Top Risks
December 23, 2019

Regional Threat Perspectives, Fall 2019: Russia

article
21 min. read

Introduction

F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, Middle East, Asia, and Australia. We separated Russia from Europe because Russia is consistently a top source traffic country globally, so we wanted to understand if its threat landscape was different—and it was. Attacks targeting Russian systems originated from more unique source networks and IP addresses than anywhere else in the world.

  • IP addresses assigned in the U.S. launched the most malicious traffic towards systems in Russia from August 1, 2019, through October 31, 2019. The U.S. is a top source traffic country globally, however, 90% of the IP addresses in the U.S. that attacked Russian systems in the fall of 2019 were not seen attacking other regions.
  • Russian IP addresses were responsible for 13% of the attacks received by Russia systems during the fall of 2019.
  • Fifty-eight (58%) percent of the IP addresses seen sending malicious traffic to Russia exclusively targeted Russian systems.
  • The top ports targeted in Russia followed similar patterns to the rest of the world with SMB port 445 being the #1 attacked port and SSH port 22 being the #3 top attacked port.
  • The Swiss Exchange service port 7326 was the #2 attacked port in Russia, which is very interesting given the potential financial implications, and the fact that this was not a top attacked port anywhere else in the world in this time period.
  • Outside of multi-port reconnaissance scanning looking for commonly used web application ports, attackers are conducting credential stuffing attacks on RFB/VNC port 5900, SSH port 22, and Telnet port 23 (common with IoT bot building).

Top Source Traffic Countries

Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”

IP addresses assigned in the U.S. launched the most malicious traffic towards systems in Russia from August 1, 2019, through October 31, 2019. The U.S. is a top source traffic country globally, however 90% of the IP addresses in the U.S. that were attacking Russian systems in the fall of 2019 were not seen attacking other regions. Whereas the U.S. being a top source country is not unique, the attacks sourced from IP addresses in the U.S. to Russia were exclusively targeting systems in Russia. Conversely, 70% of the IP addresses in the Netherlands (which is a top source traffic country globally) that attacked systems in Russia were also engaged in global attack campaigns; Russian systems weren’t the only target.

The number of attacks launched from IP addresses in Russia regularly drive Russia into one of the top three source traffic country positions globally. This is no exception for Russia itself as 13% of the attacks received by Russia systems during the fall of 2019 came from IP addresses in Russia. This kind of traffic can be more difficult for enterprises to filter as they can’t simply block IP addresses by geography since businesses typically want to remain accessible to customers in their region.

All of the top 10 source traffic countries of attacks targeting Russian systems in the fall of 2019 were top source traffic countries globally.

Map of top 20 source countries launching cyber-attacks against Russian systems, fall of 2019.
Figure 1. Top 20 source traffic countries launching attack traffic against targets in the Russia, August 1, 2019 through October 31, 2019

Note: The “normalized” attack count is not the total attack count collected, it is a calculated number considering the number of attack collection sensors region to region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no single region is overrepresented in the total data analysis.

Sixty percent (60%) of the attacks launched towards Russian systems came from the top 5 source traffic countries. In addition to the U.S., Netherlands, and Russia in the top 3 positions, attacks launched from IP addresses in Germany (in position 4) were uniquely scanning for port 7326. Port 7326 is used by the Swiss Exchange (SWX) and Internet Citizen’s Band (ICB) services. No other region was targeted on that port, or by the German IP addresses launching the attacks. Additionally, attacking IP addresses that drove Italy into position 5 on the top source countries list engaged in SWX/ICB scanning, unique to Russia.

Source countries of cyber-attacks targeting Russian systems, fall of 2019.
Figure 2. Top 20 source traffic countries (on a normalized scale) of attacks targeting systems in Russia, August through October 2019.

Top Attacking Organizations (ASNs)

Attacks targeting Russian systems came from more unique ASNs than in any other region. Attacks from 36% percent of the ASNs on the top 50 attacking ASNs list were uniquely destined for Russian systems. These networks, listed below, accounted for 28% of total attack traffic Russian systems received in the fall of 2019.

ASN Organization ASN # Normalized Attack Count
Charter Communications, Inc 33363 455,179.70
Smart Telecom S.A.R.L 51558 405,925.40
Cambrium IT Services B.V. 25596 372,613.80
Vodafone Kabel Deutschland GmbH 31334 359,061.40
Liberty Global B.V. 6830 250,071.60
MCI Communications d/b/a Verizon 701 243,396.50
Cablevision Systems Corp. 6128 162,131.40
WideOpenWest Finance LLC 12083 160,654.90
Hostmaze Inc Srl-d 39517 150,661.40
EOLO S.p.A. 35612 141,944.60
AT&T Services, Inc. 7018 141,643.00
Tellcom Iletisim Hizmetleri A.s. 34984 121,125.90
Alviva Holding Limited 209272 107,061.40
UAB Host Baltic 209605 105,467.60
Dgn Teknoloji A.s. 43260 105,259.70
1&1 Versatel Deutschland GmbH 8881 88,340.30
ITC NG ltd 202940 82,745.40
OOO Tecom 56679 81,128.90

Four of the networks: 1&1 Versatel Deutschland GmbH, Hostmaze Inc Srl-d, ITC NG ltd and Tellcom Iletisim Hizmetleri A.s., did not have IP addresses on the top 50 attacking IP addresses list, indicating attacks from these networks were diversified across many IP addresses.

Attacks from the OVH SAS network, primarily sourced from France and also Canada, drove OVH SAS to the number 1 position in the top attacking networks list. The OVH SAS network was within the top 5 attacking networks in all regions of the world during this timeframe, with the exception of attacks destined for the Middle East. OVH SAS is a top attacking network globally on a regular basis. The attacks from IP addresses in this network in the fall of 2019 were RFB/VNC credential stuffing attacks targeting systems all over the world and were not unique to Russia.

The Hetzner Online Gmbh network assigned in Germany had a similar attack profile as OVH SAS. This network engaged in global attacks targeting all regions of the world, including Russia.

Attacks coming from Softlayer Technologies networks in the U.S. and Netherlands were also felt all over the world during this period. However, the only IP addresses in this network that showed up on the top 50 attacking IP addresses list were attacks toward Russia. That means attacks generated from Softlayer during this period destined for other regions of the world were conducted at lower counts per IP address, so they didn’t show up on a top attacking IP addresses list. Rounding out the top 5 network sources of attacks against Russia in the fall of 2019 were GTECH and Korea Telecom. Attacks from both of these networks were launched globally and were not unique to Russia.

Top 50 network sources of cyber-attacks towards Russia, fall of 2019.
Figure 3. Source ASNs of attacks targeting systems in Russia, August through October 2019

The following table lists ASNs and their associated organizations (note that some ASNs have multiple ASNs).

ASN Organization ASN Normalized Attack Count
OVH SAS 16276 862,781.1
Hetzner Online GmbH 24940 728,790.3
SoftLayer Technologies Inc. 36351 663,457.8
GTECH S.p.A. 35574 589,894.3
Korea Telecom 4766 534,229.7
RM Engineering 49877 497,338.6
Digital Ocean 14061 456,316.8
Charter Communications 33363 455,179.7
Amazon.com 16509 440,305.9
Smart Telecom S.A.R.L 51558 405,925.4
Cambrium IT Services B.V. 25596 372,613.8
Serverius Holding B.V. 50673 367,331.1
Garanti Bilisim Teknolojisi ve Ticaret T.A.S. 12903 363,010.3
Vodafone Kabel Deutschland GmbH 31334 359,061.4
Eurobet Italia SRL 200944 338,586.5
Selectel 49505 332,049.7
SK Broadband Co Ltd 9318 278,335.9
Donner Oleg Alexeevich 35606 253,659.7
Liberty Global B.V. 6830 250,071.6
MCI Communications DBA Verizon 701 243,396.5
Hostkey B.v. 57043 213,834.6
UGB Hosting OU 206485 192,084.1
China Telecom 4134 177,100.3
IP Volume inc 202425 169,648.1
Cablevision Systems Corp. 6128 162,131.4
WideOpenWest Finance LLC 12083 160,654.9
Hostmaze Inc Srl-d 39517 150,661.4
Rostelecom 12389 149,025.9
EOLO S.p.A. 35612 141,944.6
AT&T Services, Inc. 7018 141,643.0
CNSERVERS LLC 40065 135,055.1
Sprint S.A. 197226 129,031.1
Tellcom Iletisim Hizmetleri A.s. 34984 121,125.9
VNPT Corp 45899 112,996.8
Microsoft Corporation 8075 111,412.4
Servers.com, Inc. 7979 109,655.9
SS-Net 204428 109,239.5
China Unicom 4837 107,517.8
Alviva Holding Limited 209272 107,061.4
UAB Host Baltic 209605 105,467.6
Dgn Teknoloji A.s. 43260 105,259.7
JSC ER-Telecom Holding 39028 102,269.5
NETSEC 45753 101,548.6
Continent 8 LLC 14537 90,635.7
1&1 Versatel Deutschland GmbH 8881 88,340.3
TS-NET of TOSET, Inc. in Japan 55902 88,226.2
ITC NG ltd 202940 82,745.4
OOO Tecom 56679 81,128.9
PT Telekomunikasi Indonesia 7713 79,919.5
PVimpelCom 8402 71,321.4
Table 1. ASNs and their associated organizations (some have multiple ASNs)

ASNs Attacking Russia Compared to Other Regions

We looked at the count of attacks by ASN launching attacks toward systems in Russia and compared that to other regions of the world. The key difference between attack traffic launched from networks targeting Russia versus the rest of the world was the volume of attack traffic launched from the 18 ASNs exclusively targeting systems in Russia (see ASNs denoted with *** in Figure 4). Sixty-four percent (64%) of the total attack volume in Russia came from networks uniquely targeting Russia. Additionally, the exponential increase in attacks systems in the Middle East received from networks that also targeted Russian systems is notable.

Cyber-attacks by network targeting Russian systems versus the rest of the world in the fall of 2019.
Figure 4: Normalized attack count by ASN by region, August through October 2019

Top 50 Attacking IP Addresses

Two of the top three IP addresses attacking Russian systems in the fall of 2019 were not seen targeting systems anywhere else in the world. The following table shows all 29 IP addresses (or 58% of the 50 IP addresses targeting Russian systems list) that were not seen attacking systems in other regions of the world during the fall of 2019. There are more IP addresses on this list from the U.S. than anywhere else in the world. Comparatively, when looking at all top 50 IP addresses attacking all regions of the world, there are more Russian IP addresses than any other country. All of these IP addresses engaged in port scanning, 34% of which specifically targeted the Swiss Exchange service.

POSITION Source IP Normalized Attack Count ASN Organization Country
1 71.46.230.178 438,148.6 Charter Communications, Inc United States
3 217.19.18.4 372,510.5 Cambrium IT Services B.V. Netherlands
9 92.118.37.67 208,530.3 Donner Oleg Alexeevich Romania
12 95.90.230.133 185,584.9 Vodafone Kabel Deutschland GmbH Germany
13 69.14.153.121 160,198.1 WideOpenWest Finance LLC United States
14 74.88.7.125 155,631.9 Cablevision Systems Corp. United States
15 88.147.99.15 141,357.8 EOLO S.p.A. Italy
16 5.153.2.228 139,437.8 SoftLayer Technologies Inc. Netherlands
17 23.115.65.92 136,175.7 AT&T Services, Inc. United States
18 5.153.18.254 134,490.5 SoftLayer Technologies Inc. Netherlands
19 72.69.11.97 134,443.8 MCI Communications d/b/a Verizon United States
20 130.198.67.114 132,925.1 SoftLayer Technologies Inc. United States
21 169.54.190.139 132,527.0 SoftLayer Technologies Inc. United States
23 46.5.229.231 121,165.9 Liberty Global B.V. Germany
27 141.98.11.12 105,461.9 UAB Host Baltic Lithuania
28 185.222.211.54 105,343.8 Alviva Holding Limited United Kingdom
29 37.4.253.50 104,834.9 Vodafone Kabel Deutschland GmbH Germany
32 185.82.220.115 91,456.5 Dgn Teknoloji A.s. Turkey
34 72.69.223.115 89,193.0 MCI Communications d/b/a Verizon United States
35 5.178.83.125 82,488.1 Selectel Russia
36 213.33.244.218 81,127.8 OOO Tecom Russia
38 213.170.88.82 78,858.4 Quantum CJSC Russia
39 189.125.110.234 75,498.9 Level 3 Parent, LLC Brazil
40 109.226.179.245 69,210.3 TELTA Citynetz GmbH Germany
41 134.209.52.246 68,745.7 Digital Ocean United States
42 185.254.122.21 55,132.2 UGB Hosting OU Russia
43 80.179.140.36 52,842.2 Partner Communications Ltd. Israel
44 185.254.122.8 51,893.8 UGB Hosting OU Russia
50 14.29.179.99 49,220.5 China Telecom (Group) China

Similar to the U.S., IP addresses assigned within the country were uniquely targeting systems in Russia versus launching global attacks. 63% of the Russian-assigned IP addresses attacking systems inside Russia were uniquely targeting Russian systems. The other 37% were all from one network, Hostkey B.V, which participated in a global attack campaign targeting RFB/VNC port 5900 with credential stuffing attacks.1

For a complete list of attacks by IP address, see section Attacks Types of Top Attacking IP Addresses below.

Top 50 IP addresses attacking Russian systems in the fall of 2019 by count.
Figure 5. Top 50 IP addresses attacking Russian targets, August through October 2019.

IP Addresses Attacking Russia Compared to Other Regions

We compared the volume of attack traffic systems in Russia received per IP address to other regions of the world and there was a clear difference. As mentioned in the previous section, 54% of the IP addresses on Russia’s top 50 attacking IP addresses list (see IP addresses denoted with *** in Figure 6) exclusively targeted Russian systems, a pattern that stands out visually when comparing the attack counts Russia received to attacks received by the rest of the world.

Top 50 IP addresses launching cyberattacks towards Russia, by IP, by region, in the fall of 2019.
Figure 6: Normalized attack count by IP by region, August through October 2019

Attacks Types of Top Attacking IP Addresses

Fifty-eight (58%) percent of the IP addresses seen sending malicious traffic to Russia exclusively targeted this region in the fall of 2019. Expectedly, abusive port scanning looking for vulnerabilities occured with each IP address. Outside of multi-port reconnaissance scanning, attackers were looking for the following open services on Russian systems:

  • RFB/VNC port 5900
  • Microsoft SMB port 445
  • Swiss Exchange service port 7326
  • HTTP/S ports 80, 443, 8080
  • SSH port 22, 2222
  • Telnet port 23
  • SMTP port 25
  • MS SQL port 1433

After scanning for these open services, attackers conducted credential stuffing attacks on RFB/VNC port 5900, SSH port 22, and Telnet port 23 (common with IoT bot building). The port 5900 attacks were new activity we noticed earlier in the summer, and they continued through October 31, 2019. We have opened up a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be looking to share our findings and ask questions soon. Join the conversation on Twitter.

The following table is in descending order of attack count, starting with top attacking IP addresses; it includes the attack types each IP address launched.

Source IP address Normalized Attack Count Attack Type ASN Organization Country
71.46.230.178 438,148.6 Port Scanning: SWX / ICB port 7326 Charter Communications United States
193.233.63.46 372,510.5 Port Scanning: 59 unique ports Smart Telecom S.A.R.L Argentina
217.19.18.4 208,530.3 Port Scanning: SWX / ICB port 7326 Cambrium IT Services B.V. Netherlands
148.251.20.137 185,584.9 Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 Hetzner Online GmbH Germany
148.251.20.134 160,198.1 Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 Hetzner Online GmbH Germany
185.153.198.197 155,631.9 Port Scanning: 29 unique ports
Credential Stuffing: RFB/VNC port 5900
RM Engineering Moldova
46.105.144.48 141,357.8 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS France
5.39.108.50 139,437.8 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS France
92.118.37.67 136,175.7 Port Scanning: 65506 unique ports Donner Oleg Alexeevich Romania
185.153.197.251 134,490.5 Port Scanning: 36 unique ports
Credential Stuffing: RFB/VNC port 5900
RM Engineering Moldova
5.39.39.49 134,443.8 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS France
95.90.230.133 132,925.1 Port Scanning: SWX / ICB port 7326 Vodafone Kabel Deutschland GmbH Germany
69.14.153.121 132,527.0 Port Scanning: SWX / ICB port 7326 WideOpenWest Finance LLC United States
74.88.7.125 121,165.9 Port Scanning: SWX / ICB port 7326 Cablevision Systems Corp. United States
88.147.99.15 105,461.9 Port Scanning: SWX / ICB port 7326 EOLO S.p.A. Italy
5.153.2.228 105,343.8 Port Scanning: 66 unique ports SoftLayer Technologies Netherlands
23.115.65.92 104,834.9 Port Scanning: Signet CTF port 2733 AT&T Services United States
5.153.18.254 91,456.5 Port Scanning: 66 unique ports SoftLayer Technologies Netherlands
72.69.11.97 89,193.0 Port Scanning: SWX / ICB port 7326 MCI Communications d/b/a Verizon United States
130.198.67.114 82,488.1 Port Scanning: 64 unique ports SoftLayer Technologies United States
169.54.190.139 81,127.8 Port Scanning: 64 unique ports SoftLayer Technologies United States
192.250.197.246 78,858.4 Port Scanning: 20 unique ports
Credential Stuffing: SSH port 22
CNSERVERS LLC United States
46.5.229.231 75,498.9 Port Scanning: SWX / ICB port 7326 Liberty Global B.V. Germany
218.237.65.80 69,210.3 Port Scanning: SSH port 22, HTTPS port 443, 53, 80 SK Broadband Co Ltd South Korea
212.80.217.139 68,745.7 Port Scanning: 6 unique ports
Credential Stuffing: RFB/VNC port 5900
Serverius Holding B.V. Netherlands
185.40.13.3 55,132.2 Port Scanning: 51 unique ports GTECH S.p.A. Italy
141.98.11.12 52,842.2 Port Scanning: 35159 unique ports UAB Host Baltic Lithuania
185.222.211.54 51,893.8 Port Scanning: 30054 unique ports Alviva Holding Limited United Kingdom
37.4.253.50 49,220.5 Port Scanning: SWX / ICB port 7326 Vodafone Kabel Deutschland GmbH Germany
211.44.226.158 438,148.6 Port Scanning: 48 unique ports SK Broadband Co Ltd South Korea
112.175.124.2 372,510.5 Port Scanning: 61 unique ports Korea Telecom South Korea
185.82.220.115 208,530.3 Port Scanning: MS SMB port 445, HTTP port 80, MS SQL port 1433, HTTP port 8080, port 7001
HTTP Attacks: Alt-HTTP port 8080
Dgn Teknoloji A.s. Turkey
112.175.127.189 185,584.9 Port Scanning: 48 unique ports Korea Telecom South Korea
72.69.223.115 160,198.1 Unknown MCI Communications d/b/a Verizon United States
5.178.83.125 155,631.9 Port Scanning: 23515 unique ports Selectel Russia
213.33.244.218 141,357.8 Port Scanning: port 7001, MS SQL port 1433, HTTP port 80, MS RDP port 445
HTTP Attacks: Alt-HTTP port 8080
Malware Uploads: MS SMB port 445
OOO Tecom Russia
198.245.60.31 139,437.8 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
OVH SAS Canada
213.170.88.82 136,175.7 Port Scanning: MS SMB port 445, port 7001, MS SQL port 1433 Quantum CJSC Russia
189.125.110.234 134,490.5 Port Scanning: SSH port 22, Telnet port 23, Alt-SSH port 2222
Credential Stuffing: Telnet port 23
Level 3 Parent Brazil
109.226.179.245 134,443.8 Port Scanning: SWX / ICB port 7326 TELTA Citynetz GmbH Germany
134.209.52.246 132,925.1 Port Scanning: RFB/VNC port 5900 Digital Ocean United States
185.254.122.21 132,527.0 Port Scanning: 17887 unique ports UGB Hosting OU Russia
80.179.140.36 121,165.9 Port Scanning: port 7001, MS SQL port 1433, MS SMB port 445 Partner Communications Ltd. Israel
185.254.122.8 105,461.9 Port Scanning: 20289 unique ports UGB Hosting OU Russia
185.156.177.44 105,343.8 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Hostkey B.v. Russia
185.153.196.159 104,834.9 Port Scanning: 23 unique ports
Credential Stuffing: RFB/VNC port 5900
RM Engineering Moldova
193.188.22.114 91,456.5 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900, SSH port 22
Hostkey B.v. Russia
185.156.177.11 89,193.0 Port Scanning: RFB/VNC port 5900
Credential Stuffing: RFB/VNC port 5900
Hostkey B.v. Russia
194.187.175.68 82,488.1 Port Scanning: 45 unique ports GTECH S.p.A. Italy
14.29.179.99 81,127.8 Port Scanning: SMTP port 25 China Telecom (Group) China

Top Targeted Ports

SMB port 445 was the number one attacked port in Russia (consistent with global attack activity since the Eternal Blue exploit was released in April 2017). In a close second was the Swiss Exchange port 7326, which is very interesting, given the potential financial implications and the fact that this was not a top attacked port anywhere else in the world during this time period. (Other ports attacked on Russia systems during this time period that were not attacked in other regions include Signet CTF port 2733 and port 21455.)

SSH port 22 in the third position was another top attacked port globally because vendor default credentials used to remotely administer applications over SSH are known to attackers. For a list of top attacked SSH credentials, see this F5 Labs article about the top attacked credentials. SMB port 445 and SSH port 22 are commonly targeted because exploiting a vulnerability on either port (especially SMB port 445 when using the Eternal Blue exploit) can give a malicious actor access to the entire system.

RFB / VNC port 5900 scanning and credential stuffing, which were conducted against systems all over the world, is not typical, hence the investigative threat hunting we are doing on Twitter. The remaining top targeted ports—all web application, access, and email ports—clearly indicate attackers went after applications and access to applications in Russia (as they did all across the world).

Top 20 attacked ports and services in Russia during the fall of 2019.
Figure 7. Top 20 ports attacked in Russia, August through October 2019

Conclusion

In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, this is a realistic position backed up by the volume of attack traffic all systems touching the Internet receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare against the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic, or help you determine whether or not you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.

Locking down any of the top targeted ports that do not absolutely require unfettered Internet access should be completed as soon as possible. And because default vendor credentials are known by attackers, all systems should be hardened before being deployed and protected with multi-factor authentication.

Additionally, the volume of breached credentials in 2017 was so large that usernames and passwords should be considered “public,” therefore all organizations should have credential stuffing protection in place. Particularly for any system with remote authentication. See F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.

Security Controls

To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:

Technical
Preventative
  • Use firewalls to restrict unnecessary access to commonly attacked and publicly exposed ports.
  • Use a web application firewall to protect against common web application attacks.
  • Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH).
  • Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
  • For remote administration, migrate from Telnet to SSH and implement brute force restrictions.
  • Disable vendor default credentials on all systems.
  • Implement multi-factor authentication on all remote administrative access and any web login.
  • Implement geo IP address blocking of commonly attacking countries that your organization does not need to communicate with.
Administrative
Preventative
  • Enforce system hardening and test all systems for the existence of vendor default credentials (commonly used in SSH brute force attacks).
  • Conduct security awareness training to ensure employees know how systems and data are targeted, and specifically how they are targeted with phishing attacks that can lead to credential theft, malware, and breaches.

Need-to-Know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.