London Daily News

Top 3 Cyberattack Origins

Forescout reveals the US, Russia and the Netherlands as the top three countries from which a cyberattack is most likely to originate

Forescout’s research team, Vedere Labs, has today released its first annual Threat Roundup report after analysing data from millions of cyberattacks, exploits and malware samples to explore the rise of mixed IT and IoT threats.

As part of the report, Forescout looked at the most dangerous territories of 2022. The US, Russia and the Netherlands took first, second and third place in the top ten countries from which a cyberattack is most likely to originate.

Whilst cyberattacks can come from anywhere, the top ten countries account for 73% of malicious traffic. In these countries, attackers rely on large hosting providers (81%), many of which ignore complaints of illicit activity, or on compromised devices in consumer and business networks. 

Daniel dos Santos, Head of Security Research at Forescout says, “The Netherlands, for instance, is known to be used in cybercrime because of reliable Internet connections and the presence of some of the largest Internet exchanges in the world – such as AMS-IX and DATAIX.” 

The report also lists the top ten countries originating exploits. Among European countries, the UK (3%) ranked third as a source of attacks, exploits and malware, behind the Netherlands and Germany (4%).

Daniel continues, “When specifically looking at the UK, it was fifth in the top countries originating exploits, fifteenth in the top countries originating attacks and had the eleventh most popular autonomous system hosting attacks (Xhost Internet Solutions Lp). Furthermore, the UK came twelfth in the number of IP addresses used to host malware. The reason for its popularity is predominantly because it has a reliable Internet infrastructure, with London having one of the largest Internet Exchanges in the world (LINX) and a large Internet-connected population.”  

Other key findings include:  

  • Remote management protocols are the top target for initial access, with 43% of attacks initiated this way, followed by web attacks (26%) and attacks on remote storage protocols (23%).
  • Attacks on these protocols rely primarily on weak or default credentials.
  • Exploits are not limited to traditional applications: over three-quarters (76%) of exploits target software libraries and shared components such as Log4j, OpenSSH and TCP/IP stacks.
  • Ransomware (53%), botnets (25%) and crypto miners (7%) are the most common malware observed.
  • WannaCry ransomware is still alive more than five years after its first wave of attacks. The largest number of distinct malware samples within a single family belongs to WannaCry (53%).
  • Large active botnet campaigns, such as Dota3, are responsible for almost 90% of the IPs dropping malware.
  • New botnets such as Chaos, and other malware such as ZuoRAT, use automation to exploit multiple types of devices, crossing the boundary between IT and IoT.

Daniel concludes, “The adoption and development of new connected devices is set to pose even greater challenges for cybersecurity professionals on a global scale in the year ahead. The research, which was correlated from a set of online honeypots, has revealed that threat actors are using increased connectivity to blur the lines between traditional IT attacks and emerging OT and IoT threats. To protect your environment, we recommend organisations focus on three key pillars of cybersecurity, including risk and exposure management, network security and threat detection and response.”

The full report is available here
