“traffic directed towards U.S. systems. Both the U.S. and Russia are on the global list of top source traffic countries. IP addresses assigned in both of these countries were seen participating in the RFB/VNC port 5900 port scanning and credential stuffing, targeting all regio…”
T1071.001 Web Protocols
85%
“top source traffic countries.” IP addresses assigned to the U.S. launched the most malicious traffic against systems in the U.S. from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were: U.S., Russia, France, South Korea, Netherl…”
T1071.001 Web Protocols
83%
“combined 1.885 million normalized count of attack traffic to the region. - Rounding out the top 10 IP addresses sending malicious traffic to systems in the U.S. were those assigned to Moldova, France, Germany, and the U.S. These 10 IP addresses launched RFB/VNC port 5900 att…”
T1110.004 Credential Stuffing
82%
“force and credential stuffing attacks. The IP addresses in Moldova assigned to RM Engineering, as well as OVH SAS in France, were launching brute force and credential stuffing attacks against remote frame buffer (RFB)/VNC port 5900, globally. All regions of the world are bein…”
T1071.001 Web Protocols
66%
“ASNs are OVH SAS (from France) in third position, DigitalOcean LLC (from the Netherlands and the U.S.) in fourth position, and Amazon.com Inc. (from the U.S.) in fifth position. Amazon.com Inc. did not have any IP addresses on the 50 top attacking IP address list, which…”
T1110 Brute Force
66%
“over a quarter (26%) of the top 50 attacking IP addresses sending malicious traffic to U.S. systems only targeted the U.S. while 16% of that top 50 were seen sending malicious attack traffic to all other regions in the world. Figure 6: normalized attack count by IP address…”
T1046 Network Service Discovery
49%
“the IP addresses on the top 50 attacking IP addresses list were engaging in the same multi-port scanning behavior, many of which were American, Dutch, French, Russian, and Moldovan. 1 Similar to the top source traffic countries list, most of the top attacking IP addresses come …”
T1110 Brute Force
43%
“force and credential stuffing attacks. The IP addresses in Moldova assigned to RM Engineering, as well as OVH SAS in France, were launching brute force and credential stuffing attacks against remote frame buffer (RFB)/VNC port 5900, globally. All regions of the world are bein…”
T1071.001 Web Protocols
42%
“list, and only one IP address each from a handful of countries was seen in the top attacking source countries list. In the top attacking IP addresses list, one IP address assigned to Ireland launched a normalized 121,000 attacks. This means attacks coming from IP addresses assig…”
Summary
U.S. systems were heavily targeted by IP addresses in Russia, Moldova, and France that launched credential stuffing attacks on VNC port 5900 beginning in June 2019.