F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic from region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (the IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, the Middle East, Asia (excluding China), and Australia. The attack landscape targeting systems in Asia during the fall of 2019 was largely driven by global attack campaigns scanning for vulnerable applications and conducting credential stuffing attacks.
- A network in Italy, owned by global gambling company GTECH, launched enough attacks against systems in Asia to make Italy the number one geographical source of attack traffic towards Asia.
- Credential stuffing attacks targeting RFB/VNC port 5900 launched through networks in Russia, France, and Moldova were not unique to systems in Asia; these attacks were felt all over the world.
- Half of the countries on the top attacking source countries list are inside southeast Asia; combined, they accounted for 39% of the region’s attack traffic in the fall of 2019.
- RM Engineering, with IP addresses registered in Moldova and an AS number (AS49877) registered in Russia, accounted for 99% of the total attack traffic launched from Moldovan IP addresses towards systems in Asia.
- Only three IP addresses on the top 50 attacking list were from inside Asia. However, Asian countries appear on the top attacking countries list, and Asian networks appear on the top attacking networks list. This indicates that attacks originating from Asian IP addresses were distributed across many IP addresses at lower attack counts per IP address, behavior typically associated with more sophisticated threat actors attempting to fly under the radar.
- The top targeted port, SMB port 445, and the third most attacked port, SSH port 22, were commonly targeted across the world because exploiting a vulnerability in either of these services can give an attacker access to the entire system.
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned in Italy launched the most malicious traffic against systems in Asia from August 1, 2019, through October 31, 2019. Most of this traffic (90%) came from one network in Italy: GTECH S.p.A., a global gambling company that was seen attacking all regions of the world during this time period. These attacks were distributed across many IP addresses; only 10% of the total attack traffic from this Italian network towards systems in Asia was generated by IP addresses on the top 50 attacking IP addresses list. This distributed style of attack is deliberate and takes more resources (systems and manpower) to pull off, and is therefore typically attributed to more sophisticated threat actors.
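A per-IP threshold misses exactly the distributed pattern described above: many addresses in one network, each sending a handful of probes. The following added example (not code from the F5 Labs report) shows the check a defender would run instead: aggregate dropped-connection log lines by the source's ASN as well as by source IP, so that many low-count addresses from one network add up. The log lines, the prefix-to-ASN table (RFC 5737 addresses and RFC 5398 documentation ASNs), the organization names and the thresholds are all constructed for the example; in practice the lookup comes from an ASN database such as a RIR or GeoLite2-ASN dump, and the thresholds come from your own baseline.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix -> (ASN, org) table. Documentation address blocks and ASNs only;
# the organization names are placeholders, not real networks (assumption).
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, "example-hosting-A"),
    ipaddress.ip_network("198.51.100.0/24"): (64501, "example-hosting-B"),
    ipaddress.ip_network("192.0.2.0/24"): (64502, "example-isp-C"),
}

# Assumed log format: firewall drop lines carrying "src=<ip> dport=<port>" fields.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dport=(?P<dport>\d+)")


def lookup_asn(ip):
    """Longest-prefix match is unnecessary here because the table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return (None, "unknown")


def build_sample_log():
    """Constructed firewall drop log: one loud scanner, one distributed scanner
    (40 hosts in a single /24, three probes each), and a little background noise."""
    lines = []
    for i in range(80):
        lines.append(f"2019-10-02T03:14:{i % 60:02d}Z fw drop src=198.51.100.9 dport=445 proto=tcp")
    for host in range(10, 50):
        for port in (22, 445, 5900):
            lines.append(f"2019-10-02T04:00:00Z fw drop src=203.0.113.{host} dport={port} proto=tcp")
    for host in (5, 6):
        lines.append(f"2019-10-02T05:00:00Z fw drop src=192.0.2.{host} dport=80 proto=tcp")
    return lines


def count_by_ip_and_asn(lines):
    """Return (hits per source IP, hits per ASN, set of IPs seen per ASN)."""
    per_ip, per_asn, ips_per_asn = Counter(), Counter(), {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src = m["src"]
        asn = lookup_asn(src)
        per_ip[src] += 1
        per_asn[asn] += 1
        ips_per_asn.setdefault(asn, set()).add(src)
    return per_ip, per_asn, ips_per_asn


def flag_sources(lines, ip_threshold=50, asn_threshold=100, min_ips=10):
    """Flag loud single IPs (classic per-IP rule) and, separately, networks whose
    total volume is high while every individual IP stays under the per-IP rule.
    The second list is the distributed scanning a per-IP rule alone would miss."""
    per_ip, per_asn, ips_per_asn = count_by_ip_and_asn(lines)
    loud_ips = sorted(ip for ip, n in per_ip.items() if n >= ip_threshold)
    distributed = sorted(
        asn for asn, n in per_asn.items()
        if n >= asn_threshold
        and len(ips_per_asn[asn]) >= min_ips
        and max(per_ip[ip] for ip in ips_per_asn[asn]) < ip_threshold
    )
    return {"loud_ips": loud_ips, "distributed_asns": distributed}


if __name__ == "__main__":
    print(flag_sources(build_sample_log()))
```

The per-IP rule catches only 198.51.100.9; the ASN rule additionally surfaces AS64500, whose forty hosts never exceed three hits each. Aggregating by /24 instead of ASN gives a similar result with no external data, at the cost of missing networks that spread across prefixes.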
The top 10 source traffic countries targeting systems in Asia in the fall of 2019 were:
- Italy
- Russia
- France
- Moldova
- Netherlands
- China
- U.S.
- South Korea
- India
- Vietnam
With the exception of India, all of the top ten source traffic countries were seen attacking all regions of the world. A top five made up entirely of European countries was a threat profile shared only with Australia during this period.
Similar to the European and Latin American threat landscapes, systems in Asia received a considerable number of attacks from in-region systems. Half of the countries on the top attacking source countries list are inside southeast Asia; combined, they accounted for 39% of the region’s attack traffic. Asia was the only region of the world that received attacks from IP addresses in Thailand during this time period. In-region traffic is harder for enterprises to filter, because doing so requires behavioral detection rather than geographic IP address blocking, assuming the business wants to remain accessible to customers within its own region.
IP addresses in Russia, France, and Moldova all launched Remote Frame Buffer (RFB) / Virtual Network Computing (VNC) port 5900 credential stuffing attacks against systems all over the world. The Netherlands (in fifth position) was different: its IP addresses launched a variety of attack types against a smaller global footprint, targeting only a few regions at a time.
Note: The “normalized” attack count is not the raw total collected; it is a calculated number that accounts for the number of attack collection sensors in each region. We use normalized attack data in these reports in order to compare attack data between regions accurately and ensure that no single region is overrepresented in the overall analysis.
Top Attacking Organizations (ASNs)
RM Engineering, with IP addresses registered in Moldova but an AS number (AS49877) registered in Russia, accounted for 99% of the total attack traffic launched from Moldovan IP addresses towards systems in Asia. OVH SAS, registered in France, accounted for 89% of the attacks launched from French IP addresses towards systems in Asia during the same period. The attacks coming from these networks targeted RFB port 5900 with credential stuffing and were received by systems all over the world. RM Engineering is new to our top threat actor network tracking as of June 2019, when the global campaign targeting RFB began, unlike OVH SAS, which has routinely appeared on top attacking network lists in our Hunt for IoT report series for years. GTECH, the network in third position and the one driving Italy into the top position on the geographic source country list, was new to the top threat actor networks list globally. As stated previously, the attacks from this network were distributed, with a small number of attacks launched from each of many IP addresses. The attacks are abusive port scanning, typically associated with network reconnaissance looking for vulnerabilities.
The following table lists ASNs and their associated organizations (note that some organizations have multiple ASNs).

| ASN Organization | ASN | Normalized Attack Count |
| --- | --- | --- |
| RM Engineering | 49877 | 1,187,073 |
| OVH SAS | 16276 | 1,130,634 |
| GTECH S.p.A. | 35574 | 840,302 |
| Hostkey B.V. | 57043 | 709,873 |
| Digital Ocean | 14061 | 630,034 |
| Hetzner Online GmbH | 24940 | 498,350 |
| Korea Telecom | 4766 | 476,294 |
| Garanti Bilisim Teknolojisi ve Ticaret T.A.S. | 12903 | 465,597 |
| Amazon.com | 16509 | 460,265 |
| Eurobet Italia SRL | 200944 | 432,029 |
| Serverius Holding B.V. | 50673 | 425,712 |
| China Telecom | 4134 | 385,776 |
| VNPT Corp | 45899 | 278,127 |
| Data Communication Business Group | 3462 | 274,249 |
| SK Broadband Co Ltd | 9318 | 220,519 |
| CMC Telecom Infrastructure Company | 38733 | 187,518 |
| China Unicom | 4837 | 179,740 |
| PT Telekomunikasi Indonesia | 7713 | 178,068 |
| IP Volume | 202425 | 153,140 |
| Winamax SAS | 197014 | 148,286 |
| Online S.a.S | 12876 | 144,001 |
| Viettel Group | 7552 | 139,440 |
| Selectel | 49505 | 138,253 |
| The Corporation for Financing & Promoting Tech... | 18403 | 113,130 |
| Continent 8 LLC | 14537 | 112,619 |
| Sprint S.A. | 197226 | 112,063 |
| SoftLayer Technologies Inc. | 36351 | 111,762 |
| Alibaba (US) | 45102 | 109,757 |
| NETSEC | 45753 | 103,165 |
| Rostelecom | 12389 | 92,108 |
| Shenzhen Tencent Computer Systems Co. | 45090 | 90,731 |
| Cybernet Introtech Private Limited | 137139 | 88,090 |
| Elyzium Technologies Pvt. Ltd. | 134319 | 85,313 |
| Cloudie Limited | 55933 | 80,123 |
| TS-NET of TOSET, Inc. in Japan | 55902 | 77,833 |
| NeuStar, Inc. | 19905 | 76,843 |
| Servers.com, Inc. | 7979 | 75,462 |
| CNSERVERS LLC | 40065 | 74,565 |
| CANTV Servicios, Venezuela | 8048 | 67,460 |
| Garanntor-Hosting-AS | 328110 | 66,966 |
| Webzilla B.V. | 35415 | 66,927 |
| Livenet Sp. z o.o. | 59491 | 65,387 |
| LeaseWeb Netherlands B.V. | 60781 | 63,409 |
| National Internet Backbone | 9829 | 58,458 |
| Offshore Racks S.A | 52469 | 57,019 |
| SS-Net | 204428 | 56,034 |
| TOT Public Company Limited | 23969 | 55,572 |
| Melita Limited | 200805 | 54,511 |
| Microsoft Corporation | 8075 | 54,269 |
| Turk Telekom | 47331 | 53,783 |
ASNs Attacking Asia Compared to Other Regions
We looked at the count of attacks by ASN towards systems in Asia and compared it to other regions of the world. The key difference between attack traffic launched from networks targeting Asia and the rest of the world was the 7 ASNs, 6 of them inside Asia, that exclusively targeted systems in Asia (see ASNs denoted with *** in Figure 4). Additionally, many networks targeting systems in Asia were launching far more attacks against systems in the Middle East.
IP Addresses Attacking Asia Compared to Other Regions
We compared the volume of attack traffic systems in Asia received per IP address to other regions of the world. Only 16% of the top attacking IP addresses uniquely targeted systems in Asia (see IP addresses denoted with *** in Figure 6); the rest overlapped considerably with the attack traffic seen by the rest of the world. A clear differentiator is the number of attacks systems in the U.S. received from the same IP addresses that targeted systems in Asia.
IP Addresses Attacking Europe Compared to Other Regions
The following chart shows the volume of attack traffic European systems received per IP address in comparison to other regions of the world. Attack traffic destined for European systems had some overlap with the rest of the world, with many IP addresses seen in Europe also seen in 6 or 7 other regions of the world. There is an exception of a handful of IP addresses launching global attacks against RFB/VNC port 5900 (see the next section). Although geographically in the same region, the European and the Russian threat landscapes saw little overlap in terms of specific IP addresses sending malicious traffic. Eighteen percent of the top attacking IP addresses sending malicious traffic to Europe were unique to Europe, while 16% of that top 50 were seen sending malicious attack traffic to all other regions in the world.
Attacks Types of Top Attacking IP Addresses
All of the top 50 attacking IP addresses were engaging in port scanning (see top targeted ports section below). Most (82%) of the top attacking IP addresses had a follow-up plan that included credential stuffing on RFB/VNC port 5900 and SSH port 22, HTTP/S attacks on ports 443 and 8080, and spamming on SMTP port 25.
The following IP addresses launched attacks against RFB / VNC port 5900 all over the world:

| Source IP | Normalized Attack Count | ASN Org | Country |
| --- | --- | --- | --- |
| 185.153.197.251 | 448,387.2 | RM Engineering | Moldova |
| 185.153.198.197 | 445,224.5 | RM Engineering | Moldova |
| 46.105.144.48 | 407,252.3 | OVH SAS | France |
| 185.153.196.159 | 212,853.6 | RM Engineering | Moldova |
| 193.188.22.114 | 187,135.1 | Hostkey B.V. | Russia |
| 185.156.177.44 | 186,283.6 | Hostkey B.V. | Russia |
| 5.39.39.49 | 157,176.0 | OVH SAS | France |
These port 5900 attacks are new activity as of June 2019 and continued through October 31, 2019. We have opened up a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be looking to share our findings and ask questions soon. Join the conversation on Twitter.
| Source IP | Normalized Attack Count | Attack Type | ASN Organization | Country |
| --- | --- | --- | --- | --- |
| 185.153.197.251 | 448,387.2 | Port Scanning: 36 unique ports; Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova |
| 185.153.198.197 | 445,224.5 | Port Scanning: 29 unique ports; Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova |
| 46.105.144.48 | 407,252.3 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | France |
| 5.39.108.50 | 284,982.0 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | France |
| 212.80.217.139 | 231,210.0 | Port Scanning: 6 unique ports; Credential Stuffing: RFB/VNC port 5900 | Serverius Holding B.V. | Netherlands |
| 185.153.196.159 | 212,853.6 | Port Scanning: 23 unique ports; Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova |
| 193.188.22.114 | 187,135.1 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: SSH port 22, RFB/VNC port 5900 | Hostkey B.V. | Russia |
| 185.156.177.44 | 186,283.6 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Hostkey B.V. | Russia |
| 185.156.177.11 | 185,902.8 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Hostkey B.V. | Russia |
| 5.39.39.49 | 157,176.0 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | France |
| 148.251.20.137 | 143,100.7 | Port Scanning: SSH port 22, HTTPS port 443, SMTP port 25, HTTP port 80 | Hetzner Online GmbH | Germany |
| 148.251.20.134 | 143,081.2 | Port Scanning: SSH port 22, SMTP port 25, HTTPS port 443, HTTP port 80 | Hetzner Online GmbH | Germany |
| 212.83.172.140 | 112,158.2 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Online S.a.s. | France |
| 198.245.60.31 | 95,839.7 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | Canada |
| 185.40.13.3 | 94,717.4 | Port Scanning: 51 unique ports | GTECH S.p.A. | Italy |
| 211.44.226.158 | 78,188.5 | Port Scanning: 48 unique ports | SK Broadband Co Ltd | South Korea |
| 112.175.124.2 | 73,814.1 | Port Scanning: 61 unique ports | Korea Telecom | South Korea |
| 218.237.65.80 | 70,586.4 | Port Scanning: SSH port 22, DNS port 53, HTTPS port 443, HTTP port 80 | SK Broadband Co Ltd | South Korea |
| 192.250.197.246 | 67,681.3 | Port Scanning: 20 unique ports; Credential Stuffing: SSH port 22 | CNSERVERS LLC | United States |
| 164.160.130.141 | 66,965.3 | Port Scanning: port 33899, Microsoft RDP port 3389 | Garanntor-Hosting-AS | Nigeria |
| 178.19.108.178 | 65,306.1 | Port Scanning: 249 unique ports; HTTP Attacks: HTTPS port 443 & Alt-HTTP port 8080 | Livenet Sp. z o.o. | Poland |
| 112.175.127.189 | 63,434.3 | Port Scanning: 48 unique ports | Korea Telecom | South Korea |
| 185.234.218.16 | 52,881.6 | Port Scanning: 5900, 5909, 8089, 3389; Credential Stuffing: RFB/VNC port 5900 | Sprint S.A. | Ireland |
| 103.28.70.59 | 43,294.8 | Port Scanning: SMTP port 25; Spam: SMTP port 25 | HIVELOCITY, Inc. | United States |
| 194.187.175.68 | 42,610.3 | Port Scanning: 45 unique ports | GTECH S.p.A. | Italy |
| 173.225.100.225 | 39,176.1 | Port Scanning: SMTP port 25 | Interserver, Inc | United States |
| 112.175.127.179 | 36,882.2 | Port Scanning: 48 unique ports | Korea Telecom | South Korea |
| 89.248.174.201 | 36,691.1 | Port Scanning: 64,502 unique ports | IP Volume inc | Netherlands |
| 185.156.177.55 | 36,413.3 | Port Scanning: 111 unique ports; Credential Stuffing: RFB/VNC port 5900 | Hostkey B.V. | Russia |
| 112.175.127.186 | 34,557.8 | Port Scanning: 46 unique ports | Korea Telecom | South Korea |
| 185.234.218.24 | 34,328.6 | Port Scanning: port 3396, Microsoft RDP port 3389, RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Sprint S.A. | Ireland |
| 167.99.108.200 | 34,080.6 | Port Scanning: RFB/VNC port 5900 | Digital Ocean | United States |
| 185.232.28.237 | 33,599.1 | Port Scanning: 11 unique ports | PIN Hosting Europe GmbH | Estonia |
| 112.175.126.18 | 33,199.5 | Port Scanning: 42 unique ports | Korea Telecom | South Korea |
| 212.32.233.178 | 31,857.6 | Port Scanning: 443, 25, 80 | LeaseWeb Netherlands B.V. | Netherlands |
| 141.98.252.252 | 29,983.6 | Port Scanning: MySQL port 3306 | 31173 Services AB | United Kingdom |
| 95.216.217.44 | 29,885.4 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Hetzner Online GmbH | Finland |
| 103.78.38.158 | 27,659.3 | Port Scanning: 1433, 7001, 80, 445, 8080; HTTP Attacks: Alt-HTTP port 8080 | PT.Mora Telematika Indonesia | Indonesia |
| 185.89.239.149 | 27,274.9 | Port Scanning: HTTP port 80, DNS port 53, HTTPS port 443, SSH port 22 | Melita Limited | Malta |
| 212.123.218.109 | 27,234.4 | Port Scanning: HTTP port 80, HTTPS port 443, DNS port 53, SSH port 22 | COLT Technology Services Group Ltd | Netherlands |
| 185.89.239.148 | 27,225.6 | Port Scanning: SSH port 22, DNS port 53, HTTPS port 443, HTTP port 80 | Melita Limited | Malta |
| 47.56.163.120 | 27,075.4 | Unknown | Alibaba (US) Technology Co., Ltd. | United States |
| 185.156.177.197 | 25,737.0 | Port Scanning: 43 unique ports; Credential Stuffing: SSH port 22, RFB/VNC port 5900 | Hostkey B.V. | Russia |
| 193.188.22.208 | 25,666.7 | Port Scanning: VNC port 5901, MS CRM port 5555, RFB/VNC port 5900, Alt-HTTP port 8088, SSH port 22; Credential Stuffing: RFB/VNC port 5900 | Hostkey B.V. | Russia |
| 103.103.92.42 | 24,992.4 | Port Scanning: MS SQL port 1433, SMB port 445 | Xd Network | India |
| 66.194.167.76 | 24,824.1 | Port Scanning: RFB/VNC port 5900 | Renaissance Systems, Inc. | United States |
| 134.209.206.170 | 24,667.3 | Port Scanning: 6 unique ports | Digital Ocean | Netherlands |
| 95.216.172.249 | 24,620.8 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Hetzner Online GmbH | Finland |
| 134.209.204.225 | 24,592.4 | Port Scanning: 80, 22, 445, 443, 53 | Digital Ocean | Netherlands |
| 103.44.147.20 | 24,399.2 | Port Scanning: MS SQL port 1433, SMB port 445 | National Computer Network And Information | China |
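On the wire, the port 5900 credential stuffing described above is a series of short RFB connections that each end with a failed SecurityResult. The following added example (not code from the F5 Labs report) parses the RFB 3.8 handshake as specified in RFC 6143 section 7.1 from both sides' byte streams of one session (ProtocolVersion, security type list, the 16-byte VNC Authentication challenge/response, then SecurityResult with its failure reason) and then counts VNC Authentication failures per source to flag stuffing. The sessions, the source addresses (RFC 5737 ranges) and the failure threshold are constructed assumptions; the 16-byte client response is opaque here, since a detector never needs to recompute it.

```python
import struct
from collections import Counter

# RFB 3.8 handshake constants (RFC 6143). Security type 2 is VNC Authentication:
# a 16-byte challenge the client returns DES-encrypted with the password.
RFB_VERSION = b"RFB 003.008\n"
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 19: "VeNCrypt"}


def parse_rfb_handshake(server, client):
    """Walk the handshake from one TCP session's server->client and client->server
    byte streams. result is one of: ok, failed, refused, not-rfb-3.8, truncated."""
    info = {"offered": [], "chosen": None, "result": None, "reason": None}
    if server[:12] != RFB_VERSION or client[:12] != RFB_VERSION:
        info["result"] = "not-rfb-3.8"
        return info
    s = c = 12                                  # both ProtocolVersion messages consumed
    if s >= len(server):
        info["result"] = "truncated"
        return info
    n_types = server[s]
    s += 1
    if n_types == 0:                            # server refused: u32 reason length + text
        if s + 4 > len(server):
            info["result"] = "truncated"
            return info
        (rlen,) = struct.unpack(">I", server[s:s + 4])
        info["result"] = "refused"
        info["reason"] = server[s + 4:s + 4 + rlen].decode("latin-1")
        return info
    info["offered"] = [SECURITY_TYPES.get(t, str(t)) for t in server[s:s + n_types]]
    s += n_types
    if c >= len(client):
        info["result"] = "truncated"
        return info
    chosen = client[c]
    c += 1
    info["chosen"] = SECURITY_TYPES.get(chosen, str(chosen))
    if chosen == 2:                             # skip 16-byte challenge and 16-byte response
        s += 16
        c += 16
    if s + 4 > len(server):
        info["result"] = "truncated"
        return info
    (status,) = struct.unpack(">I", server[s:s + 4])   # SecurityResult: 0 OK, 1 failed
    s += 4
    if status == 0:
        info["result"] = "ok"
    else:
        info["result"] = "failed"
        if s + 4 <= len(server):                # 3.8 servers append a reason string on failure
            (rlen,) = struct.unpack(">I", server[s:s + 4])
            info["reason"] = server[s + 4:s + 4 + rlen].decode("latin-1")
    return info


def build_vnc_auth_session(challenge, response, ok, reason="Authentication failure"):
    """Construct both byte streams of one VNC Authentication attempt (sample data,
    not captured traffic). The server offers only type 2; the client picks it."""
    server = RFB_VERSION + bytes([1, 2]) + challenge
    client = RFB_VERSION + bytes([2]) + response
    if ok:
        server += struct.pack(">I", 0)
    else:
        reason_b = reason.encode()
        server += struct.pack(">I", 1) + struct.pack(">I", len(reason_b)) + reason_b
    return server, client


# Constructed sessions keyed by source address: one source reconnecting and failing
# repeatedly, as a credential stuffer does, plus one success and one stray failure.
SAMPLE_SESSIONS = [
    ("203.0.113.9",) + build_vnc_auth_session(bytes([i]) * 16, bytes([0x80 + i]) * 16, False)
    for i in range(6)
]
SAMPLE_SESSIONS.append(("198.51.100.5",) + build_vnc_auth_session(b"\x7f" * 16, b"\x01" * 16, True))
SAMPLE_SESSIONS.append(("198.51.100.6",) + build_vnc_auth_session(b"\x7e" * 16, b"\x02" * 16, False))


def flag_vnc_credential_stuffing(sessions, min_failures=5):
    """Count VNC Authentication failures per source; return sources at or above the
    threshold (threshold is an assumption to tune against your own baseline)."""
    failures = Counter()
    for src, server, client in sessions:
        outcome = parse_rfb_handshake(server, client)
        if outcome["chosen"] == "VNC Authentication" and outcome["result"] == "failed":
            failures[src] += 1
    return {src: n for src, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    print(flag_vnc_credential_stuffing(SAMPLE_SESSIONS))
```

The same parser distinguishes a refused connection (security type count of zero) from a failed login, which matters for the baseline: a server that already limits by source will refuse rather than fail, and a detector counting only failures would otherwise lose sight of the stuffer once the limit kicks in.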
Top Targeted Ports
SMB port 445 was the number one attacked port in Asia during the fall of 2019. In a distant second place was VNC port 5900, which was attacked all over the world during this time period. SMB port 445 has been a top targeted port since the release of the EternalBlue exploit in April 2017. However, VNC port 5900 is not typically near the top of the list, hence the threat hunting investigation we are doing on Twitter mentioned previously. SSH port 22 targeting, in third position, is activity we see globally on a consistent basis. This activity is typically associated with credential stuffing attacks (see top attacked SSH credentials) and IoT botnet building.
Both SMB and SSH are commonly targeted because exploiting a vulnerability in either of these services can give an attacker access to the entire system. HTTP port 80 and HTTPS port 443 were in the fourth and fifth most attacked positions. The only port uniquely targeted in Asia during this time period was the unassigned TCP port 22225. Given the ports that were targeted and the vulnerability scanning and credential stuffing attack types seen against systems in Asia in the fall of 2019, it is clear that attackers are targeting applications in Asia.
Conclusion
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position; it is a realistic position backed up by the volume of attack traffic all systems touching the Internet receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare against the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic, or help you determine whether or not you are being targeted, in which case investigating the attack sources and patterns is a worthwhile activity.
Locking down any of the top targeted ports that do not absolutely require unfettered Internet access should be completed as soon as possible. And because default vendor credentials are known to attackers, all systems should be hardened before being deployed and protected with multi-factor authentication.
Additionally, the volume of breached credentials in 2017 was so large that usernames and passwords should be considered “public,” so all organizations should have credential stuffing protection in place, particularly for any system with remote authentication. See the F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.
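One way to do the comparison described above, as an added example that is not part of the report: take the report's global top targeted ports (445, 5900, 22, 80, 443) as the run-of-the-mill baseline, profile your own perimeter drop log, and flag any port outside that baseline that still draws volume from only a few sources, since focused volume on a port the whole Internet is not scanning is the signal that you, specifically, are being looked at. The log lines (RFC 5737 addresses), the `src=`/`dport=` field names and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Global top targeted ports for fall 2019, from the report's Top Targeted Ports section.
# Volume on these ports is the background every Internet-facing system receives.
BASELINE_PORTS = {445: "SMB", 5900: "RFB/VNC", 22: "SSH", 80: "HTTP", 443: "HTTPS"}

# Assumed log format: one dropped connection per line with "src=<ip> dport=<port>".
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dport=(?P<dport>\d+)")


def build_sample_log():
    """Constructed perimeter drop log: 30 scanners touching only baseline ports,
    one source hammering an application port (8443), and two stray hits."""
    lines = []
    for host in range(1, 31):
        for port in (445, 5900, 22):
            lines.append(f"2019-10-03T01:00:00Z drop src=203.0.113.{host} dport={port}")
    for minute in range(40):
        lines.append(f"2019-10-03T02:{minute:02d}:00Z drop src=198.51.100.77 dport=8443")
    lines.append("2019-10-03T02:10:00Z drop src=192.0.2.4 dport=8443")
    lines.append("2019-10-03T02:11:00Z drop src=192.0.2.5 dport=3389")
    return lines


def profile(lines):
    """Return (hits per destination port, distinct sources per destination port)."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            port = int(m["dport"])
            hits[port] += 1
            sources[port].add(m["src"])
    return hits, sources


def triage(lines, min_hits=20, max_sources=3):
    """Report how much of the traffic the global baseline explains, and list
    non-baseline ports that get real volume from a small number of sources:
    the candidates for targeted activity worth investigating."""
    hits, sources = profile(lines)
    total = sum(hits.values())
    baseline_hits = sum(n for port, n in hits.items() if port in BASELINE_PORTS)
    baseline_share = round(baseline_hits / total, 3) if total else 0.0
    targeted = [
        {"port": port, "hits": n, "sources": sorted(sources[port])}
        for port, n in hits.items()
        if port not in BASELINE_PORTS and n >= min_hits and len(sources[port]) <= max_sources
    ]
    targeted.sort(key=lambda t: -t["hits"])
    return {"baseline_share": baseline_share, "targeted": targeted}


if __name__ == "__main__":
    print(triage(build_sample_log()))
```

In the constructed log, 68% of drops land on baseline ports and can be treated as background; port 8443 gets 41 hits from two sources and is the one to investigate. A single hit on 3389 stays below the threshold, which is the right call for a port the report lists among globally scanned services.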
Security Controls
To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:
- Use firewalls to restrict unnecessary access to commonly attacked and publicly exposed ports.
- Use a web application firewall to protect against common web application attacks.
- Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH).
- Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
- For remote administration, migrate from Telnet to SSH and implement brute force restrictions.
- Disable vendor default credentials on all systems.
- Implement multi-factor authentication on all remote administrative access and any web login.
- Implement geo IP address blocking of commonly attacking countries that your organization does not need to communicate with.
- Enforce system hardening and test all systems for the existence of vendor default credentials (commonly used in SSH brute force attacks).
- Conduct security awareness training to ensure employees know how systems and data are targeted, and specifically how they are targeted with phishing attacks that can lead to credential theft, malware, and breaches.