Since the morning of 25 December 2023, Clipeus honeypots have been targeted with malicious traffic, primarily directed towards a vulnerable telnet port.
Based on the available indicators, Clipeus assessed this malicious traffic to be consistent with a botnet leveraging compromised networking devices in Azerbaijan. However, the available data does not enable a more precise attribution or provide additional context.
The malicious traffic peaked at midnight on 26 December and subsequently decreased until reaching a low volume of attacks at the time of writing.
The commands executed against the honeypot instances are consistent with an attempt to perform reconnaissance and discover the system configuration. Logged commands include attempts to kill processes and enable services, potentially indicative of evasion techniques and attempts to achieve persistence, respectively.
The traffic originates from 41 separate IP addresses geolocated in Azerbaijan.
An analysis of the top ten IP addresses by attack count reveals that at least six are consistent with internet-facing assets, namely networking devices (a router, an optical network terminal and a VPN node), a Windows server, and a number of VoIP devices. Based on available data, the Windows server appears to be used for IoT device management. These observations led our analysis to attribute the events to a botnet.
Collected Indicators: Top Ten Source IPs

| Source IP | Attack Count | Passive Analysis of the Asset |
|---|---|---|
| 85.132.39[.]233 | 159 | Server: Boa/0.93.15; 220 RTK_GW FTP server (GNU inetutils 1.4.1) |
| 89.147.208[.]189 | 159 | SIP/2.0 User-Agent: eXosip/3.6.0 |
| 89.147.228[.]181 | 129 | Unknown |
| 89.147.225[.]64 | 129 | Unknown |
| 89.147.226[.]176 | 117 | SIP/2.0 User-Agent: eXosip/3.6.0 |
| 89.147.198[.]55 | 117 | Windows Server 2019, Version 1809 / Windows 10, Version 1809; NetBIOS_Domain_Name: DESKTOP-[REDACTED]; GoAhead-Webs |
| 89.147.209[.]143 | 102 | Initiator security parameter index, Internet Key Exchange version 2 (IKEv2) |
| 89.147.209[.]151 | 102 | Unknown |
| 89.147.230[.]22 | 102 | User-Agent: HUAWEI-EchoLife HG8245C/V3R015C10S115 |
| 89.147.237[.]243 | 102 | SIP/2.0 User-Agent: eXosip/3.6.0 |
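The triage that produced the observations above (classifying logged telnet commands as reconnaissance, process-kill or service-enable behaviour, and ranking sources by attack count) can be reproduced over a honeypot command log. The following is an added example, not Clipeus tooling or data; it assumes a simple line format of `<timestamp> <source_ip> CMD: <command>` and uses constructed sample lines with documentation-range addresses.

```python
import re
from collections import Counter

# Assumed log format: "<timestamp> <source_ip> CMD: <command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) CMD: (?P<cmd>.+)$")

# Behaviour classes named in the report; checked in order, first match wins.
RULES = [
    ("process_kill",   re.compile(r"^(?:kill|pkill|killall)\b")),     # possible evasion
    ("service_enable", re.compile(r"\benable\b")),                     # possible persistence
    ("reconnaissance", re.compile(r"^(?:uname\b|cat /proc/|ls\b|(?:busybox )?ps\b|ifconfig\b|id\b)")),
]

# Constructed sample records (not from the Clipeus honeypots); last line is malformed on purpose.
SAMPLE_LOG = """\
2023-12-25T09:14:02Z 203.0.113.10 CMD: cat /proc/cpuinfo
2023-12-25T09:14:03Z 203.0.113.10 CMD: uname -a
2023-12-25T09:14:05Z 203.0.113.10 CMD: kill -9 1234
2023-12-25T09:14:06Z 203.0.113.10 CMD: service example enable
2023-12-25T09:20:41Z 203.0.113.22 CMD: ls -la /tmp
2023-12-25T09:20:42Z 203.0.113.22 CMD: busybox ps
2023-12-25T09:20:43Z 203.0.113.22 CMD: echo hello
malformed line that should be skipped
"""

def classify(cmd: str) -> str:
    """Map one command line to a behaviour class, or 'other'."""
    for label, pattern in RULES:
        if pattern.search(cmd):
            return label
    return "other"

def summarize(log_text: str):
    """Return (attacks per source IP, commands per class, per-IP class counts)."""
    per_ip, per_cat, per_ip_cat = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # skip lines that do not fit the assumed format
            continue
        src, label = m.group("src"), classify(m.group("cmd").strip())
        per_ip[src] += 1
        per_cat[label] += 1
        per_ip_cat.setdefault(src, Counter())[label] += 1
    return per_ip, per_cat, per_ip_cat

def top_sources(log_text: str, n: int = 10):
    """The 'top N source IPs by attack count' view used in the report's table."""
    return summarize(log_text)[0].most_common(n)

def flag_sources(log_text: str):
    """Sources that both killed a process and enabled a service: evasion plus persistence."""
    per_ip_cat = summarize(log_text)[2]
    return sorted(ip for ip, c in per_ip_cat.items() if c["process_kill"] and c["service_enable"])
```

Sources returned by `flag_sources` are the ones worth passive enrichment first, since the combination matches the evasion-then-persistence pattern described above.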