Regional Threat Perspectives, Fall 2019: Canada

F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, Asia, Australia, and the Middle East. The attack landscape in Canada was similar to both the U.S. and Europe, most similar to the U.S. in terms of ports/services targeted with an identical top 8 for ports/services. All three of these regions (along with much of the world) were heavily targeted with malicious traffic directed towards RFB/VNC¹ port 5900.

• The number one source of attack traffic targeting Canadian systems came from IP addresses assigned in France, however, Russia in second place, followed closely. When looking at traffic coming from IP addresses in the top 20 attacking counties, 10.4% of that traffic originated from IP addresses assigned to France whereas IP addresses assigned to Russia were responsible for 10.2% of the traffic. This was the smallest gap between the first and second attacking countries of all the regions we analyzed.
• The top attacking IP address launching malicious traffic against systems in Canada is Canadian, assigned to a French ASN. This IP address was seen launching multi-port scanning against ports with known vulnerabilities (port 1433, the default port for SQL Server, and port 445, used for Server Message Block (SMB)).
• Of the top five IP addresses launching attacks against systems in the Canada, two are assigned to IP addresses in Canada, two are assigned to IP addresses in Moldova, and one is assigned to an IP address in France. These IP addresses were seen launching credential stuffing and aggressive multi-port scanning focusing on RFB/VNC port 5900 (hitting all regions of the world). Three of these IP addresses were seen sending attack traffic to every other region over the same period.
• The top eight ports or services targeted in Canada mirrored the top 8 targeted in the U.S. Of these, the top four were also identical to those targeted in Europe. The top 8 ports targeted in Canada were VNC port 5900 (being attacked all over the world), SMB port 445, SSH port 22, HTTP port 80, HTTPS port 443, SMTP port 25, Telnet port 23, and MS RDP 3389. These top attacked ports were common targets all over the world, however, Canada was the only region in the world to see targeted malicious traffic directed at port 1080, SOCKS protocol.

Note: “normalized” attack count is not the total attack count collected, it is a calculated number considering the number of attack collection sensors region to region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no one region is overrepresented in the total data analysis.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as top source traffic countries.

IP addresses assigned to France launched the most malicious traffic against systems in Canada from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:

1. France
2. Russia
3. Republic of Moldova
4. Italy
5. Canada
6. U.S.
7. South Korea
8. Netherlands
9. China
10. Turkey

All of the top 10, with the exception of Canada in position 5, were also the top malicious source traffic countries globally.

IP addresses assigned in France launched the most attack traffic against systems in Canada (see Figure 2). With normalized data, France was followed closely by IP addresses assigned in Russia and attack traffic from IP addresses assigned in these two countries accounts for just over 20% of malicious traffic seen targeting Canada. There was only a 1% difference in attack traffic between IP addresses assigned to Russia (in second position with 10.2%) and Moldova, (in third position with 9.3%). IP addresses assigned in both of these countries were seen participating in the RFB/VNC port 5900 port scanning and credential stuffing.

Attacks originating from IP addresses assigned in Canada and directed in country are in fifth place and account for 8.8% of malicious traffic seen targeting in-country systems. This kind of in-country, or in-region traffic can be more difficult for enterprises to filter out since businesses typically want everyone in their country to be able to access them. Three IP addresses assigned in Canada are in the top attacking IP list.

No unique countries are seen targeting Canada. In fact, in the top 20 attacking countries, all were seen targeting other regions of the world. The most unique attacking IP addresses targeting Canada were assigned in Singapore and Ireland. IP addresses assigned in these countries targeted three regions of the world. IP addresses assigned in Singapore focused on Asia, Australia, and Canada while IP addresses assigned in Ireland targeted Europe and the U.S. along with Canada.

Europe, the U.S., and Canada have many similarities in their threat landscapes over this time period, especially when it comes to protocols targeted. The U.S. and Canada have a particularly similar geographic attacker landscape. They share 95% of the same top source traffic countries. They differ in that IP addresses assigned in Singapore rank as a top source country targeting Canada, and not the U.S.. One IP address in Singapore launched a normalized 200,000 count of attacks against VNC port 5900. No other IP addresses assigned in Singapore were in the top attacking IP addresses list. This means attacks coming from IP addresses in this country were more distributed; that is, they were launched from many IP addresses but had a low number of attacks per address. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.

Top Attacking Organizations (ASNs)

The highest number of attacks against Canada were launched through French cloud computing company OVH SAS (see Figure 3). In fact, twice as many attacks were launched through OVH SAS than RM Engineering, the ASN in second position. Notably, OVH SAS and RM Engineering are the number one and number two attacking organizations across most of the world, and rank in the top three attacking ASNs in all regions except the Middle East, Russia (RM Engineering is in seventh position), and Latin America (OVH SAS is in fifth position).

Rounding out the top five attacking organizations targeting Canada are other popular ASNs HOSTKEY B.v. in third position, and GTECH S.p.A. and Digital Ocean in fourth and fifth respectively. These ASNs were all seen attacking every region of the world, indicating widespread attacks on the IPv4 address space.

Ten percent of ASNs targeting Canada are only seen targeting Canada. Traffic through these ASNs only makes up 2.8% of attack traffic directed towards Canada and no IP addresses from these ASNs appear in the top attacking IP addresses against Canada.

The following table lists ASNs and their associated organizations (note that some have multiple ASNs).

ASNs Attacking Canada Compared to Other Regions

We looked at the count of attacks by ASN targeting Canadian systems and compared that to other regions of the world. Canada remains in the middle of the pack as a target for most of the ASN attack traffic. Notably though, attack traffic directed at Canadian systems followed a similar pattern to European and U.S. traffic, with the exception of 17 ASNs that only targeted Canadian and Russian systems (denoted with ** in Figure 4 below). The fact that the attack traffic patterns by ASNs in Canada so closely mirror European and American patterns could be due to geopolitical reasons or the close alliances of these areas.

Top Attacking IP Addresses

The top five IP addresses attacking systems in Canada from August 1 through October 31, 2019 come from a mix of IP addresses assigned in Canada, Moldova, and France (see Figure 4). These IP addresses were engaged in port scanning, along with RBF/VNC port 5900 credential stuffing activity. This was a trend seen all over the world during this time period. Sixty-five percent of the IP addresses on the top 50 attacking IP addresses list were engaging in aggressive multi-port scanning, most of which was conducted by IP addresses assigned in Russia and IP addresses assigned in Moldova.¹ For a complete list of attacks by IP address, see section Attacks Types of Top Attacking IP Addresses.

IP Addresses Attacking Canada Compared to Other Regions

We compared the volume of attack traffic Canadian systems received per IP address to other regions of the world. Attack traffic destined for Canadian systems had significant overlap with the rest of the world due to the IP addresses launching attacks globally against RFB/VNC port 5900 (see the next section). Only 10% of the top attacking IP addresses sending malicious traffic to Canada were uniquely targeting Canadian systems (denoted by *** in Figure 6). While Canadian and U.S. malicious traffic shared 64% of top attacking IP addresses, there were fewer shared top attacking IP addresses with Europe. This could indicate traffic spread across IP addresses using the same ISPs in order to launch attacks.

Attacks Types of the Top Attacking IP Addresses

The top 50 IP addresses attacking systems in Canada were geographically spread fairly evenly. Eight percent are assigned to South Korea, and closely following, with 7% are assigned in the U.S. Though smaller in number, the three Canadian IP addresses in the top attacking IP address list are responsible for 17% of all attack traffic that targeted Canadian systems. These IP addresses were conducting a variety of activities, but most were scanning or doing some sort of credential stuffing.

Out of the top 50 attacking IP addresses, 65% were engaging in aggressive multi-port scanning ,32% participated in aggressive credential stuffing activity, and the remaining 2% were evenly distributed conducting HTTP attacks against port 8080, 8443, and 2375 and attempting to upload malware through SMB shares on port 445. The IP addresses in Moldova assigned to RM Engineering, as well as OVH SAS in France were launching brute force attacks and credential stuffing attacks against Remote Frame Buffer (RFB) / VNC port 5900, globally. All regions of the world were being hit with these same attacks from these IP addresses:

• 185.153.197.251
• 185.153.198.197
• 46.105.144.48
• 193.188.22.114
• 185.156.177.44
• 185.153.196.159
• 5.39.39.49
• 185.40.13.3

These port 5900 attacks were new activity we noticed earlier in the summer and continued through October 31, 2019. We have opened up a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be looking to share our findings and ask questions soon. Join the conversation on Twitter.

As mentioned, only 10% of IP addresses seen targeting Canada were exclusively targeting the region. This indicates that Canadian systems were likely not being geographically targeted but instead were being targeted based on the services they were providing. The following list is in descending order starting with top attacking IP addresses.

Top Targeted Ports

VNC port 5900 was attacked all over the world during this time period and was the number one attacked port in Canada by a large margin. This activity is not typical, hence the investigative threat hunting F5 Labs is doing on Twitter mentioned previously. In a distant second position was SMB port 445, also attacked all over the world. SMB port 445 is a common port where threat actors attempt to upload malware. The third most attacked port is SSH port 22, another commonly attacked port.

What stands out the most in top attacked ports in Canada is the targeting of SOCKS port 1080. That port does not show up in any other region during the same period, nor is it typically on a top 50 attacked port list.

In addition to some of the most commonly targeted ports, the number of non-standard HTTP port (8443, and 8080) targeting, and other application ports like Microsoft SMB port 445, and Microsoft CRM port 5555 makes it clear that attackers are targeting applications

Also noteworthy was the apparent attempt to compromise non-standard use of SSH and database by the targeting of ports 2222 and 33899 (along with 22 and 3389).

Conclusion

In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, rather, it’s a realistic position backed up by the volume of attack traffic all systems touching the Internet receive, the likelihood of vulnerabilities existing, and the amount of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare against the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic, or help you determine whether or not you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.

Additionally, locking down any of the top targeted ports that do not absolutely require unfettered internet access should be completed as soon as possible.

And because default vendor credentials are commonly left in place, and the volume of breached credentials in 2017 (see F5 Labs report Lessons Learned from a Decade of Data Breaches) was enough to determine that many usernames and passwords are now considered “public,” all organizations should have credential stuffing protection in place. Particularly for any system with remote authentication, and especially administrative remote access.

Security Controls

To mitigate the types of attacks discussed here, we recommend the following security controls be put in place: