F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, Asia, Australia, and the Middle East. The attack landscape in Latin America was different from the rest of the regions in that it had the most unique in-region IP addresses sending malicious traffic.
- IP addresses assigned in-region were the number one source of attacks targeting systems in Latin America. IP addresses assigned in Brazil launched the most malicious traffic to the region, more than IP addresses assigned to Venezuela, in second place. Latin America was also one of two regions targeted by attack traffic assigned to IP addresses in Argentina.
- Three of the top five IP addresses launching attacks against systems in Latin America were assigned to Costa Rica and Venezuela. These IP addresses conducted abusive scans, largely looking for vulnerabilities on multiple ports. These same IP addresses were not seen attacking other regions in the same period.
- Rounding out the top five IP addresses were those assigned to Moldova. These IP addresses were seen launching RFB/VNC port 5900 attacks that hit all regions of the world.
- Two of the top 25 most targeted ports were port 8291, used by MikroTik routers, and port 7547, used by ISPs to remotely manage their SOHO router infrastructure. While these were the nineteenth and twentieth most popular targeted ports, they still saw significant attack traffic directed towards them. This activity is directly tied to the building of IoT botnets, also known as thingbots.
- The top ports targeted in Latin America followed similar patterns to the rest of the world, with SMB port 445 being the top attacked port. Other ports included VNC port 5900 (being attacked in regions all over the world), SSH port 22, and Telnet port 23.
- In addition to the most commonly attacked ports, Latin America saw a lot of attack traffic directed towards common web application ports, including ports 5555 and 3389. Traffic was also directed towards MySQL port 3306 (indicating that databases were targeted), as well as towards web applications and IoT devices, which were a top target in Latin America.
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned to Brazil launched the most malicious traffic against systems in Latin America from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:
- Republic of Moldova
- Costa Rica
- South Korea
All of the top 10, with the exception of Venezuela and Costa Rica, were also the top malicious source traffic countries globally.
Similar to the European threat landscape, the Latin American threat picture experienced a lot of in-region attacks. Thirty percent of the countries in the top attacking source countries list came from Latin America, and combined they accounted for 37% of malicious traffic. The two top source traffic countries were Brazil and Venezuela, both in-region countries. While malicious traffic from Brazil was seen all over the world, malicious traffic coming from IP addresses in Venezuela exclusively targeted systems in Latin America. This kind of traffic can be more difficult for enterprises to filter since typically businesses want to remain accessible to customers in their region.
Latin America also received a considerable amount of traffic from IP addresses assigned in Argentina (position 11). Latin America was one of two regions to receive malicious traffic from Argentina, the other being Russia. Other than one IP address assigned in Argentina that launched a normalized 120,000 attacks, accounting for about one sixth of total traffic attributed to IP addresses assigned in Argentina, no other IP addresses in Argentina showed up in the top attacking IP address list, discussed later. This indicates that attacks coming from IP addresses in Argentina were more distributed; that is, they were launched from many IP addresses but had a low number of attacks per address. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.
Note: The “normalized” attack count is not the total attack count collected, it is a calculated number considering the number of attack collection sensors region to region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no single region is overrepresented in the total data analysis.
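To make the normalization note and the "top source traffic country" rankings concrete, the following added example (not F5 Labs or Baffin Bay Networks code) aggregates constructed sensor events per region, divides raw counts by the number of sensors deployed in that region, and ranks source countries and targeted ports. The per-sensor division is an assumption standing in for the report's unpublished normalization formula; the event records, sensor names and country codes are constructed sample data, not measurements from the report.

```python
"""Rank attack sources and targeted ports per region, normalized by sensor count.

Added illustrative example; the events below are constructed, not real telemetry.
Normalization here = raw event count / number of sensors in the region, which is
an assumption about how a per-region sensor count could be factored in.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackEvent:
    region: str       # region where the collecting sensor is deployed
    sensor: str       # sensor identifier
    src_country: str  # geo-IP country of the source address (not attribution)
    dst_port: int     # port the traffic targeted


# Constructed sample: two sensors in LATAM, four in EU (hypothetical labels).
SAMPLE_EVENTS = [
    AttackEvent("LATAM", "la-1", "BR", 445), AttackEvent("LATAM", "la-1", "BR", 445),
    AttackEvent("LATAM", "la-1", "VE", 5900), AttackEvent("LATAM", "la-1", "BR", 22),
    AttackEvent("LATAM", "la-1", "CR", 8291), AttackEvent("LATAM", "la-1", "MD", 5900),
    AttackEvent("LATAM", "la-1", "AR", 23),
    AttackEvent("LATAM", "la-2", "BR", 445), AttackEvent("LATAM", "la-2", "VE", 445),
    AttackEvent("LATAM", "la-2", "CR", 7547), AttackEvent("LATAM", "la-2", "MD", 5900),
    AttackEvent("LATAM", "la-2", "KR", 22), AttackEvent("LATAM", "la-2", "BR", 3306),
    AttackEvent("EU", "eu-1", "RU", 445), AttackEvent("EU", "eu-1", "RU", 22),
    AttackEvent("EU", "eu-2", "FR", 445), AttackEvent("EU", "eu-2", "NL", 5900),
    AttackEvent("EU", "eu-3", "RU", 3389), AttackEvent("EU", "eu-3", "US", 445),
    AttackEvent("EU", "eu-4", "FR", 22), AttackEvent("EU", "eu-4", "RU", 445),
]

# Countries treated as "in-region" for Latin America (sample set for the example).
LATAM_COUNTRIES = {"BR", "VE", "CR", "AR", "CO", "CL"}


def sensors_per_region(events):
    """Count distinct sensors per region; this is the normalization denominator."""
    seen = defaultdict(set)
    for e in events:
        seen[e.region].add(e.sensor)
    return {region: len(sensors) for region, sensors in seen.items()}


def normalized_counts(events, region, key):
    """Attacks per sensor for one region, grouped by 'src_country' or 'dst_port'."""
    n_sensors = sensors_per_region(events).get(region, 0)
    if n_sensors == 0:
        return {}
    raw = Counter(getattr(e, key) for e in events if e.region == region)
    return {k: v / n_sensors for k, v in raw.items()}


def top_n(counts, n=10):
    """Rank by normalized count, descending; ties broken by name for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


def in_region_share(events, region, in_region_countries):
    """Percentage of a region's attack traffic whose source IPs geolocate in-region."""
    counts = normalized_counts(events, region, "src_country")
    total = sum(counts.values())
    if total == 0:
        return 0.0
    inside = sum(v for k, v in counts.items() if k in in_region_countries)
    return round(100 * inside / total, 1)


def regional_totals(events):
    """Normalized total per region, so regions with more sensors are not overweighted."""
    return {
        region: round(sum(normalized_counts(events, region, "dst_port").values()), 2)
        for region in sensors_per_region(events)
    }


if __name__ == "__main__":
    for region in sensors_per_region(SAMPLE_EVENTS):
        print(region, "top sources:", top_n(normalized_counts(SAMPLE_EVENTS, region, "src_country"), 3))
        print(region, "top ports:", top_n(normalized_counts(SAMPLE_EVENTS, region, "dst_port"), 3))
    print("LATAM in-region share %:", in_region_share(SAMPLE_EVENTS, "LATAM", LATAM_COUNTRIES))
    print("normalized totals:", regional_totals(SAMPLE_EVENTS))
```

In the sample, LATAM records 13 raw events against EU's 8, but with twice as many sensors EU's per-sensor total is 2.0 against LATAM's 6.5, so the raw comparison would have understated the gap in the other direction had the sensor counts been reversed; that is the distortion the report's normalization step is meant to remove before regions are compared.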
Latin America was the only region to receive malicious traffic attributed to source IP addresses assigned in Venezuela, Costa Rica, Colombia, and Chile. Traffic from IP addresses in these countries accounted for 19% of malicious traffic seen during the August through October timeframe. It is notable that these are in-region countries, which may indicate threat actors were attempting to disguise their traffic to blend in with other benign in-region traffic.
The threat landscape in Latin America was a bit of an outlier when it comes to some of the more popular top source traffic countries. IP addresses assigned in Russia launched the least amount of traffic against systems in Latin America. In addition, many of the top source traffic countries in other regions of the world appeared lower in the rankings for Latin America. IP addresses assigned in Russia, which was in first or second position for four regions, was in position 9 in Latin America. Along with Russia, France, which was similarly in first position for 3 regions, was noticeably further down the list (at position 12) for Latin America.