Cyber attacks are receiving from various countries at that time, but 97% of all attacks coming from Russia that belongs to various sectors and platform based attacks.
The heavy attack was discovered From June 11 to June 12, 2018, and it initially starts from Brazil that targeting port SIP 5060.
Port SIP 5060 IP phones to transmit communications in clear text; this was the single most attacked port.
There is no doubt and secret that Russia always targeting various sector in the U.S and performing various sophisticated attacks and US-Cert already warned that Russia maintaining persistent access to small office and home office routers warning of widespread espionage.
In this case, Initial stage of the attack performing reconnaissance scans from the Russian IP address 220.127.116.11 and it was actively targeting the variety of ports.
Telnet, consistent with IoT device attacks were mainly targeted to gain access to the vulnerable systems.
“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”
Heavy Attack on June 12, 2018
The day President Trump met with Kim Jong-un in Singapore, Approximately 40,000 attacks were launched Between the time on 6/11/2018 to 6/12/2018 ( 11:00 p.m. through 8:00 p.m)
Most of the Attacks (92 %) were registered as reconnaissance scans that eagerly looking for vulnerable devices and the other 8% of attack belongs to exploit based Attacks.
After Russia, most of the attacks come from China, US, France, and Italy and Brazil hold the sixth position.
According to F5 Labs, Singapore was the top destination of the attacks by a large margin, receiving 4.5 times more attacks than the U.S. or Canada. Singapore is not typically a top attack destination country; this anomaly coincides with President Trump’s meeting with Kim Jong-un.
Attack Destination Ports
Based on the F5 Labs report these are the ports in order of prevalence were targeted in the Singapore attacks:
- 5060 — clear text Session Initiation Protocol (SIP)
- 23 — Telnet remote management
- 1433 — Microsoft SQL Server database
- 81 — Alternate web server port for host-to-host communication
- 7547 — TCP port used by ISPs to remotely manage routers via the TR-069 protocol
- 8291 — Remote management port commonly used by MikroTik routers
- 8080 — Alternate web server port often used for a proxy server or caching
The SIP port 5060 received 25 times more attacks than port 23 in the #2 position an the Telnet is the most commonly attacked remote administration port by IoT attackers that enable them to spy on communications and collect data.
It was unclear that how may victims were compromised during the heavy cyber attack and the researchers are continuously analyzing.