One tactic commonly adopted by organizations to improve their security posture is to block traffic from countries where hackers are known to reside: Russia, China, and North Korea, for example. If a business has no dealings with those countries it is a sensible tactic, but one which could lead to a false sense of security. Hackers may be based in those countries, but that may not be where their command and control infrastructure is located. In fact, an analysis by Cato Networks suggests blocking network traffic to and from those countries could have little effect, as threat actors based in those countries host their C2 servers in countries that are generally considered ‘friendly’, such as the United States, Germany, and Japan.
An analysis of countries where cyberattacks originate revealed Russia and North Korea do not even make the top 5. Most attacks are launched from within the United States, with Venezuela in 2nd, China in 3rd, Germany in 4th place, and Japan in 5th place.
Cato Networks analyzed network flows across its Secure Access Service Edge (SASE) platform in Q1, 2021. Network flows are defined as any sequence of packets sharing a common source IP and port, destination IP and port, and protocol. In Q1, more than 200 billion traffic flows were analyzed for malicious traffic to identify exploitation attempts, malware beacons, hostile scans, and C2 communications. 16 billion events triggered its security controls in Q1, with its machine learning algorithms and data correlation identifying 181,000 high-risk flows and 19,000 verified security incidents.
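As an added illustration (not Cato's code or data), the snippet below groups constructed packet records into the 5-tuple flows defined above, flags beacon-like flows by the regularity of their inter-packet gaps, and uses a constructed IP-to-country map to show why a country block list alone misses a beacon to a C2 host in a ‘friendly’ country. All IPs, timestamps and the GEO map are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample packets: (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto).
# One periodic beacon to a host mapped to "US", one bursty browsing session to "DE",
# and a two-packet connection to a host mapped to "RU".
PACKETS = [
    (0.0,   "10.0.0.5", 51234, "203.0.113.10", 443, "tcp"),
    (60.5,  "10.0.0.5", 51234, "203.0.113.10", 443, "tcp"),
    (119.8, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp"),
    (180.3, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp"),
    (240.1, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp"),
    (5.0,   "10.0.0.5", 52000, "198.51.100.7", 443, "tcp"),
    (5.2,   "10.0.0.5", 52000, "198.51.100.7", 443, "tcp"),
    (9.0,   "10.0.0.5", 52000, "198.51.100.7", 443, "tcp"),
    (30.0,  "10.0.0.5", 52000, "198.51.100.7", 443, "tcp"),
    (31.5,  "10.0.0.5", 52000, "198.51.100.7", 443, "tcp"),
    (100.0, "10.0.0.7", 40000, "192.0.2.9", 8080, "tcp"),
    (101.0, "10.0.0.7", 40000, "192.0.2.9", 8080, "tcp"),
]
# Constructed IP-to-country map (hypothetical; a real deployment uses a geo-IP database).
GEO = {"203.0.113.10": "US", "198.51.100.7": "DE", "192.0.2.9": "RU"}
BLOCKED_COUNTRIES = {"RU", "CN", "KP"}

def flows(packets):
    """Group packets into flows keyed by the 5-tuple (src IP, src port, dst IP, dst port, proto)."""
    grouped = defaultdict(list)
    for ts, sip, sp, dip, dp, proto in packets:
        grouped[(sip, sp, dip, dp, proto)].append(ts)
    return dict(grouped)

def is_beacon(timestamps, min_packets=4, max_cv=0.1):
    """Flag a flow whose inter-packet gaps are near-constant: a low coefficient of
    variation (stdev / mean) of the gaps is the classic signature of a C2 beacon."""
    if len(timestamps) < min_packets:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def geo_blocked(flow_key):
    """Would a country block list applied to the destination IP have dropped this flow?"""
    return GEO.get(flow_key[2]) in BLOCKED_COUNTRIES

def triage(packets):
    """Per-flow verdict: what a geo-block catches versus what beacon analysis catches."""
    return {key: {"geo_blocked": geo_blocked(key), "beacon": is_beacon(ts)}
            for key, ts in flows(packets).items()}
```

Running `triage(PACKETS)` shows the US-hosted beacon flagged only by timing analysis, the RU flow caught only by the geo-block, and the browsing flow flagged by neither.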
In Q1, 5.7 billion network scans were identified, there were around 230 million attempts to communicate with domains with bad reputations, 74 million vulnerability scans via OpenVAS, Nessus, and others, 11.6 million events were triggered by malware, and 8.1 million web application attacks.
The report shows there has been a rise in the use of remote administration tools such as RDP, VNC, and TeamViewer. These are a major target for hackers, so it is essential that they are properly secured. Cato Networks identified an increase in attempts by threat actors to brute force passwords for those remote administration tools.
An analysis of the most common exploit attempts showed 3 of the top 5 targeted remote code execution vulnerabilities were PHP related: CVE-2017-9841 (377,721 attempts), CVE-2019-9082 (186,275), and CVE-2017-1001000 (125,794). The 4th most commonly exploited vulnerability, CVE-2020-8515 (43,640 attempts), is known to be exploited by nation state actors. Exploit attempts against vulnerabilities in vSphere, BIG-IP and Oracle WebLogic were also recorded in the thousands.
When new vulnerabilities are identified there is usually a rush to patch before they are exploited, but organizations need to ensure that older vulnerabilities are corrected. Cato Networks’ data shows scans for vulnerabilities more than 20 years old still feature in the top 10.