1. Executive Summary
Honeypot data captured an automated, rapid scanning and reconnaissance attempt originating from a DigitalOcean IP address (188.166.160.102). The activity primarily targeted the VMware vSphere SOAP API endpoint and included general probing on port 5000.
The most critical indicator is a SOAP POST request to /sdk containing the RetrieveServiceContent function call, which is a key signature of attacks or reconnaissance targeting VMware ESXi and vCenter Server environments. The use of a distinct “Odin” User-Agent suggests the attacker may be using a known scanning tool or botnet component.
2. Indicators of Compromise (IOCs)
| Type | Indicator | Context |
| --- | --- | --- |
| Source IP Address | 188.166.160.102 | Attacker IP. Associated with DigitalOcean (Data Center/Web Hosting). Low risk reputation but with 16 past reports and 12 distinct users, indicating shared infrastructure or a disposable attack platform. |
| Target Path | /sdk | Primary target for VMware vSphere SOAP API access. |
| Request Body Signature | <soap:Body><RetrieveServiceContent xmlns="urn:internalvim25">... | SOAP API call used to enumerate and retrieve service information from a VMware vCenter/ESXi host. This is a common reconnaissance step in attacks against VMware infrastructure. |
| User-Agent | Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) | Custom or identified bot User-Agent. “Odin” is associated with internet scanning tools/platforms. |
| Target Port | 5000 | General probing via GET requests to http://0.0.0.0:5000/. Port 5000 is often used for web services (e.g., Flask/Python default) or other application-layer services. |
3. Vulnerabilities and Exploitation Attempts
The SOAP request body containing <RetrieveServiceContent> strongly suggests the attacker is attempting reconnaissance against a VMware vCenter or ESXi SOAP endpoint.
- Vulnerability Target: The requests are likely a precursor to exploiting a known or zero-day vulnerability in VMware vCenter Server or ESXi that relies on initial enumeration via the API. While the request itself is reconnaissance, successful enumeration is often followed by exploitation.
- Reconnaissance Technique: The RetrieveServiceContent call is a non-destructive way to confirm the presence and version of a VMware vSphere environment, which could then be targeted with exploits for known vulnerabilities like:
  - CVE-2023-34048 (VMware vCenter Server Out-of-Bounds Write): A critical vulnerability used for Remote Code Execution (RCE), often preceded by such reconnaissance.
  - CVE-2022-22948 (vCenter Server Incorrect Default File Permissions): Used to gain access to sensitive information.
  - CVE-2024-37085 (VMware ESXi Authentication Bypass): Could be the follow-up attack if an ESXi host is identified.
4. Campaign and Attribution
- Campaign/Activity: The rapid, focused nature of the requests (8 requests over approximately 1 minute and 22 seconds) is consistent with an automated Mass Scanning operation. This activity is typical of botnets or widespread exploitation attempts seeking vulnerable targets at scale.
- Attribution (APT/Threat Group): Due to the generic nature of mass scanning, a specific Advanced Persistent Threat (APT) group cannot be definitively attributed. However, high-value targets like VMware infrastructure are frequently targeted by various threat actors, including state-sponsored groups and e-crime gangs, for initial access, corporate espionage, or ransomware deployment (e.g., attacks observed targeting VMware for deployment of ESXiArgs or other ransomware strains).
- Tooling: The use of the “Odin” User-Agent aligns with open-source and commercial internet-scanning engines or, in some cases, custom tooling. Prior cybersecurity reports also mention “Odin” as a generic bot or a search engine used for asset cataloging, but its use in this context is clearly for active port/service scanning.
5. Recommendations and Mitigations
- Block IOCs: Immediately block all traffic originating from the source IP address 188.166.160.102 at the perimeter firewall.
- VMware Patching: Ensure all VMware vCenter Server and ESXi instances are patched to the latest versions, specifically addressing:
  - All critical vulnerabilities from 2023 and 2024 (e.g., CVE-2023-34048, CVE-2024-37085).
  - Consult vendor advisories for a complete list of relevant patches.
- Network Segmentation: Isolate vCenter/ESXi management interfaces from the public internet. Access should be restricted to VPN or internal administrative subnets only.
- Monitoring: Implement monitoring rules to alert on:
  - Any requests to the /sdk path from external or unexpected internal sources.
  - Unusual or unapproved User-Agents (e.g., Odin) attempting to access administrative services.
  - Failed or successful login attempts to VMware management interfaces.
- SOAP/API Access Control: Restrict access to the VMware SOAP API endpoint to known, trusted source IP ranges via firewall or WAF policies.
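The monitoring rules above, implemented as a small detector over honeypot-style JSON log lines. This is an added example, not part of the original report; the trusted management ranges, the log field names and the sample records are constructed for illustration.

```python
import json
import ipaddress
from collections import defaultdict

# Assumption: management/VPN subnets from which vSphere API access is expected.
# Anything outside these ranges is treated as external.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample records (JSON lines) modelled on the indicators in this report.
SAMPLE_LOG = r"""
{"src":"188.166.160.102","method":"POST","path":"/sdk","ua":"Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)","body":"<soap:Body><RetrieveServiceContent xmlns=\"urn:internalvim25\">...</RetrieveServiceContent></soap:Body>"}
{"src":"188.166.160.102","method":"GET","path":"/","ua":"Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)","body":""}
{"src":"10.20.30.40","method":"POST","path":"/sdk","ua":"VMware vim-java 1.0","body":"<soap:Body><RetrieveServiceContent xmlns=\"urn:vim25\">...</RetrieveServiceContent></soap:Body>"}
{"src":"203.0.113.9","method":"GET","path":"/index.html","ua":"curl/8.0","body":""}
"""


def is_trusted(src: str) -> bool:
    """True when the source address belongs to an approved management range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def evaluate(record: dict) -> list:
    """Apply the report's monitoring rules to one request; return the rules that fire."""
    hits = []
    if record.get("path") == "/sdk" and not is_trusted(record["src"]):
        hits.append("external_access_to_sdk")
    if "odin" in record.get("ua", "").lower():
        hits.append("scanner_user_agent_odin")
    # Legitimate vSphere clients issue RetrieveServiceContent on every session,
    # so only flag it when the caller is outside the trusted ranges.
    if "RetrieveServiceContent" in record.get("body", "") and not is_trusted(record["src"]):
        hits.append("vsphere_retrieve_service_content")
    return hits


def scan_log(text: str) -> dict:
    """Parse JSON-lines output and collect the distinct rules fired per source IP."""
    alerts = defaultdict(list)
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        for rule in evaluate(record):
            if rule not in alerts[record["src"]]:
                alerts[record["src"]].append(rule)
    return dict(alerts)


if __name__ == "__main__":
    for src, rules in scan_log(SAMPLE_LOG).items():
        print(src, ", ".join(rules))
```

Only the external scanner source produces alerts; the same enumeration call from the trusted 10.20.30.40 range is deliberately left silent to keep the rule usable on a real vCenter.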
