RDP 445 National Computer Network And Information China

Top Targeted Ports

SMB port 445 was the number one attacked port in Asia during the fall of 2019. In a distant second place was port, VNC 5900, which was attacked all over the world during this time period. SMB port 445 has been a top targeted port since the release of the Eternal Blue exploit in April 2017. However, targeting VNC port 5900 is not typically at the top of the list, hence the threat hunting investigation we are doing on Twitter mentioned previously. SSH port 22 targeting, which followed in position 3, is activity we see globally on a consistent basis. This activity is typically associated with credential stuffing attacks (see top attacked SSH credentials) and IoT botnet building.

Both SMB and SSH are commonly targeted because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system. HTTP port 80 and the encrypted HTTP port 443 were in the fourth and fifth most attacked positions. The only port uniquely targeted in Asia during this time period was the unassigned TCP port 22225. Given the ports that were targeted, vulnerability scanning, and credential stuffing attack types seen against systems in Asia in the fall of 2019, it is clear that attackers are targeting applications in Asia.

Figure 7. Top 20 ports attacked in Asia, August through October 2019
Figure 7. Top 20 ports attacked in Asia, August through October 2019

Conclusion

In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic position backed up by the volume of attack traffic all systems touching the Internet receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare against the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic, or help you determine whether or not you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.

Locking down any of the top targeted ports that do not absolutely require unfettered Internet access should be completed as soon as possible. And because default vendor credentials are known by attackers, all systems should be hardened before being deployed and protected with multi-factor authentication.

Additionally, the volume of breached credentials in 2017 was so large that usernames and passwords should be considered “public,” therefore all organizations should have credential stuffing protection in place. Particularly for any system with remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.

Security Controls

To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:

Technical
Preventative
  • Use firewalls to restrict unnecessary access to commonly attacked and publicly exposed ports.
  • Use a web application firewall to protect against common web application attacks.
  • Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH).
  • Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
  • For remote administration, migrate from Telnet to SSH and implement brute force restrictions.
  • Disable vendor default credentials on all systems.
  • Implement multi-factor authentication on all remote administrative access and any web login.
  • Implement geo IP address blocking of commonly attacking countries that your organization does not need to communicate with.
Administrative
Preventative
  • Enforce system hardening and test all systems for the existence of vendor default credentials (commonly used in SSH brute force attacks).
  • Conduct security awareness training to ensure employees know how systems and data are targeted, and specifically how they are targeted with phishing attacks that can lead to credential theft, malware, and breaches.

Need-to-Know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.