Analysis of the activity observed on the TEHTRIS honeypot network during week 40 revealed new indicators of compromise, as well as long-known types of attack that threat actors are still using today.
Malicious use of default credentials
CirrOS
CirrOS is a minimal Linux distribution designed for use as a test image on clouds such as OpenStack Compute. CirrOS images ship with classic login/password authentication and publish their credentials for quick access: the login is cirros and, since 2016, the password is gocubsgo. However, TEHTRIS still observes threat actors using the previous password, cubswin:).
Since anyone can log in with these credentials, TEHTRIS recommends not running this image with a public IP address attached. In addition, we recommend changing the default credentials and blacklisting the following IP addresses, which attempt to break into networks using the CirrOS default credentials. Please note that 7 of these IP addresses are not known to public blacklist databases. This threat is very real today.
IP address | AS | Country |
79.138.105[.]128 | AS45011 Bredband2 AB | SE |
101.58.81[.]246 | AS210278 Sky Italia | IT |
109.247.14[.]226 | AS29695 Altibox AS | NO |
109.28.24[.]17 | AS15557 Société française du radiotéléphone – SFR SA | FR |
115.66.238[.]94 | AS9506 Singtel Fibre Broadband | SG |
185.180.29[.]203 | AS212538 Poyrazwifi Limited Company | TR |
191.194.103[.]167 | AS26599 TELEFONICA BRASIL S.A | BR |
213.195.156[.]213 | AS12741 Netia SA | PL |
213.47.107[.]206 | AS8412 T-Mobile Austria GmbH | AT |
27.71.68[.]66 | AS7552 Viettel Group | VN |
36.32.24[.]160 | AS140726 UNICOM AnHui province network | CN |
36.35.24[.]106 | AS140726 UNICOM AnHui province network | CN |
46.170.30[.]146 | AS5617 Orange Polska Spolka Akcyjna | PL |
5.102.205[.]71 | AS47956 XFone 018 Ltd | IL |
77.181.135[.]15 | AS6805 Telefonica Germany | DE |
79.32.34[.]154 | AS3269 Telecom Italia | IT |
82.4.29[.]171 | AS5089 Virgin Media Limited | GB |
82.46.205[.]202 | AS5089 Virgin Media Limited | GB |
82.66.109[.]74 | AS12322 Free SAS | FR |
85.115.252[.]118 | AS16345 PVimpelCom | RU |
85.159.0[.]190 | AS3326 Private Joint Stock Company datagroup | UA |
87.249.135[.]116 | AS212238 Datacamp Limited | CZ |
91.40.166[.]40 | AS3320 Deutsche Telekom AG | DE |
94.17.152[.]223 | AS12709 Melita Limited | MT |
Huawei router
While monitoring its honeypot network, TEHTRIS noticed that the IP address 92.255.85[.]113 tried several times to connect to a Huawei HG8245 router using its default credentials (the default username is telecomadmin and the default password is admintelecom). Located in Hong Kong, this IP address is hosted by AS57523 Chang Way Technologies Co. Limited, which is notorious in public blacklist databases.
TEHTRIS highly recommends changing the default credentials of all your devices (endpoints, routers, including Internet of Things devices) and software when you first log in, choosing strong and unique passwords in particular.
Exploit attempts against Apache HTTP Server vulnerabilities continue
This week, TEHTRIS noticed that the URL most requested by threat actors on its honeypot network was the following:
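The report's approach, flagging sources that try known default credentials against a honeypot, can be reproduced on honeypot logs. The following Python is an added example and not TEHTRIS code; it assumes JSON-lines login events in the shape the Cowrie SSH honeypot emits (field names eventid, src_ip, username, password), and the sample events are constructed, not real captures.

```python
import json
from collections import Counter

# Default credential pairs discussed above: CirrOS (current and pre-2016
# password) and the Huawei HG8245 administrative account.
DEFAULT_CREDENTIALS = {
    ("cirros", "gocubsgo"): "CirrOS",
    ("cirros", "cubswin:)"): "CirrOS (pre-2016 password)",
    ("telecomadmin", "admintelecom"): "Huawei HG8245",
}

# Constructed sample events in the JSON-lines shape the Cowrie honeypot emits
# for login attempts (assumed field names: eventid, src_ip, username, password).
SAMPLE_EVENTS = """
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "cirros", "password": "cubswin:)"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "cirros", "password": "gocubsgo"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.55", "username": "telecomadmin", "password": "admintelecom"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.55"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "cirros", "password": "cubswin:)"}
"""

def parse_events(text):
    """Parse JSON-lines honeypot output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole analysis
    return events

def default_credential_hits(events):
    """Return (src_ip, username, product) for every login attempt that used a
    known default pair, whether or not the honeypot accepted it."""
    hits = []
    for ev in events:
        if not ev.get("eventid", "").startswith("cowrie.login."):
            continue
        product = DEFAULT_CREDENTIALS.get((ev.get("username"), ev.get("password")))
        if product:
            hits.append((ev["src_ip"], ev["username"], product))
    return hits

def blocklist_candidates(events):
    """Source IPs ranked by number of default-credential attempts."""
    return Counter(ip for ip, _, _ in default_credential_hits(events)).most_common()
```

Successful logins are counted as well as failures, since a honeypot may deliberately accept the default pair to observe what follows.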
/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
This echoes the information published by US government agencies (CISA, FBI, CIA) on 6 October regarding the top CVEs actively exploited by People's Republic of China state-sponsored cyber actors since 2020.
In fact, this specific URL is used in exploit attempts against CVE-2021-41773 (CVSS3: 7.5) in Apache HTTP Server version 2.4.49. This vulnerability allows a malicious actor to use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives, which can then lead to remote code execution (RCE). The issue is known to be exploited in the wild, as exploit code was available online. It was fixed in version 2.4.50; however, the fix was incomplete, and important new flaws were quickly discovered, resulting in CVE-2021-42013 (CVSS: 9.8). That issue is fixed in version 2.4.51.
Chinese cyber groups are generally regarded as formidable threats, but they are not the only ones trying to exploit these common vulnerabilities. The IP address 152.89.196[.]211, hosted by AS57523 Chang Way Technologies Co. Limited and located in Russia, is behind this URL request on TEHTRIS honeypots this week. The threat remains significant and has been used worldwide since it was discovered in May 2021.
TEHTRIS highly recommends keeping your devices and software up to date and tracking newly discovered vulnerabilities daily.
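One way to detect this traversal pattern in web server logs, written here as an added example rather than code from the TEHTRIS report: the request path is percent-decoded until it stops changing (a single decode pass misses the double-encoded variant tied to CVE-2021-42013), then resolved segment by segment to see whether it climbs above the web root. The log lines are constructed samples in Apache combined format; the first carries the URL quoted above.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real captures).
# Line 1 is the request path reported above; line 2 is the double-encoded
# form associated with the incomplete 2.4.50 fix; lines 3 and 4 are benign.
SAMPLE_LOG = """\
192.0.2.44 - - [09/Oct/2022:10:15:32 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 512 "-" "curl/7.64"
192.0.2.45 - - [09/Oct/2022:10:16:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 64 "-" "-"
198.51.100.9 - - [09/Oct/2022:10:17:10 +0000] "GET /icons/../index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Oct/2022:10:17:11 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize_path(raw):
    """Percent-decode until the path is stable (bounded to 3 passes), then
    return (decoded_path, levels_escaped_above_root)."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0      # current directory depth relative to the web root
    lowest = 0     # deepest point below the root reached while walking
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    return path, -lowest

def traversal_alerts(log_text):
    """Return (ip, raw_path, status) for requests that escape the web root."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, escaped = normalize_path(m.group("path"))
        if escaped > 0:
            alerts.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return alerts

if __name__ == "__main__":
    for alert in traversal_alerts(SAMPLE_LOG):
        print(alert)
```

A 200 status on such a request is the signal worth escalating, since a patched server answers these paths with 400 or 403.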
The case of an AS hosting suspicious activity
Since the end of August, several IP addresses hosted by AS4134 Chinanet have regularly scanned TEHTRIS honeypots and attempted malicious actions. This AS has been known on social media for hosting malware sites for years [1][2].
Here is the list of IoCs discovered by TEHTRIS:
IP address | Comment |
49.88.112[.]60 | SSH brute force; carries the malware Kane_Sneak_out.exe, SHA256: d7d84decce8c530a9a5d691fd23da867d233559b9968aa2767fc28bb43507211 |
61.177.172[.]13 | SSH brute force |
61.177.173[.]11 | Public blacklist |
61.177.173[.]13 | Public blacklist |
61.177.173[.]27 | SSH brute force and credential theft |
61.177.173[.]3 | SSH brute force |
61.177.173[.]4 | SSH brute force |
61.177.172[.]139 | Botnet |
61.177.173[.]24 | SSH brute force |
180.101.56[.]56 | Public blacklist |
218.92.0[.]210 | SSH brute force |
110.89.10[.]163 | Downloads a file on 2022-10-09, bin.sh, SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef; a copy of the Mozi botnet for Linux |
123.97.144[.]204 | Downloads a file on 2022-10-09, bin.sh, SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef; a copy of the Mozi botnet for Linux |
183.150.97[.]46 | Unknown to public databases |