Honeypots: activity of the week 46

Analysis of the TEHTRIS international honeypot network provides information on the types of scans and malicious actions performed by cyber attackers. In week 46, we studied 3 activities.

SSH abuse on PostgreSQL

PostgreSQL, also known as Postgres, is an object-relational database management system emphasizing extensibility and SQL compliance, which runs on premises or in the cloud. Like the Apache and Linux projects, PostgreSQL is a freely available tool maintained by an international community of developers.

Organizations that want to maintain a high level of integrity and customization of their data choose Postgres for its reliability and its innovative features. It is widely deployed, hence the importance of being well informed about it: cyber criminals know and target the most widely used solutions.

PostgreSQL does not ship with a default username and password; the authentication credentials must be configured during the installation process. If this step is not taken seriously enough, and the chosen logins and passwords are not strong enough, the attempts of cyber threat actors to enter your Postgres databases are going to succeed.

Indeed, this week TEHTRIS observed on its honeypot network a significant number of attempts to abuse the SSH protocol against PostgreSQL installations. The login “postgres” was tried with 1,065 different passwords. These combinations were tested by 82 IP addresses.

Here are the top 10 attempted passwords:

  • postgres
  • 123456
  • 1234
  • 123
  • 12345
  • 123456789
  • postgres1234
  • admin
  • postgres123
  • password

The TOP 10 IP addresses that performed the most abuse attempts were:

IP address          Share     AS (organization)                               Country
164.132.200[.]213   51.174%   AS 16276 (OVH SAS)                              FR
15.235.114[.]79     14.366%   AS 16276 (OVH SAS)                              CA
51.222.12[.]137     11.643%   AS 16276 (OVH SAS)                              CA
59.148.203[.]50      4.225%   AS 10103 (HK Broadband Network Ltd.)            HK
79.11.235[.]146      3.192%   AS 3269 (Telecom Italia)                        IT
109.239.48[.]81      1.502%   AS 34011 (Host Europe GmbH)                     DE
191.36.173[.]95      1.502%   AS 263336 (EXTREME WI)                          BR
109.239.58[.]6       1.315%   AS 34011 (Host Europe GmbH)                     DE
122.117.185[.]252    1.033%   AS 3462 (Data Communication Business Group)     TW
82.79.69[.]234       0.845%   AS 8708 (RCS & RDS)                             RO
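The honeypots see the passwords because they are built to record them; a production sshd only logs the failed attempts and their source. As an added example that is not part of the TEHTRIS report, the script below covers both sides of this section from a defender's point of view: it parses constructed OpenSSH auth.log lines (the sample is invented, not honeypot data), counts password failures per source address against the “postgres” account and flags sources above a tunable threshold (the value 3 is an assumption, not a standard), and it implements a simple password policy check for the postgres account that rejects the ten passwords listed above, anything built on the account name, and short passwords.

```python
import re
from collections import Counter

# Constructed sshd log lines, not honeypot data from the report. The format is
# the one OpenSSH writes to auth.log / the journal for password failures.
SAMPLE_AUTH_LOG = """\
Nov 14 03:12:01 db01 sshd[2211]: Failed password for postgres from 203.0.113.10 port 51022 ssh2
Nov 14 03:12:03 db01 sshd[2211]: Failed password for postgres from 203.0.113.10 port 51023 ssh2
Nov 14 03:12:05 db01 sshd[2211]: Failed password for postgres from 203.0.113.10 port 51024 ssh2
Nov 14 03:12:07 db01 sshd[2211]: Failed password for postgres from 203.0.113.10 port 51025 ssh2
Nov 14 03:12:09 db01 sshd[2211]: Failed password for postgres from 203.0.113.10 port 51026 ssh2
Nov 14 03:15:40 db01 sshd[2290]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Nov 14 03:15:44 db01 sshd[2290]: Failed password for postgres from 198.51.100.7 port 40013 ssh2
Nov 14 03:20:00 db01 sshd[2301]: Accepted publickey for alice from 192.0.2.5 port 55001 ssh2: ED25519 SHA256:constructed
Nov 14 03:21:13 db01 sshd[2333]: Failed password for postgres from 198.51.100.7 port 40020 ssh2
"""

# Matches both "Failed password for postgres from ..." and
# "Failed password for invalid user admin from ..." (non-existent accounts).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# The ten passwords most tried against "postgres" on the honeypots (from the report).
OBSERVED_TOP_PASSWORDS = frozenset({
    "postgres", "123456", "1234", "123", "12345", "123456789",
    "postgres1234", "admin", "postgres123", "password",
})


def failed_logins(log_text):
    """Yield (user, source_ip) for every failed password authentication."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def brute_force_sources(log_text, user="postgres", threshold=3):
    """Return {ip: failure_count} for sources that failed at least `threshold`
    times against `user`. The threshold is a tunable assumption, not a standard."""
    per_ip = Counter(ip for u, ip in failed_logins(log_text) if u == user)
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def is_weak_password(candidate, min_length=12):
    """Policy check for the postgres account: reject the observed top-10 list,
    anything containing the account name, and anything shorter than min_length."""
    lowered = candidate.lower()
    if lowered in OBSERVED_TOP_PASSWORDS:
        return True
    if "postgres" in lowered:
        return True
    return len(candidate) < min_length


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"brute force against postgres from {ip}: {n} failures")
    for pw in ("postgres1234", "Postgres!2022", "correct-horse-battery-staple-42"):
        print(f"{pw!r} weak: {is_weak_password(pw)}")
```

On the sample, only 203.0.113.10 crosses the default threshold; lowering it to 2 also catches 198.51.100.7, whose attempts are spread over several minutes, which is why a per-source counter over a window is more useful than a per-process one.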

SMB targeted by unknown malicious IP

This week, the main IP addresses that performed malicious activity targeting the SMB protocol on TEHTRIS honeypots are not known to public threat databases.

TEHTRIS recommends filtering flows on endpoints and servers, putting the zero-trust concept into practice and using a VPN. Ultimately, to properly protect your IT systems, exposing devices directly on the Internet must be avoided, even for a couple of minutes, given the permanent and intense hits we monitor worldwide thanks to our sensors.

IoCs:

201.211.189[.]86    AS 8048 (CANTV Servicios, Venezuela)                      VE
140.246.18[.]74     AS 58519 (Cloud Computing Corporation)                    CN
186.122.247[.]214   AS 11664 (Techtel LMDS Comunicaciones Interactivas S.A.)  PY
1.169.110[.]3       AS 3462 (Data Communication Business Group)               TW
110.137.154[.]250   AS 7713 (PT Telekomunikasi Indonesia)                     ID
96.10.242[.]118     AS 11426 (TWC-11426-CAROLINAS)                            US
1.169.62[.]71       AS 3462 (Data Communication Business Group)               TW

Exploit of Netcore routers backdoor

This week, thanks to the NTA solution integrated in the TEHTRIS XDR Platform, we monitored one malicious IP address that scanned the Internet to exploit a flaw discovered in 2014: a backdoor in routers from the Chinese manufacturer Netcore, sold worldwide under the Netis name, that allows an attacker to take control of the device, leaving users unable to protect themselves.

Known to public databases as malicious, the Swiss IP address 141.255.166[.]2, hosted by AS 51852 (Private Layer INC), targeted TEHTRIS honeypots on 644 occasions, mainly aiming at Irish, German, Belgian and Czech infrastructures.

The cyber attacker exploits the backdoor through UDP port 53413, on which it listens and which, in the router’s default configuration, is reachable from the Internet. Access requires a password, but it is the same on all routers Netcore produces. The backdoor lets the attacker easily enter the network and perform Man-in-the-Middle attacks on every system using the compromised router. The router can also serve as an entry point into the internal network, a technique increasingly observed in recent years.

Eight years after the discovery of this backdoor, cyber threat actors are still trying to exploit the flaw. The lack of security on the ‘Internet of Things’ (IoT) is significant today and endangers your organization! Whenever you can, TEHTRIS recommends changing default passwords, adapting the configuration of your systems to your specific needs and, most importantly, checking for known vulnerabilities that might compromise your devices.
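As an added example that is not part of the TEHTRIS report, the script below shows how a defender would put the IoCs from the SMB section and the Netcore section to use: it refangs the published addresses, matches them against constructed firewall log lines (the key=value format is assumed and belongs to no real vendor), and independently flags any inbound UDP/53413 probe (the Netcore/Netis backdoor port) and any SMB connection accepted from a non-RFC1918 source, which is the Internet exposure the report advises against. The sample log and the alert thresholds are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# IoCs from the report, kept defanged exactly as published.
SMB_IOCS = [
    "201.211.189[.]86", "140.246.18[.]74", "186.122.247[.]214", "1.169.110[.]3",
    "110.137.154[.]250", "96.10.242[.]118", "1.169.62[.]71",
]
NETCORE_SCANNER = "141.255.166[.]2"
NETCORE_BACKDOOR_PORT = 53413  # UDP port the Netcore/Netis backdoor listens on

# Constructed firewall log lines in an assumed key=value format (no real vendor's syntax).
SAMPLE_FW_LOG = """\
2022-11-16T08:00:01Z fw01 action=ALLOW proto=TCP src=192.0.2.44 spt=51000 dst=203.0.113.5 dpt=443
2022-11-16T08:00:04Z fw01 action=DROP proto=TCP src=201.211.189.86 spt=44012 dst=203.0.113.5 dpt=445
2022-11-16T08:00:09Z fw01 action=DROP proto=UDP src=141.255.166.2 spt=40000 dst=203.0.113.9 dpt=53413
2022-11-16T08:00:12Z fw01 action=ALLOW proto=UDP src=198.51.100.20 spt=53000 dst=203.0.113.9 dpt=53413
2022-11-16T08:00:15Z fw01 action=ALLOW proto=TCP src=10.20.0.15 spt=53001 dst=10.20.0.30 dpt=445
2022-11-16T08:00:18Z fw01 action=ALLOW proto=TCP src=198.51.100.21 spt=53002 dst=203.0.113.5 dpt=445
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def refang(ioc):
    """Turn the published "1.2.3[.]4" form back into a comparable address."""
    return ioc.replace("[.]", ".")


def is_internal(ip):
    """True for RFC1918 addresses; everything else is treated as Internet-facing."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(fields, ioc_set, backdoor_port=NETCORE_BACKDOOR_PORT):
    """Return the list of reasons one log record deserves attention (empty = none)."""
    reasons = []
    src = fields.get("src")
    if src in ioc_set:
        reasons.append("source is on the published IoC list")
    if fields.get("proto") == "UDP" and fields.get("dpt") == str(backdoor_port):
        reasons.append(f"UDP/{backdoor_port} probe (Netcore/Netis backdoor port)")
    if (fields.get("proto") == "TCP" and fields.get("dpt") == "445"
            and fields.get("action") == "ALLOW" and src and not is_internal(src)):
        reasons.append("SMB (TCP/445) accepted from a non-RFC1918 source")
    return reasons


def scan_log(log_text, iocs):
    """Return [(timestamp, src, reasons)] for every line that raised at least one reason."""
    ioc_set = {refang(i) for i in iocs}
    alerts = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        reasons = classify(fields, ioc_set)
        if reasons:
            alerts.append((line.split()[0], fields.get("src"), reasons))
    return alerts


if __name__ == "__main__":
    for ts, src, reasons in scan_log(SAMPLE_FW_LOG, SMB_IOCS + [NETCORE_SCANNER]):
        print(ts, src, "; ".join(reasons))
```

Note that a DROP entry still produces an alert: the IoC match and the backdoor-port probe are worth recording even when the firewall already blocked them, because they tell you which of your address ranges are being scanned, whereas the SMB rule only fires on accepted connections, since that is the condition that actually matters.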