F5 Labs, in collaboration with Effluxio, researches global attack traffic to gain a better understanding of the cyberthreat landscape. In this installment of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting Latin America from January 1 through March 31, 2021. Cyberattacks happen in many forms, but they usually start with a scan. This report presents an analysis of network logs and does not necessarily indicate malicious intent from a source country or organization. We last looked at cyberattacks on Latin America in our Regional Threat Perspectives, Fall 2019: Latin America.
Highlights
- The United States was the top source country for cyberattacks against Latin America.
- Port 5900, commonly used by VNC for remote desktop sharing and control, was scanned the most.
- Internet hosting provider Serverius Holding B.v. (AS50673) led the attack chart with over 47 million requests.
- Attacks on PHP and WordPress were the most commonly seen, but many other vulnerabilities were also detected.
Attack Traffic Details
Analysis of the traffic yielded significant insights into the source and intended services that malicious actors wanted to abuse. This section covers the top categories, including traffic source countries, organizations, services, and IP addresses.
Top Source Traffic Countries
Analyzing the geographical sources of the IP addresses, malicious requests came from the following countries, in order: the United States, Lithuania, China, Russia, Germany, France, Brazil, the Netherlands, Argentina, and the UK (see Figure 1).
Top Source Organizations (ASNs)
Serverius Holding B.v. (AS50673) from the Netherlands leads the chart with 47 million requests, followed by DigitalOcean (AS14061) from the United States. Both ASNs regularly appear among the top sources of cyberattack probes. Table 1 lists the ASN details.
| ASN | Organization | Country | Count |
|---|---|---|---|
| 50673 | Serverius Holding | Netherlands | 47,114,536 |
| 14061 | DigitalOcean | United States | 19,865,915 |
| 6428 | CDM | United States | 9,604,067 |
| 51167 | Contabo | Germany | 8,620,798 |
| 16276 | OVH Groupe SAS | France | 6,093,048 |
| 45090 | Shenzhen Tencent Computer Systems | China | 5,589,476 |
| 4134 | APNIC Addresses | China | 5,477,241 |
| 42632 | MnogoByte | Russia | 5,383,837 |
| 16814 | Unclassified LACNIC Addresses | Latin America and Caribbean | 4,025,128 |
| 197226 | Sprint S.A. | Poland | 3,651,560 |
| 4837 | China169 Backbone | China | 3,329,687 |
| 52368 | ZAM LTDA. | Colombia | 2,420,949 |
| 12876 | Online S.A.S. | France | 2,382,936 |
| 202425 | IP Volume Inc | Seychelles | 1,466,630 |
| 4766 | Korea Telecom | Korea | 1,358,407 |
| 57043 | Hostkey B.v. | Netherlands | 1,261,167 |
| 13886 | Cloud South | United States | 1,205,006 |
| 8075 | Microsoft | United States | 956,623 |
| 52228 | Cable Tica | Costa Rica | 948,707 |
| 209 | CenturyLink | United States | 939,402 |
Top Targeted Services and Ports
Threat actors scanned a wide range of ports, but port 5900 (used by VNC for remote desktop sharing and control) had the highest number of hits at more than 108 million. The most targeted ports by volume were VNC port 5900, SSH port 22, and Telnet port 23, indicating threat actors’ attempts to gain remote access to servers. Figure 2 lists details of the top 10 ports scanned and their associated services.
Web Attacks
Effluxio sensors have more detailed web attack data available for the first two months of 2021 for Argentina, Brazil, Chile, Colombia, and Panama. Analysis of the web port targeting shows port 80 was still heavily favored over port 443. Chilean IP addresses saw the most scanning (23,955 probes between January and February 2021), with Brazil a close second (23,459 web probes). Figure 3 shows the breakdown by country.
HTTP Methods in Web Cyberattacks
Looking at the HTTP methods used in scanning, GET is, as expected, the most common method for web probing, with 40,505 hits in this data set. HTTP POST came in second at 24,628, followed by HEAD probes at 1,608. Figure 4 shows the breakdown.
Top Web Cyberattackers
Web attacks originated from the following countries during the first two months of 2021: China (23,583), Germany (10,847), and the United States (10,019). Figure 5 shows the entire top 10.
Specific Targeted Web URLs
One of the most crucial questions for defenders is knowing as much as possible about the vulnerabilities and technologies that cyberattacks are targeting. After excluding basic web root probes (14,246 hits), Table 2 lists the top web URLs that attackers scanned, along with the vulnerability each most likely targets.
| URL Scanned | Likely Vulnerability | Hits |
|---|---|---|
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | CVE-2017-9841 PHPUnit RCE | 1940 |
| /wp-content/plugins/wp-file-manager/readme.txt | CVE-2020-25213 wp-file-manager plugin RCE | 951 |
| /api/jsonws/invoke | JSON Web Services Invoker | 927 |
| /?XDEBUG_SESSION_START=phpstorm | PHP Xdebug extension source scan | 921 |
| /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 | CVE-2018-20062 ThinkPHP5 RCE | 920 |
| /console/ | Web console probe | 917 |
| /Autodiscover/Autodiscover.xml | Microsoft Exchange (normal) | 909 |
| /manager/html | Apache Tomcat probe | 874 |
| /login | Login probe | 851 |
| /.env | Unsecured ENV file scan | 737 |
| /config/getuser?index=0 | CVE-2020-25078 D-Link remote admin password | 671 |
| /jenkins/login | Jenkins probe | 641 |
| /boaform/admin/formLogin | Netlink GPON Router 1.0.11 RCE | 565 |
| /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> | ThinkCMF Fetch vulnerability | 496 |
| /solr/admin/info/system?wt=json | Solr admin page probe | 467 |
| /mifs/.;/services/LogService | CVE-2020-15505 MobileIron Core RCE | 455 |
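As an added example (not F5 Labs' or Effluxio's code), the following Python detector runs a subset of the URL signatures from Table 2 over web server access-log lines in combined log format, so a defender can see which of these probes are reaching their own hosts and which source addresses are noisiest. The signature-to-label mapping and the sample log lines are constructed here; the source addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter
# Request-path signatures taken from Table 2 of the report (prefix -> label).
PATH_SIGS = {
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": "CVE-2017-9841 PHPUnit RCE",
    "/wp-content/plugins/wp-file-manager/readme.txt": "CVE-2020-25213 wp-file-manager RCE",
    "/.env": "Unsecured ENV file scan",
    "/config/getuser": "CVE-2020-25078 D-Link admin password",
    "/mifs/.;/services/LogService": "CVE-2020-15505 MobileIron Core RCE",
}
# Query-string markers for probes that hit a generic path such as / or /index.php.
QUERY_SIGS = {
    "XDEBUG_SESSION_START=": "PHP Xdebug source scan",
    "invokefunction": "CVE-2018-20062 ThinkPHP5 RCE",
    "a=fetch&content=": "ThinkCMF fetch probe",
}
# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')

def classify(line):
    """Return (src_ip, method, label) when the request matches a known probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target = m.groups()
    path, _, query = target.partition("?")
    for prefix, label in PATH_SIGS.items():
        if path.startswith(prefix):
            return ip, method, label
    for marker, label in QUERY_SIGS.items():
        if marker in query:
            return ip, method, label
    return None

def summarize(lines):
    """Tally recognised probes by label and by source IP, for alerting or blocking."""
    by_label, by_ip = Counter(), Counter()
    for ip, _method, label in filter(None, map(classify, lines)):
        by_label[label] += 1
        by_ip[ip] += 1
    return by_label, by_ip

# Constructed sample access-log lines (RFC 5737 documentation addresses, not real sources).
SAMPLE = [
    '192.0.2.10 - - [15/Feb/2021:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196',
    '192.0.2.10 - - [15/Feb/2021:10:01:03 +0000] "GET /.env HTTP/1.1" 404 196',
    '198.51.100.7 - - [15/Feb/2021:10:02:00 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Feb/2021:10:02:01 +0000] "POST /index.php?s=/Index/\\think\\app/invokefunction HTTP/1.1" 500 0',
    '203.0.113.5 - - [15/Feb/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Running `summarize(SAMPLE)` returns one hit each for the PHPUnit, .env, Xdebug and ThinkPHP signatures and two hits apiece for the two probing addresses; the benign /index.html request is not counted.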
Conclusion
Threat actors are consistently scanning the Internet seeking vulnerabilities and open services. In this data set for the beginning of 2021, we saw significant traffic trying to exploit remote access and known web vulnerabilities. Modern enterprises need to ensure that they have up-to-date visibility into exposed services, strong authentication, and an efficient and effective patching policy.
Recommendations
To mitigate the types of attacks discussed here, we recommend putting in place the following security controls:
- Prioritize hardening and patching for exposed ports that are commonly attacked like HTTP, VNC, and SSH.
- Use strong authentication for remote administrative ports such as VNC and SSH.
- Use firewalls to restrict all unnecessary access to commonly attacked ports that must be exposed publicly.
- Disable weak and unused protocols such as Telnet.
- Keep up to date on patches for web apps and infrastructure.
- Configure network access controls to allow access to administrative ports only from officially designated IP address ranges.