In this bi-monthly report based on the malicious activities detected by our worldwide honeypot network, you’ll find a focus on the ports and protocols most used by threat actors, as well as vulnerabilities – old and new – that are continuously tested by attackers.
Top ports / protocols targeted by threat actors
During January 2023, across the TEHTRIS worldwide honeypot network, these were the top 10 ports and protocols most requested:
These top 10 are broadly similar from one region of the world to another, with a few exceptions. For instance, 4070/UDP and 111/UDP rank high in Europe and Pacific Asia (see below), as does 3389/TCP, more specifically in South Pacific Asia.
About 4070/UDP
In January, 257 distinct IP addresses sent UDP requests to port 4070 of the TEHTRIS European and Pacific Asian honeypots in order to identify vulnerabilities in VertX and Edge door controllers. 23% of these scans came from the Chinese IP address 103.56.61[.]147 (AS 4837 – CHINA UNICOM China169 Backbone) and 15% from the US IP address 107.151.182[.]42 (AS 21859 – ZEN-ECN), both flagged as malicious in public databases. The US IP address has also scanned for vulnerable versions of VMware vCenter Chargeback Manager that allow information disclosure (CVE-2012-1472).
About 111/UDP
In January, 242 distinct IP addresses targeted port 111 with UDP packets in Pacific Asia and Europe. TEHTRIS NTA identifies those connections as attempts to perform denial-of-service attacks through Portmapper. Portmapper is an ONC RPC service that maps other ONC RPC services to their port numbers. Because its UDP responses can be much larger than the requests that trigger them, it can be misused as a traffic amplifier in DoS attacks.
About 3389/TCP
In our South Pacific Asia honeypots, TCP requests on port 3389 ranked in the top 10 of network activities. More than 80% of those scans came from the Chinese IP address 47.92.172[.]21 (AS 37963 – Alibaba-CN-Net), which is not listed in public databases of malicious IP addresses.
Port 3389 is most often used for remote desktop access (RDP). Connecting to your local area network through a VPN service is recommended, so that port 3389 is not exposed to the Internet.
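The figures quoted in the sections above (top ports per region, number of distinct source IPs per port, share of the leading source IP) can be reproduced from raw honeypot connection records. The script below is an added example, not TEHTRIS code: it assumes a simple "region source_ip proto dst_port" record layout, runs over a constructed sample log, and defangs IP addresses the way this report does.

```python
from collections import Counter, defaultdict

# Constructed sample honeypot connection records (not real TEHTRIS data).
# Assumed layout: "<region> <src_ip> <proto> <dst_port>", one record per line.
SAMPLE_LOG = """\
EU 203.0.113.10 UDP 4070
EU 203.0.113.10 UDP 4070
EU 198.51.100.7 UDP 4070
APAC 203.0.113.10 UDP 111
EU 198.51.100.7 UDP 111
SPAC 192.0.2.5 TCP 3389
SPAC 192.0.2.5 TCP 3389
SPAC 192.0.2.5 TCP 3389
SPAC 192.0.2.5 TCP 3389
SPAC 198.51.100.7 TCP 3389
EU 192.0.2.9 TCP 445
"""

def defang(ip):
    """Render an IP as 203.0.113[.]10 so it cannot be clicked or resolved by accident."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"

def parse_records(text):
    """Turn the log text into (region, src_ip, proto, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        region, src, proto, port = line.split()
        records.append((region, src, proto.upper(), int(port)))
    return records

def top_ports(records, n=10, region=None):
    """Most-requested (port, proto) pairs, over all regions or one region."""
    hits = Counter((port, proto) for reg, _src, proto, port in records
                   if region is None or reg == region)
    return hits.most_common(n)

def dominant_sources(records, threshold=0.15):
    """Per (port, proto): distinct source count, leading source IP and its share.
    'flag' is set when a single IP exceeds the share threshold, which is the kind
    of concentration the report calls out (e.g. one IP behind 80% of 3389/TCP)."""
    by_target = defaultdict(Counter)
    for _reg, src, proto, port in records:
        by_target[(port, proto)][src] += 1
    summary = {}
    for target, sources in by_target.items():
        total = sum(sources.values())
        ip, count = sources.most_common(1)[0]
        share = count / total
        summary[target] = {"distinct_ips": len(sources), "top_ip": defang(ip),
                           "share": round(share, 2), "flag": share >= threshold}
    return summary
```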
Turkish IP address abusing SMB
More than 15% of attack attempts using the SMB protocol against our European honeypots were conducted by the Turkish IP address 88.255.215[.]2 (AS 9121 – Turk Telekom). This IP address is not listed in public databases of malicious IPs.
The attacker attempts to log in using the following usernames:
Old vulnerability in Alcatel-Lucent OmniPCX Enterprise
Two Czech IP addresses attempted to abuse an old RCE vulnerability in Alcatel-Lucent OmniPCX Enterprise, tracked as CVE-2007-3010, with the following request:
The URL http[:]//vzwebsite[.]ir/fuez/potar.sh was last seen serving the shell script potar.sh on 30 January, with SHA256 2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6. This file is a known Linux backdoor belonging to the Mirai botnet.
| CZ | AS 211252 (Delis LLC) |
Russian IP addresses exploiting several vulnerabilities to download miners
Log4shell exploit attempts
Information remain TEHTRIS sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.