
Our selection of alerts on honeypots: report 20 – November 2023

The following report consists of TEHTRIS observations on our worldwide honeypot network, to provide you with information on what is going on on the Internet. This actionable cyber threat intelligence is based on observations from a real and uncontrolled environment. Keeping track of trends, and keeping an eye on what threat actors actively scan during their reconnaissance phase, allows organizations to adjust their cybersecurity posture.

Check out our previous report here.

Recent increase in exploit attempts of CVE-2023-46604

CVE-2023-46604 (CVSSv3: not yet established by NVD) was disclosed on October 24th. It refers to a flaw in Apache ActiveMQ which makes it vulnerable to remote code execution. The vulnerability allows a remote threat actor with network access to a vulnerable broker to run arbitrary shell commands: specially crafted data (serialized class types in the OpenWire protocol) leads the broker to instantiate any class on the classpath.

On the 27th of October, a proof of concept (PoC) for this vulnerability was published on GitHub. It targets port 61616, ActiveMQ’s default port. The vulnerability is recent and is not yet listed in CISA’s Known Exploited Vulnerabilities catalog.

On our worldwide honeypot network, we have monitored a major increase in traffic targeting this specific port since the PoC was publicly disclosed.

The 300 IP addresses used by threat actors to target this port are mostly hosted in the US (73%), China (19%) and the Netherlands (3%). The honeypots most targeted by this threat are hosted in Singapore (17%), Indonesia (15%), Europe (12%) and the UAE (5%).

This phenomenon illustrates how significant the consequences of a vulnerability’s publication can be within a few days. The well-known IT and cyber media outlet BleepingComputer also published an article on the 1st of November, helping spread the information across the globe. We will continue to monitor this specific threat, as we assess it will gain in importance day by day.

Interesting finding: during the spike, our honeypots were targeted by malicious IP addresses already known for spreading the Mirai botnet. This means the threat actors upgraded their botnet the very same day. These IPs had not been observed targeting port 61616 on our honeypots before.

Example:

🇺🇸 US – 68.69.186[.]14 – AS 399045 (DEDIOUTLET-NETWORKS)
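As an added illustration of the correlation behind this finding (not code from the report), the following Python checks a constructed honeypot connection log for a spike in distinct sources hitting port 61616 and lists which of those sources had already been seen on the telnet ports Mirai variants usually scan. The log lines, addresses (RFC 5737 ranges) and spike threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed honeypot records "<day> <source IP> <dst port>"; RFC 5737 addresses, not report IoCs.
SAMPLE_LOG = """\
2023-10-25 203.0.113.10 23
2023-10-26 198.51.100.7 61616
2023-10-27 203.0.113.10 2323
2023-10-28 203.0.113.10 61616
2023-10-28 203.0.113.11 23
2023-10-28 203.0.113.11 61616
2023-10-28 198.51.100.7 61616
2023-10-28 192.0.2.44 61616
"""

MIRAI_PORTS = {23, 2323}  # telnet ports classically scanned by Mirai variants
ACTIVEMQ_PORT = 61616     # ActiveMQ OpenWire default port (CVE-2023-46604)

def parse_log(text):
    """Turn the text records into (day, source_ip, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        day, ip, port = line.split()
        records.append((date.fromisoformat(day), ip, int(port)))
    return records

def daily_sources(records, port):
    """Map each day to the set of distinct source IPs that hit `port`."""
    per_day = defaultdict(set)
    for day, ip, p in records:
        if p == port:
            per_day[day].add(ip)
    return per_day

def spike_days(per_day, factor=3.0):
    """Days whose distinct-source count exceeds `factor` x the mean of all previous days."""
    spikes, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if history and count > factor * sum(history) / len(history):
            spikes.append(day)
        history.append(count)
    return spikes

def mirai_crossover(records, day):
    """Sources that scanned ActiveMQ on `day` and had hit Mirai ports on or before `day`."""
    mirai_ips = {ip for d, ip, p in records if p in MIRAI_PORTS and d <= day}
    amq_ips = {ip for d, ip, p in records if p == ACTIVEMQ_PORT and d == day}
    return sorted(mirai_ips & amq_ips)
```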

TEHTRIS recommends that users of Apache ActiveMQ upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fix this issue.

Top 10 IoCs – all flagged as malicious by the VirusTotal community:

🇺🇸 US IP addresses hosted by AS 63949 (Akamai Connected Cloud)


🇨🇳 Chinese IP addresses hosted by AS 58461 (CT-HangZhou-IDC)

  • 183.136.225[.]9
  • 183.136.225[.]29

R7-2014-02 exploit attempts

The R7-2014-02 vulnerability was disclosed in February 2014 by our fellow Cyber Threat Alliance member, Rapid7. A proof of concept using Metasploit followed in May of the same year. It refers to Ambit U10C019 and Ubee DDW3611 cable modems, which store information such as credentials in the SNMP (Simple Network Management Protocol) MIB (Management Information Base) tables at specific Object Identifier (OID) indexes. By default, SNMP is not enabled on these devices. However, a number of cable providers that use Ubee devices enable SNMP with the well-known “public” community string on the uplink side of the cable modem for remote management purposes, which makes it possible in those cases to enumerate this data over the Internet.

In October, 47 IP addresses performed this exploit attempt against all of our European honeypots, as well as those hosted in India, on port UDP/161. We monitored a spike on the 12th of October.

Here are the top 10 IoCs, all known to the VirusTotal community as malicious:

Most of them are hosted by AS 211680 (Sistemas Informaticos, S.A.) in Portugal.


The two others are located in the US and hosted by AS 21859 (ZEN-ECN).

  • 128.14.134[.]170
  • 128.14.134[.]134

This illustrates how old vulnerabilities, disclosed almost a decade ago, remain in current threat actors’ arsenals for finding and exploiting vulnerable devices exposed on the Internet.

CVE-2023-35078 exploit attempts

CVE-2023-35078 (CVSSv3: 9.8) refers to an authentication bypass in Ivanti Endpoint Manager Mobile which allows remote threat actors to obtain personally identifiable information, add an administrative account, change the configuration and, in doing so, change the security policy applied to endpoints. It is listed in CISA’s Known Exploited Vulnerabilities catalog, alongside CVE-2023-35081, which can be used in conjunction with CVE-2023-35078 to bypass authentication and ACL restrictions.

On the 22nd of October, all of our Indian honeypots were targeted on port TCP/80 by 3 malicious IP addresses hosted by AS 63949 (Akamai Connected Cloud) in Germany. They are not known to the VirusTotal community.

IoCs:

  • 143.42.30[.]165
  • 143.42.30[.]137
  • 143.42.30[.]130

TEHTRIS NTA captured the following request in the packets:

  • GET /mifs/aad/api/v2/admins/users

The threat actor is trying to retrieve the list of users, most likely in order to abuse accounts on the device through brute force.

TEHTRIS recommends using strong passwords and multi-factor authentication.

Focus on osboxes and exxact passwords on SSH service
