For the first half of May 2024, TEHTRIS honeypots hosted in Germany have been hit almost a million times by more than 14,500 unique IP addresses on their SMB services (TCP/445).
Here is an illustration of the most tested usernames:
The threat actors attempted to connect to the following share via SMB:
- IPC$
Over that share they requested the following named pipes (IPC$ exposes MS-RPC endpoints as pipes, so these show up in the honeypot logs as file open requests):
- svcctl (Service Control Manager: create and start services remotely)
- RemCom_communicaton (control pipe of the open-source RemCom remote command tool; the misspelling is the tool's own)
- srvsvc (Server Service: share and session enumeration)
- samr (Security Account Manager: account and group enumeration)
- lsarpc (Local Security Authority: policy and SID lookups)
- QzelHUgvVI (a random-looking name that matches no standard Windows pipe)
Taken together, svcctl plus the RemCom pipe is the PsExec-style execution pattern: authenticate, create and start a service through svcctl, then drive it through its named pipe.
Top 10 IoCs: the most active IP addresses against the German honeypots' SMB services:
5.202.255.16 – IR – AS 49100 (Pishgaman Toseeh Ertebatat Company (Private Joint Stock))
185.146.215.88 – RU – AS 197159 (Trinet Ltd.)
156.204.164.79 – EG – AS 8452 (TE Data)
156.204.76.131 – EG – AS 8452 (TE Data)
14.160.33.254 – VN – AS 45899 (VNPT Corp)
187.141.123.178 – MX – AS 8151 (UNINET)
212.22.71.51 – RU – AS 48528 (Lifetelecom LLC)
14.191.200.39 – VN – AS 45899 (VNPT Corp)
217.218.250.79 – IR – AS 58224 (Iran Telecommunication Company PJS)
117.2.145.237 – VN – AS 7552 (Viettel Group)
Four of these ten IP addresses were not identified as malicious by public databases at the time of writing.