Millions of malicious IP addresses probe the internet daily in an attempt to find security holes in networks.
CrowdSec has recently released a Majority Report looking into the landscape of malicious behavior. The company analyzed data on internet protocol (IP) addresses identified as malicious, and it turns out that the lion’s share of malicious activity is coming from Russia, the US, and India. In each of these countries, 1M+ IP addresses were reported as malicious.
However, CrowdSec emphasized that this number doesn’t necessarily represent the nationality of the attacker but rather a “localization” of a compromised asset.
So, what sort of activity are these malicious IPs conducting?
The majority of malicious activity is attributed to scanning. It means precisely that – a threat actor is actively scanning the internet looking for various flaws they could exploit for unauthorized access, DDoS, or any other type of attack. We’ve witnessed such exploitation parties with the public disclosure of Log4j or MS Exchange vulnerabilities in the past.
Nearly 60% of malicious IP addresses engage in scanning, while over 23% are trying to exploit known vulnerabilities. CrowdSec believes that this is the most dangerous threat you might encounter.
Brute force is the third most common threat, with threat actors going after the most common and weak passwords – usually set by default.
With the high adoption of IPv6 (Internet Protocol version 6), cybersecurity pundits have started registering an increase in new threats linked to IPv6 addresses. 20% of reported IPs are now linked to IPv6. Interestingly, the number went up to 35% between May and June, coinciding with the increase in mass scanning.
Interestingly enough, despite concerns that criminals rely on VPNs to throw law enforcement off track, the company said that this is not really the case.
“VPN’s rise in popularity over the past few years sounded the alarm to many organizations. The joint action by Europol and ten other countries in January 2022 to take down VPNLab.net – a VPN provider whose services were being used in support of serious criminal acts – seemed to reinforce the concern that VPNs are a convenient tool for cybercriminals,” the report reads.
CrowdSec data shows that only 5% of reported IP addresses are flagged as VPN or proxy users.