Our selection of alerts on honeypots: report 7 – April 2023

A good understanding of active threats is necessary to achieve a good security posture. The following report presents the current trends emerging from the Internet background noise, based on two weeks of logs from our worldwide honeypots.

SSH connection attempts: focus on 2 French IP addresses

These past two weeks, 10% of the SSH connection attempts on our European honeypots originated from just two French IP addresses:

The first one is 54.36.126[.]205, testing over 23,000 credentials in just 4 hours in the mornings of the 30th and 31st of March. The table below shows the top 10 credentials that were used:

Login        Password
developer    mar20lt
nagios       555555
test         333333
wso2         123qwe
plex         abcd1234
webdev       54321
mattermost   usr
matrix       1qaz@WSX
start        start

The targeted countries are distributed as follows:

The second IP address is 51.91.136[.]234, which – following the same pattern – tested over 13,000 credentials in a few hours on the Monday of March 30th. The table below shows the top 10 credentials that were used:

Login        Password
steam        0
centos       123456789
deployer     123456
remote2      remote2
root2        root2
user1        user1
oracle       1111
oracle       111111
oracle       123
oracle       123123

The targeted honeypots are distributed as follows:
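The two bursts described above share a signature that is easy to catch on a defender's side: one source address, thousands of password failures, many distinct usernames, all inside a few hours. The script below is an added example and not part of the TEHTRIS report or its tooling. It parses standard sshd syslog lines, flags source IPs whose failure count exceeds a threshold inside a sliding time window, and lists the most-tried usernames per source, mirroring the tables above. The log lines are constructed for the example (the two source IPs are the ones named in this section; hostnames, PIDs, ports and the third source are made up), and the thresholds are arbitrary assumptions to tune to your own baseline.

```python
"""Flag single-source SSH credential-stuffing bursts in sshd auth logs.

Added example, not TEHTRIS code. Sample log lines are constructed; real
syslog lines omit the year, so the year is an assumed parameter.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines: two noisy sources and one quiet one, plus an accepted login.
SAMPLE_LOG = """\
Mar 30 08:12:01 hp-eu1 sshd[2201]: Failed password for invalid user developer from 54.36.126.205 port 51234 ssh2
Mar 30 08:12:02 hp-eu1 sshd[2203]: Failed password for invalid user nagios from 54.36.126.205 port 51236 ssh2
Mar 30 08:12:03 hp-eu1 sshd[2205]: Failed password for invalid user test from 54.36.126.205 port 51238 ssh2
Mar 30 08:12:04 hp-eu1 sshd[2207]: Failed password for invalid user wso2 from 54.36.126.205 port 51240 ssh2
Mar 30 08:12:05 hp-eu1 sshd[2209]: Failed password for invalid user nagios from 54.36.126.205 port 51242 ssh2
Mar 30 08:13:10 hp-eu1 sshd[2231]: Failed password for invalid user oracle from 51.91.136.234 port 40010 ssh2
Mar 30 08:13:11 hp-eu1 sshd[2233]: Failed password for invalid user oracle from 51.91.136.234 port 40012 ssh2
Mar 30 08:13:12 hp-eu1 sshd[2235]: Failed password for root from 51.91.136.234 port 40014 ssh2
Mar 30 09:40:00 hp-eu1 sshd[2400]: Failed password for admin from 203.0.113.7 port 33000 ssh2
Mar 30 09:41:00 hp-eu1 sshd[2402]: Accepted publickey for ops from 198.51.100.9 port 22000 ssh2
"""

# sshd writes "invalid user" when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2023):
    """Return a list of (timestamp, source_ip, username) for every failed password."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bursts(events, threshold=20, window_minutes=10):
    """Return {ip: summary} for sources with >= threshold failures inside any window.

    Events are grouped per source and sorted; a two-pointer sliding window then
    checks the density in linear time per source.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(items),
                    "distinct_users": len({u for _, u in items}),
                    "first": times[0],
                    "last": times[-1],
                }
                break
    return flagged


def top_usernames(events, ip, n=10):
    """Most-tried usernames for one source, like the report's top-10 tables."""
    return Counter(user for _, src, user in events if src == ip).most_common(n)


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    # Low thresholds so the ten constructed lines trigger; raise them for real logs.
    for ip, info in find_bursts(evts, threshold=3, window_minutes=5).items():
        print(f"{ip}: {info['attempts']} failures, {info['distinct_users']} usernames, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
        print("  top usernames:", top_usernames(evts, ip, 3))
```

On a real host, feed it `journalctl -u ssh -o short` or `/var/log/auth.log` output; the per-source username count is the useful discriminator, since a legitimate user who mistypes a password does not cycle through dozens of account names.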

AndroxGh0st scanning for Laravel debug mode information

AndroxGh0st is a publicly available Python script used to scan for Laravel applications and parse them for exposed .env files, revealing configuration data including private keys. Laravel is an open-source framework used to build web applications. When its debug mode is enabled, it can disclose sensitive information such as database settings, passwords and application keys. This information is of interest to threat actors for pursuing further attacks.

AndroxGh0st was discovered by the cybersecurity community at the end of 2022 and has been mentioned recently because it is included in a new toolset called AlienFox sold on Telegram channels. AlienFox is used to harvest API keys and secrets from popular services including AWS SES.

Packets containing “androxgh0st” have been increasingly detected on our honeypots over the course of March, with the volume almost doubling over the month.

Four IP addresses account for almost 80% of the total requests:

IP address          Country   AS
135.125.246[.]110   FR        AS 16276 (OVH SAS)
135.125.217[.]54    FR        AS 16276 (OVH SAS)
135.125.244[.]48    FR        AS 16276 (OVH SAS)
135.125.246[.]189   FR        AS 16276 (OVH SAS)
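Two defensive checks follow from this section: spotting the scanning in web server logs, and making sure a Laravel deployment is not in the state the scanner is looking for. The script below is an added example written for this report; it is neither TEHTRIS code nor part of AndroxGh0st. It parses combined-format access log lines and flags requests that probe for `.env` files or carry the “androxgh0st” string the report observed, then audits a Laravel `.env` excerpt for APP_DEBUG=true. The access log lines and the `.env` excerpt are constructed for the example (three of the OVH addresses from the table above appear as sample sources; the timestamps, user agents, paths and the placeholder key are made up).

```python
"""Detect Laravel .env probing / AndroxGh0st markers and audit a Laravel .env.

Added example, not TEHTRIS or AndroxGh0st code. All sample data is constructed.
"""
import re
from collections import Counter

# Constructed Apache/nginx combined-format lines; the fourth is benign traffic.
SAMPLE_ACCESS_LOG = """\
135.125.246.110 - - [14/Mar/2023:03:10:22 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Linux; Android 11; SM-G960U) AppleWebKit/537.36"
135.125.246.110 - - [14/Mar/2023:03:10:23 +0000] "POST / HTTP/1.1" 200 612 "-" "androxgh0st"
135.125.217.54 - - [14/Mar/2023:03:11:05 +0000] "GET /laravel/.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2023:03:12:40 +0000] "GET /index.php HTTP/1.1" 200 4021 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"
135.125.244.48 - - [14/Mar/2023:03:13:01 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "python-requests/2.28.1"
"""

# Constructed Laravel .env excerpt with the risky setting this section describes.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:EXAMPLE_KEY_PLACEHOLDER
DB_PASSWORD=changeme
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Matches /.env, /app/.env and /.env.bak but not /environment or /envelope.
ENV_PATH_RE = re.compile(r"(^|/)\.env(\.|$)")
MARKER = "androxgh0st"  # string the report saw in scanner packets


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify_request(rec, raw_line):
    """Return the reasons a parsed request looks like .env / AndroxGh0st scanning."""
    reasons = []
    path = rec["path"].split("?", 1)[0]  # ignore the query string when matching
    if ENV_PATH_RE.search(path):
        reasons.append("env-file-probe")
    if MARKER in raw_line.lower():  # covers user agent and any other logged field
        reasons.append("androxgh0st-marker")
    return reasons


def scan_access_log(text):
    """Aggregate suspicious requests per source: {ip: Counter(reason -> count)}."""
    hits = {}
    for line in text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        reasons = classify_request(rec, line)
        if reasons:
            hits.setdefault(rec["ip"], Counter()).update(reasons)
    return hits


def audit_laravel_env(env_text):
    """Return findings for settings that turn an exposed Laravel app into a secret leak."""
    values = {}
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip('"').strip("'")

    findings = []
    debug_on = values.get("APP_DEBUG", "false").lower() == "true"
    if debug_on:
        findings.append("APP_DEBUG=true: error pages disclose configuration, credentials and keys")
    if debug_on and values.get("APP_ENV") == "production":
        findings.append("debug mode is enabled on a production environment")
    return findings


if __name__ == "__main__":
    for ip, reasons in scan_access_log(SAMPLE_ACCESS_LOG).items():
        print(ip, dict(reasons))
    for finding in audit_laravel_env(SAMPLE_ENV):
        print("finding:", finding)
```

The access-log part is a triage helper rather than a blocklist: a single `.env` probe from an address is enough to confirm what the honeypot data shows, and the `.env` audit is what closes the exposure on your own side, independently of who is scanning.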

Most used usernames over SMB protocol

Over 2 million SMB connection attempts were registered over the past couple of weeks on our honeypots. The usernames most used by threat actors are the following:

The Turkish IP address 88.255.215[.]2 (AS 9121 – Turk Telekom) that we mentioned in our February bi-monthly report is still extremely active: its relentless requests account for almost 50% of the total events.

Information remains TEHTRIS’ sole property and reproduction is forbidden

TEHTRIS is and remains the sole owner of the property rights in the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access the information for read-only use. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS copyright.

No warranty and liability

TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.
