During the first half of May 2024, TEHTRIS honeypots hosted in Germany were hit almost a million times by more than 14,500 unique IP addresses on their SMB services (TCP/445).
Here is an illustration of the most tested usernames:

The threat actors attempted to log into the following share name via SMB:
- IPC$
The threat actors were looking for the following files:
- svcctl
- RemCom_communicaton
- srvsvc
- samr
- lsarpc
- QzelHUgvVI
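
A defender-side check for the names listed above, as an added example that is not part of the original report: it groups IPC$ opens by source IP and classifies them by the name requested. The JSON-lines export using Windows Security event 5145 field names, the class labels and the triage order are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Pipe names from the report; the class labels are this example's assumption.
PIPE_CLASSES = {
    "svcctl": "remote-exec",               # Service Control Manager RPC
    "remcom_communicaton": "remote-exec",  # RemCom pipe, spelled as observed
    "srvsvc": "enumeration",               # Server service RPC
    "samr": "enumeration",                 # SAM remote RPC
    "lsarpc": "enumeration",               # LSA remote RPC
}

# Constructed records using Windows Security event 5145 field names.
SAMPLE_LOG = r"""
{"IpAddress": "192.0.2.10", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"}
{"IpAddress": "192.0.2.10", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr"}
{"IpAddress": "198.51.100.7", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl"}
{"IpAddress": "198.51.100.7", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "RemCom_communicaton"}
{"IpAddress": "203.0.113.5", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "QzelHUgvVI"}
{"IpAddress": "203.0.113.9", "ShareName": "\\\\*\\DATA", "RelativeTargetName": "notes.txt"}
"""

def classify_sources(lines):
    """Map each source IP to the sorted pipe classes it opened on IPC$."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        pipe = ev.get("RelativeTargetName", "").lstrip("\\").lower()
        if share != "IPC$" or not pipe:
            continue  # other shares, or a connect with no pipe open
        seen[ev.get("IpAddress", "unknown")].add(PIPE_CLASSES.get(pipe, "unrecognized"))
    return {ip: sorted(classes) for ip, classes in seen.items()}

def verdict(classes):
    """Triage order (assumed): remote execution, then unknown pipe names."""
    if "remote-exec" in classes:
        return "alert"
    if "unrecognized" in classes:
        return "review"
    return "log"

if __name__ == "__main__":
    for ip, classes in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, verdict(classes), classes)
```

Names that fall into the "unrecognized" class, such as the random-looking one in the list above, are worth comparing against the pipes your own servers legitimately expose before tuning the triage order.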
Top 10 IoCs of most active IP addresses against German honeypots SMB services:
5.202.255.16 – IR 🇮🇷 – AS 49100 (Pishgaman Toseeh Ertebatat Company (Private Joint Stock))
185.146.215.88 – RU 🇷🇺 – AS 197159 (Trinet Ltd.)
156.204.164.79 – EG 🇪🇬 – AS 8452 (TE Data)
156.204.76.131 – EG 🇪🇬 – AS 8452 (TE Data)
14.160.33.254 – VN 🇻🇳 – AS 45899 (VNPT Corp)
187.141.123.178 – MX 🇲🇽 – AS 8151 (UNINET)
212.22.71.51 – RU 🇷🇺 – AS 48528 (Lifetelecom LLC)
14.191.200.39 – VN 🇻🇳 – AS 45899 (VNPT Corp)
217.218.250.79 – IR 🇮🇷 – AS 58224 (Iran Telecommunication Company PJS)
117.2.145.237 – VN 🇻🇳 – AS 7552 (Viettel Group)
The 4 IP addresses in bold were not identified as malicious by public databases at the time of writing.