Honeypots: Focus on honeypots hosted in Germany

In the first half of May 2024, TEHTRIS honeypots hosted in Germany were hit almost a million times by more than 14,500 unique IP addresses on their SMB services (TCP/445).

Here is an illustration of the most tested usernames:

The threat actors attempted to log into the following share name via SMB:

  • IPC$

The threat actors were looking for the following files:

  • svcctl
  • RemCom_communicaton
  • srvsvc
  • samr
  • lsarpc
  • QzelHUgvVI
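One way to triage this kind of activity in honeypot or file-server logs is to group IPC$ opens by source and label them by which of the names above were requested. This is an added example, not TEHTRIS code: the JSON-lines event format, the sample events, the role descriptions and the triage labels are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Names from the page; the role descriptions are added here, not taken from the page.
PIPE_ROLES = {
    "svcctl": "Service Control Manager RPC (remote service create/start)",
    "remcom_communicaton": "pipe used by the RemCom remote-execution service",
    "srvsvc": "Server Service RPC (share/session enumeration)",
    "samr": "SAM Remote RPC (account enumeration)",
    "lsarpc": "LSA RPC (policy and SID lookups)",
}
EXEC_PIPES = {"svcctl", "remcom_communicaton"}  # assumption: triaged first

# Constructed sample events in a hypothetical JSON-lines format (documentation IPs).
SAMPLE_EVENTS = r"""
{"src": "192.0.2.10", "share": "IPC$", "file": "svcctl"}
{"src": "192.0.2.10", "share": "\\\\honeypot\\IPC$", "file": "RemCom_communicaton"}
{"src": "198.51.100.7", "share": "IPC$", "file": "samr"}
{"src": "198.51.100.7", "share": "IPC$", "file": "\\lsarpc"}
{"src": "203.0.113.5", "share": "IPC$", "file": "QzelHUgvVI"}
{"src": "203.0.113.9", "share": "C$", "file": "svcctl"}
not-json: truncated sensor line
"""

def summarize(lines):
    """Group IPC$ opens by source address and assign a triage label."""
    seen = defaultdict(lambda: {"known": set(), "unknown": set()})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(ev, dict) or "src" not in ev:
            continue
        # Accept both "IPC$" and a full UNC path ending in \IPC$.
        share = str(ev.get("share", "")).rsplit("\\", 1)[-1].upper()
        name = str(ev.get("file", "")).lstrip("\\")
        if share != "IPC$" or not name:
            continue
        if name.lower() in PIPE_ROLES:
            seen[ev["src"]]["known"].add(name.lower())
        else:
            seen[ev["src"]]["unknown"].add(name)  # e.g. random-looking names
    report = {}
    for src, hit in seen.items():
        label = ("remote-exec" if hit["known"] & EXEC_PIPES
                 else "review" if hit["unknown"] else "enumeration")
        report[src] = {"known": sorted(hit["known"]),
                       "unknown": sorted(hit["unknown"]), "label": label}
    return report
```

Calling `summarize(SAMPLE_EVENTS.splitlines())` returns one entry per source address; names outside the known set, such as `QzelHUgvVI`, are kept verbatim under `unknown` for manual review.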

Top 10 IoCs of most active IP addresses against German honeypots SMB services:

  • IR 🇮🇷 – AS 49100 (Pishgaman Toseeh Ertebatat Company (Private Joint Stock))
  • RU 🇷🇺 – AS 197159 (Trinet Ltd.)
  • EG 🇪🇬 – AS 8452 (TE Data)
  • EG 🇪🇬 – AS 8452 (TE Data)
  • VN 🇻🇳 – AS 45899 (VNPT Corp)
  • MX 🇲🇽 – AS 8151 (UNINET)
  • RU 🇷🇺 – AS 48528 (Lifetelecom LLC)
  • VN 🇻🇳 – AS 45899 (VNPT Corp)
  • IR 🇮🇷 – AS 58224 (Iran Telecommunication Company PJS)
  • VN 🇻🇳 – AS 7552 (Viettel Group)

The 4 IP addresses in bold were not identified as malicious by public databases at the time of writing.