RiskRecon Threat Intelligence Report

The following report examines global attack traffic over a 90-day period, July 1, 2023 to September 30, 2023.

Research Timeline: Q3 2023

A total of 430 million malicious events were recorded by Baffin Bay Networks’ global sensory network. Port scanning accounted for the majority of these events (54%) followed by credential stuffing (46%) and malware uploads, spam and HTTP attacks (1%). The sensory network further detected 13 million unique attacks and 760,916 unique IP addresses engaging in malicious activity.

Europe as a region accounted for a conspicuously high volume of attacks, hosting the largest share of in-region IP addresses distributing malicious traffic. Europe also hosts the top attacking autonomous system (AS208091), attributable to Xhost Internet Solutions, an organization with links to Russia. This finding supports the notion that Russian entities continue to be key players in the cyberthreat domain.

In contrast, the United States was the most active source traffic country and also hosts the second most active attacking ASN, DigitalOcean.

The records expose large discrepancies in many of the datasets pertaining to event counts: the gap between the top 1 and top 2 entries, as well as between the top 1 and top 10, is often conspicuously large.

1. Top attacking IP addresses

1.1 Global

The top ten IP addresses attacking systems worldwide can all be assigned to Europe.[1] An IP address from Estonia had the highest count of malicious activity with almost 13 million reported events. In total, three Estonian IP addresses, sharing the same Autonomous System Number (ASN), were represented in the top 10 list. This particular ASN, AS208091, is also shared by half of the most active IP addresses in the global dataset. By total count, AS208091 was involved in over 30 million malicious events during the time period. AS208091 can be attributed to XHOST Internet Solutions, an organization with registered companies in the United Kingdom, the Netherlands and Russia. Despite the high attack frequency, AS208091 does not feature on generic ASN blacklists and exhibits a low fraud rate.[2]

All of the top ten IP addresses were engaged in both credential stuffing and port scanning, indicating that vulnerability-searching activities were prominent in the threat landscape during Q3.

[1] Russia is included in the European dataset

[2] E.g. https://cleantalk.org/blacklists/asn

Table 1: Top attacking IP addresses globally

| IP | Activity type | ASN | Country | % | Count |
| --- | --- | --- | --- | --- | --- |
| 185.73.125.94 | Credential stuffing, Port scanning | 208091 | Estonia | 3% | 12.94 Mil |
| 87.251.67.229 | Credential stuffing, Port scanning | 208091 | Poland | 1.62% | 6.98 Mil |
| 31.43.185.65 | Credential stuffing, Port scanning | 211736 | Ukraine | 1.39% | 5.99 Mil |
| 79.124.58.138 | Credential stuffing, Port scanning | 50360 | Bulgaria | 1.35% | 5.82 Mil |
| 185.11.61.122 | Credential stuffing, Port scanning | 57523 | Russia | 5.37% | 5.37 Mil |
| 185.73.124.20 | Credential stuffing, Port scanning | 208091 | Estonia | 4.88% | 4.88 Mil |
| 79.124.49.58 | Credential stuffing, Port scanning | 50360 | Bulgaria | 4.86% | 4.86 Mil |
| 79.124.59.130 | Credential stuffing, HTTP attacks, Port scanning | 50360 | Bulgaria | 4.80% | 4.80 Mil |
| 185.73.124.159 | Credential stuffing, Port scanning | 208091 | Estonia | 1.04% | 4.50 Mil |
| 185.73.124.160 | Credential stuffing, Port scanning | 208091 | Estonia | 1.01% | 4.34 Mil |

1.2 Europe

As displayed in the table above, all of the 10 most active attacking IP addresses on a global scale originate from Europe, rendering the result for a regional European analysis identical to the global dataset.

1.3 Oceania

In the region of Oceania, all of the top five attacking IP addresses share the same ASN, which belongs to an American host, DigitalOcean-ASN. Unlike the global and European trend, where port scanning and credential stuffing jointly comprise the activity fingerprint of the top attacking IP addresses, Oceania primarily saw port scanning. Generally, attack counts are low in comparison to other regions such as Europe, North America and Asia.

Table 2: Top attacking IP addresses in Oceania

| IP | Activity type | ASN | Country | Count |
| --- | --- | --- | --- | --- |
| 170.64.188.173 | Port scanning | 14061 | Australia | 130,057 |
| 170.64.163.222 | Port scanning | 14061 | Australia | 116,817 |
| 170.64.182.111 | Credential stuffing | 14061 | Australia | 114,956 |
| 170.64.178.6 | Port scanning | 14061 | Australia | 81,808 |
| 170.64.167.34 | Port scanning | 14061 | Australia | 58,003 |

1.4 North America

All top five IP addresses in North America and Oceania share the same ASN, 14061 (DigitalOcean-ASN), making it the most common ASN among unique IP addresses when comparing the top 5 lists of each region. Open source intelligence on DigitalOcean-ASN reveals that the organization is labeled as a fraud risk and potential vulnerability.

Table 3: Top attacking IP addresses in North America

| IP | Activity type | ASN | Country | Count |
| --- | --- | --- | --- | --- |
| 104.236.1.59 | Port scanning | 14061 | United States | 1,820,975 |
| 161.35.109.85 | Port scanning | 14061 | United States | 1,677,192 |
| 167.99.127.131 | Port scanning | 14061 | United States | 1,676,538 |
| 137.184.50.236 | Port scanning | 14061 | United States | 1,565,015 |
| 161.35.62.151 | Port scanning | 14061 | United States | 1,494,103 |

1.5 South America

The top South American attacking IP addresses vary in terms of AS numbers and country of origin. However, the attack counts of the top 5 addresses display much less variation compared to other regions.

Table 4: Top attacking IP addresses in South America

| IP | Activity type | ASN | Country | Count |
| --- | --- | --- | --- | --- |
| 177.222.57.2 | Port scanning | 27882 | Bolivia | 246,373 |
| 181.65.138.129 | Port scanning, Malware | 6147 | Peru | 244,001 |
| 190.202.116.29 | Port scanning, Malware | 8048 | Venezuela | 239,088 |
| 189.58.124.181 | Port scanning, Credential stuffing | 18881 | Brazil | 196,733 |
| 200.75.2.138 | Port scanning | 14259 | Chile | 191,715 |

1.6 Asia

The IP address topping the Asian list has the autonomous system number 209559, which can be assigned to XHOST Internet Solutions. However, this XHOST-controlled ASN holds substantially fewer IPv4 addresses than AS208091. Another observation in the Asian dataset is that none of the top 5 IP addresses originate from China, despite it being the third most active source traffic country (see table 13).

Table 5: Top attacking IP addresses in Asia

| IP | Activity type | ASN | Country | Count |
| --- | --- | --- | --- | --- |
| 80.66.83.124 | Credential stuffing, HTTP attacks, Port scanning | 209559 | India | 3,714,976 |
| 115.84.224.194 | Port scanning | 9658 | Philippines | 2,099,711 |
| 51.79.177.90 | Credential stuffing, Port scanning | 16276 | Singapore | 1,191,976 |
| 80.66.83.207 | Credential stuffing, Port scanning | 209559 | India | 1,174,608 |
| 52.231.141.112 | Port scanning | 8075 | South Korea | 955,380 |

1.7 Africa

The top 5 IP addresses from Africa exhibit variation both in terms of country and ASNs. Attack counts are low in comparison to other regions such as Europe, North America and Asia.

Table 6: Top attacking IP addresses in Africa

| IP | Activity type | ASN | Country | Count |
| --- | --- | --- | --- | --- |
| 185.56.83.110 | Port scanning, Credential stuffing | 211720 | Seychelles | 169,965 |
| 156.38.84.121 | Port scanning, Credential stuffing | 36924 | Togo | 167,866 |
| 102.219.212.82 | Port scanning, Credential stuffing, Malware | 328852 | Nigeria | 157,621 |
| 41.33.131.108 | Port scanning, Malware | 8452 | Egypt | 121,857 |
| 41.214.134.199 | Port scanning, Credential stuffing | 36925 | Morocco | 73,669 |

2. Credential Stuffing

2.1 Top credential stuffing sources

All of the IP addresses behind the top 10 credential stuffing sources appear in table 1 (most active attacking IP addresses globally). Interestingly, these sources together account for just over 15% of the total number of recorded credential stuffing events, indicating that the number of malicious IP addresses engaging in credential stuffing during Q3 was high.

Table 7: Top credential stuffing sources

| Events | IP | Country | % |
| --- | --- | --- | --- |
| 6,471,956 | 185.73.125.94 | Estonia | 3.29 |
| 3,479,730 | 87.251.67.229 | Poland | 1.77 |
| 2,995,976 | 31.43.185.65 | Ukraine | 1.52 |
| 2,910,255 | 79.124.58.138 | Bulgaria | 1.48 |
| 2,686,216 | 185.11.61.122 | Russia | 1.37 |
| 2,528,733 | 79.124.59.130 | Bulgaria | 1.29 |
| 2,481,500 | 185.73.124.20 | Estonia | 1.26 |
| 2,385,173 | 79.124.49.58 | Bulgaria | 1.21 |
| 2,192,550 | 185.73.124.159 | Estonia | 1.12 |

2.2 Top values of passwords used in credential stuffing

The top password, 345gs5662d34, and its variant 3245gs5662d34, have circulated in credential stuffing attacks since 2022, exceeding other well-known and common passwords such as "admin", "root" and "12345". It also appears as the second most frequent username used in credential stuffing attacks for the same time period.

Table 8: Top values of passwords used in credential stuffing

| Password | Count of records |
| --- | --- |
| 345gs5662d34 | 1,357,546 |
| 3245gs5662d34 | 1,356,330 |
| 123456 | 452,512 |
| admin | 306,549 |
| 123 | 136,392 |
| password | 112,559 |
| 1234 | 92,567 |
| 12345 | 61,959 |
| 1 | 54,197 |
| root | 49,648 |
| Other passwords | 7,937,329 |

3. DDoS Attacks

3.1 Top DDoS reflection attack sources

Among DDoS reflection attacks, a lot of variation is displayed in terms of ASNs, compared to e.g. credential stuffing, where we saw a lot of activity from one particular ASN (XHOST-IS). The top 6 IP addresses have each been involved in six (6) unique attacks.

Table 9: Top DDoS reflection attack sources

| IP | ASN | Unique attacks |
| --- | --- | --- |
| 200.52.82.122 | 14178 | 6 |
| 99.209.8.66 | 812 | 6 |
| 103.151.47.211 | 136969 | 6 |
| 24.37.22.22 | 5769 | 6 |
| 81.5.111.29 | 25100 | 6 |
| 148.101.179.182 | 6400 | 6 |
| 190.121.129.115 | 27951 | 5 |
| 109.73.241.46 | 51336 | 5 |
| 124.105.75.251 | 9299 | 5 |
| 95.182.107.138 | 212999 | 5 |

3.2 Top DDoS botnet-sources

An examination of top DDoS botnet sources shows significantly less variation in terms of ASN compared to reflection attacks, with AS20940 (Akamai International B.V.) accounting for 80% of the top 10 list. Interestingly, Akamai has not featured in any other top 10 list in this report.

A pattern that emerges is a correlation between attack vector and volume in bytes and packets: TCP_SYN displayed a higher volume of both bytes and packets compared to the other vectors.

Table 10: Top DDoS botnet sources

| IP | ASN | Vector | Unique attacks | Bytes | Packets |
| --- | --- | --- | --- | --- | --- |
| 172.234.41.244 | 20940 | TCP_PSHACK | 1 | 28 Mb | 42K |
| 172.234.41.244 | 20940 | TCP_SYN | 1 | 23 Gb | 35M |
| 172.234.41.42 | 20940 | TCP_ACK | 1 | 24 Mb | 36K |
| 172.234.41.42 | 20940 | TCP_SYN | 1 | 22.8 Gb | 34M |
| 185.78.76.79 | 719 | TCP_ACK | 1 | 27.9 Mb | 42K |
| 185.78.76.79 | 719 | TCP_SYN | 1 | 43.8 Gb | 66M |
| 2.21.240.119 | 20940 | TCP | 1 | 327 Mb | 22K |
| 2.21.240.119 | 20940 | TCP_ACK | 1 | 1.7 Gb | 18K |
| 2.21.240.119 | 20940 | TCP_PSHACK | 1 | 3.7 Gb | 3,5K |
| 2.21.240.119 | 20940 | TCP_SYN | 1 | 43.8 Gb | 64M |

4. Top Spam Sources

25% of the top spam sources originate from the same network, AS17447, assigned to net4India. 50% of the IP addresses can be attributed to the United States.

As opposed to the top credential stuffing sources, the total percentage of the top spam sources account for over 90% of all recorded spam activity.

| Events | IP | ASN | Percentage | Country |
| --- | --- | --- | --- | --- |
| 129645 | 147.78.103.137 | 17447 | 48.7 | United States |
| 66746 | 93.123.118.151 | 211252 | 25.0 | Netherlands |
| 16163 | 23.148.146.157 | 46664 | 6.07 | United States |
| 14892 | 197.211.59.135 | 328309 | 5.59 | Nigeria |
| 9292 | 87.120.88.27 | 44477 | 3.49 | France |
| 2883 | 85.208.139.163 | 44477 | 1.08 | France |
| 2071 | 147.78.103.153 | 17447 | 0.777 | United States |
| 1898 | 147.78.103.17 | 17447 | 0.712 | United States |
| 1495 | 147.78.103.38 | 17447 | 0.561 | United States |

5. Malware

5.1 Most active generic Malware
  • Variation in terms of country and ASN
  • Much less Europe-concentrated than other attack types

Table 11: Most active generic malware

| Events | IP | Country | ASN | % |
| --- | --- | --- | --- | --- |
| 832 | 181.49.176.37 | Colombia | 14080 | 0.145 |
| 566 | 212.252.87.195 | Turkey | 34984 | 0.0986 |
| 494 | 217.64.22.114 | Azerbaijan | 28787 | 0.0861 |
| 406 | 67.216.105.95 | United States | 23158 | 0.0707 |
| 396 | 190.202.85.115 | Venezuela | 8048 | 0.0690 |
| 389 | 223.95.207.4 | China | 56041 | 0.0678 |
| 367 | 103.167.74.151 | India | 133232 | 0.0639 |
| 358 | 123.253.163.245 | India | 45117 | 0.0624 |
| 325 | 69.165.41.152 | United States | 23158 | 0.0566 |

5.2 Most active IoT Malware

A big gap in the number of attacks can be observed between the first and tenth most active IoT malware. All of the recorded top IoT malware sources were Mirai trojans.

Table 12: Most active IoT malware

| Hash (SHA-256) | Type of malware | Count |
| --- | --- | --- |
| 4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7 | Mirai | 6,709 |
| f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8 | Mirai | 1,299 |
| 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef | Mirai | 1,191 |
| b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605 | Mirai | 1,041 |
| ca35f2e3b3f297c371f0a58398cb43e24c1d1419f08baff9b9223b9032ccf4c1 | Mirai | 757 |
| 2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6 | Mirai | 299 |
| 64cd497a29a6801daa66b3ca23b63a1355b0b84fdf5a23a12810b88685b22f63 | Mirai | 286 |
| 9e0a15a4318e3e788bad61398b8a40d4916d63ab27b47f3bdbe329c462193600 | Mirai | 209 |
| 606d278b2e75119296bf48721ae72deec87912742ce4d9920bf565521de4dcb0 | Mirai | 192 |
| feffd413c8d62736b7a15007b34056099858f8e02568d8ec9a6ebd4996626111 | Mirai | 80 |

6. Most active source traffic countries

In contrast to the top attacking IP addresses, the most active source traffic countries[3] were not as concentrated in Europe, but more scattered. Russia, Estonia and Bulgaria can be found in the dataset, which corresponds with the result from malicious IP address traffic. However, IP addresses assigned to the US launched the most malicious traffic, with 15% of the total activity count globally. In addition, there is some overlap between these results and the countries attributable to the most active autonomous system numbers (China, United States, Russia, Bulgaria, Philippines). See table 14.

[3] Note: The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country.

Table 13: Most active source traffic countries

| Country | Continent | Hits | % |
| --- | --- | --- | --- |
| United States | NA | 66.19 Mil | 15.37 |
| Russia | EU | 40.07 Mil | 9.30 |
| China | AS | 35.56 Mil | 8.26 |
| Estonia | EU | 30.64 Mil | 7.12 |
| Bulgaria | EU | 26.34 Mil | 6.12 |
| India | AS | 21.87 Mil | 5.08 |
| Singapore | AS | 16.67 Mil | 3.87 |
| Philippines | AS | 14.31 Mil | 3.32 |
| Vietnam | AS | 14.25 Mil | 3.31 |

7. Most active attacking organizations (Autonomous System Numbers, ASNs)

As discussed in the first section, Xhost Internet Solutions was behind many of the most active attacking IP addresses globally. Additionally, Tamatiya EOOD (AS50360) accounted for one third of the top IP addresses engaging in malicious activity. DigitalOcean-ASN was also found to dominate attack traffic in two of the regional datasets (Oceania and North America). The top 10 attacking ASNs together account for less than 50% of all recorded malicious activity in Q3, indicating that the threat landscape consists of a large variety of attacking organizations.

China hosts the largest number of unique attacking organizations (30% of top 10), although Europe and North America dominate in terms of the total number of hits.

Table 14: Most active ASNs

| ASN | AS Org | Country | Continent | Hits | % |
| --- | --- | --- | --- | --- | --- |
| AS208091 | Xhost Internet Solutions Lp | UK/NL/Russia | EU | 49.17 Mil | 11.42 |
| AS14061 | DIGITALOCEAN-ASN | United States | NA | 44.28 Mil | 10.28 |
| AS50360 | Tamatiya EOOD | Bulgaria | EU | 24.69 Mil | 5.73 |
| AS132203 | Tencent Building, Kejizhongyi | China | AS | 11.16 Mil | 2.59 |
| AS16276 | OVH SAS | France | EU | 10.84 Mil | 2.52 |
| AS45090 | Shenzhen Tencent Computer Syst | China | AS | 10.54 Mil | 2.45 |
| AS4134 | Chinanet | China | AS | 10.23 Mil | 2.38 |
| AS57523 | Chang Way Technologies Co. Lim | Hong Kong | AS | 7.53 Mil | 1.75 |
| AS9299 | Philippine Long Distance Telep | Philippines | AS | 7.02 Mil | 1.63 |
| AS202425 | IP Volume inc | Seychelles | AF | 6.38 Mil | 1.48 |

8. Top Target Ports

Generally, most of the ports listed in the table below are considered insecure or exposed services.

A notable gap can be observed in the percentage of hits between the top 1 and top 10 ports; the top 5 provides perhaps the most indicative data on top targeted ports.

Credential stuffing is the most common activity type observed against the top targeted ports.

Table 15: Top targeted ports

| Port | Type | Usage | Hits | % |
| --- | --- | --- | --- | --- |
| 22 | credentialStuffing | SSH | 85152696 | 19.8 |
| 5900 | credentialStuffing | VNC | 47324446 | 11.0 |
| 3389 | credentialStuffing | MS RDP | 38375682 | 8.91 |
| 2222 | credentialStuffing | SSH Alternate | 18490491 | 4.29 |
| 3306 | credentialStuffing | MySQL | 3717056 | 0.863 |
| 2223 | credentialStuffing | | 2639643 | 0.613 |
| 21 | credentialStuffing | FTP | 625112 | 0.145 |
| 445 | malwareUploads | SMB | 573892 | 0.133 |
| 443 | httpAttacks | SSL | 328087 | 0.0762 |
| 25 | spam | SMTP | 266481 | 0.0619 |

About the research

In this quarterly report Mastercard Threat Protection Research team, Shadowforce, shared its information gathered and collected using its own methods and Threat Intelligence.

Data represented in this report is collected using Mastercard Threat Protection global sensory network and conclusions drawn from customer attacks and active / passive scanning.
