F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, the Middle East, Asia (excluding China), and Australia. The attack landscape targeting systems in Asia during the fall of 2019 was largely driven by global attack campaigns scanning for vulnerable applications and conducting credential stuffing attacks.
- A network in Italy, owned by global gambling company GTECH, launched enough attacks against systems in Asia to make Italy the number one geographical source of attack traffic towards Asia.
- Credential stuffing attacks targeting RFB/VNC port 5900 launched through networks in Russia, France, and Moldova were not unique to systems in Asia; these attacks were felt all over the world.
- Fifty percent of the countries on the top attacking source countries list are in Southeast Asia and, combined, accounted for 39% of the region’s attack traffic in the fall of 2019.
- RM Engineering, with IP addresses registered in Moldova and an autonomous system number (ASN 49877) registered in Russia, accounted for 99% of the total attack traffic launched from Moldovan IP addresses towards systems in Asia.
- Only three IP addresses on the top 50 attacking list were from inside Asia. However, Asian countries appear on the top attacking countries list, and Asian networks appear on the top attacking networks list. This indicates that attacks originating from Asian IP addresses were distributed across many IP addresses at lower attack counts per IP address. This is behavior typically associated with more sophisticated threat actors attempting to fly under the radar.
- The top targeted port, SMB port 445, and the third most attacked port, SSH port 22, were commonly targeted across the world because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system.
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned in Italy launched the most malicious traffic against systems in Asia from August 1, 2019, through October 31, 2019. Most of this traffic (90%) came from one network in Italy: GTECH S.p.A., a global gambling company that was seen attacking all regions of the world during this time period. These attacks were distributed across many IP addresses; only 10% of the total attack traffic from this Italian network towards systems in Asia was generated from IP addresses on the top 50 attacking IP addresses list. This distributed style of attack is deliberate and takes more resources (systems and manpower) to pull off, and is therefore typically attributed to more sophisticated threat actors.
The top 10 countries of source traffic targeting Italian systems in the fall of 2019 were:
- South Korea
With the exception of India, all of the top ten source traffic countries were seen attacking all regions of the world. The top five source traffic countries were all within the European continent, a threat profile shared only with Australia during this period.
Similar to the European and Latin American threat landscapes, systems in Asia received a considerable number of attacks from in-region systems. Fifty percent of the countries on the top attacking source countries list are in Southeast Asia and, combined, accounted for 39% of the region’s attack traffic. Asia was the only region of the world that received attacks from IP addresses in Thailand during this time period. This type of behavior can be more difficult for enterprises to filter out, as it requires behavioral detection rather than geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region.
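The distributed pattern described above (many source addresses, few attempts each, so that no single IP address stands out) is what a per-IP alert threshold misses and a network-level aggregate catches. The script below is an added illustration, not F5 Labs or Baffin Bay Networks code: it runs two constructed event sets through a per-IP threshold and then through a grouping by enclosing network. The event data, the /24 grouping (a stand-in for the ASN or network-owner lookup a real pipeline would use), and the threshold value are all assumptions for the demonstration.

```python
"""Per-IP thresholds versus network-level aggregation of attack events.

Added example (not code from the F5 Labs article). Sample events, the /24
grouping used in place of an ASN lookup, and the threshold are assumptions.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample events as (source_ip, destination_port).
# Source A: one address makes 40 attempts against RFB/VNC port 5900.
# Source B: 40 different addresses in one network each make a single
# attempt against SMB port 445 (the "distributed" pattern).
SAMPLE_EVENTS = (
    [("203.0.113.10", 5900)] * 40
    + [(f"198.51.100.{i}", 445) for i in range(1, 41)]
)

PER_IP_THRESHOLD = 10  # assumed alert threshold for one source address


def enclosing_network(ip, prefixlen=24):
    """Map a source address to its enclosing /prefixlen network.

    A production pipeline would map to ASN or network owner here; the /24
    grouping is an assumption that keeps the example offline.
    """
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def noisy_sources(events, threshold=PER_IP_THRESHOLD):
    """Source addresses that individually reach the per-IP threshold."""
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def network_profile(events, prefixlen=24):
    """Per-network view: (total events, distinct source addresses).

    A high event count with many distinct addresses is the signature of
    an attack spread thinly across a network to stay under per-IP limits.
    """
    totals = Counter()
    sources = defaultdict(set)
    for ip, _ in events:
        net = enclosing_network(ip, prefixlen)
        totals[net] += 1
        sources[net].add(ip)
    return {net: (totals[net], len(sources[net])) for net in totals}


def noisy_networks(events, threshold=PER_IP_THRESHOLD, prefixlen=24):
    """Networks whose aggregate event count reaches the same threshold."""
    profile = network_profile(events, prefixlen)
    return sorted(net for net, (total, _) in profile.items() if total >= threshold)


if __name__ == "__main__":
    print("per-IP alerts:     ", noisy_sources(SAMPLE_EVENTS))
    print("per-network alerts:", noisy_networks(SAMPLE_EVENTS))
    for net, (total, distinct) in sorted(network_profile(SAMPLE_EVENTS).items()):
        print(f"{net}: {total} events from {distinct} distinct addresses")
```

With the constructed data, the per-IP rule flags only the single noisy address, while the network view flags both networks and shows that the second one reached the same volume from 40 distinct addresses at one attempt each. Grouping by network or ASN rather than blocking by country is what lets a regional business keep serving in-region customers while still seeing this kind of spread-out activity.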
IP addresses in Russia, France, and Moldova all launched Remote Frame Buffer (RFB) / Virtual Network Computing (VNC) port 5900 credential stuffing attacks against systems all over the world. The Netherlands IP addresses (in fifth position) launched different types of attacks with a smaller global footprint, targeting only a few global regions at a time.