Smart sensors, global defense: check out the main threats and offenders identified by ISH

By Heimdall ISH

In today's article, we highlight the main statistics collected by Heimdall, the ISH Intelligence team, which operates a vast network of sensors spread across several countries. These sensors collect, process and use indicators to prevent cyber attacks. In recent days, the sensors have been the target of multiple DDoS (distributed denial-of-service) attacks, brute-force attempts and many other attacks.

As well as capturing DDoS attack data, the team was able to gather valuable statistics from different countries and continents. This data is essential for understanding the methodologies of threat actors, allowing attacks to be anticipated and effective defense strategies to be developed. Analyzing these indicators helps not only to prevent future attacks, but also to study the tactics and techniques used by malicious groups around the world.

All the statistics and IP addresses collected are transformed into intelligence feeds, managed by the Heimdall team, offering a continuous source of information to strengthen cyber defenses. For those wishing to access these indicators and intelligence feeds, we suggest contacting the commercial team or the ISH threat intelligence team directly, who will be able to provide details on the operation and structure of the services offered.

Statistics collected

In this article, we highlight the importance of data collected from various sensors distributed globally. This data, segmented by continent, provides a comprehensive and up-to-date view of the information collected over the last seven days. Analyzing this data is crucial to understanding the trends and patterns emerging in different regions of the world.

All the data presented in this report was obtained over a period of just seven days, which shows that collection can also be carried out over longer periods and across a wider geographic area.

Attack statistics

In the table below, we present the data collected over the last seven days, as mentioned above. These figures represent the number of attacks recorded by the sensors.

Data collected from some of ISH Tecnologia's sensors over a 7-day period

Countries that most attacked sensors

The following table presents a detailed analysis of the countries that have carried out the most attacks against our sensors in recent days. The countries are ranked by the volume of attack attempts detected and grouped by the continent where the sensors are located, giving a clear picture of which regions are generating the highest number of cyber threats.

Ranking by continent of countries with the most targeted attacks

In the statistics on the geolocation of malicious IP addresses, certain countries appear repeatedly as offenders in the rankings of sensors on different continents. India, for example, stood out as one of the main offenders, appearing in the rankings for both North America and Asia, which indicates a significant presence of potentially malicious activity originating from that country.

The United States was mentioned on practically every continent, appearing in North America, South America, Europe and Asia, reflecting the global reach of malicious activity from the country. Similarly, China also recurred, being mentioned in South America, Europe and Asia, reinforcing the perception that the country is a central point of origin for malicious traffic.

Russia stood out particularly in Europe and Asia, while Brazil was prominent in South America, highlighting their respective regional influences in terms of malicious activities.

On the other hand, countries such as Moldova, Cyprus, Bulgaria and Colombia appeared less frequently, indicating either a lower incidence of malicious activity associated with these countries or a lower detection rate for them.

This data is essential for understanding global cyber threat trends and can help direct risk mitigation efforts. This geopolitical overview of the origin of malicious IPs is crucial for guiding cyber defense strategies, helping to prioritize resources and monitoring efforts towards the regions that show the most malicious activity.

DDoS attack statistics

In the table below, we present the data collected over the last seven days from the collectors whose primary focus is capturing information and details about DDoS (Distributed Denial of Service) attacks.

Statistics of data collected by sensors identified as DDoS (Distributed Denial of Service) attacks

Analyzing the data separately, by individual source country, reveals that the United States stands out significantly as the main source of DDoS attacks detected on the sensors, with a total of 122,942 hits.

Next, Poland and China appear as other major origins of these attacks, accumulating 37,287 and 34,856 events respectively. Russia is also a notable origin, with 30,930 hits detected.

In addition, countries such as Germany, Italy, Vietnam, Hong Kong, the United Kingdom and the Philippines complete the top 10, demonstrating that these attacks have a wide global distribution, involving both Western and Asian nations, highlighting the need for robust cyber defense measures in various parts of the world.

Statistics on the most used Brute-Force credentials

ISH Tecnologia also collects the main credentials used in cyber intrusions using techniques such as brute-force. It is worth noting that, depending on the geolocation of the sensors, the dictionary used by threat actors can vary, since words in Portuguese, for example, are not commonly applied to services located in Asia.

The following are the credentials (users and passwords) most commonly used against sensors located in Brazil, followed by a ranking of the credentials collected by other sensors around the world.

Dictionary used by threat actors against Brazilian sensors

Dictionary used by threat actors against sensors in other geolocations

Other data collected

Main target ports

In addition to the data mentioned above, we were able to identify the most attacked ports on the sensors, presented below as a top-10 list.

Most attacked ports followed by total attacks, countries and number of attacks

Port legend:

  • Port 445 (TCP/UDP): Used by the SMB (Server Message Block) protocol for sharing files and printers on Windows networks.
  • Port 53 (TCP/UDP): Used by DNS (Domain Name System) to resolve domain names into IP addresses.
  • Port 123 (UDP): Used by NTP (Network Time Protocol) to synchronize clocks between computer systems.
  • Port 80 (TCP): Used by HTTP (Hypertext Transfer Protocol) for web page traffic.
  • Port 443 (TCP): Used by HTTPS (Hypertext Transfer Protocol Secure) for secure web page traffic.
  • Port 5060 (TCP/UDP): Used by SIP (Session Initiation Protocol) to signal VoIP calls.
  • Port 5038 (TCP): Used by the Asterisk Manager Interface (AMI) to control Asterisk telephony systems.
  • Port 631 (TCP/UDP): Used by IPP (Internet Printing Protocol) for network printing.
  • Port 8000 (TCP): Commonly used for alternative web servers, proxies and streaming.
  • Port 23 (TCP): Used by Telnet for remote text communication without encryption.
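The rankings above (source countries per sensor continent, the top-10 ports with the countries hitting each one, the brute-force credential dictionary and the DDoS origins) are all simple aggregations over sensor events. The block below is an added example, not ISH Tecnologia's or Heimdall's own code, showing how such a report can be built from raw sensor output. The event format is an assumption: one JSON object per line with a timestamp, source IP, source country, the continent where the sensor sits, destination port, protocol, event type and, for login attempts, the credentials tried. The sample events are constructed for illustration and are not real collected data.

```python
"""Aggregate honeypot sensor events into the rankings a weekly threat report shows.

Added example, not ISH Tecnologia's own code. The event schema (field names,
event types) is assumed; adapt parse_events() to the real sensor format.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events (documentation IP ranges, invented counts).
# "sensor_continent" is where the sensor is located, "country" is the source.
SAMPLE_EVENTS = """\
{"ts": "2024-09-01T10:00:00Z", "src_ip": "203.0.113.10", "country": "US", "sensor_continent": "NA", "dport": 445, "proto": "tcp", "type": "scan"}
{"ts": "2024-09-01T10:00:05Z", "src_ip": "203.0.113.10", "country": "US", "sensor_continent": "NA", "dport": 445, "proto": "tcp", "type": "scan"}
{"ts": "2024-09-01T10:01:00Z", "src_ip": "198.51.100.7", "country": "IN", "sensor_continent": "AS", "dport": 23, "proto": "tcp", "type": "bruteforce", "user": "admin", "password": "admin"}
{"ts": "2024-09-01T10:01:30Z", "src_ip": "198.51.100.7", "country": "IN", "sensor_continent": "AS", "dport": 23, "proto": "tcp", "type": "bruteforce", "user": "root", "password": "123456"}
{"ts": "2024-09-01T10:02:00Z", "src_ip": "192.0.2.44", "country": "BR", "sensor_continent": "SA", "dport": 5060, "proto": "udp", "type": "scan"}
{"ts": "2024-09-01T10:02:10Z", "src_ip": "192.0.2.45", "country": "BR", "sensor_continent": "SA", "dport": 22, "proto": "tcp", "type": "bruteforce", "user": "admin", "password": "admin"}
{"ts": "2024-09-01T10:03:00Z", "src_ip": "203.0.113.99", "country": "CN", "sensor_continent": "AS", "dport": 445, "proto": "tcp", "type": "scan"}
{"ts": "2024-09-01T10:03:30Z", "src_ip": "203.0.113.99", "country": "CN", "sensor_continent": "AS", "dport": 53, "proto": "udp", "type": "ddos"}
this line is corrupted and must not abort the whole batch
{"ts": "2024-09-01T10:04:00Z", "src_ip": "198.51.100.8", "country": "IN", "sensor_continent": "NA", "dport": 80, "proto": "tcp", "type": "scan"}
{"ts": "2024-09-01T10:05:00Z", "src_ip": "203.0.113.12", "country": "US", "sensor_continent": "SA", "dport": 53, "proto": "udp", "type": "ddos"}
"""


def parse_events(text):
    """Parse JSON-lines sensor output, skipping malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a single bad record should not discard a week of data
    return events


def top_countries_by_sensor_continent(events, n=5):
    """For each continent where sensors sit, rank the source countries hitting them."""
    per_continent = defaultdict(Counter)
    for e in events:
        per_continent[e["sensor_continent"]][e["country"]] += 1
    return {cont: ctr.most_common(n) for cont, ctr in per_continent.items()}


def top_ports(events, n=10):
    """Rank (port, proto) by hits and list the main source countries for each."""
    hits = Counter()
    by_country = defaultdict(Counter)
    for e in events:
        key = (e["dport"], e["proto"])
        hits[key] += 1
        by_country[key][e["country"]] += 1
    return [(port, proto, total, by_country[(port, proto)].most_common(3))
            for (port, proto), total in hits.most_common(n)]


def top_credentials(events, n=10, sensor_continent=None):
    """Rank (user, password) pairs tried in brute-force events, optionally per continent."""
    ctr = Counter()
    for e in events:
        if e.get("type") != "bruteforce":
            continue
        if sensor_continent and e["sensor_continent"] != sensor_continent:
            continue
        ctr[(e.get("user"), e.get("password"))] += 1
    return ctr.most_common(n)


def ddos_by_country(events, n=10):
    """Rank source countries of events the sensors classified as DDoS."""
    return Counter(e["country"] for e in events if e.get("type") == "ddos").most_common(n)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("countries per sensor continent:", top_countries_by_sensor_continent(ev))
    print("top ports:", top_ports(ev))
    print("credentials (all):", top_credentials(ev))
    print("credentials (SA sensors):", top_credentials(ev, sensor_continent="SA"))
    print("ddos origins:", ddos_by_country(ev))
```

Because the events carry the sensor's continent rather than the source's, the same country legitimately shows up in several continents' rankings, which is exactly the pattern the article notes for India and the United States. The credential ranking can be restricted to one sensor region, which is how a separate Brazilian dictionary can be compared with the worldwide one.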

Stay one step ahead of cyber threats

Staying ahead of cyber threats is essential in a scenario where attack techniques are constantly evolving. Organizations that are unprepared run the risk of facing serious consequences, from data breaches to significant operational downtime. To mitigate these risks, it is crucial to adopt a proactive stance, continuously monitoring new threats and adjusting defenses accordingly. Agility in identifying and responding to incidents can mean the difference between a contained attack and a large-scale disaster.

The use of sensors spread around the world plays a key role in this process. These sensors capture a wide range of data on attack attempts, allowing organizations to identify patterns and trends in real time. With a global sensor network, it is possible to detect emerging threats in different regions and sectors, anticipating attacks before they become widespread. This not only strengthens an organization's defenses, but also contributes to more robust collective security.

For companies wishing to benefit from this approach, ISH Technology offers a dedicated service for consuming the intelligence feeds generated by its globally distributed sensors. These feeds provide valuable, up-to-date information on cyber threats, allowing organizations to adjust their defense strategies in an effective and timely manner. By subscribing to this service, companies can gain a significant competitive advantage, strengthening their security posture and ensuring greater resilience against possible attacks. Contact our experts to find out more.
