SpiderLabs Blog | Trustwave

To obtain a better perspective of attacks worldwide, Trustwave has implemented a network of honeypots located in multiple countries across the globe. By distributing honeypots in such a manner, we can gather a reliable set of information on the methods and techniques used by attackers and their botnets.

In our pursuit to explore the current threat landscape, we established a honeypot sensors network across six countries: Russia, Ukraine, Poland, UK, China, and the United States. In this blog, we present the most intriguing findings from our research into exposing vulnerable enterprise applications, such as Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian BitBucket, and F5 Big-IP.

Figure 1. Honeypot Sensors Locations

 

Cyber Threats in the Wild: Key Observations

During a six-month period that ended in May 2023, we collected and analyzed vast amounts of data from over 38,000 unique IPs and downloaded more than 1,100 unique payloads served during exploitation attempts. Almost 19% of the total recorded web traffic was malicious, and botnets were responsible for over 95% of the malicious web traffic detected.

We encountered multiple targeted attacks directed at specific honeypots, where threat actors sought to exploit the enterprise applications under examination. The primary objective of these attacks was to upload a web shell, enabling attackers to carry out further actions against the potential victims that our sensors were mimicking. A web shell is a malicious script or program that provides unauthorized access and control over a compromised website or web server. It is typically uploaded by an attacker to gain administrative-level privileges and execute arbitrary commands on the target system.

One of such attacks hit our US and UK-based honeypots where the attackers used Fortra GoAnywhere MFT vulnerability – CVE-2023-0669 aiming to upload a web shell that had not been reported previously. In the case of Fortinet FortiNAC CVE-2022-39952, we witnessed active exploitation only six days after the release of the proof-of-concept (PoC) code. It shows how quickly threat actors leverage new exploits after PoCs are posted.

Through analysis of the payloads served in the exploits, we were able to identify the particular botnets targeting our sensors. Our investigation revealed that the Mirai, Mozi, and Kinsing botnets accounted for 95% of the recorded exploit   attempts conducted over the HTTP/HTTPS protocol. These malware families are the most widespread and their main objective is to exploit vulnerabilities in Internet-connected devices and assemble them into botnets used to either carry out Distributed Denial of Service (DDoS) attacks, or mine cryptocurrencies.

Figure 2. HTTP/HTTPS Traffic Classification Recorded by Honeypot Sensors

 

Mirai Botnet – Exploited Vulnerabilities

Mirai gained significant attention when its source code was leaked and made publicly available in 2016, leading to the emergence of new threat actors who have modified and enhanced its capabilities.  The original Mirai creators were prosecuted in 2017.

Mirai is self-propagating malware that specifically targets vulnerable IoT devices running Linux. Once a device is successfully compromised, it is transformed into a bot, which can then be utilized to launch Distributed Denial-of-Service (DDoS) attacks. The malware spreads by scanning the Internet for other susceptible devices to infect.

Figure 3. Mirai – Exploited Vulnerabilities Captured by Sensors and Exploit Traffic Volume Distribution

Our sensors in the US and Poland recorded increased Mirai botnet traffic compared to sensors in other countries, such as Ukraine, China, United Kingdom, and Russia. The observed trend was not particularly significant. It is possible that there were more infected devices on the network, but it is also likely that with a larger number of sensors deployed across Poland and the US, the results would have been more uniform.

All Exploited Vulnerabilities Uncovered During Reverse Engineering of Collected Mirai Botnet Samples 

Figure 4. Look at the functions and Exploit templates in one of the acquired Mirai samples

We captured the exploit attempts and downloaded the binaries. We can see there are exploit templates embedded in the code. Once installed, the binary automatically starts scanning the network using the templates in order to exploit and infect new devices to turn them into bots.

Method	Endpoint	Vendor/Product	CVE/EDB
GET	/shell	MVPower DVR	EDB-41471
GET	/adv,/cgi-bin/weblogin.cgi	ZyXEL NAS	CVE-2020-9054
GET	/setup.cgi	Netgear	EDB-25978
GET	/backupmgt/localJob.php	Seagate BlackArmor NAS	CVE-2014-3206
GET	/language/Swedish	TVT DVR/CCTV	–
GET	/index.php	NoneCms V1.3	CVE-2018-20062
GET	/cgi-bin/masterCGI	Alcatel OmniPCX	CVE-2007-3010
GET	/cgi-bin/rtpd.cgi	D-Link IP Cameras	CVE-2013-1599
GET	/cgi-bin/	Netgear R7000 / R6400	CVE-2016-6277
GET	/qsr_server/device/getThumbnail	LG SuperSign EZ CMS 2.5	CVE-2018-17173
GET	/board.cgi	Vacron NVRs	–
GET	/card_scan.php	Linear eMerge E3 1.00-06	CVE-2019-7256
GET	/stainfo.cgi?	Ubiquiti AirOS	CVE-2010-5330
GET	/cgi-bin/kerbynet	ZeroShell 3.9.0	CVE-2019-12725
GET	/status.cgi	FASTGate Fastweb	CVE-2018-20122
POST	/UD/act	Eir D1000 Router	CVE-2016-10372
POST	/HNAP1/	D-Link HNAP	CVE-2015-2051
POST	/picdesc.xml	Realtek SDK	CVE-2014-8361
	/login.gch
POST	/manager_dev_ping_t.gch	ZTE ZXV10 H108L	–
	/getpage.gch
POST	/cgi-bin/mainfunction.cgi	DrayTek	CVE-2020-8515
POST	/ctrlt/DeviceUpgrade_1	Huawei HG532	CVE-2017-17215
POST	ztp/cgi-bin/handler	Zyxel USG FLEX	CVE-2022-30525
POST	/GponForm/diag_Form	Dasan GPON Routers	CVE-2018-10561
POST	/tmUnblock.cgi	Cisco Linksys E Series	CNVD-2014-01260
POST	/apps/a3/cfg_ethping.cgi	CTEK SkyRouter	CVE-2011-5010
POST	/debug.cgi	Linksys WAP54G	CVE-2010-1573
POST	/	SonicWall GMS	CVE-2018-9866

Figure 5. Mirai Botnet – All exploited Vulnerabilities found in the collected samples

 

Mozi Botnet – Exploited Vulnerabilities

Mozi is a peer-to-peer (P2P) botnet that operates using a BitTorrent-like network and infects IoT devices such as network gateways, routers, and digital video recorders (DVRs). It operates by exploiting weak telnet passwords and taking advantage of numerous unpatched vulnerabilities in IoT devices.

Figure 6. Mozi Botnet – Exploited Vulnerabilities Captured by Sensors and Exploit Traffic Volume Distribution

Our honeypot framework design allowed us to capture the majority of payloads served by 1-step exploits utilized by the botnets. These exploits commonly involved operations such as ‘wget’ or ‘curl’. Furthermore, through the process of reverse engineering the botnet binaries provided us further insights into their behavior and the specific vulnerabilities exploited.

Figure 7. Look at the default passwords leveraged by Mozi to infect devices

Figure 8. Look at the Mozi sample Exploit templates

 

All Exploited Vulnerabilities Uncovered During Reverse Engineering of Collected Mozi Botnet Samples

Method	Endpoint	Vendor/Product	CVE/EDB
GET	/shell	MVPower DVR	EDB-41471
GET	/setup.cgi	Netgear DGN1000 / DGN2200	EDB-25978
GET	/cgi-bin/	Netgear R7000 / R6400	CVE-2016-6277
POST	/soap.cgi	D-Link DIR Routers	CVE-2013-7471
GET	/language/Swedish	TVT DVR/CCTV	–
GET	/board.cgi	Vacron NVRs	–
POST	/UD/act	Eir D1000 Router	CVE-2016-10372
POST	/HNAP1/	D-Link HNAP	CVE-2015-2051
POST	/picdesc.xml	Realtek SDK	CVE-2014-8361
POST	/ctrlt/DeviceUpgrade_1	Huawei HG532	CVE-2017-17215
POST	/GponForm/diag_Form	Dasan GPON Routers	CVE-2018-10561

Figure 9. Mozi Botnet – All exploited Vulnerabilities found in the collected samples

 

Kinsing Botnet – Exploited Vulnerabilities

Kinsing is a Golang-based malware with the objective of installing XMRig cryptocurrency miner.

Kinsing leverages multiple CVEs to achieve RCE in order to infect Linux systems. After successful exploitation, an installer script is downloaded and executed. It specifically targets and terminates competing processes, such as Docker images and instances involved in cryptocurrency mining. To avoid detection, it tries to disable and uninstall security solutions like Alibaba Cloud Security Center (Aegis), Tencent Cloud service, or AppArmor. In some cases, it also downloads and installs the Kinsing Rootkit module before proceeding to installation of the Kinsing Bot binary. To ensure persistence, the installer script is added to the cron schedule.

Once executed, Kinsing establishes communication with the C2 server and retrieves the spre.sh spreader script. This script enables lateral movement to other machines using SSH keys found on the victim’s file system. Finally, the XMRig crypto miner is downloaded and installed.

Figure 10. Kinsing Infection Chain on Linux

On Windows machines, the infection mechanism is simplified, with only one reported attack vector: CVE-2020-14883, a Remote Code Execution (RCE) vulnerability in Oracle WebLogic Server. Once the victim machine is successfully exploited, an XML file named wbw.xml is downloaded and executed. It then attempts to download a PowerShell script named ‘1.ps1’ onto the victim’s machine. Subsequently, the ‘1.ps1’ script downloads an executable file for the XMRig cryptocurrency miner, along with a json configuration file. We have confirmed the presence of this attack vector by downloading the wbw.xml and ‘1.ps1’ files from the payload servers used in the Linux infection chain.

Figure 11. XML file used by Kinsing’s Oracle WebLogic exploit for Windows

Unlike Mozi and Mirai botnets, Kinsing does not contain hard-coded exploit templates within its code.

Figure 12. Kinsing Botnet – Exploited Vulnerabilities Captured by Sensors and Exploit Traffic Volume Distribution

Figure 13. Look at the Kinsing sample functions and command dispatcher code

The dispatcher code is part of the code that processes the commands received from the attacker-controlled Command & Control (C2) server.

Kinsing stores RC4-encrypted C2 URL addresses in the binary, allowing for easy decryption using the hex encoded key referenced in the ‘getActiveC2Curl’ function. Communication with the C2 server utilizes the RC4 cipher as well but the encryption key is different.

Figure 14. Kinsing C2 URLs decrypted using CyberChef

Figure 15. Response from Kinsing C2 decrypted using CyberChef

Figure 16. Kinsing Infrastructure Pivot using data from collected samples

 

Enterprise Application Exploits and Persistence via Web Shells

During our observation, we encountered multiple targeted attacks directed at specific honeypot sensors, where threat actors sought to exploit the enterprise applications under examination.

The primary objective of these attacks was to upload a web shell, enabling attackers to carry out further actions against our sensors. However, due to the manner in which our honeypots were implemented, we were unable to scrutinize the subsequent actions that the attackers might have taken. Consequently, we can only speculate on what the attackers hoped to accomplish with their activities.

While we did not spot the exploitation of new vulnerabilities in the wild, we observed rapid adaptation of publicly disclosed proof-of-concept (PoC) code by attackers who targeted our honeypots.

In the case of FortiNAC CVE-2022-39952, we witnessed active exploitation only six days after the release of the proof-of-concept (PoC) code.

CVE-2023-0669 – Fortra GoAnywhere MFT RCE

Between March 5, 2023 and March 18, 2023, our honeypot sensors for Fortra GoAnywhere MFT were hit by scan traffic targeting vulnerable license endpoint ‘/goanywhere/lic/accept’. Attackers usedtwo IPs: 14.190.186.61 and 14.244.239.227, belonging to a Vietnamese ISP. The payload was meant to confirm presence of CVE-2023-0669 vulnerability by triggering a DNS lookup to specific domains.

Figure 17. Fortra GoAnywhere MFT – CVE-2023-0669 Attacks

Despite the not using the URL-safe variant of Base64 encoding, the documentation of the Apache Base64 method utilized in the vulnerable Servlet indicates that the decoding process seamlessly handles both variants. Therefore, the decryption of data would still succeed.

On March 29, 2023, our US-based honeypot sensors were targeted against CVE-2023-0669, from an IP address 89.45.6.52 belonging to Chinese data center provider. The payload carried by malicious request was aimed to ‘echo’ a simple Java web shell into the adminroot directory: ‘/home/goanywhere/HelpSystems/GoAnywhere/adminroot/goshell.jsp’.

Figure 18. Fortra GoAnywhere MFT – CVE-2023-0669 Attacks

Figure 19. Decoded Fortra GoAnywhere Exploit Payload with Functional Web Shell

Figure 20. Decoded Web Shell listening for cmd parameter submitted in the requests

Shortly after, the honeypot sensors were hit by requests from the same IP to the ‘/goanywhere/goshell.jsp’ endpoint and contained a ‘cmd’ parameter meant to verify whenever the exploitation was successful. 

Figure 21. Contents of the cmd parameter sent in request meant to verify successful exploitation.

On April 8, 2023, we observed the exact same behavior targeting our honeypots in the UK. This time however, the attacker used a different IP address: ‘185.44.77.144’ belonging to a UK ISP provider.

CVE-2022-36804 – Atlassian Bitbucket RCE

On December 26, 2022, our honeypot instances in Russia and one instance in Poland were targeted with the Bitbucket CVE-2022-36804 exploit. The attacker used IP address 207[.]148[.]27[.]4 belonging to a US-based hosting provider and aimed to install a simple Linux reverse shell. 

Figure 22. Look at the Linux reverse shell code used by the attacker.

On March 23, 2023, we observed additional attempts from this IP address trying to install a web shell following an exploit of a WordPress vulnerability.  

Figure 23. Decoded web shell code carried by malicious request targeting Bitbucket

Performing an open search provided us with interesting information about this attacker and his  possible motives  . As evidenced by his profile picture taken from an article about conflict in Libya, the attacker seems to be a politically motivated individual interested in developing and selling exploits and exploitation tools. Our investigation uncovered that he is also a member of Anonymous Morocco and ‘actively’ exploits vulnerable websites for defacement. 

Figure 24. Capitos Kamal GitHub repository

Figure 25. Capitos Kamal YouTube channel

Figure 26. Kapitos Kamal and his defacement statistics

 

CVE-2022-39952 – FortiNAC RCE

CVE-2022-39952 was disclosed on February 16, 2023, with PoC codes released a few days later. Not long afterwards, scans for this vulnerability and exploitation attempts started reaching our honeypot sensors. All the observed attackers used modified versions of the public PoC codes. We observed some attackers giving just minimal effort, modifying only the C2 server IP address, and leaving default names like ‘payload’ in their exploits. Below is the comparison between FortiNAC RCE PoC code available on GitHub and the payload captured on one of our honeypot sensors.

Figure 27. Attackers modifying only IP address in publicly disclosed PoC, leaving words like ‘payload’

 

CVE-2022-1388 – F5 Big-IP iControl REST RCE

F5 released a patch for CVE-2022-1388 on May 4, 2022, with PoC codes and first exploitation attempts being disclosed not long after. This vulnerability is being exploited to this day. On April 11, 2023, the attacker tried to exploit this vulnerability with C2 server 106[.]246[.]224[.]219.

Exploitation attempts of CVE-2022-0543 in Redis Debian packages and VMware Workspace One Access CVE-2022-22954 were also observed coming from this IP address more than a year ago. It’s interesting to see that while some IP addresses might be valid only for a few hours as IoCs, others are valid for an extended amount of time.

Conclusion 

Mozi, Kinsing, and Mirai botnets are persistent and continue to pose a threat in the cybersecurity landscape. These botnets exploit vulnerabilities in various applications, putting a wide range of unpatched systems at risk.

The observed targeted attacks utilizing web shells highlight the presence of threat actors exploiting specific enterprise applications. These attacks were aimed at gaining unauthorized access and conducting further malicious actions against potential victims. Organizations must prioritize robust security measures to protect against targeted attacks leveraging exploits and web shells. This includes regularly patching vulnerabilities, implementing strong access controls, conducting thorough security assessments, and monitoring network traffic for suspicious activities. The reliance solely on Indicators of Compromise (IOCs) as a defensive measure may prove ineffective in detecting and mitigating such attacks as actors are increasingly using VPN services and benign IP addresses belonging to various Internet Service Providers (ISPs) that lack a previous malicious reputation. This evasion technique allows them to bypass traditional IOC-based detection mechanisms. 

This type of research directly informs the rest of Trustwave on current TTPs used in the wild and allows us to better protect our software and service customers across all offerings. We published the IOCs relevant to this article instead of disclosing all of them as many are widely known and documented.

Indicators of Compromise:

Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-enterprise-applications-honeypot-unveiling-findings-from-six-worldwide-locations/