Honeypots: activity of the week 40

Analysis of the activity observed on TEHTRIS honeypot network for week 40 has revealed new indicators of compromise as well as earlier well-known types of attacks that threat actors are still using nowadays.

Malicious use of by default credentials


CirrOS is a minimal Linux distribution that was designed for use as a test image on clouds such as OpenStack Compute. Images of operational system CirrOS include a classical authentication with login/password and provide credentials for prompt connection. The login is cirros and the password is gocubsgo since 2016. However, TEHTRIS still observes that threat actors are using the previous password cubswin:).
Since anyone can use these credentials to login, TEHTRIS recommend to not run this image with a public IP attached. In addition, we recommend you change by default credentials and you blacklist the following IP addresses that try to get inside your network using CirrOS tool. Please note that the 7 IP addresses in bold are not known from public blacklist databases. This threat is very real today.

Adresses IPASPays
79.138.105[.]128AS45011 Bredband2 ABSE
101.58.81[.]246AS210278 Sky ItaliaIT
109.247.14[.]226AS29695 Altibox ASNO
109.28.24[.]17AS15557 Société française du radiotéléphone – SFR SAFR
115.66.238[.]94AS9506 Singtel Fibre BroadbandSG
185.180.29[.]203AS212538 Poyrazwifi Limited CompanyTR
191.194.103[.]167AS26599 TELEFONICA BRASIL S.ABR
213.195.156[.]213AS12741 Netia SAPL
213.47.107[.]206AS8412 T-Mobile Austria GmbHAT
27.71.68[.]66AS7552 Viettel GroupVN
36.32.24[.]160AS140726 UNICOM AnHui province networkCN
36.35.24[.]106AS140726 UNICOM AnHui province networkCN
46.170.30[.]146AS5617 Orange Polska Spolka AkcyjnaPL
5.102.205[.]71AS47956 XFone 018 LtdIL
77.181.135[.]15AS6805 Telefonica GermanyDE
79.32.34[.]154AS3269 Telecom ItaliaIT
82.4.29[.]171AS5089 Virgin Media LimitedGB
82.46.205[.]202AS5089 Virgin Media LimitedGB
82.66.109[.]74AS12322 Free SASFR
85.115.252[.]118AS16345 PVimpelComRU
85.159.0[.]190AS3326 Private Joint Stock Company datagroupUA
87.249.135[.]116AS212238 Datacamp LimitedCZ
91.40.166[.]40AS3320 Deutsche Telekom AGDE
94.17.152[.]223AS12709 Melita LimitedMT

Huawei router

TEHTRIS noticed that the IP address 92.255.85[.]113 tried several times to use these by default credentials to connect to Huawei HG8245 router (the default username is telecomadmin and the default password is admintelecom) while monitoring our honeypots network. Located in Hong-Kong, this IP address is hosted by AS57523 Chang Way Technologies Co. Limited, which is very infamously known from public blacklist databases.

TEHTRIS highly recommends you change by default credentials of all your devices (endpoints, routers – including Internet of Things) and software when you first log in, choosing in particular strong and unique passwords.

Exploit attempts of Apache HTTP Server vulnerabilities still tested

This week, TEHTRIS noticed that the most used URL request by threat actors on its honeypot network is the following:


This echoes with the information published by American governmental agencies (CISA, FBI, CIA) on the 6th of October regarding the top CVEs actively exploited by people’s Republic of China state-sponsored cyber actors since 2020.

As a matter of fact, this specific URL is being used as part of exploit attempts of CVE-2021-41773 (CVSS3 : 7.5) in Apache HTTP Server version 2.4.49. These vulnerabilities allow a malicious actor to use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives and then could lead to remote code execution (RCE). This issue is known to be exploited in the wild as the code were available online. These vulnerabilities have been fixed in version 2.4.50. However, it was incomplete and quickly important new flaws were discovered resulting in the CVE-2021-42013 (CVSS : 9.8). The issue is fixed in the version 2.4.51.

It is generally accepted that Chinese cyber groups are formidable threats, but they are not the only ones trying to exploit these common vulnerabilities. The IP address 152.89.196[.]211, hosted by AS57523 Chang Way Technologies Co. Limited localized in Russia, is behind this URL request on honeypots TEHTRIS this week. The threat is still significant and used worldwide since it was discovered in May 2021.

TEHTRIS highly recommends you keep your devices and software up to date and that you keep track of daily discovered vulnerabilities.

The case of an AS hosting suspicious activities

Since the end of August, several IP addresses hosted by AS4134 Chinanet regularly scan TEHTRIS honeypots trying to act maliciously. This specific AS is known on social media for hosting malware sites for years [1][2].

Here is the IoCs list discovered by TEHTRI :

Adresses IP



SSH bruteforce

Transporte le malware Kane_Sneak_out.exe – SHA256 :  d7d84decce8c530a9a5d691fd23da867d233559b9968aa2767fc28bb43507211


SSH bruteforce


Blacklist public


Blacklist public


SSH bruteforce et vol d’identifiants


SSH bruteforce


SSH bruteforce




SSH bruteforce


Blacklist public


SSH bruteforce


Télécharge un fichier 2022-10-09 bin.sh – SHA256 :


Copie du botnet MOZI sur Linux


Télécharge un fichier 2022-10-09 bin.sh – SHA256 :


Copie du botnet MOZI sur Linux


Inconnu des bases de données publiques