Between March 2 - 5, we detected a significant increase in scanning activity on Telnet ports via the target "NoThink! Telnet HoneyPot – IPs," provided by NoThink. To put this in perspective, the magnitude includes an increase of 4,000 IPs to about 130,000 IPs that took part in the scanning on Telnet ports, as presented in Figure 1 below.
Figure 1: Increase of IPs blocked by the target "NoThink! Telnet HoneyPot." March 2019.
Afterwards, an additional increase was seen at the start of April, from initially ~400 IOCs to ~130,000 IOCs. The quantity of IOCs in the target during this time is presented in Figure 2. The number of hits blocked in our policy by this target is presented in Figure 3.
Figure 2: Increase of IPs blocked by the target "NoThink! Telnet HoneyPot." April 2019.
Figure 3: Quantity of IPs blocked in our policy by the target "NoThink! Telnet HoneyPot."
This significant increase may have been a preliminary step to an increased number of attempted attacks on servers vulnerable to these types of scans. There is a high probability that it is part of increased Mirai activity, as has been reported in the past few days by Bad Packets. Their reporting includes a review of the distribution of Mirai-like activity over the past year and the ports targeted (Figure 4).
Figure 4: Report of Mirai-like malware infections in the last 365 days by port targeted, completed by Bad Packets.
As seen in Figure 4, there seems to be a significant increase in Mirai-like activity specifically targeting Telnet ports (23 and 2323).
This is also supported by the information reported by ISC after the Mirai attack outbreak in August 2016. ISC found there was a large increase in Telnet scanning, as presented in Figure 5.
Figure 5: TCP/23 port event sources collected by ISC.
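To watch for the same pattern in your own perimeter logs, the added example below (not from the original post or from ThreatSTOP) counts distinct source IPs per day hitting TCP ports 23 and 2323 and flags a day-over-day jump. The log layout (ISO timestamp plus iptables-LOG-style `SRC=`/`PROTO=`/`DPT=` fields), the threshold values and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}  # the Telnet ports named in the post

# Assumed layout: "<ISO timestamp> ... SRC=<ip> ... PROTO=TCP ... DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ .*?\bSRC=(?P<src>\S+) "
    r".*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b"
)

def daily_telnet_sources(lines):
    """Map day -> set of distinct source IPs that hit a Telnet port over TCP."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m["dpt"]) in TELNET_PORTS:
            per_day[m["day"]].add(m["src"])
    return dict(per_day)

def spike_days(per_day, factor=3.0, min_sources=3):
    """Return (day, previous_count, count) where distinct sources grew >= factor."""
    flagged = []
    days = sorted(per_day)
    for prev, cur in zip(days, days[1:]):
        before, now = len(per_day[prev]), len(per_day[cur])
        # min_sources keeps tiny baselines (1 -> 2) from raising noise alerts
        if now >= min_sources and now >= factor * before:
            flagged.append((cur, before, now))
    return flagged

# Constructed sample using documentation address ranges; not data from the post.
_FMT = "{ts} kernel: IN=eth0 SRC={src} DST=203.0.113.10 PROTO={proto} SPT=40000 DPT={dpt}"
SAMPLE_LOG = [_FMT.format(ts=t, src=s, proto=p, dpt=d) for t, s, p, d in [
    ("2019-04-01T08:00:01Z", "198.51.100.7", "TCP", 23),
    ("2019-04-01T08:00:05Z", "198.51.100.7", "TCP", 23),    # repeat source, counted once
    ("2019-04-01T09:10:00Z", "198.51.100.9", "TCP", 22),    # not a Telnet port
    ("2019-04-02T01:00:00Z", "198.51.100.7", "TCP", 2323),
    ("2019-04-02T01:00:02Z", "192.0.2.14", "TCP", 23),
    ("2019-04-02T01:00:03Z", "192.0.2.15", "TCP", 23),
    ("2019-04-02T01:00:04Z", "192.0.2.16", "TCP", 2323),
    ("2019-04-02T01:00:09Z", "192.0.2.99", "UDP", 23),      # not TCP, ignored
]]

if __name__ == "__main__":
    for day, before, now in spike_days(daily_telnet_sources(SAMPLE_LOG)):
        print(f"{day}: distinct Telnet scanners rose from {before} to {now}")
```

Counting distinct sources rather than raw hits mirrors how the post measures the surge (IPs in the target), and keeps one noisy scanner from looking like a campaign.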
Based on our compilation of research and data, we advise enabling targets that block inbound scanning attempts to prevent any future attack attempts, which you can implement through ThreatSTOP. If you'd like to be protected from threats like Mirai, request a demo or try us out free for 14 days.