top of page
  • Nello Verde

Botnet Activity From Azerbaijan



Since the morning of 25 December 2023, Clipeus honeypots have been targeted with malicious traffic, primarily directed towards a vulnerable telnet port.


Based on the available indicators, Clipeus assessed this malicious traffic to be consistent with a botnet leveraging compromised networking devices in Azerbaijan. However, the available data does not enable a more precise attribution or provide additional context.


The malicious traffic peaked at midnight on 26 December and subsequently decreased until reaching a low volume of attacks at the time of writing.


Temporal Overview
Temporal Overview

The commands executed against the honeypot instances are consistent with an attempt to perform reconnaissance and discover the system configuration. Logged commands include attempts to kill processes and enable services, potentially indicative of evasion techniques and attempts to achieve persistence, respectively.


The traffic originates from 41 separate IP addresses geolocated in Azerbaijan.


IP Geolocation

An analysis of the top ten IP addresses in attack count reveals that at least six are consistent with internet-facing assets, namely networking devices (router, optical network terminal, VPN node), a Windows server, and a number of VoIP devices. Based on available data, the Windows server appears to be used for IoT device management. These observations led our analysis to attribute the events to a botnet.


Collected Indicators: Top Ten Source IP

Source IP

Attack Count

Passive Analysis of the Asset

85.132.39[.]233

159

Server: Boa/0.93.15; 220 RTK_GW FTP server (GNU inetutils 1.4.1)

89.147.208[.]189

159

SIP/2.0 User-Agent: eXosip/3.6.0

89.147.228[.]181

129

Unknown

89.147.225[.]64

129

Unknown

89.147.226[.]176

117

SIP/2.0 User-Agent: eXosip/3.6.0

89.147.198[.]55

117

Windows Server 2019, Version 1809/Windows 10, Version 1809, NetBIOS_Domain_Name: DESKTOP-[REDACTED] / GoAhead-Webs

89.147.209[.]143

102

Initiator security parameter index Internet Key Exchange version 2 (IKEv2)

89.147.209[.]151

102

Unknown

89.147.230[.]22

102

User-Agent: HUAWEI-EchoLife HG8245C/V3R015C10S115

89.147.237[.]243

102

SIP/2.0 User-Agent: eXosip/3.6.0



Comments


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you

bottom of page