This last two weeks, international TEHTRIS honeypots have been under the usual massive wave of malicious activities. To be more precise, the ones located in Northeast Asia Pacific were the most targeted.
One IP conducting several malicious activities
The IP address 39.109.127[.]79 from Hong-Kong hosted by AS 142403 (YISU CLOUD LTD) performed numerous malicious activities on our honeypots targeting mainly port 80. More precisely, our honeypots detected 152 alerts the 19th of January between 7:22PM and 7:37PM (Paris time, GMT+1).
It was all about reconnaissance actions and a large range of CVE exploits was also tested, especially on the software Anywhere. 115 different URL requests have been recorded. Here are some examples :
- CVE-2018-20062
/App/?content=die(md5(HelloThinkPHP))- CVE-2012-1823
/cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E- Remote Code Execution (RCE) Anywhere (discovered in 2021)
/%69%73%70%69%72%69%74/%69%6D/%75%70%6C%6F%61%64%2E%70%68%70This IP address is very little known from public databases identifying malicious IP addresses.
Precise health data are being searched out in Canada
Between the 18th and the 21st of January, 212 original requests on one honeypot hosted in Canada have captured our attention.
Those requests are coming from 10 IP addresses all unknown of public databases identifying malicious IP addresses:
| IP | AS | Country |
| 72.14.199[.]168 72.14.199[.]176 72.14.199[.]181 192.178.10[.]46 192.178.10[.]50 74.125.210[.]50 192.178.10[.]48 72.14.199[.]191 74.125.210[.]48 64.233.172[.]114 | AS 15169 GOOGLE | US |
These IP have tried to request very specific URL about Quebec region in Canada and health from GoogleDocs. Here are some examples:
/static/archives/2023-01-18_quebec_ca.html?222222
/static/archives/2023-01-20_quebec_ca.html?222222
/static/archives/2023-01-18_santemontreal.html?222222
/static/archives/2023-01-19_quebec_ca_cas-region.csv (possible research of Covid cases)
/static/archives/2023-01-20_inspq_milieux.csv?222222This research of very specific documents on a short period of time made us believe that the person behind it knew what she was looking for and where she could find it. Unfortunately, these requests have also ended up on our honeypots…
Caution! It may not be malicious requests because it remains possible that an IT student, or an IT employee of an hospital or even a public health administration employee, had issues using a hand-made script while doing their job. This script could have been given to other colleagues, explaining the 10 different IP addresses. Behind the screen, there is a human that can make mistakes!
In the end, this is an unusual event that is difficult to assess, but that allows us to remind you the importance of better protecting health organizations against cyber threats.
Bi-monthly statistics: Top 10 of credentials tested by cyber attackers
| Login | Password |
| admin | admin |
| root | root |
| root | 0 |
| root | 1234 |
| 345gs5662d34 | 345gs5662d34 |
| pi | pi |
| root | 0 |
| admin | 7ujMko0admin |
| 111111 | $passwor |
| root | 123456 |
Bi-monthly statistics: Top 10 of URL requested used by cyber criminals
| URL |
| l9bjkkhaycw6f8f4.soundcloud.com:443 |
| /.git/config |
| /hm/capwap/index.html?NODEID=F09CE932A4C0 |
| /hm/capwap/index.html?NODEID=E01C41B18940 |
| /hm/capwap/index.html?NODEID=E01C41B19780 |
| /hm/capwap/index.html?NODEID=4018B1F83880 |
| /boaform/admin/formLogin |
| /hm/capwap/index.html?NODEID=4018B1CA4DC0 |
| /_ignition/execute-solution |
| /hm/capwap/index.html?NODEID=4018B1E369C0 |
Bi-monthly statistics : Top 10 of ports targeted by malicious cyber groups
| Port |
| 445 |
| 22 |
| 80 |
| 23 |
| 6379 |
| 443 |
| 8443 |
| 5555 |
| 3389 |
| 81 |
Unknown IoCs
The solution Deceptive Response with Web and SMB modules allows us to record attacks performed against our honeypots and to collect data from the attackers. These IP addresses have been monitored performing attacks on our international network of honeypots during these past two weeks. What is their common feature? They are all unknown from public databases identifying malicious IP addresses.
| IP | AS | Country | Attack |
| 109.237.96[.]124 | AS 202306 Hostglobal.plus Ltd | RU | Web Service |
| 109.237.97[.]141 | AS 202306 Hostglobal.plus Ltd | RU | Web Service |
| 37.153.250[.]65 | AS 28685 Routit BV | NL | Web Service |
| 202.157.176[.]224 | AS 136170 PT. EXABYTES NETWORK INDONESIA | MY | Web Service |
| 95.214.235[.]205 | AS 30860 Virtual Systems LLC | UA | Web Service |
| 85.27.52[.]68 | AS 12392 Brutele SC | BE | Web Service |
| 112.47.34[.]246 | AS 9808 China Mobile Communications Group Co., Ltd. | CN | Web Service |
| 185.254.196[.]115 | AS 30860 Virtual Systems LLC | US | Web Service |
| 47.242.80[.]60 | AS 45102 Alibaba US Technology Co., Ltd. | HK | Protocol SMB |
| 118.99.67[.]110 | AS 17451 BIZNET NETWORKS | ID | Protocol SMB |
| 222.255.122[.]62 | AS 7643 Vietnam Posts and Telecommunications VNPT | VN | Protocol SMB |
| 80.234.105[.]221 | AS 12389 Rostelecom | RU | Protocol SMB |
| 103.113.85[.]138 | AS 135307 Golden TMH Telecom Co. Ltd | MM | Protocol SMB |
| 122.53.126[.]30 | AS 9299 Philippine Long Distance Telephone Company | PH | Protocol SMB |
| 202.88.240[.]215 | AS 17465 Cable ISP in India | IN | Protocol SMB |
| 187.230.132[.]23 | AS 8151 Uninet S.A. de C.V. | MX | Protocol SMB |
| 189.203.208[.]115 | AS 22884 TOTAL PLAY TELECOMUNICACIONES SA DE CV | MX | Protocol SMB |