Top Risks

Regional Threat Perspectives, Fall 2019: Canada

The U.S. and Canada have 95% of top source traffic countries in common.
December 02, 2019
18 min. read

F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, Asia, Australia, and the Middle East. The attack landscape in Canada was similar to both the U.S. and Europe, most similar to the U.S. in terms of ports/services targeted with an identical top 8 for ports/services. All three of these regions (along with much of the world) were heavily targeted with malicious traffic directed towards RFB/VNC1 port 5900.

  • The number one source of attack traffic targeting Canadian systems came from IP addresses assigned in France, however, Russia in second place, followed closely. When looking at traffic coming from IP addresses in the top 20 attacking counties, 10.4% of that traffic originated from IP addresses assigned to France whereas IP addresses assigned to Russia were responsible for 10.2% of the traffic. This was the smallest gap between the first and second attacking countries of all the regions we analyzed.
  • The top attacking IP address launching malicious traffic against systems in Canada is Canadian, assigned to a French ASN. This IP address was seen launching multi-port scanning against ports with known vulnerabilities (port 1433, the default port for SQL Server, and port 445, used for Server Message Block (SMB)).
  • Of the top five IP addresses launching attacks against systems in the Canada, two are assigned to IP addresses in Canada, two are assigned to IP addresses in Moldova, and one is assigned to an IP address in France. These IP addresses were seen launching credential stuffing and aggressive multi-port scanning focusing on RFB/VNC port 5900 (hitting all regions of the world). Three of these IP addresses were seen sending attack traffic to every other region over the same period.
  • The top eight ports or services targeted in Canada mirrored the top 8 targeted in the U.S. Of these, the top four were also identical to those targeted in Europe. The top 8 ports targeted in Canada were VNC port 5900 (being attacked all over the world), SMB port 445, SSH port 22, HTTP port 80, HTTPS port 443, SMTP port 25, Telnet port 23, and MS RDP 3389. These top attacked ports were common targets all over the world, however, Canada was the only region in the world to see targeted malicious traffic directed at port 1080, SOCKS protocol.

Note: “normalized” attack count is not the total attack count collected, it is a calculated number considering the number of attack collection sensors region to region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no one region is overrepresented in the total data analysis.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as top source traffic countries.

IP addresses assigned to France launched the most malicious traffic against systems in Canada from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:

  1. France
  2. Russia
  3. Republic of Moldova
  4. Italy
  5. Canada
  6. U.S.
  7. South Korea
  8. Netherlands
  9. China
  10. Turkey

All of the top 10, with the exception of Canada in position 5, were also the top malicious source traffic countries globally.

Figure 1. Source traffic countries launching malicious traffic against targets in Canada, August through October 2019
Figure 1. Source traffic countries launching malicious traffic against targets in Canada, August through October 2019

IP addresses assigned in France launched the most attack traffic against systems in Canada (see Figure 2). With normalized data, France was followed closely by IP addresses assigned in Russia and attack traffic from IP addresses assigned in these two countries accounts for just over 20% of malicious traffic seen targeting Canada. There was only a 1% difference in attack traffic between IP addresses assigned to Russia (in second position with 10.2%) and Moldova, (in third position with 9.3%). IP addresses assigned in both of these countries were seen participating in the RFB/VNC port 5900 port scanning and credential stuffing.

Attacks originating from IP addresses assigned in Canada and directed in country are in fifth place and account for 8.8% of malicious traffic seen targeting in-country systems. This kind of in-country, or in-region traffic can be more difficult for enterprises to filter out since businesses typically want everyone in their country to be able to access them. Three IP addresses assigned in Canada are in the top attacking IP list.

No unique countries are seen targeting Canada. In fact, in the top 20 attacking countries, all were seen targeting other regions of the world. The most unique attacking IP addresses targeting Canada were assigned in Singapore and Ireland. IP addresses assigned in these countries targeted three regions of the world. IP addresses assigned in Singapore focused on Asia, Australia, and Canada while IP addresses assigned in Ireland targeted Europe and the U.S. along with Canada.

Europe, the U.S., and Canada have many similarities in their threat landscapes over this time period, especially when it comes to protocols targeted. The U.S. and Canada have a particularly similar geographic attacker landscape. They share 95% of the same top source traffic countries. They differ in that IP addresses assigned in Singapore rank as a top source country targeting Canada, and not the U.S.. One IP address in Singapore launched a normalized 200,000 count of attacks against VNC port 5900. No other IP addresses assigned in Singapore were in the top attacking IP addresses list. This means attacks coming from IP addresses in this country were more distributed; that is, they were launched from many IP addresses but had a low number of attacks per address. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.

Figure 2. Top 20 source traffic countries (on a normalized scale) of attacks targeting Middle Eastern systems, August through October 2019
Figure 2. Top 20 source traffic countries (on a normalized scale) of attacks targeting Middle Eastern systems, August through October 2019

Top Attacking Organizations (ASNs)

The highest number of attacks against Canada were launched through French cloud computing company OVH SAS (see Figure 3). In fact, twice as many attacks were launched through OVH SAS than RM Engineering, the ASN in second position. Notably, OVH SAS and RM Engineering are the number one and number two attacking organizations across most of the world, and rank in the top three attacking ASNs in all regions except the Middle East, Russia (RM Engineering is in seventh position), and Latin America (OVH SAS is in fifth position).

Rounding out the top five attacking organizations targeting Canada are other popular ASNs HOSTKEY B.v. in third position, and GTECH S.p.A. and Digital Ocean in fourth and fifth respectively. These ASNs were all seen attacking every region of the world, indicating widespread attacks on the IPv4 address space.

Ten percent of ASNs targeting Canada are only seen targeting Canada. Traffic through these ASNs only makes up 2.8% of attack traffic directed towards Canada and no IP addresses from these ASNs appear in the top attacking IP addresses against Canada.

Figure 3. Top 50 Source ASNs of attacks targeting Canadian systems, August through October 2019
Figure 3. Top 50 Source ASNs of attacks targeting Canadian systems, August through October 2019

The following table lists ASNs and their associated organizations (note that some have multiple ASNs).

AS Organization ASN Normalized Count
OVH SAS 16276 2,306,827.80
RM Engineering LLC 49877 1,285,804.90
HOSTKEY B.v. 57043 995,262.70
GTECH S.p.A. 35574 868,484.50
DigitalOcean, LLC 14061 673,248.10
Amazon.com, Inc. 16509 546,601.50
Garanti Bilisim Teknolojisi ve Ticaret T.A.S. 12903 605,792.40
Korea Telecom 4766 597,073.90
Hetzner Online GmbH 24940 579,522.20
China Telecom 4134 439,445.80
Serverius Holding B.V. 50673 329,375.80
Online S.A.S. 12876 291,327.50
SK Broadband Co Ltd 9318 226,616.40
Eurobet Italia SRL 200944 212,455.90
G-Core Labs S.A. 199524 199,212.00
Data Communication Business Group 3462 153,744.70
Winamax SAS 197014 123,593.30
Sprint S.A. 197226 116,979.50
NeuStar, Inc. 19905 110,373.50
IP Volume Inc 202425 103,562.50
Selectel 49505 93,908.10
China Unicom 4837 100,906.40
LeaseWeb Netherlands B.V. 60781 99,793.40
PT Telekomunikasi Indonesia 7713 88,587.70
Continent 8 LLC 14537 91,055.80
Alibaba (US) Technology Co., Ltd. 45102 77,666.10
Shenzhen Tencent Computer Systems Company Limited 45090 71,845.20
Webzilla B.V. 35415 70,496.30
Servers.com, Inc. 7979 65,789.00
VNPT Corp 45899 65,452.10
CNSERVERS LLC 40065 64,784.30
Rostelecom 12389 47,890.70
Turk Telekom 9121 37,555.40
Digital United Inc. 4780 55,331.00
SoftLayer Technologies Inc. 36351 54,487.40
PIN Hosting Europe GmbH 39556 54,417.10
NETSEC 45753 46,120.10
Garanntor-Hosting-AS 328110 44,467.40
TELEFÔNICA BRASIL S.A 27699 32,999.70
HOSTKEY 395839 40,383.60
Chinanet 23650 38,763.70
CANTV Servicios, Venezuela 8048 38,453.50
TE-AS 8452 38,019.60
Viettel Group 7552 37,206.50
ALGAR TELECOM S/A 16735 29,450.40
Contabo GmbH 51167 35,396.90
Offshore Racks S.A 52469 35,288.50
WorldStream B.V. 49981 32,369.80
Google LLC 15169 31,916.60
UAB Cherry Servers 16125 29,873.00
Table 1. ASNs and their associated organizations (some have multiple ASNs)

ASNs Attacking Canada Compared to Other Regions

We looked at the count of attacks by ASN targeting Canadian systems and compared that to other regions of the world. Canada remains in the middle of the pack as a target for most of the ASN attack traffic. Notably though, attack traffic directed at Canadian systems followed a similar pattern to European and U.S. traffic, with the exception of 17 ASNs that only targeted Canadian and Russian systems (denoted with ** in Figure 4 below). The fact that the attack traffic patterns by ASNs in Canada so closely mirror European and American patterns could be due to geopolitical reasons or the close alliances of these areas.

Figure 4. Normalized attack count by ASN by region, August through October 2019
Figure 4. Normalized attack count by ASN by region, August through October 2019

Top Attacking IP Addresses

The top five IP addresses attacking systems in Canada from August 1 through October 31, 2019 come from a mix of IP addresses assigned in Canada, Moldova, and France (see Figure 4). These IP addresses were engaged in port scanning, along with RBF/VNC port 5900 credential stuffing activity. This was a trend seen all over the world during this time period. Sixty-five percent of the IP addresses on the top 50 attacking IP addresses list were engaging in aggressive multi-port scanning, most of which was conducted by IP addresses assigned in Russia and IP addresses assigned in Moldova.1 For a complete list of attacks by IP address, see section Attacks Types of Top Attacking IP Addresses.

Figure 5. Top 50 IP addresses attacking Canadian targets, August through October 2019
Figure 5. Top 50 IP addresses attacking Canadian targets, August through October 2019

IP Addresses Attacking Canada Compared to Other Regions

We compared the volume of attack traffic Canadian systems received per IP address to other regions of the world. Attack traffic destined for Canadian systems had significant overlap with the rest of the world due to the IP addresses launching attacks globally against RFB/VNC port 5900 (see the next section). Only 10% of the top attacking IP addresses sending malicious traffic to Canada were uniquely targeting Canadian systems (denoted by *** in Figure 6). While Canadian and U.S. malicious traffic shared 64% of top attacking IP addresses, there were fewer shared top attacking IP addresses with Europe. This could indicate traffic spread across IP addresses using the same ISPs in order to launch attacks.

Figure 6: Normalized attack count by IP by region, August through October 2019
Figure 6: Normalized attack count by IP by region, August through October 2019

Attacks Types of the Top Attacking IP Addresses

The top 50 IP addresses attacking systems in Canada were geographically spread fairly evenly. Eight percent are assigned to South Korea, and closely following, with 7% are assigned in the U.S. Though smaller in number, the three Canadian IP addresses in the top attacking IP address list are responsible for 17% of all attack traffic that targeted Canadian systems. These IP addresses were conducting a variety of activities, but most were scanning or doing some sort of credential stuffing.

Out of the top 50 attacking IP addresses, 65% were engaging in aggressive multi-port scanning ,32% participated in aggressive credential stuffing activity, and the remaining 2% were evenly distributed conducting HTTP attacks against port 8080, 8443, and 2375 and attempting to upload malware through SMB shares on port 445. The IP addresses in Moldova assigned to RM Engineering, as well as OVH SAS in France were launching brute force attacks and credential stuffing attacks against Remote Frame Buffer (RFB) / VNC port 5900, globally. All regions of the world were being hit with these same attacks from these IP addresses:

  • 185.153.197.251
  • 185.153.198.197
  • 46.105.144.48
  • 193.188.22.114
  • 185.156.177.44
  • 185.153.196.159
  • 5.39.39.49
  • 185.40.13.3

These port 5900 attacks were new activity we noticed earlier in the summer and continued through October 31, 2019. We have opened up a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be looking to share our findings and ask questions soon. Join the conversation on Twitter.

As mentioned, only 10% of IP addresses seen targeting Canada were exclusively targeting the region. This indicates that Canadian systems were likely not being geographically targeted but instead were being targeted based on the services they were providing. The following list is in descending order starting with top attacking IP addresses.

Source IP Address AS Organization Country Normalized Count Attacks Known For
192.99.222.16 OVH SAS Canada 716,690.60 Multi-port scanning
185.153.197.251 RM Engineering LLC Republic of Moldova 518,482.80 Credential stuffing, multi-port scanning
185.153.198.197 RM Engineering LLC Republic of Moldova 481,153.40 Credential stuffing, multi-port scanning
46.105.144.48 OVH SAS France 414,766.50 Credential stuffing, multi-port scanning
192.99.140.91 OVH SAS Canada 324,049.60 Malware uploads
5.39.108.50 OVH SAS France 294,705.10 Credential stuffing, multi-port scanning
193.188.22.114 HOSTKEY B.v. Russia 283,938.30 Credential stuffing, multi-port scanning
185.156.177.44 HOSTKEY B.v. Russia 280,945.30 Credential stuffing, multi-port scanning
185.156.177.11 HOSTKEY B.v. Russia 279,985.70 Credential stuffing, multi-port scanning
212.83.172.140 Online S.A.S. France 266,336.80 Credential stuffing, multi-port scanning
148.251.20.134 Hetzner Online GmbH Germany 210,316.30 Multi-port scanning
148.251.20.137 Hetzner Online GmbH Germany 210,280.10 Multi-port scanning
185.153.196.159 RM Engineering LLC Republic of Moldova 207,474.80 Credential stuffing, multi-port scanning
92.223.85.77 G-Core Labs S.A. Singapore 199,211.50 Credential stuffing, multi-port scanning
5.39.39.49 OVH SAS France 179,829.60 Credential stuffing, multi-port scanning
212.80.217.139 Serverius Holding B.V. Netherlands 152,250.90 Credential stuffing, multi-port scanning
185.40.13.3 GTECH S.p.A. Italy 113,956.80 Multi-port scanning
211.44.226.158 SK Broadband Co Ltd South Korea 102,566.10 Multi-port scanning
112.175.124.2 Korea Telecom South Korea 99,799.20 Multi-port scanning
164.132.22.162 OVH SAS United Kingdom 81,270.90 HTTP attacks
112.175.127.189 Korea Telecom South Korea 76,341.30 Multi-port scanning
185.234.218.16 Sprint S.A. Ireland 72,580.10 Credential stuffing, multi-port scanning
218.237.65.80 SK Broadband Co Ltd South Korea 65,499.30 Multi-port scanning
198.245.60.31 OVH SAS Canada 63,804.30 Credential stuffing, multi-port scanning
192.250.197.246 CNSERVERS LLC United States 61,273.60 Credential stuffing, multi-port scanning
212.32.233.178 LeaseWeb Netherlands B.V. Netherlands 53,482.70 Multi-port scanning
194.187.175.68 GTECH S.p.A. Italy 52,261.80 Multi-port scanning
112.175.127.179 Korea Telecom South Korea 51,100.60 Multi-port scanning
185.232.28.237 PIN Hosting Europe GmbH Estonia 50,910.70 Multi-port scanning
206.189.209.142 DigitalOcean, LLC United States 48,186.30 Multi-port scanning
112.175.127.186 Korea Telecom South Korea 45,624.90 Multi-port scanning
164.160.130.141 Garanntor-Hosting-AS Nigeria 44,467.40 Multi-port scanning
112.175.126.18 Korea Telecom South Korea 43,702.00 Multi-port scanning
218.92.0.207 No.31,Jin-rong Street China 42,711.20 Credential stuffing, multi-port scanning
139.60.163.68 HOSTKEY United States 40,371.20 Credential stuffing, multi-port scanning
203.73.59.86 Digital United Inc. Taiwan 38,481.60 Multi-port scanning
185.153.198.202 RM Engineering LLC Republic of Moldova 34,002.00 Multi-port scanning
159.65.108.26 DigitalOcean, LLC United States 33,952.40 Multi-port scanning
95.216.172.249 Hetzner Online GmbH Finland 31,897.50 Credential stuffing, multi-port scanning
95.216.217.44 Hetzner Online GmbH Finland 31,520.00 Credential stuffing, multi-port scanning
165.22.10.222 DigitalOcean, LLC United States 31,148.70 Multi-port scanning
218.92.0.208 No.31,Jin-rong Street China 31,049.70 Credential stuffing, multi-port scanning
193.188.22.46 HOSTKEY B.v. Russia 30,470.30 Credential stuffing, multi-port scanning
185.156.177.55 HOSTKEY B.v. Russia 29,556.70 Credential stuffing, multi-port scanning
61.177.172.158 No.31,Jin-rong Street China 29,383.30 Credential stuffing, multi-port scanning
89.248.174.201 IP Volume Inc. Netherlands 27,471.60 Multi-port scanning
94.102.51.117 IP Volume Inc. Netherlands 26,113.80 Credential stuffing, multi-port scanning
183.110.242.142 Korea Telecom South Korea 26,043.20 Multi-port scanning
165.22.6.170 DigitalOcan, LLC United States 25,502.00 Multi-port scanning
165.22.6.17 DigitalOcean, LLC United States 25,501.00 Multi-port scanning
Table 2. Top attacking IP addresses in descending order

Top Targeted Ports

VNC port 5900 was attacked all over the world during this time period and was the number one attacked port in Canada by a large margin. This activity is not typical, hence the investigative threat hunting F5 Labs is doing on Twitter mentioned previously. In a distant second position was SMB port 445, also attacked all over the world. SMB port 445 is a common port where threat actors attempt to upload malware. The third most attacked port is SSH port 22, another commonly attacked port.

What stands out the most in top attacked ports in Canada is the targeting of SOCKS port 1080. That port does not show up in any other region during the same period, nor is it typically on a top 50 attacked port list.

In addition to some of the most commonly targeted ports, the number of non-standard HTTP port (8443, and 8080) targeting, and other application ports like Microsoft SMB port 445, and Microsoft CRM port 5555 makes it clear that attackers are targeting applications

Also noteworthy was the apparent attempt to compromise non-standard use of SSH and database by the targeting of ports 2222 and 33899 (along with 22 and 3389).

Figure 7. Top 20 ports attacked in Canada, August through October 2019
Figure 7. Top 20 ports attacked in Canada, August through October 2019

Conclusion

In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, rather, it’s a realistic position backed up by the volume of attack traffic all systems touching the Internet receive, the likelihood of vulnerabilities existing, and the amount of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare against the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic, or help you determine whether or not you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.

Additionally, locking down any of the top targeted ports that do not absolutely require unfettered internet access should be completed as soon as possible.

And because default vendor credentials are commonly left in place, and the volume of breached credentials in 2017 (see F5 Labs report Lessons Learned from a Decade of Data Breaches) was enough to determine that many usernames and passwords are now considered “public,” all organizations should have credential stuffing protection in place. Particularly for any system with remote authentication, and especially administrative remote access.

Security Controls

To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:

Technical
Preventative
  • Use firewalls to restrict all unnecessary access to commonly attacked ports that must be exposed publicly.
  • Never expose internal databases publicly, and restrict access to internal data on a need-to-know basis.
  • Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH) for vulnerability management.
  • Protect applications accessible over SSH using brute force restrictions.
  • Disable all vendor default credentials (commonly used in SSH brute force attacks) on all systems before deploying them publicly.
Administrative
Preventative
  • Implement geo IP address blocking of commonly attacking countries that your organization does not need to communicate with.
Authors & Contributors
Remi Cohen (Author)
Sara Boddy (Author)
Footnotes

1 Remote Frame Buffer (RFB) is the protocol used for Virtual Network Computing (VNC), a graphical desktop sharing system that enables the remote control of another computer.

2 Note here that some of the top 50 IP addresses were engaged in multiple types of malicious behavior to include port scanning and credential stuffing. It is possible for an IP to be involved in more than one type of behavior.

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read