Honeypots TEHTRIS: Vulnerabilities focus of the week (Week 37)

This week, TEHTRIS observed the following activity on its computer decoys deployed all around the world.

Summary

Focus on three kinds of vulnerability scanning this week

Eternal Blue

TEHTRIS detected a large number of EternalBlue exploit attempts on TCP/445. The EternalBlue exploit (CVE-2017-0144), developed by the NSA, became infamous in 2017 when it was leaked by the Shadow Brokers and then used in the WannaCry and NotPetya cyberattacks. EternalBlue exploits a vulnerability in Microsoft’s implementation of version 1 of the Server Message Block (SMB) protocol, which provides shared access to files and printers. The vulnerability lets remote attackers send crafted packets that execute code on the target computer. Although the CVE was patched immediately in 2017, TEHTRIS notes that EternalBlue remains an effective tool for threat actors in 2022, mostly because of old unpatched computers, computers that can no longer receive security patches, and the growing use of EternalBlue in covert cryptojacking operations.

The top 5 IP addresses that conducted the attack attempts were:

| IP source | Country | AS |
|---|---|---|
| 40.128.65[.]161 | US | AS7029 WINDSTREAM |
| 181.49.176[.]37 | CO | AS14080 TELMEX COLOMBIA S.A. |
| 81.8.21[.]228 | TR | AS15924 VODAFONE NET ILETISIM HIZMETLERI ANONIM SIRKETI |
| 168.187.144[.]67 | KW | AS6412 KW KEMS BLOCK-A |
| 142.247.224[.]196 | SA | AS25019 SAUDI TELECOM COMPANY JSC |

They are all listed on public blacklist databases, although SA 142.247.224[.]196 is not as widely reported.
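Since EternalBlue only works against SMBv1, an SMBv1 negotiation arriving on TCP/445 from the Internet is itself worth an alert. As an added example (not TEHTRIS code), the Python below tells SMBv1 from SMBv2+ by the header signature and lists the dialects a client offers in an SMBv1 Negotiate request; the sample packet is constructed in the block so it runs offline.

```python
"""Tell SMBv1 from SMBv2+ on TCP/445 and list the dialects offered in an SMBv1
Negotiate request.  Added example, not TEHTRIS code; the sample packet is
constructed below so the script runs offline."""
import struct

SMB1_MAGIC = b"\xffSMB"    # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"    # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72   # SMB1 Negotiate command code


def parse_smb_payload(tcp_payload: bytes) -> dict:
    """Inspect the payload of one TCP/445 segment.

    Returns the SMB generation ('SMB1', 'SMB2+' or None) and, for an SMB1
    Negotiate request, the dialect strings the client offered.  The first
    4 bytes are the NetBIOS Session Service header (message type + length).
    """
    body = tcp_payload[4:]
    if body.startswith(SMB2_MAGIC):
        return {"generation": "SMB2+", "dialects": []}
    if not body.startswith(SMB1_MAGIC) or len(body) < 35:
        return {"generation": None, "dialects": []}
    if body[4] != SMB_COM_NEGOTIATE:
        return {"generation": "SMB1", "dialects": []}
    # 32-byte SMB1 header, then WordCount (1 byte) and ByteCount (2 bytes, LE).
    byte_count = struct.unpack_from("<H", body, 33)[0]
    data = body[35:35 + byte_count]
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    dialects = [chunk.partition(b"\x00")[0].decode("ascii", "replace")
                for chunk in data.split(b"\x02")[1:]]
    return {"generation": "SMB1", "dialects": dialects}


def build_smb1_negotiate(dialects) -> bytes:
    """Construct a minimal SMB1 Negotiate request (sample input only)."""
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32 bytes
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data     # WordCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb               # NetBIOS header


if __name__ == "__main__":
    # Constructed: the dialects a legacy Windows client typically offers.
    pkt = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
    print(parse_smb_payload(pkt))   # SMB1 negotiation: alert if it came from the Internet
```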

SipVicious

Another common form of vulnerability scanning consists of scans conducted with the SipVicious tool. SipVicious is a set of tools used to audit SIP-based VoIP systems. It is publicly available and was originally intended for legitimate auditing of internal networks. However, because SipVicious is free, low-skilled hackers can use it to scan for and identify SIP servers and then launch brute-force attacks. A scan performed with SipVicious is easy to identify because the User-Agent is set to “Friendly-Scanner”.

The top 5 IP addresses that conducted the scans were:

| IP source | Country | AS |
|---|---|---|
| 194.163.184[.]228 | DE | AS51167 CONTABO GMBH |
| 45.134.144[.]203 | DE | AS47154 HUSAM A. H. HIJAZI |
| 15.204.25[.]65 | US | AS16276 OVH SAS |
| 85.114.131[.]220 | DE | AS24961 MYLOC MANAGED IT AG |
| 151.106.40[.]169 | FR | AS34088 HOST EUROPE GMBH |

These IP addresses have been reported on abuse sites and appear on public IP blacklists. DE IP address 194.163.184[.]228 ranks at the top of all malicious network traffic during week 37.
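The User-Agent check described above is straightforward to automate on a SIP honeypot or on a PBX's request log. As an added example (not TEHTRIS code), the Python below parses raw SIP requests, flags those whose User-Agent carries the SipVicious marker (matched case-insensitively, since the tool sends it in lowercase) and ranks the source addresses in the defanged form used in this report; the SIP requests and source addresses are constructed.

```python
"""Flag SipVicious probes in SIP traffic by User-Agent and rank the sources.
Added example (not TEHTRIS code); the SIP requests below are constructed."""
from collections import Counter

SCANNER_AGENTS = ("friendly-scanner", "sipvicious")  # User-Agent markers SipVicious sends


def parse_sip_request(raw: str) -> dict:
    """Split a SIP request into its request line and a case-insensitive header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def is_sipvicious(req: dict) -> bool:
    ua = req["headers"].get("user-agent", "").lower()
    return any(tag in ua for tag in SCANNER_AGENTS)


def defang(ip: str) -> str:
    """Write 1.2.3.4 as 1.2.3[.]4, the convention used in the report."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def top_scanners(events, n=5):
    """events: iterable of (src_ip, raw_sip_request); returns [(defanged_ip, hits)]."""
    hits = Counter(src for src, raw in events if is_sipvicious(parse_sip_request(raw)))
    return [(defang(ip), c) for ip, c in hits.most_common(n)]


# Constructed sample: two SipVicious OPTIONS probes and one ordinary softphone REGISTER.
SCAN = ("OPTIONS sip:100@203.0.113.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7:5060\r\n"
        "From: \"sipvicious\"<sip:100@1.1.1.1>\r\nUser-Agent: friendly-scanner\r\n"
        "Content-Length: 0\r\n\r\n")
PHONE = ("REGISTER sip:203.0.113.10 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.5:5060\r\n"
         "User-Agent: Linphone/4.2\r\nContent-Length: 0\r\n\r\n")
SAMPLE_EVENTS = [("198.51.100.7", SCAN), ("198.51.100.7", SCAN), ("192.0.2.5", PHONE)]

if __name__ == "__main__":
    for ip, count in top_scanners(SAMPLE_EVENTS):
        print(f"{ip}: {count} SipVicious probe(s)")
```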

SSH scanning

Also monitored this week: SSH scanning, which probes port 22, the default listening port for SSH. If the port responds, a brute-force attack can be launched to try to authenticate on the system.

The top 5 IP addresses conducting SSH scanning were:

| IP source | Country | AS |
|---|---|---|
| 61.177.173[.]24 | CN | AS4134 CHINANET |
| 218.92.0[.]210 | CN | AS4134 CHINANET |
| 51.178.55[.]162 | FR | AS16276 OVH SAS |
| 178.162.147[.]10 | NL | AS6078 LEASEWEB NETHERLANDS B.V. |
| 167.172.152[.]18 | US | AS14061 DIGITALOCEAN-ASN |

These IP addresses have been reported on abuse sites and appear on public IP blacklists. CN 61.177.173[.]24 ranks 8th of all IP addresses conducting malicious network traffic during week 37, and CN 218.92.0[.]210 ranks 10th.

Attempts to abuse Ansible tools

According to data from the TEHTRIS Deceptive Response Network, 8 IP addresses this week (5 of which are registered in the US, under either AS211252 Delis LLC or AS14061 DIGITALOCEAN-ASN) tried to abuse Ansible tools using the login “ansible” combined with the passwords “ansible” or “123456”. For your information, Ansible is an open-source IT automation tool that automates provisioning, configuration management, application deployment, orchestration, and many other manual IT processes.

8 IoCs

  • US 80.76.51[.]189 – AS 211252 (DELIS LLC)
  • US 80.76.51[.]41 – AS 211252 (DELIS LLC)
  • US 80.76.51[.]46 – AS 211252 (DELIS LLC)
  • US 134.122.123[.]117 – AS14061 (DIGITALOCEAN-ASN)
  • US 167.172.152[.]18 – AS14061 (DIGITALOCEAN-ASN)
  • CH 179.43.145[.]74 – AS51852 (PRIVATE LAYER INC)
  • DE 193.142.146[.]50 – AS208046 (HOSTSLICK)
  • AZ 109.205.213[.]23 – AS23470 (RELIABLESITE)

We highly recommend that you change default passwords and use strong ones. Don’t hesitate to scan your own external IP addresses to see what services are exposed and determine your attack surface. Some services might be exposed without you knowing it 🧐
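The SSH scanning and Ansible sections above describe two things a honeypot's login events reveal: sources that hammer port 22 with many attempts, and sources that try well-known default credential pairs such as ansible/ansible or ansible/123456. As an added example (not TEHTRIS code), the Python below does both over JSON-lines login events; the event schema (fields event, src_ip, user, password) and the sample events are constructed, so adapt the field names to your own honeypot's format.

```python
"""Rank SSH brute-force sources and spot default-credential attempts in a
honeypot's login events.  Added example (not TEHTRIS code); the event format and
the sample events are constructed here, so adapt the field names to your honeypot."""
import json
from collections import Counter, defaultdict

# Default credential pairs worth alerting on; the two 'ansible' pairs come from the report.
DEFAULT_CREDS = {("ansible", "ansible"), ("ansible", "123456"),
                 ("root", "root"), ("admin", "admin")}


def defang(ip: str) -> str:
    """Write 1.2.3.4 as 1.2.3[.]4, the convention used in the report."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def analyze_logins(jsonl_lines, brute_threshold=20):
    """Return (sources with >= brute_threshold attempts, per-source default-credential hits)."""
    attempts = Counter()
    default_hits = defaultdict(set)
    for line in jsonl_lines:
        ev = json.loads(line)
        if ev.get("event") != "login_attempt":   # ignore session open/close noise
            continue
        src = ev["src_ip"]
        attempts[src] += 1
        pair = (ev.get("user", ""), ev.get("password", ""))
        if pair in DEFAULT_CREDS:
            default_hits[src].add(pair)
    brute = [(defang(ip), n) for ip, n in attempts.most_common() if n >= brute_threshold]
    creds = {defang(ip): sorted(pairs) for ip, pairs in default_hits.items()}
    return brute, creds


def sample_events():
    """Constructed honeypot log: one noisy brute-forcer, one 'ansible' probe, one stray attempt."""
    evs = [{"event": "login_attempt", "src_ip": "203.0.113.9", "user": "root",
            "password": f"pw{i}"} for i in range(25)]
    evs.append({"event": "login_attempt", "src_ip": "198.51.100.4", "user": "ansible", "password": "123456"})
    evs.append({"event": "login_attempt", "src_ip": "198.51.100.4", "user": "ansible", "password": "ansible"})
    evs.append({"event": "login_attempt", "src_ip": "192.0.2.77", "user": "pi", "password": "raspberry"})
    evs.append({"event": "session_closed", "src_ip": "192.0.2.77"})
    return [json.dumps(e) for e in evs]


if __name__ == "__main__":
    brute, creds = analyze_logins(sample_events())
    print("brute-force sources:", brute)
    print("default-credential probes:", creds)
```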

Scarcely known IP Addresses Abusing SMB

This week, TEHTRIS noticed that most of the top 10 IP addresses attempting to abuse SMB on the TEHTRIS Deceptive Response Network were not known to the main global public databases:

7 IoCs

  • IN 112.133.224[.]221 – AS24186 RAILTEL CORPORATION OF INDIA LTD
  • BR 187.16.224[.]62 – AS262907 BRASIL TECNOLOGIA E PARTICIPACOES SA
  • BR 168.138.252[.]172 – AS31898 ORACLE-BMC-31898
  • SA 142.247.224[.]196 – AS25019 SAUDI TELECOM COMPANY JSC
  • IN 103.210.106[.]130 – AS134021 AIRGENIE COMMUNICATIONS PRIVATE LIMITED
  • TZ 41.59.197[.]83 – AS33765 TTCLDATA
  • CL 190.215.192[.]18 – AS14259 GTD INTERNET S.A.

SMB is a network protocol used by Windows-based computers that lets systems on the same network share files hosted on a remote server. SMB can be abused for lateral movement, for instance, and is the protocol targeted by the EternalBlue exploit.

Our recommendations?

  • Use strong passwords
  • Scan your company’s public IP addresses to keep an eye on what is exposed online
  • Update Windows. If your machines do not support an update, use a VPN to limit access
  • If possible, prevent incoming network flow calling SMB ports (445 and 139)

Focus on a Bulletproof Hosting Provider

This week, 5 of the top 10 IP addresses engaging in malicious activity against the TEHTRIS Deceptive Response Network are hosted by AS202425 IP VOLUME INC. This company is supposedly based in the Seychelles but has servers in the Netherlands. IP Volume appears to have links with Ecatel, Quasi Networks and Novogara and is likely a bulletproof hosting provider. In 2010, the company was granted the rank of “worst hosting company in the world” by HostExploit because of cybercriminal activities. More recently, the 5 IP addresses listed below are recorded in WhoIs as belonging to the “RECYBER PROJET NETBLOCK”. This project claims to conduct legitimate scans for security companies. However, no information about the actors involved has been disclosed, and there has been no official communication about their activities.

5 IoCs

  • 248.165[.]68
  • 82.64[.]146
  • 248.165[.]97
  • 248.165[.]166
  • 248.163[.]237