A good understanding of active threats is necessary to achieve a good security posture. The following report provides actual trends that emerge from the Internet Background Noise. The data are provided using two weeks of our worldwide honeypots’ logs.
SSH connection attempts: focus on 2 French IP addresses
These past two weeks, 10% of the SSH connection attempts on our European honeypots originated from just 2 French IP addresses :
The first one is 54.36.126[.]205, testing over 23,000 credentials in just 4 hours in the mornings of the 30th and 31st of March. The table below shows the top 10 credentials that were used:
| Login | Password |
| developer | mar20lt |
| nagios | 555555 |
| test | 333333 |
| wso2 | 123qwe |
| plex | abcd1234 |
| webdev | 54321 |
| mattermost | usr |
| matrix | 1qaz@WSX |
| start | start |
The targeted countries are distributed as follows:
The second IP address is 51.91.136[.]234, which – following the same pattern – tested over 13,000 credentials in a few hours on the Monday of March 30th. The table below shows the top 10 credentials that were used:
| Login | Password |
| steam | 0 |
| centos | 123456789 |
| deployer | 123456 |
| remote2 | remote2 |
| root2 | root2 |
| user1 | user1 |
| oracle | 1111 |
| oracle | 111111 |
| oracle | 123 |
| oracle | 123123 |
The targeted honeypots are distributed as follows:
AndroxGh0st scanning for Laravel debug mode information
AndroxGh0st is a python script available in open sources which is used to scan for and parse Laravel applications to find exposed .env files, revealing configuration data including and private keys. Laravel is an open-source platform used to create web application. When the Debug mode is enabled, it can disclose sensitive information such as database, passwords, application keys… This information is of interest for threat actors to pursue further attacks.
AndroxGh0st was discovered by the cybersecurity community at the end of 2022 and has been mentioned recently because it is included in a new toolset called AlienFox sold on Telegram channels. AlienFox is used to harvest API keys and secrets from popular services including AWS SES.
Packets containing “androxgh0st” have been increasingly detected on our honeypots over the course of March, almost doubling the amount over the course of the month.
4 IP addresses amount for almost 80% of the total requests:
| Ip address | Country | AS |
| 135.125.246[.]110 135.125.217[.]54 135.125.244[.]48 135.125.246[.]189 | FR | AS 16276 (OVH SAS) |
Most used usernames over SMB protocol
Over 2 million SMB connection attempts were registered over the past couple of weeks on our honeypots. The usernames most used by threat actors are the following:
Turkish IP address 88.255.215[.]2 (AS 9121 – Turk Telekom) that we mentioned in our February bi-monthly is still extremely active since its relentless requests amount for almost 50% of the total events.
Network traffic analysis in Europe and South Pacific Asia
Port 427 linked with VMWare ESXi ransomware campaign
Information remain TEHTRIS sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.
