Europe as a region stood for a conspicuously high volume of attacks by hosting the largest share of in-region IP addresses distributing malicious traffic. Europe also hosts the top attacking Automatic System (AS208091) attributable to Xhost Internet Solutions, an organization with links to Russia. This finding supports the notion that Russian entities continue to be key players in the cyberthreat domain.
In contrast, the United States was the most active source traffic country and also hosts the second most active attacking ASN, Digitalocean.
The records expose large discrepancies in many of the datasets pertaining to counts of events, where the difference between the top 1 and top 2, as well as top 1 and top 10, are often conspicuously high.
1. Top attacking IP addresses
1.1 Global
The top ten IP addresses attacking systems worldwide can all be assigned to Europe.[1] An IP address from Estonia had the highest count of malicious activity with almost 13 million reported events. In total, three Estonian IP addresses, sharing the same Automatic System Number (ASN), were represented in the top 10 list. This particular ASN, AS208091, further belongs to half of the most active IP addresses represented in the global dataset. By total count, AS208091 was involved in over 30 million malicious events during the time period. AS208091 can be attributed to XHOST Internet Solutions, an organization with registered companies in the United Kingdom, Netherlands and Russia. Despite the high attack frequency, AS208091 does not feature on generic ASN-blacklists and exhibits a low fraud-rate.[2]
100% of the top ten IP addresses were engaged in credential stuffing and port scanning, indicating that vulnerability-searching activities were prominent in the threat landscape during Q3.
[1] Russia is included in the European dataset
[2] E.g. https://cleantalk.org/blacklists/asn
Table 1: Top attacking IP addresses globally
|
IP |
Activity type |
ASN |
Country |
% |
Count |
|
185.73.125.94 |
Credential stuffing Port scanning |
208091 |
Estonia |
3% |
12.94 Mil |
|
87.251.67.229 |
Credential stuffing Port scanning |
208091 |
Poland |
1.62% |
6.98 Mil |
|
31.43.185.65 |
Credential stuffing Port scanning |
211736 |
Ukraine |
1.39% |
5.99 Mil |
|
79.124.58.138 |
Credential stuffing Port scanning |
50360 |
Bulgaria |
1.35% |
5.82 Mil |
|
185.11.61.122 |
Credential stuffing Port scanning |
57523 |
Russia |
5.37% |
5.37 Mil |
|
185.73.124.20 |
Credential stuffing Port scanning |
208091 |
Estonia |
4.88% |
4.88 Mil |
|
79.124.49.58 |
Credential stuffing Port scanning |
50360 |
Bulgaria |
4.86% |
4.86 Mil |
|
79.124.59.130 |
Credential stuffing HTTP attacks Port scanning |
50360 |
Bulgaria |
4.80% |
4.80 Mil |
|
185.73.124.159 |
Credential stuffing Port scanning |
208091 |
Estonia |
1.04% |
4.50 Mil |
|
185.73.124.160 |
Credential stuffing Port scanning |
208091 |
Estonia |
1.01% |
4.34 Mil |
1.2 Europe
As displayed in the table above, all of the 10 most active attacking IP addresses on a global scale originate from Europe, rendering the result for a regional European analysis identical to the global dataset.
1.3 Oceania
In the region of Oceania, all of the top five attacking IP addresses share the same ASN, which belongs to an American host, DigitalOcean-ASN. As opposed to the global and European trend, where port scanning and credential stuffing jointly comprise the activity fingerprint of the top attacking IP address, Oceania primarily saw port scanning. Generally, attack counts are low in comparison to other regions such as Europe, North America and Asia.
Table 2: top attacking IP addresses in Oceania
|
IP |
Activity type |
ASN |
Country |
Count |
|
170.64.188.173 |
Port scanning |
14061 |
Australia |
130,057 |
|
170.64.163.222 |
Port scanning |
14061 |
Australia |
116,817 |
|
170.64.182.111 |
Credential stuffing |
14061 |
Australia |
114,956 |
|
170.64.178.6 |
Port scanning |
14061 |
Australia |
81,808 |
|
170.64.167.34 |
Port scanning |
14061 |
Australia |
58,003 |
1.4 North America
All top five IP addresses in North America and Oceania share the same ASN-number, 14061 (DigitalOcean-ASN) making it the most common ASN among unique IP addresses when comparing the top 5-lists of each region and. Open source intelligence on DigitalOcean-ASN reveals that the organization is labeled as a fraud-risk and potential vulnerability.
Table 3: top attacking IP addresses in North America
|
IP |
Activity type |
ASN |
Country |
Count |
|
104.236.1.59 |
Port scanning |
14061 |
United States |
1,820,975 |
|
161.35.109.85 |
Port scanning |
14061 |
United States |
1,677,192 |
|
167.99.127.131 |
Port scanning |
14061 |
United States |
1,676,538 |
|
137.184.50.236 |
Port scanning |
14061 |
United States |
1,565,015 |
|
161.35.62.151 |
Port scanning |
14061 |
United States |
1,494,103 |
1.5 South America
Top South American attacking IP-addresses exhibit a variation in terms of AS-numbers and country of origin. However, the counts of individual attacks among the top 5 addresses display much less variation compared to other regions.
Table 4: top attacking IP addresses in South America
|
IP |
Activity type |
ASN |
Country |
Count |
|
177.222.57.2 |
Port scanning |
27882 |
Bolivia |
246,373 |
|
181.65.138.129 |
Port scanning |
6147 |
Peru |
244,001 |
|
190.202.116.29 |
Port scanning |
8048 |
Venezuela |
239,088 |
|
189.58.124.181 |
Port scanning |
18881 |
Brazil |
196,733 |
|
200.75.2.138 |
Port scanning |
14259 |
Chile |
191,715 |
1.6 Asia
The IP address topping the Asian list has the autonomous system number 209559, which can be assigned to XHOST Internet solutions. However this ASN controlled by XHOST has substantially less IPv4 numbers than AS208091. Another observation in the Asian dataset is that none of the top 5 IP addresses originate from China, despite it being the third most active source traffic country (see table 13).
Table 5: top attacking IP addresses in Asia
|
IP |
Activity type |
ASN |
Country |
Count |
|
80.66.83.124 |
Credential stuffing |
209559 |
India |
3,714,976 |
|
115.84.224.194 |
Port scanning |
9658 |
Philippines |
2,099,711 |
|
51.79.177.90 |
Credential stuffing |
16276 |
Singapore |
1,191,976 |
|
80.66.83.207 |
Credential stuffing Port scanning |
209559 |
India |
1,174,608 |
|
52.231.141.112 |
Port scanning |
8075 |
South Korea |
955,380 |
1.7 Africa
The top 5 IP addresses from Africa exhibit variation both in terms of country and ASNs. Attack counts are low in comparison to other regions such as Europe, North America and Asia.
Table 6: top attacking IP addresses in Africa
|
IP |
Activity type |
ASN |
Country |
Count |
|
185.56.83.110 |
Port scanning |
211720 |
Seychelles |
169,965 |
|
156.38.84.121 |
Port scanning Credential stuffing |
36924 |
Togo |
167,866 |
|
102.219.212.82 |
Port scanning Malware |
328852 |
Nigeria |
157,621 |
|
41.33.131.108 |
Port scanning Malware |
8452 |
Egypt |
121,857 |
|
41.214.134.199 |
Port scanning Credential stuffing |
36925 |
Morocco |
73,669 |
2. Credential Stuffing
2.1 Top credential stuffing sources
All of the IP addresses behind the top 10-credential stuffing sources appear in table 1 (most active attacking IP addresses globally). Interestingly, these sources together account for just over 15% of the total amount of recorded credential stuffing events, indicating that the amount of malicious IP addresses engaging in credential stuffing during Q3 was high.
Table 7: Top credential stuffing sources
|
Events |
IP |
Country |
% |
|
6,471,956 |
185.73.125.94 |
Estonia |
3.29 |
|
3,479,730 |
87.251.67.229 |
Poland |
1.77 |
|
2,995,976 |
31.43.185.65 |
Ukraine |
1.52 |
|
2,910,255 |
79.124.58.138 |
Bulgaria |
1.48 |
|
2,686,216 |
185.11.61.122 |
Russia |
1.37 |
|
2,528,733 |
79.124.59.130 |
Bulgaria |
1.29 |
|
2,481,500 |
185.73.124.20 |
Estonia |
1.26 |
|
2,385,173 |
79.124.49.58 |
Bulgaria |
1.21 |
|
2,192,550 |
185.73.124.159 |
Estonia |
1.12 |
2.2 Top values of passwords used in credential stuffing
The top password, 345gs5662d34, and its variant 3245gs5662d34, have circulated in credential stuffing attacks since 2022, exceeding other well-known and common passwords such as ‘’admin’’, ‘’root’’ and ‘’12345’’. It also appears as the second most frequent username used in credential stuffing attacks for the same time period.
Table 8: top values of passwords used in credential stuffing
|
Password |
Count of records |
|
345gs5662d34 |
1,357,546 |
|
3245gs5662d34 |
1,356,330 |
|
123456 |
452,512 |
|
admin |
306,549 |
|
123 |
136,392 |
|
password |
112,559 |
|
1234 |
92,567 |
|
12345 |
61,959 |
|
1 |
54,197 |
|
root |
49,648 |
|
Other passwords |
7,937,329 |
3. DDoS Attacks
3.1 Top DDoS reflection attack sources
Among DDoS reflection-attacks, a lot of variation is displayed in terms of ASNs, compared to e.g. credential stuffing, where we saw a lot of activity from one particular ASN (XHOST-IS). The top 6 IP addresses have each been involved in six (6) unique attacks.
Table 9: Top DDoS reflection attack sources
|
IP |
ASN |
Unique attacks |
|
200.52.82.122 |
14178 |
6 |
|
99.209.8.66 |
812 |
6 |
|
103.151.47.211 |
136969 |
6 |
|
24.37.22.22 |
5769 |
6 |
|
81.5.111.29 |
25100 |
6 |
|
148.101.179.182 |
6400 |
6 |
|
190.121.129.115 |
27951 |
5 |
|
109.73.241.46 |
51336 |
5 |
|
124.105.75.251 |
9299 |
5 |
|
95.182.107.138 |
212999 |
5 |
3.2 Top DDoS botnet-sources
An examination of top DDoS-botnet sources shows significantly less variation in terms of ASN compared to reflection-attacks, with ASN20940 (Akamai International B.V) accounting for 80% of the top 10-list. Interestingly, Akamai has not featured in any other top-10 list in this report.
A pattern that emerges is a correlation between vector and size of bytes + packets; TCP_SYN displayed a higher volume of both bytes and packets compared to other variants.
Table 10: top DDoS botnet-sources
|
IP |
ASN |
Vector |
Unique attacks |
Bytes |
Packets |
|
172.234.41.244 |
20940 |
TCP_PSHACK |
1 |
28 Mb |
42K |
|
172.234.41.244 |
20940 |
TCP_SYN |
1 |
23 Gb |
35M |
|
172.234.41.42 |
20940 |
TCP_ACK |
1 |
24 Mb |
36K |
|
172.234.41.42 |
20940 |
TCP_SYN |
1 |
22.8 Gb |
34M |
|
185.78.76.79 |
719 |
TCP_ACK |
1 |
27.9 Mb |
42K |
|
185.78.76.79 |
719 |
TCP_SYN |
1 |
43.8 Gb |
66M |
|
2.21.240.119 |
20940 |
TCP |
1 |
327 Mb |
22K |
|
2.21.240.119 |
20940 |
TCP_ACK |
1 |
1.7 Gb |
18K |
|
2.21.240.119 |
20940 |
TCP_PSHACK |
1 |
3.7 Gb |
3,5K |
|
2.21.240.119 |
20940 |
TCP_SYN |
1 |
43.8 Gb |
64M |
4. Top Spam Sources
25% of the top SPAM sources originate from the same source, namely AS17447, assigned to net4India. 50% of the IP addresses can be attributed to the United States.
As opposed to the top credential stuffing sources, the total percentage of the top spam sources account for over 90% of all recorded spam activity.
|
events |
ip |
ASN |
percentage |
Country |
|
129645 |
147.78.103.137 |
17447 |
48.7 |
United States |
|
66746 |
93.123.118.151 |
211252 |
25.0 |
Netherlands |
|
16163 |
23.148.146.157 |
46664 |
6.07 |
United States |
|
14892 |
197.211.59.135 |
328309 |
5.59 |
Nigeria |
|
9292 |
87.120.88.27 |
44477 |
3.49 |
France |
|
2883 |
85.208.139.163 |
44477 |
1.08 |
France |
|
2071 |
147.78.103.153 |
17447 |
0.777 |
United States |
|
1898 |
147.78.103.17 |
17447 |
0.712 |
United States |
|
1495 |
147.78.103.38 |
17447 |
0.561 |
United States |
5. Malware
5.1 Most active generic Malware
- Variation in terms of country and ASN
- Much less Europe-concentrated than other attack types
Table 11: Most active generic malware
|
Events |
IP |
Country |
ASN |
% |
|
832 |
181.49.176.37 |
Colombia |
14080 |
0.145 |
|
566 |
212.252.87.195 |
Turkey |
34984 |
0.0986 |
|
494 |
217.64.22.114 |
Azerbaijan |
28787 |
0.0861 |
|
406 |
67.216.105.95 |
United States |
23158 |
0.0707 |
|
396 |
190.202.85.115 |
Venezuela |
8048 |
0.0690 |
|
389 |
223.95.207.4 |
China |
56041 |
0.0678 |
|
367 |
103.167.74.151 |
India |
133232 |
0.0639 |
|
358 |
123.253.163.245 |
India |
45117 |
0.0624 |
|
325 |
69.165.41.152 |
United States |
23158 |
0.0566 |
5.2 Most active IOT Malware
A big gap in the number of attacks can be observed between the first and tenth most active IOT malware. All of the recorded top IOT Malware sources were Mirai trojans.
Table 12: most active IOT malware
|
Hash (SHA-256) |
Type of malware |
Count |
|
4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7 |
Mirai |
6,709 |
|
f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8 |
Mirai |
1,299 |
|
12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef |
Mirai |
1,191 |
|
b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605 |
Mirai |
1,041 |
|
ca35f2e3b3f297c371f0a58398cb43e24c1d1419f08baff9b9223b9032ccf4c1 |
Mirai |
757 |
|
2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6 |
Mirai |
299 |
|
64cd497a29a6801daa66b3ca23b63a1355b0b84fdf5a23a12810b88685b22f63 |
Mirai |
286 |
|
9e0a15a4318e3e788bad61398b8a40d4916d63ab27b47f3bdbe329c462193600 |
Mirai |
209 |
|
606d278b2e75119296bf48721ae72deec87912742ce4d9920bf565521de4dcb0 |
Mirai |
192 |
|
feffd413c8d62736b7a15007b34056099858f8e02568d8ec9a6ebd4996626111 |
Mirai |
80 |
6. Most active source traffic countries
In contrast to the top attacking IP addresses, the most active source traffic countries[3] were not as concentrated in Europe, but more scattered. Russia, Estonia and Bulgaria can be found in the dataset, which corresponds with the result from malicious IP address-traffic. However, an IP address assigned to the US launched the most malicious traffic with 15% of the total activity count globally. In addition, there is some overlap between the results and the countries attributable to the most active automatic system numbers (China, United States, Russia, Bulgaria, Philippines). See table 14.
[3] Note: The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country.
Table 13: most active source traffic countries
|
Country |
Continent |
Hits |
% |
|
United States |
NA |
66.19 Mil |
15.37 |
|
Russia |
EU |
40.07 Mil |
9.30 |
|
China |
AS |
35.56 Mil |
8.26 |
|
Estonia |
EU |
30.64 Mil |
7.12 |
|
Bulgaria |
EU |
26.34 Mil |
6.12 |
|
India |
AS |
21.87 Mil |
5.08 |
|
Singapore |
AS |
16.67 Mil |
3.87 |
|
Philippines |
AS |
14.31 Mil |
3.32 |
|
Vietnam |
AS |
14.25 Mil |
3.31 |
7. Most active Attacking Organizations (ASNs)/Most active Autonomous System Number
As discussed in the first section, Xhost Internet Solutions was behind many of the most active attacking IP addresses globally. Additionally, Tamatiya EOOD (AS50360) accounted for 1⁄3 of the top IP addresses engaging in malicious activity. Digitalocean-ASN was also found to dominate attack traffic in two of the regional datasets (Oceania and North America). The top 10 attacking ASNs together stand for less than 50% of all recorded malicious activity in Q3, indicating that the threat landscape consists of a large variety of attacking organizations.
China hosts the largest number of unique attacking organizations (30% of top 10), although Europe and North America dominate in terms of the total number of hits.
Table 14: most active ASN
|
ASN |
AS Org |
Country |
Continent |
hits |
% |
|
AS208091 |
Xhost Internet Solutions Lp |
UK/NL/Russia |
EU |
49.17 Mil |
11.42 |
|
AS14061 |
DIGITALOCEAN-ASN |
United States |
NA |
44.28 Mil |
10.28 |
|
AS50360 |
Tamatiya EOOD |
Bulgaria |
EU |
24.69 Mil |
5.73 |
|
AS132203 |
Tencent Building, Kejizhongyi |
China |
AS |
11.16 Mil |
2.59 |
|
AS16276 |
OVH SAS |
France |
EU |
10.84 Mil |
2.52 |
|
AS45090 |
Shenzhen Tencent Computer Syst |
China |
AS |
10.54 Mil |
2.45 |
|
AS4134 |
Chinanet |
China |
AS |
10.23 Mil |
2.38 |
|
AS57523 |
Chang Way Technologies Co. Lim |
HongKong |
AS |
7.53 Mil |
1.75 |
|
AS9299 |
Philippine Long Distance Telep |
Philippines |
AS |
7.02 Mil |
1.63 |
|
AS202425 |
IP Volume inc |
Seychelles |
AF |
6.38 Mil |
1.48 |
8. Top Target Ports
Generally, most of the ports listed in the graph below are considered as vulnerabilities/not secure.
A notable gap can be observed in the percentage of hits between the top 1 and top 10 ports; top 5 provides perhaps the most indicative data on top targeted ports.
Credential stuffing the most common activity type when it comes to port scanning.
Table 15: Top Targeted Ports
|
port |
type |
Usage |
hits |
% |
|
22 |
credentialStuffing |
SSH |
85152696 |
19.8 |
|
5900 |
credentialStuffing |
VNC |
47324446 |
11.0 |
|
3389 |
credentialStuffing |
MS RDP |
38375682 |
8.91 |
|
2222 |
credentialStuffing |
SSH Alternate |
18490491 |
4.29 |
|
3306 |
credentialStuffing |
MySQL |
3717056 |
0.863 |
|
2223 |
credentialStuffing |
|
2639643 |
0.613 |
|
21 |
credentialStuffing |
FTP |
625112 |
0.145 |
|
445 |
malwareUploads |
SBM |
573892 |
0.133 |
|
443 |
httpAttacks |
SSL |
328087 |
0.0762 |
|
25 |
spam |
SMTP |
266481 |
0.0619 |
About the research
In this quarterly report Mastercard Threat Protection Research team, Shadowforce, shared its information gathered and collected using its own methods and Threat Intelligence.
Data represented in this report is collected using Mastercard Threat Protection global sensory network and conclusions drawn from customer attacks and active / passive scanning.
