F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region by region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (the whole IPv4 address space), the attack landscape varied regionally in terms of sources, targets, and attack types. Targeted ports also exposed regional differences in IT norms, specifically in the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period, August 1, 2019 through October 31, 2019, in the United States (U.S.), Canada, Australia, Europe, Russia, Asia, Latin America, and the Middle East. Australian systems were probed for vulnerabilities on the ports most commonly used by applications, but those probes were dwarfed by a global campaign targeting VNC port 5900.
- IP addresses assigned in Europe were the primary source of attacks targeting systems in Australia in the fall of 2019. Specifically, IP addresses assigned to OVH SAS in France launched the most malicious traffic to the region.
- The top five IP addresses launching attacks against systems in Australia were engaged in a global campaign targeting RFB/VNC port 5900 that began in June 2019. Because of this large global campaign, VNC port 5900 was the top targeted port in Australia during this period.
- The RFB/VNC port 5900 attacks brought a new threat actor network onto the scene: RM Engineering LLC out of Moldova.
- Attackers launched reconnaissance scans against Internet-facing applications in Australia, looking for vulnerabilities in commonly used services (VNC, HTTP, HTTPS, SMB, RDP, MySQL). They also conducted credential stuffing attacks against SSH and Telnet remote access.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical assignment of IP addresses in this section. The phrase “top source traffic countries” does not mean that the country itself, or individuals or organizations based in that country, were responsible for the malicious traffic. The attack traffic could be coming through a proxy server, a compromised system, or an IoT device with an IP address assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned to France launched the most malicious traffic against systems in Australia from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:
- United States
- South Korea
All of the top 10, with the exception of Venezuela and Costa Rica, were also among the top malicious source traffic countries globally. Having all of the top 5 source traffic countries within Europe is a threat profile shared only with Asia during this period; every other region had the U.S., Canada, or an Asian country in its top 5.
IP addresses assigned in France launched the most attack traffic against systems in Australia, followed by IP addresses assigned in Moldova, Russia, Italy, and the Netherlands. Traffic from these five countries accounted for over half (55%) of the malicious traffic targeting Australian systems during this period. Much of it was RFB/VNC port 5900 scanning and credential stuffing, activity that was seen all over the world.
Australia received attack traffic originating from two countries that were not seen attacking other regions of the world: Nigeria, in 17th position, and Australia itself, in 20th. Attacks sourced from these two countries accounted for 2.2% of all malicious traffic directed at Australia during this period. This is notable because in other regions (including the U.S. and Europe) in-region malicious traffic tops the list and poses a bigger threat. In-region traffic is harder for enterprises to filter, since businesses typically want everyone in their own country to be able to reach them, so geographic blocking is not an option and such sources have to be handled per address or by behavior. Even though in-country traffic made up a relatively small share of all malicious traffic, two Australian IP addresses appeared in the top 50 attacking IP addresses, at positions 36 and 43. These two addresses accounted for 57.66% of all malicious traffic originating from Australian IP addresses.
Australia is one of three regions where Singapore appears in the top 20 source traffic countries. IP addresses assigned in Singapore focused on Asia, Australia, and Canada, but none of them appeared in the top attacking IP list. Conversely, Romania is not in the top 20 source traffic countries, yet systems in Australia received over 32,000 attacks from a single IP address in Romania, and no other Romanian IP address shows up in the top attacking IP address list discussed later. This indicates that attacks coming from IP addresses in Romania and Singapore (and probably many other countries) were more distributed: launched from many IP addresses with low numbers of attacks per address. This pattern is deliberate and takes more resources (systems and manpower) to pull off, and is therefore typically attributed to more sophisticated threat actors intentionally disguising their activity.
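The per-source analysis this section draws on (volume by source country, the most-targeted port, and how concentrated a country's traffic is across its individual addresses, which is what separates a "distributed" source like Singapore from one where two addresses carry most of the volume) can be reproduced over sensor records. The following Python is an added example, not F5 Labs or Baffin Bay Networks code. It runs over a small constructed data set; the record layout, the RFC 5737 documentation addresses, the country assignments, and the "distributed vs. concentrated" rule (top two addresses carrying under half of a country's traffic) are all assumptions for illustration.

```python
"""
Source-concentration analysis over constructed sensor records.

Added example; not F5 Labs or Baffin Bay Networks code. Each record is
(source_ip, source_country, destination_port, attack_count); the data set,
the geolocation, and the classification threshold are all assumptions.
"""
from collections import Counter

# Constructed records (RFC 5737 documentation addresses), shaped like the
# patterns described in the text: heavy VNC scanners in FR/MD, one dominant
# RO address with a small tail, a flat long tail from SG, and an AU set in
# which two addresses carry most of the in-country volume.
RECORDS = (
    [
        ("198.51.100.10", "FR", 5900, 40_000),
        ("198.51.100.11", "FR", 5900, 38_000),
        ("198.51.100.12", "FR", 22, 1_200),
        ("203.0.113.5", "MD", 5900, 35_000),
        ("203.0.113.6", "MD", 5900, 30_000),
        ("192.0.2.50", "RO", 445, 32_000),
        ("192.0.2.70", "AU", 3389, 3_000),
        ("192.0.2.71", "AU", 22, 2_700),
    ]
    + [(f"198.51.100.{100 + i}", "RO", 22, 50) for i in range(30)]
    + [(f"203.0.113.{100 + i}", "SG", 23, 150) for i in range(40)]
    + [(f"192.0.2.{100 + i}", "AU", 23, 100) for i in range(42)]
)


def volume_by_country(records):
    """Total attack count per source country."""
    totals = Counter()
    for _ip, country, _port, count in records:
        totals[country] += count
    return totals


def top_countries(records, n=5):
    """Source countries ranked by attack volume, highest first."""
    return [cc for cc, _ in volume_by_country(records).most_common(n)]


def top_ports(records, n=3):
    """Destination ports ranked by attack volume, highest first."""
    totals = Counter()
    for _ip, _cc, port, count in records:
        totals[port] += count
    return [port for port, _ in totals.most_common(n)]


def top_ips(records, n=10):
    """Individual source addresses ranked by attack volume, with their country."""
    per_ip, country_of = Counter(), {}
    for ip, cc, _port, count in records:
        per_ip[ip] += count
        country_of[ip] = cc
    return [(ip, country_of[ip], count) for ip, count in per_ip.most_common(n)]


def volume_by_ip(records, country):
    """Attack count per source address for one country."""
    per_ip = Counter()
    for ip, cc, _port, count in records:
        if cc == country:
            per_ip[ip] += count
    return per_ip


def top_ip_share(records, country, k=2):
    """Fraction of a country's attack volume carried by its k busiest addresses."""
    per_ip = volume_by_ip(records, country)
    total = sum(per_ip.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in per_ip.most_common(k)) / total


def classify_sources(records, k=2, threshold=0.5):
    """Label a country 'concentrated' when its top-k addresses carry at least
    `threshold` of its volume, else 'distributed' (many low-volume addresses).
    The values of k and threshold are illustrative assumptions."""
    return {
        cc: "concentrated" if top_ip_share(records, cc, k) >= threshold else "distributed"
        for cc in volume_by_country(records)
    }


if __name__ == "__main__":
    print("top source countries:", top_countries(RECORDS))
    print("top ports:", top_ports(RECORDS))
    print("top addresses:", top_ips(RECORDS, 5))
    for cc, label in classify_sources(RECORDS).items():
        print(f"{cc}: {len(volume_by_ip(RECORDS, cc))} addresses, "
              f"top-2 share {top_ip_share(RECORDS, cc):.1%}, {label}")
```

In this constructed set the two busiest Australian addresses carry about 58% of the in-country volume, so Australia is labelled concentrated, while Singapore's forty equal-volume addresses give a top-2 share of 5% and are labelled distributed. The single Romanian address lands in the top five attacking IPs even though the rest of the Romanian tail is tiny, which is the kind of outlier a country-level ranking hides.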