
Our selection of alerts on honeypots: report 22 – December 2023

The following report consists of TEHTRIS observations on our worldwide honeypots network to provide you with information on what is going on the Internet. This actionable cyber threat intelligence is based on observations from a real and uncontrolled environment. Keeping track of trends and keeping an eye on what is actively scanned by threat actors in a reconnaissance phase allows to adequately adjust the cybersecurity posture.

Check out our previous report here.

These past two weeks, over 338,000 unique IP addresses contacted TEHTRIS honeypots, amounting to over 70 million hits. From mere scanning to exploit attempts, let’s have a closer look at some of the malicious activities observed in this timeframe.

Top CVE exploit attempts in November 2023

In 2023, more than 21,000 new CVEs have been reported. That is already 4.5% more than in 2021… and the year is still not over! The month-by-month comparison of the top CVE exploit attempts recorded on TEHTRIS honeypots aims at revealing which vulnerabilities are the most exploited in the wild for initial access.

In November 2023, here are the top CVE exploit attempts that were recorded on TEHTRIS honeypots by TEHTRIS NTA:

Top CVE in November 2023

Compared to the past months, CVE-2018-13379 (CVSS3 9.8) enters the top 10 in 6th place. This path traversal vulnerability affects Fortinet FortiOS and allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. This CVE has been reported as one of the most exploited in 2022 according to a report by the Five Eyes nations published in August 2023. You will find a focus on this malicious activity in section 2.

The 8th and 9th ranks go respectively to:

  • CVE-2020-2551 (CVSS2 9.8), which was in June’s top 10 according to TEHTRIS telemetry and was not in CISA’s Known Exploited Vulnerabilities catalog at the time. Several exploitation POCs are available online. The vulnerability affects some versions of Oracle WebLogic Server products and allows a successful attacker to take over Oracle WebLogic Server; it has recently (November 2023) been added to that catalog.
  • CVE-2019-16759 (CVSS3 9.8), a remote code execution vulnerability in vBulletin.

What has remained unchanged for months is the top 3 CVEs:

  • CVE-2017-9841 (CVSSv3: 9.8) in PHPUnit, which allows remote attackers to execute arbitrary PHP code. This vulnerability has recently been used for initial access by the Kinsing / Money Libra group to deploy Kinsing malware and a cryptominer. This concrete example shows how old vulnerabilities are leveraged in the wild and still pay off for threat actors.
  • CVE-2019-9670 (CVSSv3: 9.8) in Synacor Zimbra Collaboration Suite, an XML External Entity injection (XXE) vulnerability.
  • CVE-2019-9621 (CVSSv3: 7.5), also in Synacor Zimbra Collaboration Suite, which is still not mentioned in CISA’s Known Exploited Vulnerabilities catalog. Several exploitation POCs are available online.

The other four CVEs (CVE-2021-35394 in Realtek Jungle SDK, CVE-2023-1389 in TP-Link Archer, CVE-2018-10561 in Dasan GPON routers, and CVE-2021-41773 in Apache HTTP Server) were also in last month’s top 10, simply at a different rank.

Focus on CVE-2018-13379 in Fortinet

As mentioned in section 1, TEHTRIS observed attempts to exploit CVE-2018-13379 (CVSS3 9.8) in November 2023. Exploit PoCs are publicly available, and the vulnerability has been reported as one of the most exploited in 2022 according to a report by the Five Eyes nations published in August 2023. We recorded a cluster of exploit attempts between November 20th and 27th.

Timeline of CVE-2018-13379

This activity came from 6 IP addresses, 2 of which come from AS60781 (LeaseWeb Netherlands B.V.), and 2 of which have no reputation of hosting malicious activity.

The main targets were honeypots located in France (30.7%), Spain (21.4%), Portugal (10.2%) and Taiwan (10.2%):

URL:

/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

IoCs:

  • 95.164.151[.]34
  • 194.113.238[.]143
  • 64.226.156[.]30
  • 193.41.68[.]95
  • 185.228.195[.]127
  • 223.177.100[.]178

Exploit attempts on vulnerable NetScaler appliances: CVE-2023-4966

TEHTRIS monitored attempts to exploit devices vulnerable to CVE-2023-4966 (CVSS3 7.5), which affects NetScaler ADC and NetScaler Gateway appliances.

This vulnerability – known as Citrix Bleed – was disclosed on October 10th and would allow a threat actor to access sensitive information from the device’s memory, including session authentication token information that may lead to hijacking a user’s session.

Two IP addresses probed TEHTRIS honeypots:

  • 137.74.246[.]152 – on October 26th – 🇫🇷 FR – AS 16276 (OVH SAS)
  • 38.180.1[.]139 – on November 18th – 🇳🇴 NO – AS 9009 (M247 Europe SRL)

The first one is flagged by 2/88 vendors on VirusTotal, the second one is not flagged as malicious at the time of writing.

For context, Citrix Bleed is known for being leveraged by ransomware groups such as LockBit 3.0. Citrix released recommendations in October that should be taken into account. A PoC has been available on GitHub since October 25th, which is a day before we started seeing these requests on our honeypots.

URL:

/oauth/idp/.well-known/openid-configuration

IoCs:

  • 137.74.246[.]152
  • 38.180.1[.]139
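Both the Fortinet and the NetScaler sections above boil down to two request patterns a defender can look for in web server or reverse-proxy logs: the `/remote/fgt_lang` request whose `lang` parameter traverses up to `/dev/cmdb/sslvpn_websession`, and requests to `/oauth/idp/.well-known/openid-configuration`, optionally correlated with the listed IoC addresses. The following detection helper is an added example written for this report, not TEHTRIS code. It assumes Apache/nginx "combined" log format and constructed sample lines (the log lines are not from the report; only the URLs and IoC IPs are). Note that the OpenID discovery URL is a legitimate NetScaler endpoint, so a hit on it alone is a weak signal; the example therefore reports the IoC match separately so the two can be combined in triage.

```python
"""Flag the two probe patterns described in this report in web access logs.

Added example, not TEHTRIS code. Assumptions: Apache/nginx "combined" log
format; the two URL patterns and the IoC IPs are taken from the report.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# IoC IPs from the report, with the defanging brackets removed.
IOC_IPS = {
    "95.164.151.34", "194.113.238.143", "64.226.156.30",      # CVE-2018-13379 section
    "193.41.68.95", "185.228.195.127", "223.177.100.178",
    "137.74.246.152", "38.180.1.139",                         # CVE-2023-4966 section
}

# ip - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw):
    """Percent-decode twice (double encoding), collapse '//' runs, resolve '..'.

    posixpath.normpath drops leading '..' on absolute paths, so the report's
    '/../../../..//////////dev/cmdb/sslvpn_websession' becomes '/dev/cmdb/sslvpn_websession'.
    """
    decoded = unquote(unquote(raw))
    collapsed = re.sub(r"/+", "/", decoded)
    return posixpath.normpath(collapsed)


def classify(target):
    """Return a label for a request target matching one of the report's URLs, else None."""
    parts = urlsplit(target)
    path = normalize_path(parts.path)
    if path == "/remote/fgt_lang":
        # CVE-2018-13379: the traversal lives in the 'lang' query parameter.
        for lang in parse_qs(parts.query).get("lang", []):
            if ".." in lang or normalize_path(lang).startswith("/dev/cmdb"):
                return "CVE-2018-13379 traversal"
    if path == "/oauth/idp/.well-known/openid-configuration":
        return "CVE-2023-4966 probe URL"
    return None


def scan(lines):
    """Return one finding per log line that matches a URL pattern or an IoC IP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        label = classify(m["target"])
        ioc = m["ip"] in IOC_IPS
        if label or ioc:
            findings.append({"ip": m["ip"], "pattern": label, "ioc_ip": ioc})
    return findings


# Constructed sample log lines (not from the report); only the targets reproduce the report's URLs.
SAMPLE_LOG = [
    '95.164.151.34 - - [21/Nov/2023:10:02:11 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Nov/2023:10:03:40 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 512 "-" "curl/8.0"',
    '38.180.1.139 - - [18/Nov/2023:04:44:01 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '198.51.100.7 - - [18/Nov/2023:04:45:13 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [18/Nov/2023:04:46:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The second sample line shows why the path is normalized before comparison: a percent-encoded `lang` value matches the same rule as the literal one from the report. The benign `lang=en` request and the unrelated page produce no finding.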

Range of US IP addresses multi-exploit attempts against Singapore

Focus on port TCP/8728: botnets targeting new Mikrotik vulnerability?

ownCloud critical vulnerability: scans for CVE-2023-49103
