Posted on 29-Sep-2020

ATTACK LANDSCAPE H2 2019

2019 wrapped up with high-impact ransomware attacks on enterprises, as well as continued high rates of attack traffic throughout our global network of honeypots. Honeypot traffic was driven by action aimed at the SMB and Telnet protocols, indicating continued attacker interest in the Eternal Blue vulnerability as well as plenty of infected IoT devices. The end of the year also served as the end of the decade, prompting a look back at where we’ve come since 2010.

In this report, we cover the attack traffic seen by our global network of honeypots over the last six months of 2019, as well as malware seen by our customer endpoints throughout the year. We also take a trip down memory lane, revisiting cyber security highlights of the decade.

HONEYPOT ATTACK TRAFFIC: WHO’S AFTER WHO?

In the first half of 2019, we documented[1] a jump in cyber attack traffic to our global network of honeypots from millions of hits to 2.9 billion. In the second half of the year, this frenetic pace of attack traffic continued but at a slightly reduced rate, with 2.8 billion hits to our servers. DDoS attacks drove this deluge, accounting for two thirds of the traffic.

[1] https://blog.f-secure.com/attack-landscape-h1-2019-iot-smb-traffic-abound/

Our honeypots are decoy servers set up in countries around the world to gauge trends and patterns in the global cyber attack landscape. Because honeypots are decoys not otherwise meant for real-world use, an incoming connection registered by a honeypot is either the result of a mistyped IP address, which is rather uncommon, or of the service being found during an attacker’s scans of the network or the internet.

99.9% of traffic to our honeypots is automated traffic coming from bots, malware and other tools. Attacks may come from any sort of infected connected device – a traditional computer, smartwatch or even IoT toothbrush can be a source.

Total Global Honeypot Attacks Per Period (chart data)

  Period    Hits
  H1 2017    246 M
  H2 2017    546 M
  H1 2018    231 M
  H2 2018    813 M
  H1 2019   2900 M
  H2 2019   2800 M

Top Source Countries H2 2019

The list of source countries must be taken with a grain of salt, as attackers can route their attacks through proxies in other countries to avoid identification by authorities.

In addition, we do not mean to imply that this activity is predominantly nation-state behavior. The majority of these attacks are instigated by cyber criminals who are carrying out DDoS attacks and sending malware for financial gain.

The country whose IP space played host to the greatest number of attacks was the US, followed by China and Russia. Germany, a regular to the top 10 list, dropped off the list to number 12 with 43 million attacks, while attacks from Ukraine’s IP space were enough to replace Germany in the number four spot.

Top Source Countries H2 2019 (chart data; the chart also shows the top targeted port per country)

  Rank  Country          Hits    Top targeted port
  1     USA              556 M   23
  2     China            430 M   1433
  3     Russia           335 M   22
  4     Ukraine          121 M   445
  5     Philippines       91 M   445
  6     United Kingdom    80 M   23
  7     Singapore         78 M   445
  8     Hong Kong         65 M   445
  9     France            55 M   23
  10    Netherlands       46 M   22

Top Source Countries H1 2019 (chart data)

  Rank  Country          Hits
  1     China            702 M
  2     United States    479 M
  3     Russia           381 M
  4     Germany          155 M
  5     Philippines      129 M
  6     Ukraine           92 M
  7     Netherlands       56 M
  8     Brazil            52 M
  9     Armenia           45 M
  10    India             44 M

Top Destination Countries H2 2019

Ukraine was the top attack destination, followed by China, Austria and the US. The top aggressors hitting Ukraine were the United States, Ukraine itself, and Russia. In the number two spot, the top countries hitting China were China itself, the United States and France, while Austria was hit by China, Russia and the United States. Attacks hitting the United States came primarily from the US, followed by Russia and China.

Top Destination Countries H2 2019 (chart data)

  Rank  Country          Hits
  1     Ukraine          357 M
  2     China            239 M
  3     Austria          230 M
  4     United States    190 M
  5     Netherlands      185 M
  6     Poland           161 M
  7     United Kingdom   136 M
  8     Italy            136 M
  9     Hungary          107 M
  10    Bulgaria          89 M

Top Destination Countries H1 2019 (chart data)

  Rank  Country          Hits
  1     United States    296 M
  2     Austria          294 M
  3     Ukraine          276 M
  4     United Kingdom   185 M
  5     Netherlands      160 M
  6     Italy            159 M
  7     Nigeria          119 M
  8     Poland           109 M
  9     Czechia          104 M
  10    Ireland           94 M

PORTS AND PROTOCOLS

Top TCP Ports Targeted H2 2019 (chart data)

  Port - Service     Hits
  445  - SMB         526 M
  23   - Telnet      523 M
  22   - SSH         490 M
  1433 - MSSQL       165 M
  Remaining bars, in the label order the extraction preserved: one port whose label is unreadable, 80 - HTTP, 20 - FTP, 3306 - MySQL, 25 - SMTP, 3389 - RDP; their values as extracted: 8.3 M, 3.9 M, 3.3 M, 2.6 M, 1.5 M, 0.7 M

Top TCP Ports Targeted H1 2019 (chart data)

  Port - Service     Hits
  23   - Telnet      760 M
  445  - SMB         556 M
  22   - SSH         456 M
  1433 - MSSQL       260 M
  3306 - MySQL       7.4 M
  80   - HTTP        3.8 M
  7547 - CWMP        2.3 M
  25   - SMTP        1.7 M
  20   - FTP         0.6 M
  5431 - park-agent  0.6 M

SMB port 445 took the position as most-targeted port over the period, indicating that, as in the first half of the year, attackers are still keen to use SMB worms and exploits such as Eternal Blue. For example, Trickbot, one of the top spam payloads we observed hitting endpoint devices, leverages Eternal Blue as a means of spreading. There were 526 million hits on SMB this period, slightly less than the previous period’s 556 million.

Top sources of SMB traffic (chart data): Philippines 85 M, China 81 M, Venezuela 41 M, Russia 38 M, Vietnam 37 M

Telnet was a close second with 523 million hits. While that’s a reduction from a high of 760 million in H1 of 2019, it’s a continued indicator that attacks on an ever-growing pool of IoT devices are still going strong. The ease with which attackers can acquire tools such as Mirai, which enable high-volume, low-sophistication attacks, continues to result in the compromise of large numbers of these poorly secured devices.

Top sources of Telnet hits (chart data): United States 247 M, Armenia 26 M, UK 19 M, Bulgaria 17 M, France 16 M

Malware found in honeypots

Most of the malicious traffic we see today is generated by Linux-based malware like Mirai.

  Backdoor.Linux.Mirai.wan
  Other:Malware-gen [Trj]
  HEUR:Backdoor.Linux.Mirai.ba
  HEUR:Backdoor.Linux.Mirai.b
  Trojan.Linux.Mirai.K!c
  Trojan.Linux.Mirai
  Backdoor.Linux.asqp

SQL-related attacks, which represent database attacks common in data breaches as well as attempts to spread cryptocurrency miners, remote access backdoors and ransomware, followed, with China the overwhelming source of attacks on MSSQL.

SSH on port 22 followed with 490 million hits. SSH enables secure remote access and is commonly associated with full administrative access, as well as IoT devices. Attacks against SSH represent attempts to brute-force credentials, which are too often vendor default credentials of applications and devices. Russia, as usual, played host to the source of most of these attacks.

Top Sources of SSH hits (chart data): Russia 263 M, Ireland 36 M, Germany 29 M, Netherlands 29 M, Bulgaria 14 M

Top 10 Passwords used in honeypots

A great way to see what attackers are interested in is to check out the list of passwords they use. The ever-present “admin” is predictably in first place. The number two password of the period, “vizxv,” is a default for Dahua DVRs, and two other passwords on the list, “1001chin” and “taZz@23495859”, represent the factory defaults for other embedded devices such as routers.

Brute forcing factory default usernames and passwords of IoT devices continues to be an effective method for recruiting these devices into botnets that can be used in DDoS attacks.

  1.  admin
  2.  vizxv
  3.  default
  4.  1001chin
  5.  sh
  6.  taZz@23495859
  7.  12345
  8.  password
  9.  ttnet
  10. root
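The per-port hit counts, the top-password list and the "who is hammering which service" view in this report are all aggregations over honeypot event logs. The script below is an added example of how a defender would produce those same views from their own honeypot; it is not F-Secure's tooling or data. It assumes Cowrie-style JSON event lines (one object per line with eventid, src_ip, dst_port and, for login attempts, username and password), and the sample events embedded in it are constructed for the demonstration, using RFC 5737 documentation addresses. The top-10 password list it checks against is the one printed above.

```python
"""Aggregate honeypot event lines by targeted port, attempted password and
noisy source, the way the per-port and top-password figures above are built.

Added example, not F-Secure's tooling. The input is modelled on Cowrie-style
JSON event lines (one object per line, with eventid / src_ip / dst_port and,
for login attempts, username / password); the sample events are constructed.
"""
import json
from collections import Counter

# The ten passwords the report lists for H2 2019. Several are vendor factory
# defaults (e.g. "vizxv" for Dahua DVRs, "1001chin" and "taZz@23495859" for
# other embedded devices), which is why seeing them in your logs is informative.
REPORT_TOP_PASSWORDS = frozenset({
    "admin", "vizxv", "default", "1001chin", "sh",
    "taZz@23495859", "12345", "password", "ttnet", "root",
})

# Service names for the ports the report discusses.
PORT_NAMES = {445: "SMB", 23: "Telnet", 22: "SSH", 1433: "MSSQL", 80: "HTTP"}

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

# Constructed sample log (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "dst_port": 23}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "dst_port": 23, "username": "root", "password": "vizxv"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "dst_port": 23, "username": "admin", "password": "admin"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.9", "dst_port": 445}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.9", "dst_port": 445}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.44", "dst_port": 22}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.44", "dst_port": 22, "username": "root", "password": "taZz@23495859"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.44", "dst_port": 22, "username": "root", "password": "hunter2"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.45", "dst_port": 22}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.45", "dst_port": 22, "username": "pi", "password": "admin"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.46", "dst_port": 22}
this line is corrupted and must be skipped rather than abort the run
"""


def parse_events(lines):
    """Parse JSON-per-line events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # honeypot logs get truncated; one bad line is not fatal
        if isinstance(event, dict) and "eventid" in event:
            events.append(event)
    return events


def top_ports(events, n=10):
    """Most-targeted destination ports, counted over connection events."""
    counts = Counter(e["dst_port"] for e in events
                     if e["eventid"] == "cowrie.session.connect")
    return counts.most_common(n)


def top_passwords(events, n=10):
    """Most-tried passwords across login attempts, successful or not."""
    counts = Counter(e["password"] for e in events
                     if e["eventid"] in LOGIN_EVENTS and "password" in e)
    return counts.most_common(n)


def known_default_share(events, known=REPORT_TOP_PASSWORDS):
    """Return (attempts using a password from `known`, total attempts)."""
    attempts = [e["password"] for e in events
                if e["eventid"] in LOGIN_EVENTS and "password" in e]
    return sum(p in known for p in attempts), len(attempts)


def brute_force_sources(events, threshold):
    """Source IPs with at least `threshold` failed logins, busiest first."""
    counts = Counter(e["src_ip"] for e in events
                     if e["eventid"] == "cowrie.login.failed")
    return [ip for ip, c in counts.most_common() if c >= threshold]


def describe_port(port):
    """Label a port the way the report's charts do, e.g. '445 - SMB'."""
    return f"{port} - {PORT_NAMES.get(port, 'other')}"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for port, hits in top_ports(evs):
        print(f"{describe_port(port):15} {hits}")
    for pw, hits in top_passwords(evs):
        print(f"{pw:15} {hits}")
    used, total = known_default_share(evs)
    print(f"{used}/{total} login attempts used a password from the report's top-10 list")
    print("sources with >= 2 failed logins:", brute_force_sources(evs, 2))
```

Run against a real Cowrie log the same functions give the per-port ranking and the password ranking shown in this report for a single sensor; the known-default share is the figure worth watching on an internal honeypot, because a high share means the attempts are generic IoT botnet recruitment rather than anything targeted at the organisation.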

THE YEAR IN MALWARE

When it comes to malware, we turn to our customer endpoints to see what’s happening in the wild.