
Honeypots TEHTRIS: Vulnerabilities focus of the week (Week 37)

This week, TEHTRIS observed the following activity on its computer decoys deployed all around the world.

Focus on 3 kinds of vulnerability scanning this week

Eternal Blue

TEHTRIS detected a large number of EternalBlue exploitation attempts over TCP/445. EternalBlue (CVE-2017-0144) is an exploit developed by the NSA that became infamous in 2017 when the Shadow Brokers leaked it; it was then used to spread the WannaCry and NotPetya ransomware. It targets a vulnerability in Microsoft’s implementation of Server Message Block (SMB) version 1, the protocol used for shared access to files and printers: a remote, unauthenticated attacker sends crafted packets to execute code on the target computer. Microsoft had already patched the flaw in March 2017 (MS17-010), a month before the leak, yet TEHTRIS observes that EternalBlue remains an effective tool for threat actors in 2022, mainly because of old unpatched machines, end-of-life systems that can no longer receive security updates, and the growing use of EternalBlue in covert cryptojacking operations.
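A triage helper for the SMB traffic described above, added here as an example rather than taken from TEHTRIS or from any detection product: it strips the NetBIOS session header, reads the SMB1 header and, for a Negotiate request, lists the dialects the client offers. It flags SMB1-only clients (no SMB 2.x dialect offered) and any SMB1 Trans2 / NT Trans request, the request family MS17-010 is delivered through. The packets are constructed from the public SMB1 wire format, not captures from the honeypots; the flags2/PID values in the constructed header are arbitrary placeholders.

```python
"""Classify raw SMB messages captured on TCP/445 (NetBIOS session framing).

Added example for this write-up; it is not TEHTRIS code. The sample packets are
constructed by hand from the public SMB1 wire format (MS-CIFS), not honeypot captures.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

# SMB1 command codes (MS-CIFS)
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_COM_NT_TRANSACT = 0xA0


def strip_netbios(data: bytes) -> bytes:
    """Remove the 4-byte NetBIOS Session Service header (type 0x00 + 24-bit length)."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    msg = data[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated NetBIOS message")
    return msg


def classify_smb(data: bytes) -> dict:
    """Return SMB version, SMB1 command, offered dialects and a triage flag.

    The flag is a heuristic for SMB1-era tooling (MS17-010 scanners, WannaCry-style
    worms), not a signature for the exploit itself: it fires on a Negotiate that never
    offers an SMB 2.x dialect, and on any SMB1 Trans2 / NT Trans request.
    """
    msg = strip_netbios(data)
    if msg[:4] == SMB2_MAGIC:
        return {"version": 2, "command": None, "dialects": [], "suspicious": False}
    if msg[:4] != SMB1_MAGIC or len(msg) < 33:
        raise ValueError("not an SMB1 message")
    command = msg[4]                       # byte 4 of the 32-byte SMB1 header
    result = {"version": 1, "command": command, "dialects": [], "suspicious": False}
    if command == SMB_COM_NEGOTIATE:
        # After the header: WordCount (1 byte), WordCount*2 parameter bytes,
        # ByteCount (2 bytes LE), then dialect entries of 0x02 + NUL-terminated ASCII.
        word_count = msg[32]
        param_end = 33 + 2 * word_count
        (byte_count,) = struct.unpack_from("<H", msg, param_end)
        blob = msg[param_end + 2:param_end + 2 + byte_count]
        for entry in blob.split(b"\x00"):
            if entry.startswith(b"\x02"):
                result["dialects"].append(entry[1:].decode("ascii", "replace"))
        result["suspicious"] = not any(d.startswith("SMB 2.") for d in result["dialects"])
    elif command in (SMB_COM_TRANSACTION2, SMB_COM_NT_TRANSACT):
        result["suspicious"] = True
    return result


# --- constructed sample traffic (not captures) ---------------------------------

def _netbios(smb: bytes) -> bytes:
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(command: int) -> bytes:
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    8-byte signature, reserved, TID, PID, UID, MID (placeholder values)."""
    return (SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + b"\x18" + b"\x01\x28"
            + b"\x00\x00" + b"\x00" * 8 + b"\x00\x00" + b"\x00\x00" + b"\xff\xfe"
            + b"\x00\x00" + b"\x00\x00")


def negotiate_request(dialects) -> bytes:
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(blob)) + blob)


LEGACY_NEGOTIATE = negotiate_request(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
MODERN_NEGOTIATE = negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
TRANS2_REQUEST = _netbios(_smb1_header(SMB_COM_TRANSACTION2) + b"\x0f" + b"\x00" * 32)
SMB2_NEGOTIATE = _netbios(SMB2_MAGIC + b"\x00" * 60)   # header only, enough for the check

if __name__ == "__main__":
    for name, pkt in [("legacy", LEGACY_NEGOTIATE), ("modern", MODERN_NEGOTIATE),
                      ("trans2", TRANS2_REQUEST), ("smb2", SMB2_NEGOTIATE)]:
        print(name, classify_smb(pkt))
```

This is a first-pass filter, not a signature for EternalBlue: a legitimate SMB1-only client (an old printer, an embedded NAS) trips the Negotiate heuristic too, which is exactly the kind of device the recommendations further down ask you to find. Run it over the first payloads a sensor receives on 445 and correlate the sources with the tables in this post.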

The top 5 IP addresses that conducted the attack attempts were:

IP source           Country  AS
40.128.65[.]161     US       AS7029 WINDSTREAM
181.49.176[.]37     CO       AS14080 TELMEX COLOMBIA S.A.
81.8.21[.]228       TR       AS15924 VODAFONE NET ILETISIM HIZMETLERI ANONIM SIRKETI
168.187.144[.]67    KW       AS6412 KW KEMS BLOCK-A
142.247.224[.]196   SA       AS25019 SAUDI TELECOM COMPANY JSC

They are all listed on public blacklist databases, although SA 142.247.224[.]196 is not as widely reported.

SipVicious

Another common kind of scanning is performed with the SIPVicious tool set. SIPVicious is a set of tools for auditing SIP-based VoIP systems; it is publicly available and was originally intended for legitimate auditing of internal networks. Because it is free, it is also used by low-skilled attackers to scan for and identify SIP servers before launching brute-force attacks against them. A SIPVicious scan is easy to identify because the tool’s default User-Agent header is set to “friendly-scanner”.
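A minimal SIP request parser and SIPVicious detector, added here as an example (it is not TEHTRIS code and not part of SIPVicious). It looks for the tool’s default User-Agent “friendly-scanner” and for the “sipvicious” display name its default From/To headers carry, then counts hits per source so an svwar-style extension sweep stands out. The datagrams are constructed to mirror those headers; the source addresses are RFC 5737 documentation ranges (not the IoCs below) and the phone User-Agent is a made-up name.

```python
"""Spot SIPVicious (svmap/svwar/svcrack) probes by the headers the tool sets.

Added example for this write-up; not TEHTRIS code and not part of SIPVicious.
The datagrams are constructed to mirror the tool's default headers; addresses are
RFC 5737 documentation ranges, not the IoCs listed in the article.
"""
import re
from collections import Counter

# Default markers SIPVicious leaves on the wire: User-Agent "friendly-scanner" and a
# From/To display name of "sipvicious". Matched case-insensitively.
SIPVICIOUS_MARKER = re.compile(r"friendly-scanner|sipvicious", re.IGNORECASE)


def parse_sip(raw: bytes) -> dict:
    """Parse the request line and headers of one SIP request (RFC 3261 framing)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        # Header names are case-insensitive; keep the first occurrence.
        headers.setdefault(name.strip().lower(), value.strip())
    return {"method": parts[0], "uri": parts[1], "headers": headers, "body": body}


def is_sipvicious(msg: dict) -> bool:
    h = msg["headers"]
    fields = " ".join(h.get(k, "") for k in ("user-agent", "from", "to"))
    return bool(SIPVICIOUS_MARKER.search(fields))


def scan_sources(datagrams, threshold=3) -> dict:
    """Count SIPVicious-looking requests per source over (src_ip, raw) pairs and
    return the sources at or above threshold. A burst of REGISTER/OPTIONS toward
    many extensions from one source is the svwar/svcrack enumeration pattern."""
    seen = Counter()
    for src, raw in datagrams:
        try:
            msg = parse_sip(raw)
        except ValueError:
            continue
        if is_sipvicious(msg):
            seen[src] += 1
    return {src: n for src, n in seen.items() if n >= threshold}


# --- constructed sample datagrams ---------------------------------------------

def _sip(method, ext, src, ua, display=None):
    display = display or ext
    return (
        f"{method} sip:{ext}@203.0.113.10 SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{ext};rport\r\n"
        "Max-Forwards: 70\r\n"
        f'From: "{display}"<sip:{ext}@203.0.113.10>;tag={ext}\r\n'
        f'To: "{display}"<sip:{ext}@203.0.113.10>\r\n'
        f"Call-ID: {ext}-{src}\r\n"
        f"CSeq: 1 {method}\r\n"
        f"Contact: sip:{ext}@{src}:5060\r\n"
        f"User-Agent: {ua}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


SCANNER = "198.51.100.7"
SAMPLE_DATAGRAMS = (
    # svmap-style OPTIONS ping, then an svwar-style REGISTER sweep over extensions
    [(SCANNER, _sip("OPTIONS", "100", SCANNER, "friendly-scanner", display="sipvicious"))]
    + [(SCANNER, _sip("REGISTER", str(ext), SCANNER, "friendly-scanner")) for ext in range(1000, 1005)]
    # same tool with the User-Agent changed: the default display name still gives it away
    + [("192.0.2.9", _sip("REGISTER", "1001", "192.0.2.9", "Custom-UA/1.0", display="sipvicious"))]
    # a legitimate phone registering once (made-up User-Agent)
    + [("192.0.2.22", _sip("REGISTER", "201", "192.0.2.22", "Hypothetical-IP-Phone/1.0"))]
)

if __name__ == "__main__":
    print(scan_sources(SAMPLE_DATAGRAMS))
```

Treat a User-Agent match as a convenience, not a guarantee: the header is trivial to change, so the per-source request rate is the more durable signal, and the threshold should be tuned to how often your own phones re-register.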

The top 5 IP addresses that conducted the scans were:

IP source           Country  AS
194.163.184[.]228   DE       AS51167 CONTABO GMBH
45.134.144[.]203    DE       AS47154 HUSAM A. H. HIJAZI
15.204.25[.]65      US       AS16276 OVH SAS
85.114.131[.]220    DE       AS24961 MYLOC MANAGED IT AG
151.106.40[.]169    FR       AS34088 HOST EUROPE GMBH

All of these IP addresses have been reported on abuse sites and appear on public IP blacklists. The German address 194.163.184[.]228 ranked first among all sources of malicious network traffic seen during week 37.

SSH scanning


Also monitored this week: SSH scanning, which probes TCP port 22, the default SSH listening port. If a host responds, the attacker can follow up with a brute-force attack to try to authenticate on the system.

The top 5 IP addresses conducting SSH scanning were:

IP source           Country  AS
61.177.173[.]24     CN       AS4134 CHINANET
218.92.0[.]210      CN       AS4134 CHINANET
51.178.55[.]162     FR       AS16276 OVH SAS
178.162.147[.]10    NL       AS6078 LEASEWEB NETHERLANDS B.V.
167.172.152[.]18    US       AS14061 DIGITALOCEAN-ASN

These IP addresses have been reported on abuse sites and appear on public IP blacklists. CN 61.177.173[.]24 ranks 8th among all IP addresses generating malicious network traffic during week 37, and CN 218.92.0[.]210 ranks 10th.

Attempts to abuse Ansible tools

According to data from the TEHTRIS Deceptive Response Network, 8 IP addresses this week (5 of them registered in the US, under either AS211252 Delis LLC or AS14061 DIGITALOCEAN-ASN) attempted to log in with the username “ansible” and the passwords “ansible” or “123456”, i.e. default or trivial credentials for the service account commonly created for Ansible on managed hosts. One of them, 167.172.152[.]18, also appears in the SSH scanning top 5 above. For reference, Ansible is an open-source IT automation tool that automates provisioning, configuration management, application deployment, orchestration and many other manual IT processes.
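The SSH brute-force attempts described in the SSH scanning section above and the Ansible default-credential attempts described here can both be pulled out of an OpenSSH auth log with the same logic; the helper below is added as an example and is not TEHTRIS code. It parses sshd “Failed password” lines, keeps a sliding window of failures per source and flags a source either when it crosses a threshold (brute force) or when it tries an automation account such as “ansible”. The log lines are constructed for the example (hostname, PIDs and addresses are placeholders) and the year 2022 is assumed because syslog timestamps carry none.

```python
"""Flag SSH brute force and default-account attempts in an OpenSSH auth log.

Added example for this write-up; not TEHTRIS code. The log lines are constructed
(placeholder host, PIDs and RFC 5737 addresses), not honeypot data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard sshd failure line: "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Automation / service accounts that should never see password logins from the
# Internet. "ansible" is the one observed this week; extend with your own.
DEFAULT_ACCOUNTS = {"ansible"}


def parse_ts(ts: str, year: int = 2022) -> datetime:
    """Syslog timestamps have no year; 2022 is assumed here."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyse(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Return {source_ip: sorted reasons} for sources worth blocking.

    A source is flagged as "bruteforce" once it produces `threshold` failures within
    any `window_s` seconds, and as "default-account:<user>" as soon as it tries one
    of DEFAULT_ACCOUNTS, even a single time.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    findings = defaultdict(set)      # ip -> reasons
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                 # accepted logins, disconnects, etc. are ignored
        ip, user, ts = m["ip"], m["user"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()              # slide the window forward
        if len(q) >= threshold:
            findings[ip].add("bruteforce")
        if user in DEFAULT_ACCOUNTS:
            findings[ip].add(f"default-account:{user}")
    return {ip: sorted(reasons) for ip, reasons in findings.items() if reasons}


# --- constructed sample log (not real data) ------------------------------------
SAMPLE_AUTH_LOG = """\
Sep 12 03:14:07 bastion sshd[2143]: Failed password for invalid user ansible from 192.0.2.10 port 51234 ssh2
Sep 12 03:14:09 bastion sshd[2145]: Failed password for invalid user ansible from 192.0.2.10 port 51236 ssh2
Sep 12 03:14:12 bastion sshd[2150]: Failed password for root from 192.0.2.10 port 51240 ssh2
Sep 12 03:14:15 bastion sshd[2152]: Failed password for root from 192.0.2.10 port 51244 ssh2
Sep 12 03:14:18 bastion sshd[2154]: Failed password for invalid user admin from 192.0.2.10 port 51250 ssh2
Sep 12 03:14:21 bastion sshd[2156]: Failed password for invalid user test from 192.0.2.10 port 51252 ssh2
Sep 12 03:20:40 bastion sshd[2170]: Failed password for invalid user ansible from 203.0.113.77 port 60110 ssh2
Sep 12 03:31:02 bastion sshd[2181]: Failed password for root from 192.0.2.44 port 43320 ssh2
Sep 12 03:45:09 bastion sshd[2190]: Failed password for root from 192.0.2.44 port 43388 ssh2
Sep 12 03:50:01 bastion sshd[2201]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
""".splitlines()

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_AUTH_LOG).items():
        print(ip, ", ".join(reasons))
```

The two slow failures from 192.0.2.44 are deliberately left unflagged at the default window: low-and-slow guessing is exactly what a per-minute threshold misses, which is why the default-account rule fires on a single attempt regardless of rate. Widening `window_s` trades that blind spot for more false positives from users who mistype a password.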

8 IoCs

  • US 80.76.51[.]189 – AS211252 (DELIS LLC)
  • US 80.76.51[.]41 – AS211252 (DELIS LLC)
  • US 80.76.51[.]46 – AS211252 (DELIS LLC)
  • US 134.122.123[.]117 – AS14061 (DIGITALOCEAN-ASN)
  • US 167.172.152[.]18 – AS14061 (DIGITALOCEAN-ASN)
  • CH 179.43.145[.]74 – AS51852 (PRIVATE LAYER INC)
  • DE 193.142.146[.]50 – AS208046 (HOSTSLICK)
  • AZ 109.205.213[.]23 – AS23470 (RELIABLESITE)

We highly recommend that you change default passwords and use strong ones. Don’t hesitate to scan your own external IP addresses to see what services are exposed and determine your attack surface. Some services might be exposed without you knowing it 🧐

Scarcely Known IP Addresses Abusing SMB

This week, TEHTRIS noticed that most of the top 10 IP addresses attempting to abuse SMB on the TEHTRIS Deceptive Response Network were not listed in the main global public reputation databases:

7 IoCs

  • IN 112.133.224[.]221 – AS24186 RAILTEL CORPORATION OF INDIA LTD
  • BR 187.16.224[.]62 – AS262907 BRASIL TECNOLOGIA E PARTICIPACOES SA
  • BR 168.138.252[.]172 – AS31898 ORACLE-BMC-31898
  • SA 142.247.224[.]196 – AS25019 SAUDI TELECOM COMPANY JSC
  • IN 103.210.106[.]130 – AS134021 AIRGENIE COMMUNICATIONS PRIVATE LIMITED
  • TZ 41.59.197[.]83 – AS33765 TTCLDATA
  • CL 190.215.192[.]18 – AS14259 GTD INTERNET S.A.

SMB is the network protocol Windows-based systems use to share files (and printers) with other hosts on a network. Attackers abuse it too: it is the transport for many lateral movement techniques and the protocol the EternalBlue exploit targets.

Our recommendations?

  • Use strong passwords
  • Scan your company’s public IP addresses to keep an eye on what is exposed online
  • Update Windows. If a machine cannot be patched, do not expose it directly and restrict access to it through a VPN
  • Where possible, block inbound traffic to the SMB ports (TCP 445 and 139)

Focus on a Bulletproof Hosting Provider

This week, 5 of the top 10 IP addresses engaging in malicious activity against the TEHTRIS Deceptive Response Network are hosted by AS202425 IP VOLUME INC. The company is nominally based in the Seychelles but operates servers in the Netherlands. IP Volume appears to be linked to Ecatel, Quasi Networks and Novogara and is likely a bulletproof hosting provider; in 2010, HostExploit ranked the company the “worst hosting company in the world” because of the cybercriminal activity it hosted. More recently, the 5 IP addresses listed below are recorded in WHOIS as belonging to the “RECYBER PROJECT NETBLOCK”, a project that claims to conduct legitimate scans on behalf of security companies. However, no information about the actors involved has been disclosed, and there is no official communication about their activities.

5 IoCs

  • 89.248.165[.]68
  • 80.82.64[.]146
  • 89.248.165[.]97
  • 89.248.165[.]166
  • 89.248.163[.]237