The majority of cyber attacks on northern European targets come from machines in Russia, while China is the number one source of threats aimed at the US, according to new honeypot data collected by Alert Logic.
The firm deployed low-interaction honeypots in public cloud infrastructure around the world to imitate vulnerable operating systems, leaving common ports open to attract hackers.
On analyzing the resulting data, Alert Logic found that the largest number of attacks on Northern European victims (40%) came from Russia.
Western Europe’s primary attackers, meanwhile, came from China and North and South America. The majority of attacks on US targets came from China (32%), followed by the US itself (21%), India (17%) and Russia (9%).
Most attacks targeting APAC countries came from the US (63%).
However, it’s important to note that this data does not deal with attribution, so the cybercriminals behind the attacks may in reality be located in different countries from those where Alert Logic observed the attacks originating.
In all three regions the majority of attacks launched Microsoft Directory Services exploits.
In APAC 85% of attacks used this vector, while in the US it was 51%, with HTTP (21%) also prominent.
In Europe, Microsoft DS was still the most popular vector (35%), with SQL Server, HTTP, MySQL, RPC and FTP each accounting for 13%.
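The kind of breakdown reported above can be produced from a honeypot's connection records by grouping on target region, GeoIP source country and destination port. The following is an added illustration, not Alert Logic's code: the port-to-service mapping and the honeypot records are constructed here for the example, and the figures it yields are not the article's.

```python
# Added example (not Alert Logic's code): aggregate constructed low-interaction
# honeypot connection records by target region, observed source country and
# service vector, producing the kind of percentage breakdown the article reports.
from collections import Counter, defaultdict

# Well-known ports for the services the article names as attack vectors.
PORT_TO_VECTOR = {
    445: "Microsoft DS",   # SMB / Directory Services
    80: "HTTP",
    1433: "SQL Server",
    3306: "MySQL",
    135: "RPC",
    21: "FTP",
}

# Constructed records: (target_region, source_country, dst_port).
# source_country is the GeoIP country of the connecting address, i.e. where
# the traffic was observed coming from; it says nothing about who is behind it.
RECORDS = [
    ("APAC", "US", 445), ("APAC", "US", 445), ("APAC", "CN", 445),
    ("APAC", "US", 80),
    ("US", "CN", 445), ("US", "US", 80), ("US", "IN", 1433),
    ("US", "RU", 445), ("US", "CN", 3306),
    ("EU", "RU", 445), ("EU", "RU", 21), ("EU", "CN", 135),
]

def breakdown(records, key_index):
    """Per target region, rounded percentage share of records by the chosen key.
    key_index 1 -> source country, 2 -> vector (port mapped to service name)."""
    per_region = defaultdict(Counter)
    for region, src, port in records:
        key = src if key_index == 1 else PORT_TO_VECTOR.get(port, f"other/{port}")
        per_region[region][key] += 1
    return {
        region: {k: round(100 * n / sum(c.values())) for k, n in c.items()}
        for region, c in per_region.items()
    }

def top(records, key_index):
    """Most common source country or vector per target region, with its share."""
    return {r: max(shares.items(), key=lambda kv: kv[1])
            for r, shares in breakdown(records, key_index).items()}

if __name__ == "__main__":
    for region, (name, pct) in top(RECORDS, 1).items():
        print(f"{region}: top observed source {name} ({pct}%)")
    for region, (name, pct) in top(RECORDS, 2).items():
        print(f"{region}: top vector {name} ({pct}%)")
```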
Interestingly, credential-stealing Conficker-A was by far the most popular malware observed in the US (91%), Europe (77%) and Asia (62%).
Alert Logic chief security evangelist, Stephen Coty, told Infosecurity it’s still being used because it’s “easy to access, extremely easy to use and in some situations still very effective.”
“If the code is effective, figure out how to use the same source code and modify it to bypass AV controls. That is a lot easier than trying to write something from scratch,” he added.
“I recently talked with a developer of some code and he mentioned it took him two years to get this code out onto the underground for sale. There is development, testing, patching, scanning, and hardening your code before you can get it to market. It's a lot easier to use a piece of code that has a proven track record of success and all you need to do is modify it to not match AV signature content.”
Given that most malware analyzed in this study was designed to steal user credentials, the majority of attacks were financially motivated cybercrime rather than nation-state espionage campaigns, Coty argued.