Coordinated Multi-Source IoT/Router Exploitation Campaign Against CDIC Honeypot Sensor MTS-Web-Server1
| Field | Value |
|---|---|
| Report ID | CDIC-CTI-2026-0710-01 |
| Date of Report | 10 July 2026 |
| Reporting Period | 2026-07-08 09:46 UTC — 2026-07-10 12:08 UTC |
| Data Sources | Suricata (EVE: http, alert, fileinfo, anomaly), Dionaea, Honeytrap |
| Event Volume | 1,450 events across 5 attacker source IPs |
| Threat Type | Automated IoT/SOHO router exploitation — Mirai-family botnet propagation (assessed) |
| Prepared By | CDIC Threat Intelligence — Incident Response & CTI Analysis |
1. Executive Summary
Between 8 and 10 July 2026, CDIC honeypot sensor recorded 1,450 events originating from five source IP addresses, all announced by a single autonomous system — AS197170 (TechTies Inc., Netherlands); a small hosting network whose address space is heavily represented in public abuse-reporting datasets. Three of the five source addresses carried a pre-existing “known attacker” reputation tag at time of collection.
The activity is assessed as automated, coordinated exploitation of consumer IoT and SOHO router vulnerabilities, consistent in tooling and targeting with Mirai-family botnet propagation (moderate confidence). Attackers issued high-volume HTTP exploitation traffic against alternate web ports 81, 8080, 8081, and 8088, triggering Suricata signatures for four distinct device-class exploits: D-Link HNAP1 buffer overflow (CVE-2022-37055), Linksys E-Series remote command execution (TheMoon-style tmUnblock.cgi abuse), Comtrend VR-3033 command injection (CVE-2020-10173), and ZTE cable modem RCE (CVE-2014-2321).
The strongest coordination indicator observed is a hand-off event on 8 July at 23:33 UTC: source 85.11.167.203 delivered a 199-event burst against port 81 in 88 seconds, ceasing at 23:33:48; source 45.153.34.252 initiated identical port-81 exploitation 6.98 seconds later. Combined with shared ASN, identical exploit sets, and complementary port allocation across sources, this indicates centrally tasked infrastructure rather than independent opportunistic scanners.
No honeypot compromise occurred and no credentials were harvested (the activity was exploit-based, not credential-based). 180 Suricata fileinfo events confirm HTTP file/body transfer attempts consistent with first-stage payload delivery within exploit requests. Recommended actions: block AS197170 prefixes at the perimeter, deploy/verify the listed ET signatures in production IDS, and feed the five source IPs plus associated context into the CDIC MISP instance as a linked event cluster.
2. Key Findings
- Single-operator infrastructure: all five source IPs resolve to AS197170 (TechTies Inc., NL, Eygelshoven). The 45.153.34.0/24 range contributed three of the five sources; sibling addresses in this prefix have thousands of AbuseIPDB reports at 100% abuse confidence.
- Coordinated tasking: a 6.98-second gap between the final event of 85.11.167.203 and the first event of 45.153.34.252, both targeting port 81 with the same exploit set, indicates automated hand-off between nodes.
- Port specialization: each node was assigned a primary port lane — 81, 8080, 8081, or 8088 — with two nodes rotating across two lanes each. This is characteristic of distributed scanning frameworks that shard target/port space across worker nodes.
- Burst-and-return cadence: the 45.153.34.0/24 nodes operated in discrete bursts of 80–280 events separated by roughly 11–24 hour dwell periods, returning to the same target — behavior typical of botnet loader/scanner rotation rather than one-shot mass scanning.
- Multi-vendor IoT exploit chain: four exploit families spanning D-Link, Linksys, Comtrend, and ZTE devices were fired indiscriminately at generic web ports — a spray pattern used by Mirai-family loaders to maximize infection yield across heterogeneous edge devices.
- Payload delivery attempts observed: 180 fileinfo events across all five sources confirm HTTP bodies/files transferred during exploitation attempts, consistent with embedded downloader commands (e.g., wget/curl shell one-liners typical of Mirai loaders).
3. Sensor and Collection Context
All telemetry originates from CDIC sensors, Internal container addresses 192.168.96.2 and 172.25.0.2 appear as NAT-translated destinations in a subset of events and refer to the same sensor. Contributing honeypot/IDS components for this event set:
| Component | Role in This Dataset |
|---|---|
| Suricata | 1,131 events — HTTP transaction logging (700), protocol anomaly detection (204), file transfer extraction (183), and 44 exploit/stream alerts including all CVE-tagged detections. |
| Dionaea | 274 connection events, exclusively on port 81 — capturing the raw TCP sessions behind the port-81 exploitation lane. |
| Honeytrap | 45 connection events, primarily port 8088 — dynamic capture of the non-standard port lane used by 45.153.34.231. |
4. Attack Narrative and Timeline
4.1 Phase 1 — Initial probing and 8080 lane (8 July, 09:46–17:01 UTC)
45.156.87.213 opened the campaign with a 7-hour, 230-event engagement against port 8080, delivered in three bursts (09:46, 16:xx, 17:01). This node fired the widest exploit set of any source — all four exploit families — and generated 46 fileinfo events, indicating repeated payload-bearing requests. A single Honeytrap event on ephemeral port 40372 suggests an incidental secondary probe. Concurrently, 45.153.34.231 began a 115-event burst at 11:00 UTC split across ports 8080 and 8088.
4.2 Phase 2 — Port 81 hand-off (8 July, 23:32–23:34 UTC)
85.11.167.203 executed the most aggressive action of the campaign: 199 events in 88 seconds (roughly 2.3 events/second) against port 81, blending Dionaea-captured TCP sessions with Suricata HTTP transactions and Linksys/D-Link exploit alerts. The burst terminated at 23:33:48 UTC. At 23:33:55 UTC — 6.98 seconds later — 45.153.34.252 commenced sustained port-81 exploitation with an identical signature profile, ultimately logging 415 events across three return visits through 10 July 08:04 UTC. The near-seamless transition between two distinct source addresses on the same port lane with the same exploit set is assessed as automated tasking hand-off within a common command infrastructure.
4.3 Phase 3 — Sustained rotation (9–10 July)
45.153.34.231 returned at 10:xx UTC on 9 July (172 events) and again at 12:08 UTC on 10 July (109 events), maintaining the 8080/8088 lanes. 45.153.34.195 joined on 9 July at 17:43 UTC, working ports 81 and 8080 across two bursts (86 and 123 events) ending 10 July 04:46 UTC. 45.153.34.252 delivered its largest burst (197 events, port 81/8081) at 20:xx UTC on 9 July. Activity was ongoing at collection cut-off (10 July 12:08 UTC); the campaign should be considered active.
5. Exploitation Analysis
Suricata alerting resolved four exploit families, all targeting consumer/SOHO edge devices. All were fired against generic alternate web ports rather than vendor-default management ports, confirming an indiscriminate spray methodology.
| Signature / Exploit | CVE | Alerts | Target Device Class |
|---|---|---|---|
| ET EXPLOIT Linksys E-Series Device RCE Attempt (tmUnblock.cgi ttcp_ip command injection — TheMoon worm lineage) | — | 18 | Linksys E-Series routers |
| ET WEB_SPECIFIC_APPS D-Link HNAP1 GetDeviceSettings Buffer Overflow Attempt | CVE-2022-37055 | 12 | D-Link GO-RT-AC750 / HNAP1 routers |
| ET EXPLOIT Possible Authenticated Command Injection Inbound — Comtrend VR-3033 | CVE-2020-10173 | 3 | Comtrend VR-3033 gateways |
| ET EXPLOIT ZTE Cable Modem RCE Attempt (web_shell_cmd.gch) | CVE-2014-2321 | 2 | ZTE F460/F660 cable modems |
| SURICATA STREAM anomalies (invalid timestamp / spurious retransmission) | — | 9 | Scanner TCP-stack artifacts |
The exploit portfolio is notable for its age spread — CVE-2014-2321 through CVE-2022-37055 — which is a hallmark of Mirai-derivative loader kits that accumulate exploit modules over successive forks rather than curating current-generation vulnerabilities. The Linksys tmUnblock.cgi technique in particular has been continuously recycled from TheMoon (2014) through modern Mirai/Moobot variants. The 204 Suricata anomaly events and stream irregularities (invalid timestamps, spurious retransmissions) further indicate a lightweight custom TCP scanner rather than a full OS network stack — again consistent with Mirai-family propagation modules.
6. Attribution Assessment
Assessment: this activity represents a single coordinated campaign operated from abuse-tolerant hosting, functioning as propagation/loader infrastructure for a Mirai-family IoT botnet (moderate confidence). Confidence is bounded because full HTTP payloads (URIs, user-agents, downloader commands) were not present in this export; recovery of the loader URL or binary would permit family-level attribution (e.g., Moobot, Condi, Gafgyt derivative).
Supporting evidence:
- Single ASN of origin (AS197170) across all five sources, with three sources in one /24 (45.153.34.0/24).
- Sub-7-second port-81 tasking hand-off between 85.11.167.203 and 45.153.34.252.
- Identical exploit signature sets across sources, with complementary (non-overlapping) port-lane assignments.
- Multi-vendor IoT exploit spray at wire speed (up to 2.3 events/sec) with TCP-stack anomalies indicating custom scanning tooling.
- Pre-existing “known attacker” reputation on 45.153.34.195, 45.153.34.231, and 85.11.167.203; heavy public abuse reporting across the wider 45.153.34.0/24 prefix.
Alternative hypotheses considered: (1) independent opportunistic scanners coincidentally sharing an abuse-friendly host — rejected due to the hand-off timing and complementary port sharding; (2) commercial/security research scanning — rejected due to active exploitation payloads, reputation history, and absence of identifying scanner conventions.
7. MITRE ATT&CK Mapping
| Tactic | Technique | Observed Behavior |
|---|---|---|
| Reconnaissance | T1595.002 — Active Scanning: Vulnerability Scanning | High-rate probing of ports 81/8080/8081/8088 with exploit-laden requests across five distributed nodes. |
| Resource Development | T1583.003 / T1584.005 — Acquire Infrastructure: VPS; Compromise Infrastructure: Botnet | Attack nodes staged in abuse-tolerant NL hosting (AS197170); campaign purpose is botnet expansion. |
| Initial Access | T1190 — Exploit Public-Facing Application | HNAP1 buffer overflow (CVE-2022-37055), Comtrend command injection (CVE-2020-10173), ZTE web_shell_cmd.gch RCE (CVE-2014-2321), Linksys tmUnblock.cgi RCE. |
| Execution | T1059.004 — Command and Scripting Interpreter: Unix Shell | Exploits carry embedded shell command injection; 180 fileinfo events evidence payload-bearing HTTP bodies (attempted stage-1 downloader delivery). |
| Command and Control | T1105 — Ingress Tool Transfer (attempted) | File transfer attempts within exploit traffic consistent with malware retrieval one-liners; no successful retrieval on sensor. |
8. Indicators of Compromise
8.1 Network Indicators
| Indicator | Type | Ports Targeted | Events | Reputation / Notes |
|---|---|---|---|---|
45.153.34.195 |
IPv4 | 81, 8080 | 209 | Known attacker (feed-tagged) |
45.153.34.231 |
IPv4 | 8080, 8088 | 397 | Known attacker (feed-tagged) |
45.153.34.252 |
IPv4 | 81, 8081 | 415 | Port-81 hand-off recipient |
45.156.87.213 |
IPv4 | 8080 | 230 | Campaign initiator; widest exploit set |
85.11.167.203 |
IPv4 | 81 | 199 | Known attacker; 88-second burst node |
45.153.34.0/24 |
CIDR | — | — | Prefix-level block candidate (AS197170) |
AS197170 |
ASN | — | — | TechTies Inc., NL — abuse-tolerant hosting |
8.2 Detection Content (Suricata / ET)
ET WEB_SPECIFIC_APPS D-Link HNAP1 GetDeviceSettings Buffer Overflow Attempt (CVE-2022-37055)ET EXPLOIT Linksys E-Series Device RCE AttemptET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)
9. Defensive Recommendations
- Perimeter blocking: deny 45.153.34.0/24 and the four individual non-prefix IPs at edge firewalls; evaluate ASN-level blocking of AS197170 for environments with no legitimate NL hosting dependencies.
- IDS coverage validation: confirm the four ET signatures above are enabled and alerting in production Suricata deployments; the CVE-2022-37055 rule fired most consistently and is the highest-value canary for this campaign.
- Attack surface review: audit internet-facing assets for services on ports 81, 8080, 8081, and 8088; these lanes are being actively swept. No consumer router management interface should be internet-exposed.
- MISP ingestion: publish the five source IPs, the /24 prefix, ASN context, CVE tags, and the hand-off relationship as a single linked MISP event (suggested tags:
tlp:amber,mirai-family,iot-botnet,AS197170) to preserve the coordination context for future pivots. - Continued monitoring: the campaign was active at collection cut-off. Recommend a 14-day watch on AS197170-sourced traffic across all CDIC sensors and a follow-up pull for full Suricata HTTP records (URI, user-agent, request body) to recover the loader URL and enable family-level attribution.
- Threat hunting pivot: HASSH/JA3 and payload-hash pivots are not possible from this export; if PCAP retention on MTS-Web-Server1 covers 8–10 July, extract the port-81 sessions from the 23:32–23:34 UTC window (85.11.167.203) as the highest-density sample.
Appendix A — Per-Source Event Statistics
| Source IP | Events | HTTP Txns | File Transfers | Anomalies | Active Window (UTC) |
|---|---|---|---|---|---|
45.156.87.213 |
230 | 93 | 46 | 75 | 07-08 09:46 → 17:01 |
45.153.34.231 |
397 | 160 | 80 | 99 | 07-08 10:59 → 07-10 12:08 |
85.11.167.203 |
199 | 90 | 13 | 0 | 07-08 23:32 → 23:33 (88s) |
45.153.34.252 |
415 | 203 | 25 | 0 | 07-08 23:33 → 07-10 08:04 |
45.153.34.195 |
209 | 154 | 19 | 30 | 07-09 17:43 → 07-10 04:46 |