Top Risks
November 21, 2019

Regional Threat Perspectives, Fall 2019: Middle East

By Remi Cohen, Sara Boddy

F5 Labs, in conjunction with our partner Baffin Bay Networks, set out to research global attack traffic by geographic region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (the IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms. This can be seen when it comes to the way nonstandard ports are used for different services such as HTTP and SSH. In this latest data collection, we looked at malicious traffic over the same 90-day period in the U.S., Canada, Latin America, Europe, Russia, Asia, Australia, and the Middle East. (Note, for purposes of this research series, the Middle East includes Turkey, and excludes Middle Eastern countries that U.S. companies are not authorized to operate in.) This article covers attack traffic destined for systems in the Middle East from August 1, 2019 through October 31, 2019.

  • The number one source of attacks targeting systems in the Middle East was IP addresses assigned to Russia, which launched more malicious traffic to the region than IP addresses assigned to the Netherlands, in second position. The Middle East was the most popular target of attacks sourced from Russian IP addresses.
  • The top four IP addresses launching attacks against systems in the Middle East were assigned to Russia. These were abusive scans, largely looking for vulnerabilities on multiple ports. These IP addresses were not seen attacking other regions in the same time period.
  • Rounding out the top 10 attacking IP addresses were those assigned to the Netherlands, Romania, and Moldova. These 10 IP addresses launched attacks on RFB/VNC port 5900, hitting all regions of the world.
  • Of the top targeted ports, two were port 8291, used by MikroTik routers, and port 7547, used by Internet service providers (ISPs) to remotely manage their small office/home office (SOHO) router infrastructure. Combined, these ports received 3.7 million attacks. This activity is directly tied to the building of IoT botnets, also known as thingbots.
  • The top ports targeted in the Middle East followed similar patterns as the rest of the world, with SMB port 445 as the top attacked port followed by SSH port 22, VNC port 5900, and HTTP port 80. Looking past the top 7 attacked services, the Middle East is the only region to see targeted malicious traffic directed at ports 81 (used for HTTP), 53 (used for DNS), and 8545 (used by Ethereum clients).
    • In addition to the most frequently attacked ports, the Middle East was one of two regions to receive malicious traffic against Microsoft SQL server on port 1433, indicating databases, along with IoT devices, were a top target in that region.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” let’s clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have gone through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”

IP addresses assigned to Russia launched the most malicious traffic against systems in the Middle East from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:

  1. Russia
  2. Netherlands
  3. United States
  4. China
  5. Italy
  6. France
  7. Turkey
  8. Moldova
  9. Germany
  10. South Korea

The top 10 were also the top source traffic countries globally.

Figure 1. Source traffic countries launching attack traffic against targets in the Middle East, August through October 2019

IP addresses assigned in Russia launched 4 times as much attack traffic against systems in the Middle East as those assigned in the Netherlands. Both the Netherlands and Russia are on the list of top source traffic countries globally. These IP addresses launched nearly 11 times more malicious traffic toward the Middle East than toward the U.S., the second most targeted region for these IP addresses. France, one of the top 3 source countries attacking other regions, is noticeably further down the list (at position 6). The Middle East also received a considerable amount of traffic from IP addresses assigned in Romania (position 11) and in Ukraine (position 13). The Middle East is one of two regions to receive malicious traffic from Romania, the other being Russia. Malicious traffic attributed to IP addresses assigned in Ukraine targeted only three regions: Russia, Europe, and the Middle East. Other than two IP addresses assigned in Ukraine that together launched a normalized 372,000 attacks, accounting for about one third of the total traffic attributed to Ukrainian IP addresses, no IP addresses in Ukraine or Romania appear in the top attacking IP address list discussed later. This indicates that attacks from IP addresses in those countries were more distributed: they were launched from many IP addresses, each with a low number of attacks. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and is therefore typically attributed to more sophisticated threat actors.

Note: The “normalized” attack count is not the total attack count collected; it is a calculated number that accounts for the number of attack collection sensors in each region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no one region is overrepresented in the total data analysis.
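The two analytic steps described above, normalizing raw counts by the number of sensors in each region and telling a "distributed" source country (many addresses, few attacks each) from a "concentrated" one, can be reproduced on a small scale. The following is an added example, not F5 Labs code; the article does not publish its normalization formula, so the per-sensor scaling used here is an assumption, and all counts, sensor numbers and IP addresses are constructed.

```python
"""Added example (not F5 Labs code): normalizing attack counts across regions
with different numbers of collection sensors, and measuring how concentrated
a source country's traffic is across its IP addresses."""

# Constructed sample data for the example; these are not F5 Labs figures.
RAW_ATTACKS = {"Middle East": 900_000, "Europe": 2_400_000, "US": 1_500_000}
SENSORS = {"Middle East": 3, "Europe": 12, "US": 6}


def normalize(raw, sensors):
    """Assumed normalization method (the article does not publish its formula):
    convert each region's raw count to a per-sensor rate, then rescale by the
    mean sensor count so the normalized values stay in a familiar magnitude."""
    mean_sensors = sum(sensors.values()) / len(sensors)
    return {region: raw[region] / sensors[region] * mean_sensors for region in raw}


def rank(counts):
    """Regions ordered from most to least attacked."""
    return sorted(counts, key=counts.get, reverse=True)


# Constructed per-IP attack counts for two hypothetical source countries,
# using RFC 5737 documentation addresses.
PER_IP = {
    # two loud scanners carry nearly all of this country's traffic
    "country_a": {"203.0.113.10": 800_000, "203.0.113.11": 700_000, "203.0.113.12": 50_000},
    # two notable addresses plus 100 low-volume ones: a distributed source
    "country_b": {"198.51.100.1": 190_000, "198.51.100.2": 182_000,
                  **{f"198.51.100.{i}": 7_500 for i in range(3, 103)}},
}


def top_n_share(ip_counts, n=2):
    """Fraction of a country's traffic carried by its n busiest IP addresses."""
    total = sum(ip_counts.values())
    if not total:
        return 0.0
    busiest = sorted(ip_counts.values(), reverse=True)[:n]
    return sum(busiest) / total


def classify_sources(per_ip, n=2, threshold=0.5):
    """Label a country 'concentrated' when its top-n IPs carry at least
    `threshold` of its traffic, otherwise 'distributed' (many addresses with
    a low count each, the pattern the article attributes to more deliberate
    actors)."""
    return {country: ("concentrated" if top_n_share(ips, n) >= threshold else "distributed")
            for country, ips in per_ip.items()}


if __name__ == "__main__":
    norm = normalize(RAW_ATTACKS, SENSORS)
    print("raw ranking:       ", rank(RAW_ATTACKS))
    print("normalized ranking:", rank(norm))
    for country, ips in PER_IP.items():
        label = classify_sources({country: ips})[country]
        print(f"{country}: top-2 share {top_n_share(ips):.2f} -> {label}")
```

With the constructed numbers the Middle East is only the third most attacked region by raw count but the first once counts are scaled per sensor, which is exactly the kind of distortion the normalization is meant to remove; country_b's two busiest addresses carry about a third of its traffic, so it is labelled distributed.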

The Middle East is the only region to receive malicious traffic attributed to source IP addresses assigned in Spain. This only accounts for 1.6% of all malicious traffic August through October 2019.

Figure 2. Top 20 source traffic countries (on a normalized scale) of attacks targeting systems in the Middle East, August through October 2019

Because IP addresses assigned to Russia launched so many attacks against systems in the Middle East during this period, we wanted to show a comparison of malicious traffic sourced from IP addresses in Russia directed to all regions analyzed around the world.

Figure 3. Normalized count of attacks sourced from IP addresses assigned in Russia by geographical target, August through October 2019

Top Attacking Organizations (ASNs)

Petersburg Internet Network from Russia launched nearly double the attack traffic against systems in the Middle East as hosting provider Selectel (from the Netherlands), which was in second place. SS-Net in third position and MAROSNET Telecommunication Company LLC in fourth position are Russian. DigitalOcean, in sixth position, did not have any IP addresses show up on the top 50 attacking IP addresses list, which means its attacks were more evenly distributed across systems.

Figure 4. Source ASNs of attacks targeting Middle Eastern systems, August through October 2019

The following table lists ASNs and their associated organizations (note that some have multiple ASNs).

| AS Organization | ASN | Normalized Count |
|---|---|---|
| Petersburg Internet Network ltd. | 44050 | 7,007,052.50 |
| Selectel | 49505 | 4,294,692.00 |
| SS-Net | 204428 | 3,358,399.40 |
| Marosnet Telecommunication Company LLC | 48666 | 2,673,245.80 |
| IP Volume Inc | 202425 | 2,509,987.40 |
| Digital Ocean LLC | 14061 | 1,847,636.20 |
| RM Engineering LLC | 49877 | 1,539,218.70 |
| China Telecom | 4134 | 1,397,017.60 |
| Eurobet Italia SRL | 200944 | 1,385,536.10 |
| OVH SAS | 16276 | 1,273,846.40 |
| GTECH S.p.A. | 35574 | 1,041,995.50 |
| Donner Oleg Alexeevich | 35606 | 880,958.10 |
| IP CHistyakov Mihail Viktorovich | 35582 | 760,214.70 |
| Amazon.com, Inc. | 16509 | 632,401.90 |
| IMAQLIQ SERVICE Ltd | 12555 | 722,226.90 |
| Garanti Bilisim Teknolojisi ve Ticaret T.A.S. | 12903 | 678,935.70 |
| Vitox Telecom | 209299 | 645,652.90 |
| Korea Telecom | 4766 | 642,071.10 |
| Data Communication Business Group | 3462 | 632,553.00 |
| SoftLayer Technologies Inc. | 36351 | 595,028.20 |
| Internet-Cosmos LLC | 34300 | 588,531.50 |
| Hetzner Online GmbH | 24940 | 572,179.90 |
| Hosting technology LTD | 48282 | 567,631.60 |
| Hostkey B.v. | 57043 | 549,825.90 |
| Dianet Ltd. | 43314 | 527,897.80 |
| Teleline Ltd. | 13016 | 525,814.40 |
| VNPT Corp | 45899 | 520,675.70 |
| PT Telekomunikasi Indonesia | 7713 | 454,833.80 |
| Contabo GmbH | 51167 | 422,825.10 |
| Online S.a.s. | 12876 | 420,159.30 |
| China Unicom | 4837 | 416,594.10 |
| NETSEC | 45753 | 414,159.60 |
| SK Broadband Co Ltd | 9318 | 394,738.90 |
| Serverius Holding B.V. | 50673 | 375,209.20 |
| PE Taran Marina Vasil'evna | 51743 | 372,027.50 |
| Chernyshov Aleksandr Aleksandrovich | 202984 | 371,658.90 |
| Turk Telekom | 47331 | 238,842.50 |
| UGB Hosting OU | 206485 | 306,819.60 |
| China Unicom IP network | 133119 | 287,601.30 |
| JSC ER-Telecom Holding | 41786 | 266,715.80 |
| Rostelecom | 12389 | 210,051.20 |
| Linode, LLC | 63949 | 228,179.50 |
| CariNet, Inc. | 10439 | 201,691.90 |
| Melita Limited | 200805 | 200,896.40 |
| Viettel Group | 7552 | 197,330.10 |
| TS-NET of TOSET, Inc. in Japan | 55902 | 195,257.10 |
| LeaseWeb Netherlands B.V. | 60781 | 193,883.40 |
| Vietnam Posts and Telecommunications Group | 135905 | 188,628.80 |
| CANTV Servicios, Venezuela | 8048 | 187,967.50 |
| TELEFÔNICA BRASIL S.A | 27699 | 99,004.70 |

ASNs Attacking the Middle East Compared to Other Regions

We looked at the count of attacks by ASN toward Middle Eastern systems and compared that to other regions of the world. The key difference between attack traffic launched from networks targeting the Middle East and the rest of the world is volume: the top 4 networks targeting Middle Eastern systems (Petersburg Internet Network, Selectel, SS-Net, and MAROSNET Telecommunication Company LLC; three Russian, one Dutch) sent large volumes of attacks to the Middle East, while the rest of the world received little to no attacks from the same networks. In contrast, top attacking networks in other regions, like OVH SAS (France) and RM Engineering (Moldova), sent much less traffic toward Middle Eastern systems.

Top Attacking IP Addresses

The top 4 IP addresses attacking systems in the Middle East from August 1, 2019 through October 31, 2019 were all assigned in Russia and were engaged in either credential stuffing or multi-port scanning, activity typically associated with looking for vulnerabilities. Seventy-four percent of the IP addresses on the top 50 attacking IP addresses list engaged in the same multi-port scanning behavior, and most of those are Russian. For a complete list of attacks by IP address, see the section Attack Types of Top Attacking IP Addresses.

Figure 5. Top 50 IP addresses attacking Middle East targets, August through October 2019

IP Addresses Attacking the Middle East Compared to Other Regions

We looked at the volume of attack traffic Middle Eastern systems received per IP address and compared that to other regions of the world. Attack traffic destined for Middle Eastern systems had little overlap with the rest of the world except for a handful of IP addresses launching global attacks against RFB/VNC port 5900 (see the next section). Eighty percent of the top 50 attacking IP addresses sending malicious traffic to the Middle East were unique to the region, 16% were seen sending malicious attack traffic to all other regions in the world, and the remaining 4% were seen targeting 7 of the 8 regions we looked at.

Attack Types of Top Attacking IP Addresses

Of the top 50 IP addresses attacking systems in the Middle East, most were Russian (64%). These IP addresses, along with the remainder from the Netherlands (4%), Romania (4%), Moldova (6%), France (8%), Spain (2%), Germany (6%), Italy (2%), and Ukraine (4%), were launching scans against multiple ports (49%), targeting ports 80 and 8080 with HTTP attacks (5%), and targeting Remote Frame Buffer (RFB)/VNC port 5900 with brute force and credential stuffing attacks (19%).

The IP addresses in Moldova assigned to RM Engineering, as well as OVH SAS in France, were launching brute force and credential stuffing attacks against Remote Frame Buffer (RFB)/VNC port 5900, globally. All regions of the world are being hit with these same attacks from the following IP addresses:

  • 185.153.197.251
  • 185.153.198.197
  • 46.105.144.48
  • 193.188.22.114
  • 185.156.177.44
  • 185.153.196.159
  • 5.39.39.49
  • 185.40.13.3

These port 5900 attacks were new activity we noticed earlier in the summer and continued through October 31, 2019. We are conducting an investigation and will be looking to share our findings publicly on Twitter.

Eighty percent of the IP addresses seen sending malicious traffic to the Middle East exclusively targeted this region. The following list is in descending order starting with top attacking IP addresses.

| Source IP Address | ASN Organization | Country | Normalized Attack Count | Attacks Known For |
|---|---|---|---|---|
| 31.184.196.195 | Petersburg Internet Network | Russia | 1,830,560.5 | Multi-port scanning |
| 31.184.197.195 | Petersburg Internet Network | Russia | 1,743,359.4 | Multi-port scanning |
| 31.184.196.199 | Petersburg Internet Network | Russia | 1,713,624.0 | Multi-port scanning |
| 31.184.197.199 | Petersburg Internet Network | Russia | 1,709,400.9 | Multi-port scanning |
| 185.143.221.104 | Selectel | Netherlands | 1,205,687.1 | Multi-port scanning |
| 80.82.78.104 | IP Volume inc | Netherlands | 929,167.6 | Multi-port scanning |
| 185.176.27.250 | SS-Net | Russia | 922,830.2 | Multi-port scanning |
| 92.118.37.97 | Donner Oleg Alexeevich | Romania | 563,369.5 | Multi-port scanning |
| 185.153.197.251 | RM Engineering LLC | Moldova | 557,115.2 | Multi-port scanning |
| 185.176.27.6 | SS-Net | Russia | 544,818.3 | Multi-port scanning |
| 93.189.222.80 | DIANET Ltd. | Russia | 527,462.7 | Credential stuffing and HTTP attacks |
| 93.189.249.109 | Teleline Ltd. | Russia | 525,814.4 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 185.153.198.197 | RM Engineering | Moldova | 503,611.6 | Credential stuffing and multi-port scanning |
| 92.119.160.90 | Selectel | Russia | 474,398.1 | Multi-port scanning |
| 185.58.204.69 | Marosnet Telecommunication Company LLC | Russia | 454,153.3 | Multi-port scanning |
| 185.58.206.51 | Marosnet Telecommunication Company LLC | Russia | 453,857.1 | Multi-port scanning |
| 185.58.206.15 | Marosnet Telecommunication Company LLC | Russia | 389,440.9 | Multi-port scanning |
| 185.87.48.104 | Marosnet Telecommunication Company LLC | Russia | 384,468.3 | Multi-port scanning |
| 93.189.147.162 | IMAQLIQ SERVICE Ltd | Russia | 374,878.9 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 92.119.160.251 | Selectel | Russia | 356,754.9 | Multi-port scanning |
| 92.119.160.250 | Selectel | Russia | 347,531.5 | Multi-port scanning |
| 93.189.144.135 | IMAQLIQ SERVICE Ltd | Russia | 347,236.6 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 93.189.204.162 | JSC ER-Telecom Holding | Russia | 256,840.9 | Credential stuffing, multi-port scanning, and HTTP attacks |
| 185.254.122.50 | UGB Hosting OU | Russia | 224,907.5 | Multi-port scanning |
| 185.153.196.159 | RM Engineering LLC | Republic of Moldova | 212,839.1 | Credential stuffing and multi-port scanning |
| 46.105.144.48 | OVH SAS | France | 202,142.7 | Credential stuffing and multi-port scanning |
| 185.176.27.246 | SS-Net | Russia | 198,532.4 | Multi-port scanning |
| 51.75.32.149 | OVH SAS | France | 198,274.3 | Multi-port scanning |
| 185.40.13.3 | GTECH S.p.A. | Italy | 192,255.5 | Multi-port scanning |
| 194.67.207.25 | MAROSNET Telecommunication Company LLC | Russia | 190,066.7 | Multi-port scanning |
| 62.210.220.217 | Online S.a.s. | France | 186,914.8 | Multi-port scanning |
| 91.217.254.37 | PE Taran Marina Vasil'evna | Ukraine | 186,263.8 | Multi-port scanning |
| 91.217.254.167 | PE Taran Marina Vasil'evna | Ukraine | 185,763.6 | Multi-port scanning |
| 5.39.39.49 | OVH SAS | France | 184,431.2 | Credential stuffing and multi-port scanning |
| 148.251.20.137 | Hetzner Online GmbH | Germany | 176,001.6 | Multi-port scanning |
| 148.251.20.134 | Hetzner Online GmbH | Germany | 175,726.6 | Multi-port scanning |
| 185.176.27.166 | SS-Net | Russia | 175,511.8 | Multi-port scanning |
| 194.67.202.109 | MAROSNET Telecommunication Company LLC | Russia | 172,302.0 | Multi-port scanning |
| 185.176.27.186 | SS-Net | Russia | 170,891.8 | Multi-port scanning |
| 185.175.93.105 | IP CHistyakov Mihail Viktorovich | Spain | 170,151.3 | Multi-port scanning |
| 92.118.37.86 | Donner Oleg Alexeevich | Romania | 169,713.6 | Multi-port scanning |
| 185.176.27.18 | SS-Net | Russia | 166,207.1 | Multi-port scanning |
| 62.173.145.112 | Internet-Cosmos LLC | Russia | 156,611.4 | Multi-port scanning |
| 62.173.139.141 | Internet-Cosmos LLC | Russia | 155,513.1 | Multi-port scanning |
| 62.173.149.167 | Internet-Cosmos LLC | Russia | 155,443.9 | Multi-port scanning |
| 185.176.27.42 | SS-Net | Russia | 152,556.9 | Multi-port scanning |
| 92.119.160.52 | Selectel | Russia | 145,908.0 | Multi-port scanning |
| 213.136.90.36 | Contabo GmbH | Germany | 143,881.3 | Credential stuffing and multi-port scanning |
| 193.188.22.114 | Hostkey B.v. | Russia | 142,707.9 | Credential stuffing and multi-port scanning |

Top Targeted Ports

Looking at the destination ports of the attacks helps us understand what types of systems and services attackers are looking for. Microsoft SMB port 445 was the number one attacked port in the Middle East by a large margin. In a distant second was SSH port 22. Both of these ports are commonly targeted because exploiting a vulnerability on either can give a malicious actor access to the entire system. The third most attacked port, VNC 5900, was being attacked all over the world during this time period. This activity is not typical, hence the investigative threat hunting we are doing on Twitter mentioned previously.

What stands out most among the top attacked ports in the Middle East is the targeting of DNS port 53; that port does not show up in any other region we analyzed during the same time period.

In addition to some of the most commonly targeted ports, the number of non-standard HTTP ports (81, 8443, and 8080) and other application ports, such as Microsoft SMB port 445 and Microsoft CRM port 5555, makes it clear that attackers are targeting applications in the Middle East.

Also noteworthy is the apparent attempt to compromise IoT systems in the Middle East by targeting ports 7547 and 8291, both of which are only used by SOHO routers and are commonly attacked by IoT botnets (thingbots). We called out these ports in our 2017 report, The Hunt for IoT: The Rise of Thingbots.

Figure 6. Top 20 ports attacked in the Middle East, August through October 2019

Conclusion

In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position; rather, it’s a realistic position backed by the volume of attack traffic received by all Internet-connected systems, the likelihood of vulnerabilities existing, and the amount of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare against the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic, or help you determine whether or not you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.
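The comparison recommended above, checking the traffic hitting your own perimeter against a published picture of background attack activity, is easy to script. The following is an added example, not F5 Labs tooling: it parses netfilter-style firewall drop logs, counts hits from the port 5900 attacker addresses listed earlier in this article, separates hits on the ports this article names as most attacked (run-of-the-mill scanning noise) from hits on ports it does not name (worth a closer look), and reports both. The log lines are constructed for the example and the regular expression assumes the `SRC=`/`DPT=` fields written by iptables/nftables LOG targets.

```python
"""Added example (not F5 Labs code): triage perimeter drop logs against a
published list of top attacking IPs and top targeted ports."""
import re
from collections import Counter

# Indicators taken from this article: the port 5900 attacker IPs it lists and
# the ports it names as most targeted in the Middle East.
REPORT_TOP_IPS = {
    "185.153.197.251", "185.153.198.197", "46.105.144.48", "193.188.22.114",
    "185.156.177.44", "185.153.196.159", "5.39.39.49", "185.40.13.3",
}
REPORT_TOP_PORTS = {445, 22, 5900, 80, 8291, 7547, 1433, 53, 8545, 81, 8080, 8443}

# Field layout assumed from iptables/nftables LOG output (SRC=... DPT=...).
LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")

# Constructed sample log lines (not real captures; RFC 5737 addresses).
SAMPLE_LOG = """\
Oct 12 03:14:07 fw kernel: [FW-DROP] IN=eth0 SRC=185.153.197.251 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=5900
Oct 12 03:14:09 fw kernel: [FW-DROP] IN=eth0 SRC=185.153.197.251 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=5900
Oct 12 03:15:11 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=445
Oct 12 03:16:02 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22
Oct 12 03:17:30 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=3389
Oct 12 03:18:45 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=9200
Oct 12 03:18:46 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=55556 DPT=9200
Oct 12 03:18:47 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=55557 DPT=9200
"""


def parse_events(text):
    """Extract (source IP, destination port) pairs; lines without both fields are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), int(m.group("dpt"))))
    return events


def triage(events, known_ips=REPORT_TOP_IPS, common_ports=REPORT_TOP_PORTS):
    """Bucket events into: hits from published top-attacker IPs, hits on the
    commonly attacked ports (likely background noise), and everything else
    (uncommon ports from unlisted sources, the part that merits investigation)."""
    by_src = Counter(src for src, _ in events)
    by_port = Counter(dpt for _, dpt in events)
    known_hits = {src: n for src, n in by_src.items() if src in known_ips}
    noise_ports = {p: n for p, n in by_port.items() if p in common_ports}
    unusual = Counter()
    for src, dpt in events:
        if src not in known_ips and dpt not in common_ports:
            unusual[(src, dpt)] += 1
    return {
        "known_attacker_hits": known_hits,
        "background_ports": noise_ports,
        "unusual": dict(unusual),
    }


if __name__ == "__main__":
    report = triage(parse_events(SAMPLE_LOG))
    print("hits from published attacker IPs:", report["known_attacker_hits"])
    print("hits on commonly attacked ports: ", report["background_ports"])
    print("unlisted source + uncommon port: ", report["unusual"])
```

Run against the sample, the two port 5900 hits are attributed to an address already on the global attacker list, the 445 and 22 hits are the expected background, and the repeated probes of port 9200 from one unlisted source are what is left to investigate. In practice the indicator sets would be loaded from a feed rather than hard-coded, and the "unusual" bucket, not the totals, is what goes to an analyst.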

Additionally, locking down any of the top targeted ports that do not absolutely require unfettered internet access should be completed as soon as possible.

And because default vendor credentials are commonly left in place, and the volume of breached credentials in 2017 was enough to determine that many usernames and passwords are now considered “public,” all organizations should have credential stuffing protection in place, particularly for any system with remote authentication, and especially for administrative remote access. See the F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.

Security Controls

To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:

Technical
Preventative
  • Use firewalls to restrict all unnecessary access to commonly attacked ports that must be exposed publicly.
  • Never expose internal databases publicly, and restrict access to internal data on a need-to-know basis.
  • Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH) for vulnerability management.
  • Protect applications accessible over SSH using brute force restrictions.
  • Disable all vendor default credentials (commonly used in SSH brute force attacks) on all systems before deploying them publicly.
Administrative
Preventative
  • Implement geo IP address blocking of commonly attacking countries that your organization does not need to communicate with.
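The "brute force restrictions" control for SSH above amounts to counting failed logins per source inside a time window and banning a source that exceeds the limit. The following is an added example, not F5 Labs or any vendor's code: a sliding-window limiter fed by constructed sshd auth log lines, with the edge case where old failures age out of the window so a slow trickle does not trigger a ban. The `nft_commands` helper renders firewall set additions for the banned addresses; the nftables set name `ssh_ban` and its table `inet filter` are placeholders assumed to exist.

```python
"""Added example (not F5 Labs code): sliding-window SSH brute-force limiter
driven by sshd "Failed password" log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd failure lines in traditional syslog format; the optional
# "invalid user" prefix covers guesses at accounts that do not exist.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample auth log (RFC 5737 addresses, not real captures).
SAMPLE_AUTH_LOG = """\
Oct 12 03:00:01 bastion sshd[2101]: Failed password for root from 192.0.2.5 port 50111 ssh2
Oct 12 03:00:04 bastion sshd[2101]: Failed password for root from 192.0.2.5 port 50112 ssh2
Oct 12 03:01:10 bastion sshd[2130]: Failed password for invalid user admin from 198.51.100.23 port 41000 ssh2
Oct 12 03:01:12 bastion sshd[2131]: Failed password for invalid user admin from 198.51.100.23 port 41001 ssh2
Oct 12 03:01:14 bastion sshd[2132]: Failed password for invalid user ubnt from 198.51.100.23 port 41002 ssh2
Oct 12 03:01:16 bastion sshd[2133]: Failed password for invalid user pi from 198.51.100.23 port 41003 ssh2
Oct 12 03:01:18 bastion sshd[2134]: Failed password for root from 198.51.100.23 port 41004 ssh2
Oct 12 03:01:20 bastion sshd[2135]: Failed password for root from 198.51.100.23 port 41005 ssh2
Oct 12 03:05:00 bastion sshd[2200]: Accepted publickey for deploy from 203.0.113.9 port 33000 ssh2
Oct 12 03:05:30 bastion sshd[2201]: Failed password for deploy from 203.0.113.9 port 33001 ssh2
Oct 12 03:10:05 bastion sshd[2300]: Failed password for root from 192.0.2.5 port 50113 ssh2
Oct 12 03:10:07 bastion sshd[2301]: Failed password for root from 192.0.2.5 port 50114 ssh2
Oct 12 03:10:09 bastion sshd[2302]: Failed password for root from 192.0.2.5 port 50115 ssh2
"""


def syslog_seconds(ts):
    """Seconds since an arbitrary epoch; syslog timestamps carry no year, so only
    differences between timestamps are meaningful."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


class BruteForceLimiter:
    """Ban a source after `max_failures` failed logins within `window_seconds`."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # src -> timestamps inside the window
        self.banned = {}                    # src -> timestamp of the ban

    def record_failure(self, src, t):
        """Return True if `src` is (now) banned."""
        if src in self.banned:
            return True
        q = self.failures[src]
        q.append(t)
        while q and t - q[0] > self.window:   # age out failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned[src] = t
            return True
        return False


def process_auth_log(text, max_failures=5, window_seconds=300):
    """Feed every failed-login line through the limiter and return it."""
    limiter = BruteForceLimiter(max_failures, window_seconds)
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            limiter.record_failure(m.group("src"), syslog_seconds(m.group("ts")))
    return limiter


def nft_commands(banned, set_name="ssh_ban"):
    """Render nftables set additions for banned sources. Assumes a set named
    `set_name` already exists in table `inet filter` (placeholder names)."""
    return [f"nft add element inet filter {set_name} {{ {src} }}" for src in sorted(banned)]


if __name__ == "__main__":
    lim = process_auth_log(SAMPLE_AUTH_LOG)
    print("banned:", sorted(lim.banned))
    for cmd in nft_commands(lim.banned):
        print(cmd)
```

In the sample, 198.51.100.23 is banned on its fifth failure inside two minutes, the single failure from 203.0.113.9 after a successful key login is ignored, and 192.0.2.5, which fails twice and then three more times ten minutes later, never has five failures inside the 300-second window and is not banned. Pair the limiter with key-only authentication and the removal of vendor default accounts, since a ban threshold alone still leaves a few guesses per window per source.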
