<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Between March 2 and 5, we detected a significant increase in scanning activity against Telnet ports via the target "NoThink! Telnet HoneyPot – IPs," provided by NoThink. To put this in perspective, the magnitude includes an increase of 4,000 IPs to about 130,000 IPs that took part in the scanning of Telnet ports, as presented in <strong>Figure 1</strong> below.</p> <p><!--more--></p> <p><img src="https://info.threatstop.com/hubfs/Figure1.png" alt="Figure1" width="1240" style="width: 1240px;"></p> <p style="text-align: center;"><strong><em>Figure 1: Increase of IPs blocked by the target "NoThink! Telnet HoneyPot." March 2019.</em></strong></p> <p>&nbsp;</p> <p>Afterwards, an additional increase was seen at the start of April, from initially ~400 IOCs to ~130,000 IOCs. The quantity of IOCs in the target during this time is presented in <strong>Figure 2</strong>. The number of hits blocked in our policy by this target is presented in <strong>Figure 3</strong>.</p> <p><img src="https://info.threatstop.com/hubfs/Figure2.png" alt="Figure2" width="1254" style="width: 1254px;"></p> <p style="text-align: center;"><em><strong>Figure 2: Increase of IPs blocked by the target "NoThink! Telnet HoneyPot." April 2019.</strong></em></p> <p style="text-align: center;">&nbsp;</p> <p style="text-align: center;">&nbsp;</p> <p><img src="https://info.threatstop.com/hubfs/Figure3.png" alt="Figure3" width="774" style="width: 774px;"></p> <p style="text-align: center;"><em><strong>Figure 3: Quantity of IPs blocked in our policy by the target "NoThink! Telnet HoneyPot."</strong></em></p> <p style="text-align: center;">&nbsp;</p> <p style="text-align: left;">This significant increase may have been a preliminary step to an increased number of attempted attacks on servers vulnerable to these types of scans. There is also a high probability that it is part of increased Mirai activity, as has been reported in the past few days by Bad Packets. Their reporting includes a review of the distribution of Mirai-like activity over the past year and the ports targeted <strong>(Figure 4)</strong>.</p> <p><img src="https://info.threatstop.com/hubfs/Figure4.png" alt="Figure4" width="1290" style="width: 1290px;"></p> <p style="text-align: center;"><em><strong>Figure 4: Report of Mirai-like malware infections in the last 365 days by port targeted, completed by <a href="https://docs.google.com/spreadsheets/d/1xRGdVmVgV8_KgrXMBTHe9mO2sYjDvY0CuMabj7-bjHc/edit#gid=1509269923" rel="noopener" target="_blank">Bad Packets</a>.</strong></em></p> <p>&nbsp;</p> <p>As seen in <strong>Figure 4</strong>, there seems to be a significant increase in Mirai-like activity specifically targeting Telnet ports (23 and 2323).</p> <p>This is also supported by the information reported by ISC after the Mirai attack outbreak in August 2016. ISC found there was a large increase in Telnet scanning, as presented in <strong>Figure 5</strong>.</p> <p>&nbsp;</p> <p><img src="https://info.threatstop.com/hubfs/Figure5.png" alt="Figure5" width="1018" style="width: 1018px;"></p> <p style="text-align: center;"><em><strong>Figure 5:&nbsp;TCP/23 port event sources collected by ISC.</strong></em></p> <p>&nbsp;</p> <p style="text-align: center;"><strong>Based on our compilation of&nbsp;research and&nbsp;data, we advise enabling targets that block inbound scanning attempts to prevent any future attack attempts, which you can&nbsp;implement through ThreatSTOP. 
If you'd like to be protected from threats like Mirai, request a demo or try us out free for 14 days.</strong></p> <p>&nbsp;</p> <p style="text-align: center;"></p></span>