
Honeypots: Focus on honeypots hosted in Germany

For the first half of May 2024, TEHTRIS honeypots hosted in Germany have been hit almost a million times by more than 14,500 unique IP addresses on their SMB services (TCP/445).

Here is an illustration of the most tested usernames:

The threat actors attempted to log into the following share name via SMB:

  • IPC$

The threat actors were looking for the following files (named pipes on the IPC$ share):

  • svcctl
  • RemCom_communicaton
  • srvsvc
  • samr
  • lsarpc
  • QzelHUgvVI

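As an added defender-side example (not TEHTRIS code), the following Python triages share-access log lines of the kind a honeypot or a Windows host would record: it flags opens of the named pipes listed above on IPC$ and uses a case-transition heuristic to spot random-looking pipe names such as the last entry. The log format, the 5145-style fields and the IP addresses are constructed sample data, not observations from the page.

```python
import re
from collections import Counter

# Pipes seen on the honeypots, mapped to what they expose (defender's notes).
KNOWN_PIPES = {
    "svcctl": "Service Control Manager: remote service creation (PsExec-style tooling)",
    "srvsvc": "Server Service: share enumeration",
    "samr": "SAM Remote: user/group enumeration",
    "lsarpc": "LSA: SID and policy lookups",
    "RemCom_communicaton": "RemCom command pipe (misspelling is the tool's own)",
}

# Constructed sample lines in a Windows event 5145 (share object access) style.
SAMPLE_LOG = r"""
5145 src=203.0.113.10 share=\\*\IPC$ target=\svcctl access=0x12019f
5145 src=203.0.113.10 share=\\*\IPC$ target=\samr access=0x12019f
5145 src=198.51.100.7 share=\\*\IPC$ target=\QzelHUgvVI access=0x12019f
5145 src=198.51.100.7 share=\\*\IPC$ target=\RemCom_communicaton access=0x12019f
5145 src=192.0.2.5 share=\\*\Public target=\report.docx access=0x1
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) share=(?P<share>\S+) target=\\(?P<target>\S+)")

def case_changes(name: str) -> int:
    """Count upper/lower transitions; generated names flip case far more than real words."""
    return sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))

def looks_random(name: str) -> bool:
    return 8 <= len(name) <= 16 and name.isalpha() and case_changes(name) >= 3

def classify(line: str):
    """Return (src, pipe, reason) for an IPC$ pipe open, None for anything else."""
    m = LINE_RE.search(line)
    if not m or not m.group("share").endswith("IPC$"):
        return None  # no match, or an ordinary file share rather than a pipe
    src, target = m.group("src"), m.group("target")
    if target in KNOWN_PIPES:
        return src, target, KNOWN_PIPES[target]
    if looks_random(target):
        return src, target, "random-looking pipe name (possible one-off tool)"
    return src, target, "unlisted pipe"

def triage(log: str):
    """All pipe findings plus a per-source count, for alerting on repeated probing."""
    findings = [f for f in map(classify, log.splitlines()) if f]
    return findings, Counter(src for src, _, _ in findings)

if __name__ == "__main__":
    for src, pipe, why in triage(SAMPLE_LOG)[0]:
        print(f"{src:15} {pipe:22} {why}")
```
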
Top 10 IoCs: the most active IP addresses against the German honeypots' SMB services:
