This TSUBAME Report Overflow series discusses monitoring trends of overseas TSUBAME sensors and other activities that the Internet Threat Monitoring Quarterly Reports do not include. This article covers the monitoring results for the period of October to December 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here.
Packets observed from products under development
JPCERT/CC analyzes the data collected by TSUBAME on a daily basis. In this article, I will focus on a product from a Japanese developer that we found while analyzing the data and investigating the IP addresses of scan sources. Multiple ports were open on the source IP address, and we could see the WebUIs of several products. In such cases, there is a high possibility that the user has configured port forwarding. Therefore, we contacted the developer identified from the WebUI to inform them of the problem and ask about the product being used.

The developer responded immediately, and it turned out that the product had been installed and was being used by the developer themselves. We then had a conference call with the developer and learned that the product had most likely been compromised by malware while it was under development with another company's product embedded in it and connected to the Internet. In addition, the administrator was unaware, until we pointed it out, that the WebUI of the other product, which became the initial entry point, had been exposed.

We see similar cases a few times every year, and thus we present such cases to product developers at seminars and other events. If you are a product developer and do not have any contact with JPCERT/CC, please take note of the following three points:
- Check specifications when integrating products from other developers.
- If the specifications allow a closed network, use it and do not assign a global IP address (SIM card specifications are often overlooked).
- After installation, perform a port scan to check if any unintended ports are open.
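The third point, checking after installation which ports are actually reachable and comparing them with the ports the deployment is supposed to expose, can be automated. The following is an added example written for this article, not JPCERT/CC's or any vendor's code. It connects to each candidate TCP port, then reports the open ports that are not on an intended-exposure allowlist; the allowlist (only 22/TCP) and the stand-in "stray WebUI" (a listener on an ephemeral loopback port) are constructed for the demonstration. In a real deployment the scan would be run against the device's global IP address from outside its network, and the allowlist taken from the product's specification.

```python
"""Post-installation exposure check: compare the TCP ports actually reachable
on a host against the ports the deployment is supposed to expose."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def scan_ports(host, ports, timeout=0.5):
    """Return the sorted list of TCP ports on host that accept a connection."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=64) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def unexpected_ports(open_ports, intended_ports):
    """Ports that are open but absent from the specification's allowlist."""
    return sorted(set(open_ports) - set(intended_ports))


def _serve_once(listener):
    """Accept and drop a single connection (stand-in for an exposed WebUI)."""
    try:
        conn, _ = listener.accept()
        conn.close()
    except OSError:
        pass  # listener was closed before anyone connected


def demo():
    """Constructed scenario: the specification allows only 22/TCP (assumption),
    but a second product's WebUI is also listening. Returns the stray port and
    the list of unexpected open ports the check reports."""
    intended = {22}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # ephemeral port models the stray WebUI
    listener.listen(5)
    stray_port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener,), daemon=True).start()
    try:
        # Probe the allowed port plus a small window around the stray one;
        # a real check would cover the full 1-65535 range.
        candidates = [22] + [p for p in range(stray_port - 5, stray_port + 6)
                             if 1 <= p <= 65535]
        open_ports = scan_ports("127.0.0.1", candidates)
        return stray_port, unexpected_ports(open_ports, intended)
    finally:
        listener.close()


if __name__ == "__main__":
    stray, unexpected = demo()
    print(f"stray listener on {stray}; unexpected open ports: {unexpected}")
```

The check is deliberately allowlist-based: anything reachable that the specification does not name is reported, which is exactly the condition (a second product's WebUI nobody knew was exposed) described in the case above.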
I believe that similar cases will continue to occur in the future. If you receive an email from JPCERT/CC regarding vulnerability information or product usage, we would appreciate your response and cooperation.
Comparison of the observation trends in Japan and overseas
Figure 1 is a monthly comparison of the average number of packets received in Japan and overseas. Overseas sensors received more packets than those in Japan.
Figure 1: Monthly comparison of the average number of packets received in Japan and overseas
Comparison of monitoring trends by sensor
A global IP address is assigned to each TSUBAME sensor. Table 1 shows, for each sensor, the 10 ports on which it received the most packets. Although the order differs from sensor to sensor, almost all the sensors observed packets for 23/TCP, 6379/TCP, 22/TCP, and 80/TCP. This suggests that these protocols are being scanned across a wide range of networks.
Table 1: Comparison of top 10 packets by domestic and overseas sensors
Sensor | #1 | #2 | #3 | #4 | #5 | #6 | #7 | #8 | #9 | #10 |
Sensor in Japan #1 | 23/TCP | 22/TCP | 6379/TCP | 8080/TCP | 80/TCP | ICMP | 443/TCP | 3389/TCP | 445/TCP | 4719/TCP |
Sensor in Japan #2 | 37215/TCP | 23/TCP | 6379/TCP | ICMP | 22/TCP | 8080/TCP | 80/TCP | 3389/TCP | 445/TCP | 443/TCP |
Sensor in Japan #3 | 23/TCP | 6379/TCP | 22/TCP | 8080/TCP | 80/TCP | 443/TCP | 3389/TCP | ICMP | 445/TCP | 4719/TCP |
Sensor overseas #1 | 23/TCP | 80/TCP | 8080/TCP | 22/TCP | 445/TCP | 3389/TCP | 443/TCP | 1433/TCP | ICMP | 8081/TCP |
Sensor overseas #2 | 23/TCP | ICMP | 445/TCP | 22/TCP | 80/TCP | 8080/TCP | 3389/TCP | 443/TCP | 1433/TCP | 2375/TCP |
Sensor overseas #3 | 443/TCP | 23/TCP | 445/TCP | 8080/TCP | 22/TCP | 6379/TCP | 37215/TCP | 80/TCP | ICMP | 3389/TCP |
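The comparison Table 1 draws by hand, ranking destination ports per sensor and then looking for the ports that rank highly on (almost) every sensor, is a small piece of detection logic worth having in code. The following is an added example for this article, not TSUBAME's own tooling; the packet records are constructed sample lines, not real sensor data, and the `<sensor> <dst_port> <proto>` format is an assumption chosen for the example.

```python
"""Rank destination ports per sensor and find the ports that rank highly on
most sensors, i.e. the ones likely being scanned across many networks."""
from collections import Counter

# Constructed sample records (not TSUBAME data): "<sensor> <dst_port> <proto>".
# ICMP has no port, so its port column is a placeholder 0.
SAMPLE_PACKETS = """\
jp1 23 TCP
jp1 23 TCP
jp1 23 TCP
jp1 22 TCP
jp1 22 TCP
jp1 6379 TCP
jp1 6379 TCP
jp1 0 ICMP
jp2 23 TCP
jp2 23 TCP
jp2 6379 TCP
jp2 6379 TCP
jp2 22 TCP
jp2 37215 TCP
ov1 23 TCP
ov1 23 TCP
ov1 80 TCP
ov1 80 TCP
ov1 22 TCP
ov1 445 TCP
"""


def parse_packets(text):
    """Parse records into (sensor, service) pairs, where service is
    '<port>/<proto>' for TCP/UDP and just 'ICMP' for ICMP, as in Table 1."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sensor, port, proto = line.split()
        service = proto if proto == "ICMP" else f"{port}/{proto}"
        records.append((sensor, service))
    return records


def top_ports(records, n=10):
    """Map each sensor to its n most frequent services, most frequent first.
    Ties keep first-seen order, as Counter.most_common guarantees."""
    per_sensor = {}
    for sensor, service in records:
        per_sensor.setdefault(sensor, Counter())[service] += 1
    return {s: [svc for svc, _ in c.most_common(n)] for s, c in per_sensor.items()}


def widely_scanned(tops, min_sensors=None):
    """Services that appear in the top-n list of at least min_sensors sensors
    (default: all of them). Appearing on many independent sensors is the
    signal that a port is being scanned broadly rather than locally."""
    if min_sensors is None:
        min_sensors = len(tops)
    hits = Counter(svc for ranked in tops.values() for svc in ranked)
    return sorted(svc for svc, count in hits.items() if count >= min_sensors)


if __name__ == "__main__":
    tops = top_ports(parse_packets(SAMPLE_PACKETS), n=3)
    for sensor, ranked in tops.items():
        print(sensor, ranked)
    print("on every sensor:", widely_scanned(tops))
```

On a real feed one would use `n=10` as in Table 1 and read `widely_scanned` with a threshold slightly below the sensor count, since the table itself shows 6379/TCP on five of the six sensors rather than all of them.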
In closing
Monitoring at multiple locations enables us to determine whether a given change is occurring only in a particular network. Although we have not published any special alerts as an extra issue or other information this quarter, it is important to keep paying attention to scanners. We will continue to publish blog articles as the Internet Threat Monitoring Quarterly Report becomes available every quarter. We will also publish an extra issue when we observe any unusual change. Your feedback on this series is much appreciated. Please use the comment form below to let us know which topic you would like us to introduce or discuss further. Thank you for reading.
Keisuke Shikano
(Translated by Takumi Nakano)
Article Link: TSUBAME Report Overflow (Oct-Dec 2023) - JPCERT/CC Eyes | JPCERT Coordination Center official Blog