Top Risks

Cyber Threats Targeting Middle East, Winter 2019

Attackers used two top ASNs to broadly distribute IP addresses in an attempt to camouflage attack traffic targeting Middle Eastern systems.
March 11, 2020
13 min. read

F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensor and tracking system is constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in the Middle East during the winter of 2019 was characterized by:

  • Attackers used the top two attacking ASN organizations to distribute traffic over many IP addresses. As a result, none appeared in the top 50 attacking IP addresses that targeted Middle Eastern systems.
  • Fifty-four percent of the top 50 attacking IP addresses during this time period uniquely targeted this region alone.
  • As noted in our article Cyber Threats Targeting Asia, Winter 2019, credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, continued during this time period. They were launched through networks in Russia, France, and Moldova, and attacks were felt around the world. Notably in the Middle East, many of these attacks also came from IP addresses assigned in Italy.
  • The top two attacked ports in the Middle Eastern threat landscape, SMB port 445 and SSH port 22, remained popular with attackers, as a successful exploit on either port can provide full remote access to a system.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”

Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries were seen attacking all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.

Figure 1. Top source traffic countries of global attack traffic, October 1, 2019–December 31, 2019

When zooming in on the Middle East, one of the most notable findings is the large amount of traffic coming from IP addresses assigned in China, along with a significant amount of traffic coming from other Asian countries. Notably, none of the top 10 attacking source traffic countries falls within the Middle East. This may be attributed to a high usage of VPNs in the area, given the Internet restrictions many countries in this region have in place.

When looking at the top 50 IP addresses targeting the Middle East, we also note that the top attacking IP address and one other IP address are geographically located in Italy. Twelve of the top 50 IP addresses targeting systems in the Middle East were geographically located in Russia. This distributed attack style is deliberate and takes more resources (systems and human effort) to carry out, and therefore is often attributed to more sophisticated threat actors.

Vietnam and China are the only top source traffic countries on the list targeting systems in the Middle East that did not also appear to be targeting systems globally. Notably, these attacks concentrated on specific IP addresses, with one IP address representing the traffic attributed to IP addresses sourced in Vietnam, and six IP addresses making up the attack traffic geographically located in China, five specifically in Hong Kong. The other countries in the top 10 were all seen attacking all regions of the world.

Figure 2. Top source traffic countries of attacks destined for Middle Eastern systems, October 1, 2019–December 31, 2019

Top Attacking Organizations (ASNs)

Eurobet Italia SRL was the number one attacking ASN during the winter of 2019 and accounted for a large portion of the attacks launched toward systems in the Middle East from October 1, 2019, through December 31, 2019. Notably, however, none of the IP addresses in the top 50 attacking IP addresses list were assigned to Eurobet Italia SRL. Similarly, attacks from Garanti Bilisim Teknolojisi, in third position, did not appear in the top attacking IP address list. This indicates that attacks from these ASNs were distributed over many IP addresses, apportioning the workload and resources. This could have been done to make the traffic appear to look more like regular traffic. Conversely, GTECH S.p.A., in second position, is the hosting ASN for the only two Italian IP addresses launching port scanning and credential stuffing attacks on RFB/VNC port 5900 toward Middle Eastern systems. This was a large portion of the traffic.

Notably different from Asia and the rest of the world’s threat landscape during the winter of 2019, OVH SAS did not appear as a top attacking ASN for the Middle East. This is an ASN that we’ve seen attacking different regions of the world for years. We also noticed a lot of attack traffic coming from Hostkey B.v., which was seen attacking all regions of the world. The traffic seen from Hostkey B.v. was conducting multiport scanning and targeted SMB port 445 attacks. These IP addresses were primarily hosted in Russia. The attacks coming from RM Engineering targeted RFB/VNC port 5900 with credential stuffing attacks and were received by systems all over the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB began. RM Engineering was in fourth position for attacking Middle Eastern systems during this time period.

Figure 3. Source ASNs of attacks targeting Middle Eastern systems, October 1, 2019–December 31, 2019

Top Attacking IP Addresses

Out of the top IP addresses attacking Middle Eastern systems, 54% only targeted systems in the region. Though we saw a large amount of malicious SMB port 445 activity, we also saw a large amount of RFB/VNC port 5900 attack traffic, which accounts for the top attacking IP address traffic. In the Middle East, we saw a more linear trend along how much attack activity could be attributed to the top attacking IP addresses, compared to other regions we looked at, where one or a few IP addresses really dominated the threat landscape.

Figure 4. Top 25 IP addresses attacking Middle Eastern targets, October 1, 2019–December 31, 2019

Attack Types of Top Attacking IP Addresses

Many of the IP addresses attacking Middle Eastern systems during the winter of 2019 were involved in abusive port scanning activity. As noted in the Top Targeted Ports section, Microsoft SMB port 445 was the most targeted port, and that was seen across all of the top attacking IP addresses. In the Middle Eastern threat landscape, we’re also seeing many specific ports targeted, notably database ports, including port 3389. We’ve continued to observe high levels of attack traffic pointed toward RFB/VNC port 5900. As our sensor stack has evolved, we’re noticing more IP addresses targeting SMB port 445 at higher rates.

Source IP Address Attack Type ASN Source Country Normalized Attack Count
185.40.13.3 Port Scanning: RFB/VNC port 5900 & 5901 GTECH S.p.A. Italy 401,555
185.153.197.251 Port Scanning: 6 unique ports RM Engineering Moldova 397,142
185.153.196.159 Credential Stuffing: RFB/VNC port 5900 RM Engineering Moldova 387,420
148.251.20.137 Port Scanning: HTTPS port 443, HTTP port 80, SSH port 22, SMTP port 25 Hetzner Online GmbH Germany 367,606
148.251.20.134 Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 Hetzner Online GmbH Germany 367,032
185.153.198.197 Credential Stuffing: RFB/VNC port 5900 RM Engineering Moldova 344,447
212.80.217.139 Port Scanning: 48 unique ports Serverius Holding B.V. Netherlands 322,156
193.188.22.114 Port Scanning: SMB port 445, MS SQL port 1433 Hostkey B.v. Russia 313,001
185.156.177.11 Port Scanning: RFB/VNC port 5900 Hostkey B.v. Russia 306,023
185.156.177.44 Port Scanning: Radan HTTP port 8088, Alt SSH Port 2222, MS RDP Port MS RDP port 3389, Telnet Port 23 Hostkey B.v. Russia 305,233
81.22.45.215 Port Scanning: 28188 unique ports Selectel Russia 243,746
185.89.239.149 Port Scanning: 6 unique ports Melita Limited Malta 210,385
212.123.218.109 Port Scanning: MS SQL port 1433, SMB port 445 COLT Technology Services Netherlands 209,363
185.89.239.148 Port Scanning: 51 unique ports Melita Limited Malta 209,135
112.175.124.2 Port Scanning: 61 unique ports Korea Telecom South Korea 181,110
31.167.41.100 Port Scanning: SSH port 22, Credential Stuffing: SSH port 22 Bayanat Al-Oula / Net Srvcs Saudi Arabia 180,775
211.44.226.158 Port Scanning: SMB port 445, MS SQL port 1433 SK Broadband Co Ltd. South Korea 178,798
78.93.113.178 Port Scanning: 6386, 6385 Arabian Internet & Comms Saudi Arabia 178,521
178.19.108.178 Port Scanning: MS SMB port 445, MS SQL port 1433
Malware Uploads: SMB port 445
Livenet Sp. z o.o. Poland 172,493
194.187.175.68 Port Scanning: MS SQL port 1433, SMB port 445 GTECH S.p.A. Italy 171,089
93.189.249.109 Port Scanning: Alt HTTP port 8080, Credential Stuffing: Telnet port 23 Teleline Ltd. Russia 159,635
93.189.222.80 Port Scanning: Alt HTTP port 8080, HTTP Attacks: Alt-HTTP port 8080
Credential Stuffing: Telnet port 23
DIANET Ltd. Russia 158,916
93.189.144.135 Port Scanning: 33398 unique ports IMAQLIQ SERVICE Ltd Russia 158,027
52.128.227.251 Port Scanning: MS SQL port 1433, SMB port 445 NETSEC Hong Kong 153,608
52.128.227.254 Port Scanning: HTTPS port 443, DNS port 53, HTTP port 80, SSH port 22 NETSEC Hong Kong 153,457

Table 1. Top attacking IP addresses and their attack types targeting Middle Eastern systems, October 1 2019–December 31, 2019

Top Targeted Ports

SMB port 445 was the number one attacked port in the Middle East during the winter of 2019. In a distant second place was SSH port 22. When we look back at the Regional Threat Perspectives, Fall 2019: Middle East, the volume of SMB traffic is significantly lower. This can be attributed to constantly updating and evolving our sensor stack—typically we expect SMB port 445 to be a top targeted port. Both of these ports are commonly targeted, as exploiting a vulnerability on either port can give a malicious actor access to the entire system. Notably, both of these ports were the top attacked ports during fall 2019 as well, showing the trend continuing into the winter months.

HTTP port 80 and HTTPS port 443 follow SSH and SMB as the third and fourth most attacked ports, respectively. The fifth most attacked port, RFB/VNC 5900, was attacked around the world during this time period, and we are continuing to investigate the global campaign in the IPv4 space on this port.

In addition to some of the most commonly targeted ports, the targeting of nonstandard HTTP ports (8443 and 8080) and other application ports, like Microsoft SMB port 445 and Microsoft CRM port 5555, makes it clear that attackers are targeting applications in the Middle East.

Also noteworthy is the apparent attempt to compromise IoT systems in the Middle East by targeting ports 7547 and 8291, both of which are used only by SOHO routers and are commonly attacked by IoT botnets (thingbots). We called out these ports in our 2017 report The Hunt for IoT: The Rise of Thingbots. The Middle East is one of two regions where these two ports appear in the top attacked ports—the other region where we saw this activity is Latin America. This further illustrates that vulnerable devices, no matter where they are in the world, will be targeted. Attackers do not see geographic boundaries as deterrents.

Figure 5. Top 20 ports attacked in the Middle East, October 1, 2019–December 31, 2019

Conclusion

In general, the best approach a security team can take as defenders in this modern threat landscape is to “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position, it is a realistic one backed up by the volume of attack traffic all Internet-connected systems receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you collect attack traffic and monitor your logs. You can compare this high-level attack data to the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic and also help you determine whether you are being targeted, in which case, investigating the attack sources and patterns is a worthwhile activity.

Any of the top targeted ports that do not absolutely require unfettered Internet access should be locked down as soon as possible. And because attackers know default vendor credentials, all systems should be hardened before being deployed and protected with multifactor authentication.

Additionally, the volume of credentials that were breached in 2017 was so large that usernames and passwords should be considered “public.” Therefore, all organizations should have credential stuffing protection in place—particularly for any system that allows remote authentication. See the F5 Labs report Lessons Learned from a Decade of Data Breaches for more on these breached passwords.

Security Controls

To mitigate the types of attacks discussed here, we recommend putting in place the following security controls

Technical
Preventative
  • Use firewalls to restrict unnecessary access to commonly attacked and publicly exposed ports.
  • Use a web application firewall to protect against common web application attacks.
  • Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH).
  • Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
  • For remote administration, migrate from Telnet to SSH and implement brute force restrictions.
  • Disable vendor default credentials on all systems.
  • Implement multifactor authentication for all remote administrative access and any web login.
  • Implement geographic IP address blocking of commonly attacking countries that your organization does not need to communicate with.
Administrative
Preventative
  • Enforce system hardening and test all systems for the existence of vendor default credentials (commonly used in SSH brute force attacks).
  • Conduct security awareness training to ensure employees know how systems and data are targeted, and specifically how they are targeted with phishing attacks that can lead to credential theft, malware, and breaches.
Authors & Contributors
Sara Boddy (Author)

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read