A good understanding of active threats is necessary to achieve a good security posture. The following report presents current trends emerging from the Internet background noise, based on two weeks of logs from our honeypots.
Check out our previous report here.
CVE-2020-2551 exploit attempts
CVE-2020-2551 (CVSSv3: 9.8) relates to a vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. As NIST explains, this easily exploitable vulnerability allows an unauthenticated threat actor with network access via the Internet Inter-ORB Protocol (IIOP) to compromise Oracle WebLogic Server. Successful exploitation can result in a takeover of Oracle WebLogic Server.
On the 5th of May 2023, threat actors targeted two of our honeypots hosted in the Southern Asia Pacific region, in equal measure, on port tcp/80.
The two source IP addresses that performed these attempts are both absent from public databases of known malicious IP addresses, and both are hosted by AS 45102 (Alibaba US Technology Co., Ltd.) in Singapore.
- 47.236.23[.]64
- 8.219.223[.]69
TEHTRIS-NTA technology recorded the following packet on our honeypot:
- GIOP………………..NameService
The NameService string matches the definition of the persistent root that classifies items in the server, as described in the Oracle documentation.
CISA’s Known Exploited Vulnerabilities (KEV) catalog does not list this CVE, but our investigation shows that it has recently been exploited against targets in Asia.
TEHTRIS recommends controlling and monitoring all device ports exposed to the Internet.
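The probe above is IIOP traffic on a port where no ORB should be listening. As an added detection example (not TEHTRIS code), the following parses the 12-byte GIOP message header, notes whether the body carries the NameService object key seen on the honeypot, and alerts when GIOP arrives on a port outside an assumed set of expected IIOP listeners (7001/7002, the WebLogic defaults, chosen here as an assumption). The sample payloads are constructed, not captures.

```python
"""Added detection example (not TEHTRIS code): flag GIOP/IIOP messages on ports
where no ORB is expected, as seen with the CVE-2020-2551 probes on tcp/80.
Parses the 12-byte GIOP message header and notes a 'NameService' object key.
Sample payloads are constructed, not captures."""
import struct

GIOP_MAGIC = b"GIOP"
# GIOP MsgType enumeration (CORBA specification, GIOP message header).
MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
             4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}
# Assumption for this example: WebLogic IIOP is expected only on its default ports.
EXPECTED_IIOP_PORTS = {7001, 7002}


def parse_giop_header(payload: bytes):
    """Return (version, little_endian, msg_type, body_size) or None if not GIOP."""
    if len(payload) < 12 or payload[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, msg_type = payload[4], payload[5], payload[6], payload[7]
    little_endian = bool(flags & 0x01)          # bit 0: byte order of the message
    (body_size,) = struct.unpack("<I" if little_endian else ">I", payload[8:12])
    msg_name = MSG_TYPES.get(msg_type, f"unknown({msg_type})")
    return f"{major}.{minor}", little_endian, msg_name, body_size


def classify(dst_port: int, payload: bytes) -> dict:
    """Decide whether a TCP payload is GIOP and whether its port warrants an alert."""
    hdr = parse_giop_header(payload)
    if hdr is None:
        return {"giop": False, "alert": False}
    version, little_endian, msg_type, body_size = hdr
    body = payload[12:]
    return {
        "giop": True,
        "version": version,
        "msg_type": msg_type,
        "little_endian": little_endian,
        "truncated": len(body) < body_size,      # header claims more than was captured
        "nameservice": b"NameService" in body,   # root context lookup, like the honeypot hit
        "alert": dst_port not in EXPECTED_IIOP_PORTS,
    }


def build_locate_request(object_key: bytes, little_endian: bool = False) -> bytes:
    """Construct a GIOP 1.0 LocateRequest (request_id + object key) for testing."""
    order = "<" if little_endian else ">"
    body = struct.pack(order + "I", 1) + struct.pack(order + "I", len(object_key)) + object_key
    body += b"\x00" * (-len(body) % 4)          # CDR aligns to 4-byte boundaries
    return GIOP_MAGIC + bytes([1, 0, int(little_endian), 3]) + struct.pack(order + "I", len(body)) + body
```

`classify(80, build_locate_request(b"NameService"))` reproduces the honeypot observation: a GIOP 1.0 LocateRequest for NameService on tcp/80, which raises the alert.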
AndoryuBot targeting our honeypots
Following Fortinet’s technical publication on AndoryuBot (which exploits CVE-2023-25717, CVSSv3: 9.8), we investigated this threat across our honeypot fleet. It turns out we caught one of the IP addresses exposed by Fortinet: 163.123.142[.]146 (US), hosted by AS 399471 (AS-SERVERION).
We recorded more than 630 hits on our honeypot network between the 1st and the 15th of May 2023, with a spike observed between the 3rd and the 8th. Activity was also detected at the end of April on our honeypots. The threat actor targets the following ports/protocols, listed in this order:
| Port | Protocol |
|---|---|
| 10023 | TCP |
| 81 | TCP |
| 5500 | TCP |
| 23 | TCP |
| 80 | TCP |
| 7000 | TCP |
| 17000 | TCP |
| 8088 | TCP |
| 443 | TCP |
| 3128 | TCP |
The honeypots hosted in Europe and in North America were the most targeted.
On our honeypots equipped with web services, we recorded hits on Brazilian, French, Swedish, US and Polish decoys, with the following URLs:
- /config/getuser?index=0
This request refers to CVE-2020-25078 (CVSSv3: 7.5), affecting D-Link DCS-2530L devices before 1.06.01 Hotfix and DCS-2670L devices through 2.02. The unauthenticated /config/getuser endpoint allows remote disclosure of the administrator password.
- /boaform/admin/formLogin
This request corresponds to brute-force attacks against the login form, used to obtain privileged access.
Focus on the login “usr” on SSH
In the past couple of weeks, the login “usr” was used with 7 different passwords on our worldwide honeypots equipped with an SSH service. It was mostly tested with the password “www.usr.cn”.
| Login | Password |
|---|---|
| usr | www.usr.cn |
| usr | 123456 |
| usr | 1234 |
| usr | 123 |
| usr | 1 |
| usr | 3245gs5662d34 |
| usr | 123456789 |
As mentioned here, the “usr” login refers to the vendor Jinan USR IoT Technology Limited. The USR IoT 4G LTE Industrial Cellular VPN Router 1.0.36 is vulnerable to a remote root backdoor: the “usr” login combined with the “www.usr.cn” password grants the highest privileges on the device.
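As an added triage example (not TEHTRIS code), the following ranks the passwords tried against one SSH login in honeypot logs and flags pairs that match a known vendor default, here the usr / www.usr.cn pair from the report. The log lines follow the Cowrie honeypot format and are constructed for this example, reusing source addresses from the IoC list below.

```python
"""Added triage example (not TEHTRIS code): rank the passwords tried against one
SSH login in honeypot logs and flag pairs that are known vendor defaults.
Log lines follow the Cowrie honeypot format and are constructed for this example."""
import re
from collections import Counter, defaultdict

# Default credential named in the report: 'usr' / 'www.usr.cn' grants root on the
# USR IoT 4G LTE Industrial Cellular VPN Router 1.0.36.
VENDOR_DEFAULTS = {("usr", "www.usr.cn"): "USR IoT 4G LTE Industrial Cellular VPN Router"}

LOGIN_RE = re.compile(
    r"\[HoneyPotSSHTransport,\d+,(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)"
)

SAMPLE_LOG = """\
2023-05-10T08:12:01+0000 [HoneyPotSSHTransport,3,175.195.6.195] login attempt [usr/www.usr.cn] failed
2023-05-10T08:12:04+0000 [HoneyPotSSHTransport,4,121.136.74.178] login attempt [usr/www.usr.cn] failed
2023-05-10T08:12:09+0000 [HoneyPotSSHTransport,5,59.8.130.172] login attempt [usr/123456] failed
2023-05-10T08:12:11+0000 [HoneyPotSSHTransport,6,175.195.6.195] login attempt [usr/1234] failed
2023-05-10T08:12:15+0000 [HoneyPotSSHTransport,7,193.105.134.95] login attempt [root/admin] failed
2023-05-10T08:12:20+0000 [HoneyPotSSHTransport,8,100.38.226.74] login attempt [usr/www.usr.cn] succeeded
""".splitlines()

def triage_login(lines, login="usr"):
    """Aggregate attempts for one login: attempts and distinct sources per password,
    most tried first, with the vendor-default product name if the pair matches."""
    attempts, sources = Counter(), defaultdict(set)
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and m["user"] == login:
            attempts[m["pw"]] += 1
            sources[m["pw"]].add(m["ip"])
    return [
        {"login": login, "password": pw, "attempts": n,
         "distinct_sources": len(sources[pw]),
         "vendor_default": VENDOR_DEFAULTS.get((login, pw))}
        for pw, n in attempts.most_common()
    ]

def default_credential_sources(lines):
    """Source IPs that used any known vendor-default pair, for blocklisting or hunting."""
    hits = defaultdict(set)
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and (m["user"], m["pw"]) in VENDOR_DEFAULTS:
            hits[(m["user"], m["pw"])].add(m["ip"])
    return {k: sorted(v) for k, v in hits.items()}
```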
Around 2,125 different IP addresses targeted hundreds of our honeypots mostly located in Europe and in the USA.
TOP 10 IoCs – all IP addresses are known to public databases identifying malicious IPs:
Most of them are hosted by AS 4766 (Korea Telecom) in Korea:
- 175.195.6[.]195
- 121.136.74[.]178
- 59.8.130[.]172
- 59.23.247[.]96
- 222.101.206[.]211
- 121.154.94[.]69
Others:
- 193.105.134[.]95 – AS 42237 ( w1n ltd ) – SE
- 202.158.46[.]84 – AS 4787 ( PT Cyberindo Aditama ) – ID
- 195.3.147[.]52 – AS 41390 ( RN Data SIA ) – LV
- 100.38.226[.]74 – AS 701 ( UUNET ) – US
Tracking the Mirai botnet
Most targeted port/protocols – top 10
Information remains TEHTRIS’ sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.