
Cyberattacks Targeting South Africa, January through June 2021

South Africa’s cyberattack landscape saw targeting of Scryba, PHP, and CVE-2017-9841 web vulnerabilities.
September 10, 2021

F5 Labs was honored to host two Howard University undergraduate students, Malaya Moon and Akosua Wordie, as part of a Summer Security Practicum program. These two students assisted F5 Labs staff with analyzing and classifying web sensor data, and they dived deep into attacks against South Africa from the first part of 2021. By doing so, Moon and Wordie learned about web application attacks, global scanning trends, and data analysis using Python, R, and other tools. What follows is the report on their findings. Wordie and Moon chose to focus on South Africa because they were interested in how attack traffic differs between regions, especially when it came to the Europe, Middle East, Africa (EMEA) region, and specifically South Africa.

Cyberattack Highlights from South Africa

F5 Labs, in collaboration with Effluxio, researches global attack traffic to gain a better understanding of the cyberthreat landscape. In this regional threat analysis, F5 Labs researchers broke down the data collected by sensors on attacks targeting South Africa from January 1 through June 30, 2021.

Cyberattacks happen in many forms, but they usually start with a scan. This report presents an analysis of logs of web requests sent to unadvertised web-baiting sensors. An attack's originating source address does not necessarily indicate malicious intent from a source country or organization. The source address may be a compromised system at that location being used as a proxy by an unknown attacker in another location. F5 Labs noted the following about cyberattacks against South Africa:

  • The United States was the top source country for cyberattacks against users in South Africa, followed closely by China.
  • Internet hosting provider Serverius Holding B.v. (AS50673) was the source of the most attacks seen per ISP, with over 3,000 requests.
  • Scans for PHP vulnerabilities were the most frequent, but many other scans for vulnerabilities were also detected.

Attack Traffic Details

Analysis of the traffic yielded significant insights into the source and intended services that malicious actors wanted to abuse. This section covers the top categories, including traffic source countries, organizations, services, and IP addresses.

Top Source Traffic Countries

Based on the geographical sources of the IP addresses, malicious requests came from the following countries, in order: the United States, China, Germany, Estonia, Russia, the U.K., Singapore, France, South Africa, and the Netherlands (see Figure 1).

Figure 1. Top 10 source countries for attack traffic targeting South Africa, January through June 2021.

Top Source Organizations (ASNs)

Serverius Holding B.v. (AS50673) from the Netherlands leads the chart with 3,337 requests, followed by Telia (AS3249) from Estonia. Both commonly appear among the top ASNs seen in cyberattack probes. Table 1 lists the ASN details.
 

Organization                        ASN     Country         Count
Serverius Holding                   50673   Netherlands     3,337
Telia                               3249    Estonia         2,118
OVH Groupe SAS                      16276   France          2,019
DigitalOcean                        14061   United States   1,753
Baidu Netcom Science & Technology   38365   China           1,014
BGP Network Limited                 64050   Malaysia        1,007
LLC Baxet                           49392   Russia          998
DXTL Tseung Kwan O Service          134548  China           995
Shanghai Blue Cloud Technology      58593   China           993
Forcepoint                          13448   United States   928
Microsoft                           8075    United States   672
T-Mobile Deutsche Telekom Network   5588    Czech Republic  551
Shenzhen Tencent Computer Systems   45090   China           481
Zenlayer                            21859   United States   410
Linode                              63949   United States   346
China169 Backbone                   4837    China           319
Frantech Solutions                  53667   United States   283
Petersburg Internet Network         34665   Russia          251
APNIC addresses                     4134    China           240
Meerfarbig GmbH                     34549   Germany         235
Table 1. Details of the top 10 ASNs targeting South Africa, January through June 2021.

Web Attacks

The sensor data analyzed was solely for traffic sent to ports 80 and 443, with the sensor recording the source IP address, source ASN, HTTP method, requested URI, and any headers submitted with the request.

HTTP Methods in Web Cyberattacks

Looking at the HTTP methods used in scanning, GET is expected to be the most common for web probing, and it accounted for 55,471 hits in this data set. HTTP POSTs came in second at 19,149, and all other methods totaled 1,354, as shown in Figure 2.

Figure 2. HTTP methods scanned for South Africa, January to June 2021.

Specific Targeted Web URLs

One of the most crucial questions for defenders is knowing as much as possible about the vulnerabilities and technologies cyberattacks are targeting. Eliminating basic web root probes, which accounted for 17,298 requests, Table 2 shows the top web URLs that attackers scanned, with likely targeted vulnerabilities.
 

URL Scanned                                                      Likely Vulnerability                                        Hits
PHP files (/test.php, /shell.php, /cmd.php, /login.php)          No specifics, mainly looking for login pages or web shells  38,078
/scryba/file.php|file=fsociety.xml and similar                   Citadel|Atmos|ZeuS traffic                                  15,340
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and similar  CVE-2017-9841                                               2,426
/stalker_portal/c and similar                                    IPTV scanning                                               170
Table 2. Top web URLs attackers scanned, with vulnerabilities.

PHP was present both in the top category and in the third-most-scanned target, CVE-2017-9841. This vulnerability is a remote code execution weakness that allows an attacker to read and write data as the web server processes it.

The requests naming Scryba, a secure URL shortening API, appeared to be related to the functioning of the Citadel or Atmos variants of the ZeuS banking trojan. The requests seemed to be for an XML configuration file that is fetched by an infected machine to get command-and-control instructions.[1]

Lastly, the /stalker_portal/ scans point to attempts to find open Ministra TV Internet Protocol television (IPTV) APIs. Ministra TV, also known as Stalker Portal, is a middleware platform that allows for multimedia streaming. Cited IP addresses for this vulnerability came from the United States and the United Kingdom.
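
The following is an added example, not code from F5 Labs or from the original report: a small Python classifier a defender could run over their own access logs to bucket requests into the Table 2 categories and count HTTP methods. The regexes, bucket labels, and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Buckets follow Table 2 of the report; the regexes and labels are this
# example's assumptions. Order matters: specific rules precede the PHP catch-all.
RULES = [
    ("cve-2017-9841", re.compile(r"/phpunit/.*eval-stdin\.php$", re.I)),
    ("scryba-zeus", re.compile(r"^/scryba/", re.I)),
    ("stalker-iptv", re.compile(r"^/stalker_portal/", re.I)),
    ("php-probe", re.compile(r"\.php$", re.I)),
]

# Request field of a Combined Log Format line: "METHOD URI HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not data from the report.
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2021:10:00:02 +0000] "GET /shell.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Mar/2021:10:00:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0',
    '203.0.113.5 - - [01/Mar/2021:10:01:00 +0000] "GET /scryba/file.php|file=fsociety.xml HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Mar/2021:10:02:00 +0000] "GET /stalker_portal/c HTTP/1.1" 404 0',
    '192.0.2.44 - - [01/Mar/2021:10:03:00 +0000] "GET /login.php?next=/ HTTP/1.1" 200 128',
]

def classify(uri):
    """Map a requested URI to one of the Table 2 buckets."""
    # Drop query strings; the report's Scryba sample uses "|" in that position.
    path = re.split(r"[?#|]", uri, maxsplit=1)[0]
    if path in ("", "/"):
        return "web-root"
    for label, pattern in RULES:
        if pattern.search(path):
            return label
    return "other"

def summarize(lines):
    """Return (method counts, category counts) for parseable log lines."""
    methods, categories = Counter(), Counter()
    for line in lines:
        match = REQUEST.search(line)
        if match is None:
            continue  # malformed or non-HTTP line
        methods[match["method"]] += 1
        categories[classify(match["uri"])] += 1
    return methods, categories

if __name__ == "__main__":
    methods, categories = summarize(SAMPLE)
    print(dict(methods))
    print(categories.most_common())
```

Requests that land in the "php-probe" bucket and return a 200 status deserve a closer look, since the report notes these scans largely search for login pages or existing web shells.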

Conclusion

The majority of traffic targeted PHP-based applications, which mostly indicates the prevalence of PHP as a web application language. This is not to say that PHP is necessarily less secure, only that many applications use this language. Perhaps, given its age, many applications may be old, out of date, or unmaintained. The prevalence of scans for what can be assumed to be web shell endpoints indicates attackers are interested in finding already compromised websites.

The high amount of traffic related to a ZeuS trojan variant seems to indicate that this family of trojans is still alive and well, and continually evolving.

CVE-2017-9841 exploitation attempts are interesting in that this vulnerability has been known for over four years, but attackers still consider it worth targeting. This aligns with what F5 Labs has seen over the years regarding the “long tail” of exploit scanning.

The scanning for open endpoints for an IPTV-related API may simply be an attempt to find free entertainment or access to geo-restricted content.

Recommendations

To mitigate the types of attacks discussed here, we recommend putting in place the following security controls:

Technical
Preventative
  • As always, keep web applications patched and updated.
  • Consider the use of web application firewalls to detect and stop common attack patterns.
  • Review and test web application configurations for misconfigurations that may lead to compromise.
  • Review website content for indicators of compromise, such as web shells and other unauthorized content.
Authors & Contributors
Malaya Moon (Author)
Student
Akosua Wordie (Author)
Student
Malcolm Heath (Contributor)
Principal Threat Researcher
Sander Vinberg (Contributor)
Threat Research Evangelist, F5 Labs
Raymond Pompon (Contributor)
Footnotes

[1] For an example, see https://cybercrime-tracker.net/ccamdetail.php?hash=d4fe3e607d90b20c83f4b29468874ad0d26ab620
