We all know jolly ol’ St. Nick just loves lists, which is an attribute he shares with the researcher elves here at Rapid7 Labs. Unlike Sir Kringle, our lists aren’t focused on normalizing the inevitability of a pervasive surveillance state nor intended to establish the acceptance of—and participation in—a global social credit system, but have more to do with cataloging (mostly) naughty aspects of internet infrastructure and activity through our core research platforms, Projects Sonar and Heisenberg.
The Labs team thought it might be fun to give folks a glimpse into who made it to some of our naughtiest lists in 2019 with a “year in review” look at insights gleaned from both our research projects.
The top 20 ‘naughtiest’ countries
There are many ways to track attacker activity, one of which is to look at which source country IPv4 assigned network blocks that traffic comes from. This doesn’t mean that said nation state is performing the attacking, just that poorly secured devices or servers and/or deliberate attacker infrastructure just happen to be found sitting on addresses in a country’s IPv4 blocks.
Our first two lists came from making distributions of the total and unique (by source IPv4 address) connections from each country. We plotted a dot for the counts for each day, for the entire year, which produced these ornament-like views of who led the top of the naughty charts for overall activity:
Daily Total Count Summaries
Italy usually isn’t in the overall top 20 by total volume, nor has it ever been in the No. 2 position for the year in our four-year history of running our Heisenberg honeypot network. We’ll talk about just what IPv4s in Italy (and the Netherlands, since they are making an unusual Top 5 appearance as well) were doing to achieve this top spot in an upcoming report, along with what’s going on with some of those huge max count numbers.
South Korea and Vietnam both have scads of horribly configured Internet of Things (IoT) devices, which make them ideal sources of botnet and other attacker activity. Russia and China are, well, Russia and China, and both the U.S. and India are hotbeds of similarly horribly configured physical and virtual hosts.
We continue our Christmas ornament distribution plots with a similar look at unique source IPv4 addresses from each country:
Daily Unique Count Summaries
|Hong Kong SAR China||1,077||974||23,988|
It’s amazing that so few nodes can generate such high volumes of activity, yet we still have no single authority that can do much of anything about it.
The most common unique vs. total activity usually hits a sweet spot of around 100 nodes to 10,000 connections across our fleet of ~250 honeypots (points are colored by date similar to the previous charts, with recent activity in dark orange; the density layer shows the most concentrated hot spots of port/pair counts with fitted GAM curve on top):
(This also happens to be the exact path Kris Kringle takes across the Milky Way in his sleigh.)
But just what were these sources going after? For that, we need to take a look at another list.
The usual [naughty] suspects
Anyone who has ever run even a single honeypot knows there are a handful of ports, protocols, and services that most opportunistic attackers seem to gravitate toward. Whether it be brute forcing/credential stuffing SSH, Telnet, or RDP, holding compromised SMB territory with EternalBlue attacks, or trying to slurp up records from MySQL, Postgres, MS SQL and other databases, opportunistic attackers are just that: opportunistic and always on the lookout for new, pwnable quarry. We call these port+protocol+service combinations the “usual suspects,” and the membership of this year’s list of naughtiest activity looks a bit different from 2018’s.
We’ll first return to our ornament distribution plots to look at this year’s top 20 usual suspects by daily unique sources and daily total connections:
A few items stand out on these charts.
First, we see DNS over TLS activity making it into both top 20 usual suspects lists for the first time ever. In fact, it slid into the Top 5 by total counts due to a series of campaigns starting around midyear. We talked a bit about this in our 2019 Q3 Threat Report and will be taking a deeper dive in our 2019 Q4 and year-end round up threat report (remember, patience is a virtue and helps keep you on Santa’s “nice” list).
Next, we note that when we cycled our honeypot nodes throughout the year, some of the IP addresses we were assigned used to be part of the Ethereum network. We caught some interesting activity on those addresses, which we’ll likely expand on in the aforementioned forthcoming threat report.
The star of the show, however, is MS SQL Server compromise activity that began in October right after stories about a possible backdoor emerged. While we regularly see credential stuffing/brute forcing (and other activity) against our MS SQL Server honeypots, the October surprise ended up becoming the “new normal” for MS SQL Server activity as seen here in this non-log10-scaled chart:
If you’re wondering if there’s anything wrong with your eyes, fear not. You’re definitely seeing several orders of magnitude of increased activity that quite literally dwarfed all previous activity (even if you sum up all of the activity the previous year!).
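The per-country and per-service summaries above (daily total connections, daily unique sources, and the unique-vs-total relationship) boil down to one aggregation over honeypot connection records. The following Python is an added example written for this post, not Rapid7’s Heisenberg code: the log line format (`<date> <src_ip> <country> <dst_port>`), the port-to-service map `USUAL_SUSPECTS`, and the sample log lines are all constructed for the example.

```python
"""Daily total vs. unique-source summaries from honeypot connection logs.

Added example; this is not Rapid7's Heisenberg code. The log line format
("<date> <src_ip> <country> <dst_port>"), the port-to-service map and the
sample lines below are all constructed for this example.
"""
from collections import defaultdict
from statistics import median

# Port -> "usual suspect" service label. Assumed mapping for this example;
# anything not listed is grouped as "other".
USUAL_SUSPECTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 1433: "MS SQL",
    3306: "MySQL", 5432: "Postgres", 853: "DNS over TLS",
}

# Constructed sample log (documentation-range IPs, not real honeypot data).
SAMPLE_LOG = """\
2019-10-01 203.0.113.5 IT 1433
2019-10-01 203.0.113.5 IT 1433
2019-10-01 203.0.113.9 IT 445
2019-10-01 198.51.100.7 NL 853
2019-10-02 203.0.113.5 IT 1433
2019-10-02 198.51.100.7 NL 853
2019-10-02 198.51.100.8 NL 853
2019-10-02 192.0.2.44 US 22
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (day, src_ip, country, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        day, ip, country, port = parts
        yield day, ip, country, int(port)


def daily_counts(records, key):
    """Group connections by "country" or by "service" and return
    {group: {day: (total_connections, unique_source_ips)}}."""
    totals = defaultdict(lambda: defaultdict(int))
    uniques = defaultdict(lambda: defaultdict(set))
    for day, ip, country, port in records:
        group = country if key == "country" else USUAL_SUSPECTS.get(port, "other")
        totals[group][day] += 1
        uniques[group][day].add(ip)
    return {
        group: {day: (totals[group][day], len(uniques[group][day])) for day in days}
        for group, days in totals.items()
    }


def summarize(daily, unique=False):
    """Per group, (min, median, max) across days of the daily total count
    (or, with unique=True, the daily unique-source count): the figures a
    per-country distribution plot or summary table is built from."""
    idx = 1 if unique else 0
    return {
        group: (min(v[idx] for v in days.values()),
                median(v[idx] for v in days.values()),
                max(v[idx] for v in days.values()))
        for group, days in daily.items()
    }


def unique_vs_total(daily):
    """Sorted (unique, total) pairs over every group-day, i.e. the points of a
    unique-vs-total scatter. A high total with few uniques is the "few nodes,
    high volume" pattern that deserves a closer look."""
    return sorted((u, t) for days in daily.values() for (t, u) in days.values())


def top_n(summary, n=5):
    """Rank groups by their maximum daily value, highest first."""
    return sorted(summary.items(), key=lambda kv: kv[1][2], reverse=True)[:n]


if __name__ == "__main__":
    by_country = daily_counts(parse_log(SAMPLE_LOG), "country")
    by_service = daily_counts(parse_log(SAMPLE_LOG), "service")
    for group, (lo, mid, hi) in top_n(summarize(by_country)):
        print(f"{group:<14} total/day   min={lo} median={mid} max={hi}")
    for group, (lo, mid, hi) in top_n(summarize(by_service, unique=True)):
        print(f"{group:<14} unique/day  min={lo} median={mid} max={hi}")
    print("unique vs. total points:", unique_vs_total(by_country))
```

Swapping the `key` argument is all that separates the country lists from the usual-suspects lists; the unique-source count is what keeps a single chatty node from looking like a whole botnet.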
Now, let’s turn to Project Sonar to see who is putting naughty things on the internet.
While we, thankfully, continue to see a slow but steady drop in counts of hosts exposing SMB to the internet (due, in part, to more ISPs blocking inbound 139 and 445 connections), there are still quite a few of them out there:
Just looking at SMB port 445 hosts, the U.S. is still doing its best to make SMB great again and continues to hold its place at the top of the charts:
SMB Port 445 Host Counts by Country • Dec. 13, 2019 Study
| Country | # SMB Hosts |
| --- | --- |
| United Arab Emirates | 8,149 |
There’s no legitimate reason to run SMB on the internet in 2019 (or beyond), and these servers do not just sprout up and host themselves. They live somewhere, and while most are spread across a vast array of autonomous systems, there are some network/hosting providers that house between 1% and 10% of these naughty servers:
SMB Port 445 Hosting Organizations/Networks • Dec. 13, 2019 Study
| Hosting Org | # SMB Hosts | % |
| --- | --- | --- |
| PEG TECH INC | 35,982 | 5.30% |
| Data Communication Business Group | 17,317 | 2.55% |
| Input Output Flood LLC | 9,419 | 1.39% |
| Tencent Building, Kejizhongyi Avenue | 9,184 | 1.35% |
| NTT Communications Corporation | 8,508 | 1.25% |
| Emirates Telecommunications Corporation | 8,054 | 1.19% |
| Hetzner Online GmbH | 6,876 | 1.01% |
Telnet (Port 23)
The last naughty port/service/protocol we’ll look at is SMB’s older sibling: Telnet. There are far more secure and robust protocols to use than Telnet to talk to servers or devices over the internet, yet we still see just over 3 million of these nodes in each scan:
China continues to lead the pack, mostly due to the sheer number of routers and VoIP devices exposing Telnet (the same is true for Japan, Brazil, and most EU countries on the Telnet list):
Telnet Port 23 Host Counts by Country • Dec. 13, 2019 Study
| Country | # Telnet Hosts |
| --- | --- |
Given the large number of China-network hosted Telnet systems/devices, it’s no surprise Chinese autonomous systems tend to show up as having the largest percentage of hosts exposing this cleartext protocol.
Telnet Port 23 Hosting Organizations/Networks • Dec. 13, 2019 Study
| Hosting Org | # Telnet Hosts | % |
| --- | --- | --- |
| CHINA UNICOM China169 Backbone | 164,422 | 5.31% |
| Shenzhen Tencent Computer Systems Company Limited | 109,296 | 3.53% |
| Data Communication Business Group | 50,637 | 1.63% |
| NTT Communications Corporation | 42,806 | 1.38% |
| Guangdong Mobile Communication Co.Ltd. | 41,432 | 1.34% |
| University of Canterbury | 37,397 | 1.21% |
| Hathway IP Over Cable Internet | 35,417 | 1.14% |
| China Mobile communications corporation | 31,773 | 1.03% |
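The SMB and Telnet hosting tables above both come from the same two questions asked of a scan result set: how many exposed hosts sit in each country, and which organizations house more than a given share of them. The Python below is an added example for this post, not Project Sonar’s own tooling; the scan records, organization names and the 1% threshold are constructed or assumed for the example. It also backs out the implied scan-wide total from a single table row, a quick consistency check on published figures.

```python
"""Who hosts the exposed SMB/Telnet nodes: per-country counts and per-org
share from internet scan results.

Added example; not Project Sonar's tooling. The scan records, organization
names and the 1% threshold are constructed/assumed for this example.
"""
from collections import Counter

# Constructed scan records: (ip, open_port, country, hosting_org).
# Documentation-range addresses and made-up organization names.
SAMPLE_SCAN = [
    ("203.0.113.1", 445, "US", "Example Hosting A"),
    ("203.0.113.2", 445, "US", "Example Hosting A"),
    ("203.0.113.3", 445, "AE", "Example Telecom B"),
    ("192.0.2.1", 445, "DE", "Example Hosting A"),
    ("198.51.100.1", 23, "CN", "Example Backbone C"),
    ("198.51.100.2", 23, "CN", "Example Backbone C"),
    ("198.51.100.3", 23, "JP", "Example Carrier D"),
    ("198.51.100.4", 23, "CN", "Example Backbone C"),
]

SERVICE_PORTS = {445: "SMB", 23: "Telnet"}


def hosts_by_country(records, port):
    """[(country, host_count)] for hosts with `port` open, largest first."""
    return Counter(cc for _, p, cc, _ in records if p == port).most_common()


def org_share(records, port, threshold=0.01):
    """[(org, host_count, share)] for organizations housing at least
    `threshold` (a fraction) of all hosts exposing `port`, largest first."""
    counts = Counter(org for _, p, _, org in records if p == port)
    total = sum(counts.values())
    if total == 0:
        return []
    return [(org, n, n / total) for org, n in counts.most_common()
            if n / total >= threshold]


def implied_scan_total(host_count, share):
    """Back out the full exposed population from one table row (a count and
    its share), to sanity-check a table against a stated scan-wide total."""
    return host_count / share


def render_table(rows, label):
    """Markdown table in the same layout as the hosting tables above."""
    lines = [f"| Hosting Org | # {label} Hosts | % |", "| --- | --- | --- |"]
    lines += [f"| {org} | {n:,} | {share:.2%} |" for org, n, share in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    for port, label in SERVICE_PORTS.items():
        print(f"{label} port {port} host counts by country:",
              hosts_by_country(SAMPLE_SCAN, port))
        print(render_table(org_share(SAMPLE_SCAN, port), label))
    # Using a figure from the table above: 164,422 Telnet hosts at 5.31%
    # implies a scan-wide population of roughly 3.1M Telnet hosts, which
    # agrees with the "just over 3 million" stated in the text.
    print("implied Telnet hosts:", round(implied_scan_total(164_422, 0.0531)))
```

On real scan output the `hosting_org` field would come from an ASN-to-organization lookup; the threshold is what turns a long tail of autonomous systems into the short list of providers worth a conversation.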
Santa would never use Telnet to connect to his global surveillance infrastructure, and neither should you.
We’ve made our lists, checked them twice, and shown you who has been naughty (i.e., not nice). Heisenberg sees what folks are hacking; knows what they’re trying to take; Sonar identified hosts that’ve been bad (i.e., not good). Now it’s time for the Labs’ elves to take a well-earned break.
You’d better watch out, because we still see WannaCry; you’d better not pout, I’m telling you why: Rapid7 Labs is coming to town in 2020, with even more data and insights to help you understand the makeup of the internet and help defend your organization.
Happy holidays to all, and to all a good night!