Introduction
F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, Middle East, Asia, and Australia. We separated Russia from Europe because Russia is consistently a top source traffic country globally, so we wanted to understand if its threat landscape was different—and it was. Attacks targeting Russian systems originated from more unique source networks and IP addresses than anywhere else in the world.
- IP addresses assigned in the U.S. launched the most malicious traffic towards systems in Russia from August 1, 2019, through October 31, 2019. The U.S. is a top source traffic country globally; however, 90% of the IP addresses in the U.S. that attacked Russian systems in the fall of 2019 were not seen attacking other regions.
- Russian IP addresses were responsible for 13% of the attacks received by Russian systems during the fall of 2019.
- Fifty-eight percent (58%) of the IP addresses seen sending malicious traffic to Russia exclusively targeted Russian systems.
- The top ports targeted in Russia followed similar patterns to the rest of the world with SMB port 445 being the #1 attacked port and SSH port 22 being the #3 top attacked port.
- The Swiss Exchange service port 7326 was the #2 attacked port in Russia, which is very interesting given the potential financial implications, and the fact that this was not a top attacked port anywhere else in the world in this time period.
- Outside of multi-port reconnaissance scanning looking for commonly used web application ports, attackers are conducting credential stuffing attacks on RFB/VNC port 5900, SSH port 22, and Telnet port 23 (common with IoT bot building).
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned in the U.S. launched the most malicious traffic towards systems in Russia from August 1, 2019, through October 31, 2019. The U.S. is a top source traffic country globally; however, 90% of the IP addresses in the U.S. that were attacking Russian systems in the fall of 2019 were not seen attacking other regions. While the U.S. being a top source country is not unique, the attacks from U.S. IP addresses against Russia exclusively targeted systems in Russia. Conversely, 70% of the IP addresses in the Netherlands (which is a top source traffic country globally) that attacked systems in Russia were also engaged in global attack campaigns; Russian systems weren’t their only target.
The number of attacks launched from IP addresses in Russia regularly drives Russia into one of the top three source traffic country positions globally. Russia itself is no exception: 13% of the attacks received by Russian systems during the fall of 2019 came from IP addresses in Russia. This kind of traffic can be more difficult for enterprises to filter, as they can’t simply block IP addresses by geography when they want to remain accessible to customers in their own region.
All of the top 10 source traffic countries of attacks targeting Russian systems in the fall of 2019 were top source traffic countries globally.
Note: The “normalized” attack count is not the total attack count collected, it is a calculated number considering the number of attack collection sensors region to region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no single region is overrepresented in the total data analysis.
Sixty percent (60%) of the attacks launched towards Russian systems came from the top 5 source traffic countries. In addition to the U.S., Netherlands, and Russia in the top 3 positions, attacks launched from IP addresses in Germany (in position 4) were uniquely scanning for port 7326. Port 7326 is used by the Swiss Exchange (SWX) and Internet Citizen’s Band (ICB) services. No other region was targeted on that port, or by the German IP addresses launching the attacks. Additionally, attacking IP addresses that drove Italy into position 5 on the top source countries list engaged in SWX/ICB scanning, unique to Russia.
Top Attacking Organizations (ASNs)
Attacks targeting Russian systems came from more unique ASNs than in any other region. Attacks from 36% of the ASNs on the top 50 attacking ASNs list were uniquely destined for Russian systems. These networks, listed below, accounted for 28% of the total attack traffic Russian systems received in the fall of 2019.

| ASN Organization | ASN # | Normalized Attack Count |
|---|---|---|
| Charter Communications, Inc | 33363 | 455,179.70 |
| Smart Telecom S.A.R.L | 51558 | 405,925.40 |
| Cambrium IT Services B.V. | 25596 | 372,613.80 |
| Vodafone Kabel Deutschland GmbH | 31334 | 359,061.40 |
| Liberty Global B.V. | 6830 | 250,071.60 |
| MCI Communications d/b/a Verizon | 701 | 243,396.50 |
| Cablevision Systems Corp. | 6128 | 162,131.40 |
| WideOpenWest Finance LLC | 12083 | 160,654.90 |
| Hostmaze Inc Srl-d | 39517 | 150,661.40 |
| EOLO S.p.A. | 35612 | 141,944.60 |
| AT&T Services, Inc. | 7018 | 141,643.00 |
| Tellcom Iletisim Hizmetleri A.s. | 34984 | 121,125.90 |
| Alviva Holding Limited | 209272 | 107,061.40 |
| UAB Host Baltic | 209605 | 105,467.60 |
| Dgn Teknoloji A.s. | 43260 | 105,259.70 |
| 1&1 Versatel Deutschland GmbH | 8881 | 88,340.30 |
| ITC NG ltd | 202940 | 82,745.40 |
| OOO Tecom | 56679 | 81,128.90 |
Four of the networks: 1&1 Versatel Deutschland GmbH, Hostmaze Inc Srl-d, ITC NG ltd and Tellcom Iletisim Hizmetleri A.s., did not have IP addresses on the top 50 attacking IP addresses list, indicating attacks from these networks were diversified across many IP addresses.
Attacks from the OVH SAS network, primarily sourced from France and also Canada, drove OVH SAS to the number 1 position in the top attacking networks list. The OVH SAS network was within the top 5 attacking networks in all regions of the world during this timeframe, with the exception of attacks destined for the Middle East. OVH SAS is a top attacking network globally on a regular basis. The attacks from IP addresses in this network in the fall of 2019 were RFB/VNC credential stuffing attacks targeting systems all over the world and were not unique to Russia.
The Hetzner Online Gmbh network assigned in Germany had a similar attack profile as OVH SAS. This network engaged in global attacks targeting all regions of the world, including Russia.
Attacks coming from Softlayer Technologies networks in the U.S. and Netherlands were also felt all over the world during this period. However, the only IP addresses in this network that showed up on the top 50 attacking IP addresses list were attacks toward Russia. That means attacks generated from Softlayer during this period destined for other regions of the world were conducted at lower counts per IP address, so they didn’t show up on a top attacking IP addresses list. Rounding out the top 5 network sources of attacks against Russia in the fall of 2019 were GTECH and Korea Telecom. Attacks from both of these networks were launched globally and were not unique to Russia.
The following table lists the top attacking ASNs and their associated organizations (note that some organizations operate multiple ASNs).

| ASN Organization | ASN | Normalized Attack Count |
|---|---|---|
| OVH SAS | 16276 | 862,781.1 |
| Hetzner Online GmbH | 24940 | 728,790.3 |
| SoftLayer Technologies Inc. | 36351 | 663,457.8 |
| GTECH S.p.A. | 35574 | 589,894.3 |
| Korea Telecom | 4766 | 534,229.7 |
| RM Engineering | 49877 | 497,338.6 |
| Digital Ocean | 14061 | 456,316.8 |
| Charter Communications | 33363 | 455,179.7 |
| Amazon.com | 16509 | 440,305.9 |
| Smart Telecom S.A.R.L | 51558 | 405,925.4 |
| Cambrium IT Services B.V. | 25596 | 372,613.8 |
| Serverius Holding B.V. | 50673 | 367,331.1 |
| Garanti Bilisim Teknolojisi ve Ticaret T.A.S. | 12903 | 363,010.3 |
| Vodafone Kabel Deutschland GmbH | 31334 | 359,061.4 |
| Eurobet Italia SRL | 200944 | 338,586.5 |
| Selectel | 49505 | 332,049.7 |
| SK Broadband Co Ltd | 9318 | 278,335.9 |
| Donner Oleg Alexeevich | 35606 | 253,659.7 |
| Liberty Global B.V. | 6830 | 250,071.6 |
| MCI Communications DBA Verizon | 701 | 243,396.5 |
| Hostkey B.v. | 57043 | 213,834.6 |
| UGB Hosting OU | 206485 | 192,084.1 |
| China Telecom | 4134 | 177,100.3 |
| IP Volume inc | 202425 | 169,648.1 |
| Cablevision Systems Corp. | 6128 | 162,131.4 |
| WideOpenWest Finance LLC | 12083 | 160,654.9 |
| Hostmaze Inc Srl-d | 39517 | 150,661.4 |
| Rostelecom | 12389 | 149,025.9 |
| EOLO S.p.A. | 35612 | 141,944.6 |
| AT&T Services, Inc. | 7018 | 141,643.0 |
| CNSERVERS LLC | 40065 | 135,055.1 |
| Sprint S.A. | 197226 | 129,031.1 |
| Tellcom Iletisim Hizmetleri A.s. | 34984 | 121,125.9 |
| VNPT Corp | 45899 | 112,996.8 |
| Microsoft Corporation | 8075 | 111,412.4 |
| Servers.com, Inc. | 7979 | 109,655.9 |
| SS-Net | 204428 | 109,239.5 |
| China Unicom | 4837 | 107,517.8 |
| Alviva Holding Limited | 209272 | 107,061.4 |
| UAB Host Baltic | 209605 | 105,467.6 |
| Dgn Teknoloji A.s. | 43260 | 105,259.7 |
| JSC ER-Telecom Holding | 39028 | 102,269.5 |
| NETSEC | 45753 | 101,548.6 |
| Continent 8 LLC | 14537 | 90,635.7 |
| 1&1 Versatel Deutschland GmbH | 8881 | 88,340.3 |
| TS-NET of TOSET, Inc. in Japan | 55902 | 88,226.2 |
| ITC NG ltd | 202940 | 82,745.4 |
| OOO Tecom | 56679 | 81,128.9 |
| PT Telekomunikasi Indonesia | 7713 | 79,919.5 |
| PVimpelCom | 8402 | 71,321.4 |
ASNs Attacking Russia Compared to Other Regions
We looked at the count of attacks by ASN launched toward systems in Russia and compared that to other regions of the world. The key difference between attack traffic launched from networks targeting Russia versus the rest of the world was the volume of attack traffic launched from the 18 ASNs exclusively targeting systems in Russia (see ASNs denoted with *** in Figure 4). Sixty-four percent (64%) of the total attack volume in Russia came from networks uniquely targeting Russia. Additionally, the exponential increase in attacks that systems in the Middle East received from networks that also targeted Russian systems is notable.
Top 50 Attacking IP Addresses
Two of the top three IP addresses attacking Russian systems in the fall of 2019 were not seen targeting systems anywhere else in the world. The following table shows all 29 IP addresses (58% of the top 50 IP addresses targeting Russian systems) that were not seen attacking systems in other regions of the world during the fall of 2019. There are more IP addresses on this list from the U.S. than from anywhere else in the world. Comparatively, when looking at all top 50 IP addresses attacking all regions of the world, there are more Russian IP addresses than from any other country. All of these IP addresses engaged in port scanning, 34% of which specifically targeted the Swiss Exchange service.

| POSITION | Source IP | Normalized Attack Count | ASN Organization | Country |
|---|---|---|---|---|
| 1 | 71.46.230.178 | 438,148.6 | Charter Communications, Inc | United States |
| 3 | 217.19.18.4 | 372,510.5 | Cambrium IT Services B.V. | Netherlands |
| 9 | 92.118.37.67 | 208,530.3 | Donner Oleg Alexeevich | Romania |
| 12 | 95.90.230.133 | 185,584.9 | Vodafone Kabel Deutschland GmbH | Germany |
| 13 | 69.14.153.121 | 160,198.1 | WideOpenWest Finance LLC | United States |
| 14 | 74.88.7.125 | 155,631.9 | Cablevision Systems Corp. | United States |
| 15 | 88.147.99.15 | 141,357.8 | EOLO S.p.A. | Italy |
| 16 | 5.153.2.228 | 139,437.8 | SoftLayer Technologies Inc. | Netherlands |
| 17 | 23.115.65.92 | 136,175.7 | AT&T Services, Inc. | United States |
| 18 | 5.153.18.254 | 134,490.5 | SoftLayer Technologies Inc. | Netherlands |
| 19 | 72.69.11.97 | 134,443.8 | MCI Communications d/b/a Verizon | United States |
| 20 | 130.198.67.114 | 132,925.1 | SoftLayer Technologies Inc. | United States |
| 21 | 169.54.190.139 | 132,527.0 | SoftLayer Technologies Inc. | United States |
| 23 | 46.5.229.231 | 121,165.9 | Liberty Global B.V. | Germany |
| 27 | 141.98.11.12 | 105,461.9 | UAB Host Baltic | Lithuania |
| 28 | 185.222.211.54 | 105,343.8 | Alviva Holding Limited | United Kingdom |
| 29 | 37.4.253.50 | 104,834.9 | Vodafone Kabel Deutschland GmbH | Germany |
| 32 | 185.82.220.115 | 91,456.5 | Dgn Teknoloji A.s. | Turkey |
| 34 | 72.69.223.115 | 89,193.0 | MCI Communications d/b/a Verizon | United States |
| 35 | 5.178.83.125 | 82,488.1 | Selectel | Russia |
| 36 | 213.33.244.218 | 81,127.8 | OOO Tecom | Russia |
| 38 | 213.170.88.82 | 78,858.4 | Quantum CJSC | Russia |
| 39 | 189.125.110.234 | 75,498.9 | Level 3 Parent, LLC | Brazil |
| 40 | 109.226.179.245 | 69,210.3 | TELTA Citynetz GmbH | Germany |
| 41 | 134.209.52.246 | 68,745.7 | Digital Ocean | United States |
| 42 | 185.254.122.21 | 55,132.2 | UGB Hosting OU | Russia |
| 43 | 80.179.140.36 | 52,842.2 | Partner Communications Ltd. | Israel |
| 44 | 185.254.122.8 | 51,893.8 | UGB Hosting OU | Russia |
| 50 | 14.29.179.99 | 49,220.5 | China Telecom (Group) | China |

Similar to the U.S., IP addresses assigned within Russia were uniquely targeting systems in Russia rather than launching global attacks. 63% of the Russian-assigned IP addresses attacking systems inside Russia were uniquely targeting Russian systems. The other 37% were all from one network, Hostkey B.V., which participated in a global attack campaign targeting RFB/VNC port 5900 with credential stuffing attacks.
For a complete list of attacks by IP address, see section Attacks Types of Top Attacking IP Addresses below.
IP Addresses Attacking Russia Compared to Other Regions
We compared the volume of attack traffic systems in Russia received per IP address to other regions of the world and there was a clear difference. As mentioned in the previous section, 54% of the IP addresses on Russia’s top 50 attacking IP addresses list (see IP addresses denoted with *** in Figure 6) exclusively targeted Russian systems, a pattern that stands out visually when comparing the attack counts Russia received to attacks received by the rest of the world.
Attacks Types of Top Attacking IP Addresses
Fifty-eight percent (58%) of the IP addresses seen sending malicious traffic to Russia exclusively targeted this region in the fall of 2019. As expected, abusive port scanning looking for vulnerabilities occurred from every one of these IP addresses. Outside of multi-port reconnaissance scanning, attackers were looking for the following open services on Russian systems:
- RFB/VNC port 5900
- Microsoft SMB port 445
- Swiss Exchange service port 7326
- HTTP/S ports 80, 443, 8080
- SSH port 22, 2222
- Telnet port 23
- SMTP port 25
- MS SQL port 1433
After scanning for these open services, attackers conducted credential stuffing attacks on RFB/VNC port 5900, SSH port 22, and Telnet port 23 (common with IoT bot building). The port 5900 attacks were new activity we noticed earlier in the summer, and they continued through October 31, 2019. We have opened up a public threat hunting investigation on Twitter to uncover what is going on with these attacks and will be looking to share our findings and ask questions soon. Join the conversation on Twitter.
The following table is in descending order of attack count, starting with top attacking IP addresses; it includes the attack types each IP address launched.
| Source IP address | Normalized Attack Count | Attack Type | ASN Organization | Country |
|---|---|---|---|---|
| 71.46.230.178 | 438,148.6 | Port Scanning: SWX / ICB port 7326 | Charter Communications | United States |
| 193.233.63.46 | 372,510.5 | Port Scanning: 59 unique ports | Smart Telecom S.A.R.L | Argentina |
| 217.19.18.4 | 208,530.3 | Port Scanning: SWX / ICB port 7326 | Cambrium IT Services B.V. | Netherlands |
| 148.251.20.137 | 185,584.9 | Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 | Hetzner Online GmbH | Germany |
| 148.251.20.134 | 160,198.1 | Port Scanning: HTTPS port 443, SSH port 22, HTTP port 80, SMTP port 25 | Hetzner Online GmbH | Germany |
| 185.153.198.197 | 155,631.9 | Port Scanning: 29 unique ports; Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova |
| 46.105.144.48 | 141,357.8 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | France |
| 5.39.108.50 | 139,437.8 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | France |
| 92.118.37.67 | 136,175.7 | Port Scanning: 65506 unique ports | Donner Oleg Alexeevich | Romania |
| 185.153.197.251 | 134,490.5 | Port Scanning: 36 unique ports; Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova |
| 5.39.39.49 | 134,443.8 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | France |
| 95.90.230.133 | 132,925.1 | Port Scanning: SWX / ICB port 7326 | Vodafone Kabel Deutschland GmbH | Germany |
| 69.14.153.121 | 132,527.0 | Port Scanning: SWX / ICB port 7326 | WideOpenWest Finance LLC | United States |
| 74.88.7.125 | 121,165.9 | Port Scanning: SWX / ICB port 7326 | Cablevision Systems Corp. | United States |
| 88.147.99.15 | 105,461.9 | Port Scanning: SWX / ICB port 7326 | EOLO S.p.A. | Italy |
| 5.153.2.228 | 105,343.8 | Port Scanning: 66 unique ports | SoftLayer Technologies | Netherlands |
| 23.115.65.92 | 104,834.9 | Port Scanning: Signet CTF port 2733 | AT&T Services | United States |
| 5.153.18.254 | 91,456.5 | Port Scanning: 66 unique ports | SoftLayer Technologies | Netherlands |
| 72.69.11.97 | 89,193.0 | Port Scanning: SWX / ICB port 7326 | MCI Communications d/b/a Verizon | United States |
| 130.198.67.114 | 82,488.1 | Port Scanning: 64 unique ports | SoftLayer Technologies | United States |
| 169.54.190.139 | 81,127.8 | Port Scanning: 64 unique ports | SoftLayer Technologies | United States |
| 192.250.197.246 | 78,858.4 | Port Scanning: 20 unique ports; Credential Stuffing: SSH port 22 | CNSERVERS LLC | United States |
| 46.5.229.231 | 75,498.9 | Port Scanning: SWX / ICB port 7326 | Liberty Global B.V. | Germany |
| 218.237.65.80 | 69,210.3 | Port Scanning: SSH port 22, HTTPS port 443, 53, 80 | SK Broadband Co Ltd | South Korea |
| 212.80.217.139 | 68,745.7 | Port Scanning: 6 unique ports; Credential Stuffing: RFB/VNC port 5900 | Serverius Holding B.V. | Netherlands |
| 185.40.13.3 | 55,132.2 | Port Scanning: 51 unique ports | GTECH S.p.A. | Italy |
| 141.98.11.12 | 52,842.2 | Port Scanning: 35159 unique ports | UAB Host Baltic | Lithuania |
| 185.222.211.54 | 51,893.8 | Port Scanning: 30054 unique ports | Alviva Holding Limited | United Kingdom |
| 37.4.253.50 | 49,220.5 | Port Scanning: SWX / ICB port 7326 | Vodafone Kabel Deutschland GmbH | Germany |
| 211.44.226.158 | 438,148.6 | Port Scanning: 48 unique ports | SK Broadband Co Ltd | South Korea |
| 112.175.124.2 | 372,510.5 | Port Scanning: 61 unique ports | Korea Telecom | South Korea |
| 185.82.220.115 | 208,530.3 | Port Scanning: MS SMB port 445, HTTP port 80, MS SQL port 1433, HTTP port 8080, port 7001; HTTP Attacks: Alt-HTTP port 8080 | Dgn Teknoloji A.s. | Turkey |
| 112.175.127.189 | 185,584.9 | Port Scanning: 48 unique ports | Korea Telecom | South Korea |
| 72.69.223.115 | 160,198.1 | Unknown | MCI Communications d/b/a Verizon | United States |
| 5.178.83.125 | 155,631.9 | Port Scanning: 23515 unique ports | Selectel | Russia |
| 213.33.244.218 | 141,357.8 | Port Scanning: port 7001, MS SQL port 1433, HTTP port 80, MS RDP port 445; HTTP Attacks: Alt-HTTP port 8080; Malware Uploads: MS SMB port 445 | OOO Tecom | Russia |
| 198.245.60.31 | 139,437.8 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | OVH SAS | Canada |
| 213.170.88.82 | 136,175.7 | Port Scanning: MS SMB port 445, port 7001, MS SQL port 1433 | Quantum CJSC | Russia |
| 189.125.110.234 | 134,490.5 | Port Scanning: SSH port 22, Telnet port 23, Alt-SSH port 2222; Credential Stuffing: Telnet port 23 | Level 3 Parent | Brazil |
| 109.226.179.245 | 134,443.8 | Port Scanning: SWX / ICB port 7326 | TELTA Citynetz GmbH | Germany |
| 134.209.52.246 | 132,925.1 | Port Scanning: RFB/VNC port 5900 | Digital Ocean | United States |
| 185.254.122.21 | 132,527.0 | Port Scanning: 17887 unique ports | UGB Hosting OU | Russia |
| 80.179.140.36 | 121,165.9 | Port Scanning: port 7001, MS SQL port 1433, MS SMB port 445 | Partner Communications Ltd. | Israel |
| 185.254.122.8 | 105,461.9 | Port Scanning: 20289 unique ports | UGB Hosting OU | Russia |
| 185.156.177.44 | 105,343.8 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Hostkey B.v. | Russia |
| 185.153.196.159 | 104,834.9 | Port Scanning: 23 unique ports; Credential Stuffing: RFB/VNC port 5900 | RM Engineering | Moldova |
| 193.188.22.114 | 91,456.5 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900, SSH port 22 | Hostkey B.v. | Russia |
| 185.156.177.11 | 89,193.0 | Port Scanning: RFB/VNC port 5900; Credential Stuffing: RFB/VNC port 5900 | Hostkey B.v. | Russia |
| 194.187.175.68 | 82,488.1 | Port Scanning: 45 unique ports | GTECH S.p.A. | Italy |
| 14.29.179.99 | 81,127.8 | Port Scanning: SMTP port 25 | China Telecom (Group) | China |
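The attack-type labels in the table above (a scan of N unique ports, a single-service scan named after its port, and credential stuffing on RFB/VNC, SSH or Telnet) can be reproduced from a defender's own sensor or honeypot logs. The following is an added example, not F5 Labs or Baffin Bay Networks code; the log line format, the event names (`SYN`, `LOGIN_FAIL`), the sample addresses and the two thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Service names for the ports the report calls out in its attack-type table.
SERVICE_NAMES = {
    445: "MS SMB", 7326: "SWX / ICB", 80: "HTTP", 443: "HTTPS", 8080: "Alt-HTTP",
    22: "SSH", 2222: "Alt-SSH", 23: "Telnet", 25: "SMTP", 1433: "MS SQL",
    5900: "RFB/VNC", 2733: "Signet CTF",
}
# Ports on which the report observed credential stuffing after scanning.
CRED_STUFF_PORTS = {5900, 22, 23}
SCAN_LABEL_THRESHOLD = 5    # assumption: more than 5 distinct ports -> "N unique ports"
STUFF_LOGIN_THRESHOLD = 3   # assumption: 3+ failed logins on one port -> credential stuffing


def parse_line(line):
    """Parse a constructed sensor line: '<timestamp> <src_ip> <dst_port> <event>'."""
    _ts, src, port, event = line.split()
    return src, int(port), event


def port_name(port):
    """Render a port the way the report does: 'SSH port 22' or just 'port 7001'."""
    name = SERVICE_NAMES.get(port)
    return f"{name} port {port}" if name else f"port {port}"


def classify(lines):
    """Return {src_ip: {'events': n, 'attack_types': [labels]}} for each source."""
    hits = defaultdict(Counter)     # src -> port -> connection attempts
    failed = defaultdict(Counter)   # src -> port -> failed logins
    for line in lines:
        if not line.strip():
            continue
        src, port, event = parse_line(line)
        hits[src][port] += 1
        if event == "LOGIN_FAIL" and port in CRED_STUFF_PORTS:
            failed[src][port] += 1

    report = {}
    for src, ports in hits.items():
        labels = []
        if len(ports) > SCAN_LABEL_THRESHOLD:
            labels.append(f"Port Scanning: {len(ports)} unique ports")
        else:
            # Few ports: name them, most-hit first, like the report's table.
            labels.append("Port Scanning: " + ", ".join(port_name(p) for p, _ in ports.most_common()))
        stuffed = [port_name(p) for p, n in failed[src].most_common() if n >= STUFF_LOGIN_THRESHOLD]
        if stuffed:
            labels.append("Credential Stuffing: " + ", ".join(stuffed))
        report[src] = {"events": sum(ports.values()), "attack_types": labels}
    return report


# Constructed sample log (documentation-range addresses, not real attackers).
SAMPLE_LOG = """\
2019-10-01T00:00:01Z 203.0.113.10 7326 SYN
2019-10-01T00:00:02Z 203.0.113.10 7326 SYN
2019-10-01T00:00:03Z 198.51.100.7 21 SYN
2019-10-01T00:00:04Z 198.51.100.7 80 SYN
2019-10-01T00:00:05Z 198.51.100.7 443 SYN
2019-10-01T00:00:06Z 198.51.100.7 445 SYN
2019-10-01T00:00:07Z 198.51.100.7 1433 SYN
2019-10-01T00:00:08Z 198.51.100.7 3389 SYN
2019-10-01T00:00:09Z 198.51.100.7 8080 SYN
2019-10-01T00:00:10Z 198.51.100.7 5900 LOGIN_FAIL
2019-10-01T00:00:11Z 198.51.100.7 5900 LOGIN_FAIL
2019-10-01T00:00:12Z 198.51.100.7 5900 LOGIN_FAIL
2019-10-01T00:00:13Z 192.0.2.55 22 SYN
2019-10-01T00:00:14Z 192.0.2.55 23 LOGIN_FAIL
2019-10-01T00:00:15Z 192.0.2.55 23 LOGIN_FAIL
2019-10-01T00:00:16Z 192.0.2.55 23 LOGIN_FAIL
2019-10-01T00:00:17Z 192.0.2.55 22 LOGIN_FAIL
"""

if __name__ == "__main__":
    result = classify(SAMPLE_LOG.splitlines())
    # Print in descending order of event count, as the report's table is ordered.
    for src, info in sorted(result.items(), key=lambda kv: -kv[1]["events"]):
        print(f"{src:<16} {info['events']:>5}  {'; '.join(info['attack_types'])}")
```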
Top Targeted Ports
SMB port 445 was the number one attacked port in Russia (consistent with global attack activity since the EternalBlue exploit was released in April 2017). In a close second was the Swiss Exchange port 7326, which is very interesting given the potential financial implications and the fact that this was not a top attacked port anywhere else in the world during this time period. (Other ports attacked on Russian systems during this time period that were not attacked in other regions include Signet CTF port 2733 and port 21455.)
SSH port 22 in the third position was another top attacked port globally, because vendor default credentials used to remotely administer applications over SSH are known to attackers. For a list of top attacked SSH credentials, see this F5 Labs article about the top attacked credentials. SMB port 445 and SSH port 22 are commonly targeted because exploiting a vulnerability on either port (especially SMB port 445 when using the EternalBlue exploit) can give a malicious actor access to the entire system.
RFB / VNC port 5900 scanning and credential stuffing, which were conducted against systems all over the world, are not typical, hence the investigative threat hunting we are doing on Twitter. The remaining top targeted ports—all web application, access, and email ports—clearly indicate attackers went after applications and access to applications in Russia (as they did all across the world).
Conclusion
In general, the best approach a security team can take as defenders in this modern threat landscape is one of “assume breach.” This is not a FUD (fear, uncertainty, and doubt) position; it is a realistic position backed up by the volume of attack traffic all systems touching the Internet receive, the likelihood of vulnerabilities existing, and the number of compromised credentials available to attackers. When you take an “assume breach” defensive position, you are collecting attack traffic and monitoring your logs. You can use this high-level attack data to compare against the attack traffic directly hitting your own network. This will help you rule out run-of-the-mill attack traffic, or help you determine whether or not you are being targeted, in which case investigating the attack sources and patterns is a worthwhile activity.
Locking down any of the top targeted ports that do not absolutely require unfettered Internet access should be completed as soon as possible. And because default vendor credentials are known by attackers, all systems should be hardened before being deployed and protected with multi-factor authentication.
Additionally, the volume of breached credentials in 2017 was so large that usernames and passwords should be considered “public”; therefore, all organizations should have credential stuffing protection in place, particularly for any system with remote authentication. See the F5 Labs report Lessons Learned from a Decade of Data Breaches for more data on these breached passwords.
Security Controls
To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:
- Use firewalls to restrict unnecessary access to commonly attacked and publicly exposed ports.
- Use a web application firewall to protect against common web application attacks.
- Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH).
- Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
- For remote administration, migrate from Telnet to SSH and implement brute force restrictions.
- Disable vendor default credentials on all systems.
- Implement multi-factor authentication on all remote administrative access and any web login.
- Implement geo IP address blocking of commonly attacking countries that your organization does not need to communicate with.
- Enforce system hardening and test all systems for the existence of vendor default credentials (commonly used in SSH brute force attacks).
- Conduct security awareness training to ensure employees know how systems and data are targeted, and specifically how they are targeted with phishing attacks that can lead to credential theft, malware, and breaches.