Romanian Distillery Scanning for SMTP Credentials

    Published: 2025-03-04. Last Updated: 2025-03-04 15:53:21 UTC
    by Johannes Ullrich (Version: 1)

    Lately, attackers have become more creative and aggressive in probing exposed web servers for credential files. Our "First Seen" page shows many new variants of scans for secrets files such as ".env" every day.

    Yesterday, I noted a couple of requests that stuck out a bit:

    /admin/smtp_keys.json
    /admin/smtp_tokens.json

    The same attacker also scanned for variations like "/api/smtp_keys.json" and "/backend/smtp_keys.json". The requests observed over two days:

    Date        URL
    2025-03-01  /admin/smtp_tokens.json
    2025-03-01  /api/smtp_tokens.json
    2025-03-01  /backend/smtp_tokens.json
    2025-03-01  /deploy/smtp_tokens.json
    2025-03-01  /staging/smtp_tokens.json
    2025-03-01  /testing/smtp_tokens.json
    2025-03-01  /user/smtp_tokens.json
    2025-03-01  /web/smtp_tokens.json
    2025-03-02  /admin/smtp_tokens.json
    2025-03-02  /api/smtp_tokens.json
    2025-03-02  /backend/smtp_tokens.json
    2025-03-02  /deploy/smtp_tokens.json
    2025-03-02  /staging/smtp_tokens.json
    2025-03-02  /testing/smtp_tokens.json
    2025-03-02  /user/smtp_tokens.json
    2025-03-02  /web/smtp_tokens.json

    The requests originate from a single IP address, 193.41.206.202. According to Whois, the IP belongs to a Romanian distillery (Alexandrion Saber 1789 Distilleries), likely a compromised system in their network being used for scanning. The scans started in February, and the source has been probing for possible secrets files every so often since then, slightly changing the set of files it looks for each time.
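    The following is an added example, not part of the diary, showing how to pull scans like this out of a web server's access log. It parses combined-format lines, matches request paths against a small watchlist of secrets-file patterns (the smtp_keys/smtp_tokens names from the diary plus a few common targets I chose for the example), accepts any directory prefix so the /admin/, /api/, /backend/, /staging/ ... variants need no listing, and aggregates per source IP. It counts separately how many of those requests were answered with a 2xx, because a 200 on such a path means the file actually exists, which is the finding that matters. The log lines and addresses are constructed (RFC 5737 documentation ranges), not real traffic.

```python
import re
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Watchlist of request paths that only a secrets scanner would ask for.  The
# smtp_keys/smtp_tokens names come from the diary; the others are assumptions
# (common targets) added for this example.  No directory prefix is anchored,
# so /admin/, /api/, /backend/, /staging/ ... are all covered.
SECRET_PATH_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"/smtp_(keys|tokens)\.json$",
    r"/\.env(\.[a-z]+)?$",
    r"/(config|credentials|secrets)\.(json|ya?ml|ini|php)$",
    r"/\.git/config$",
    r"/\.aws/credentials$",
)]


def parse_line(line):
    """Return (ip, datetime, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # ignore any query string
    return m["ip"], ts, path, int(m["status"])


def is_secret_path(path):
    return any(r.search(path) for r in SECRET_PATH_RES)


def find_secret_scanners(log_text):
    """Aggregate requests for secrets files by source IP.

    Returns {ip: {"hits", "served", "paths", "first", "last"}}.  "served" counts
    requests answered 2xx: a secrets file that really exists is the finding that
    matters; the 404s only tell you who is looking.
    """
    agg = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if not is_secret_path(path):
            continue
        e = agg.setdefault(ip, {"hits": 0, "served": 0, "paths": set(),
                                "first": ts, "last": ts})
        e["hits"] += 1
        if 200 <= status < 300:
            e["served"] += 1
        e["paths"].add(path)
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    # Plain, sorted, serializable result
    return {ip: {**e, "paths": sorted(e["paths"]),
                 "first": e["first"].isoformat(), "last": e["last"].isoformat()}
            for ip, e in agg.items()}


# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2025:03:12:07 +0000] "GET /admin/smtp_tokens.json HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Mar/2025:03:12:08 +0000] "GET /api/smtp_tokens.json HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Mar/2025:11:40:21 +0000] "GET /backend/smtp_keys.json?x=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Mar/2025:12:00:00 +0000] "GET /.env HTTP/1.1" 200 412 "-" "curl/8.5.0"
203.0.113.7 - - [02/Mar/2025:12:01:00 +0000] "GET /static/env.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, e in sorted(find_secret_scanners(SAMPLE_LOG).items()):
        flag = "LEAK" if e["served"] else "scan"
        print(f"{flag} {ip} hits={e['hits']} served={e['served']} "
              f"{e['first']}..{e['last']} {e['paths']}")
```

    Run against a real access log by feeding the file contents to find_secret_scanners(); anything with served > 0 deserves an immediate look at what was returned, while a long list of 404s from one address with slowly shifting filenames is the pattern described above.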

    ---
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

    Tool update: mac-robber.py

    Published: 2025-03-04. Last Updated: 2025-03-04 14:11:14 UTC
    by Jim Clausing (Version: 1)

    Just a quick update. I fixed a big bug in my mac-robber.py script [1] about 2 weeks ago, but realized I hadn't published a diary about it. I didn't go back and figure out how this one slipped in because I'm sure it worked originally, but it was generating bad output for soft/symbolic links. If you are using the script, please update immediately.
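    As an added illustration of the pitfall behind that bug (this is example code written for this page, not Jim's script), here is a minimal walker that emits TSK 3.x body-file lines (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and uses os.lstat rather than os.stat. With os.stat a symlink is silently reported with its target's inode, mode, size and timestamps under the link's name, and nothing downstream in a mactime timeline can tell. Appending " -> target" to the link's name and hashing only regular files are choices made for this example; the demo tree it builds is constructed and lives in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile


def _md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def body_entry(path, hash_files=True):
    """One TSK 3.x body-file line for `path`:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

    os.lstat is the whole point: os.stat follows symlinks and would report the
    target's metadata under the link's name, which is exactly the kind of wrong
    output a timeline consumer cannot detect later.
    """
    st = os.lstat(path)
    perm = stat.filemode(st.st_mode)              # e.g. '-rw-r--r--', 'lrwxrwxrwx'
    if stat.S_ISLNK(st.st_mode):
        kind = "l"
    elif stat.S_ISDIR(st.st_mode):
        kind = "d"
    elif stat.S_ISREG(st.st_mode):
        kind = "r"
    else:
        kind = perm[0]                            # b, c, p, s ...
    mode_str = f"{kind}/{kind}{perm[1:]}"         # TSK style, e.g. 'r/rrw-r--r--'
    name = path
    digest = "0"
    if kind == "l":
        name = f"{path} -> {os.readlink(path)}"   # record the target, never follow it
    elif kind == "r" and hash_files:
        digest = _md5(path)
    crtime = int(getattr(st, "st_birthtime", 0))  # Linux has no birth time; macOS/BSD do
    return "|".join(str(x) for x in (
        digest, name, st.st_ino, mode_str, st.st_uid, st.st_gid, st.st_size,
        int(st.st_atime), int(st.st_mtime), int(st.st_ctime), crtime))


def body_file(root, hash_files=True):
    """Walk `root` without following symlinks; one body line per object."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False by default
        lines.append(body_entry(dirpath, hash_files))
        for n in sorted(dirnames + filenames):
            p = os.path.join(dirpath, n)
            # Real subdirectories get their line when os.walk visits them; a symlink
            # to a directory sits in dirnames but is never visited, so emit it here.
            if n in dirnames and not os.path.islink(p):
                continue
            lines.append(body_entry(p, hash_files))
    return lines


def demo():
    """Build a throwaway tree (constructed for this example) and return its entries by basename."""
    root = tempfile.mkdtemp(prefix="bodydemo_")
    with open(os.path.join(root, "a.txt"), "w") as f:
        f.write("hello")
    os.mkdir(os.path.join(root, "sub"))
    os.symlink("a.txt", os.path.join(root, "lnk"))      # symlink to a file
    os.symlink("sub", os.path.join(root, "lnkdir"))     # symlink to a directory
    entries = {}
    for line in body_file(root):
        fields = line.split("|")
        entries[os.path.basename(fields[1].split(" -> ")[0])] = fields
    return entries


if __name__ == "__main__":
    for fields in demo().values():
        print("|".join(fields))
```

    In the demo output the link "lnk" has its own inode, a mode string starting with "l/l" and a size equal to the length of its target path, while "a.txt" carries the MD5 of its content; swap os.lstat for os.stat in body_entry and the two lines become near-duplicates, which is the bad output to watch for.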

    References:

    [1] https://github.com/att/docker-forensics/blob/master/mac-robber.py

    ---------------
    Jim Clausing, GIAC GSE #26
    jclausing --at-- isc [dot] sans (dot) edu

    Keywords: tools