HoneyPot Analysis: Studying The Malicious Behavior of Threat Actors In The Wild

PROJECT OVERVIEW
I set up a HoneyPot for the purpose of identifying and analyzing the malicious techniques that hackers use to compromise a system. I configured an Amazon Web Services EC2 Instance within the US East (Ohio) Region using a Debian 11 OS to host my HoneyPot server. I then deployed the open-source “T-Pot” platform, developed by T-Mobile, onto my instance. “T-Pot” is a HoneyPot system that bundles some of the best HoneyPot technologies available today for open source intelligence (OSINT) gathering. For this project I used Cowrie within “T-Pot”. Cowrie is an interactive honeypot designed to log SSH/Telnet brute force attacks, along with the commands an attacker runs once inside. Following is a look at 8 hours of traffic to the Cowrie HoneyPot.



HIGH LEVEL ATTACK ANALYSIS
A total of 5,761 attacks occurred from 46 unique IP addresses within my 8 hour overnight/early morning monitoring period. There was a high concentration of attacks coming from Japan (24% of all attacks), Singapore (22%), the United States (11%), and China (9%). Attacks coming from Japan peaked at 4:00am EST (5:00pm JST). Attacks originating in Singapore peaked between 5:30–6:00am EST (5:30–6:00pm SGT). Around 7:30am EST (6:30am CDT) the attacks arriving from Central Kansas, United States peaked. Attacks coming from China reached their peak at 6:30am EST and again at 8:30am EST (6:30pm CST and 8:30pm CST). I found it curious that the attacks arriving from Japan, Singapore, and China all peaked just after typical workday hours (considering the local times of each country). The attacks arriving from inside the US spiked just before workday hours.
SSH/TELNET ATTACKS

A whopping 99% of all attacks used the SSH protocol! Secure Shell (SSH) is an encrypted method of connecting remotely to other computers. Upon connection the user has the power to issue commands and/or transfer files, by way of a command line interface, from a remote machine. SSH is vital to Network Administrators who need to perform server maintenance. Unfortunately, SSH can also be abused by hackers who guess or steal login credentials, letting them grab data or upload malware to a machine.
Telnet functions similarly to SSH. While SSH uses cryptographic keys to encrypt transmitted data, making it unreadable to outsiders, Telnet does not. Telnet transmits data in plain text, making it susceptible to eavesdropping. This is why hackers and non-hackers alike prefer using SSH over Telnet, and why 99% of the Honeypot attacks were attempts at using the SSH protocol.
INVESTIGATING ATTACKS BY TOP SOURCE IP
The chart below lists the top attacking IP addresses.
Let’s see what a few of them were up to. . .


Source IP 101.32.74.109, located in Hong Kong, has been reported for acting maliciously, according to AbuseIPDB.com. Cowrie recorded this IP executing a brute force attack on the system.
Below is a collection of the commands run by source IP 101.32.74.109.


A second Source IP trying to dip into the HoneyPot was 178.128.57.52 from Singapore. This IP has been reported extensively for malicious behavior. Also a brute force attacker, it attempted many of the same commands as the previous attacker examined.


A look at a third of the top Source IPs reveals the same pattern of behavior. IP 43.132.156.253 has been reported 2,184 times for malicious activity. Another brute force attacker, this IP entered commands identical to those of the previous two attackers.

These three IPs executed the exact same number of attacks on the HoneyPot (304 each). I strongly suspect they are all “bots” running the same brute force entry attack on Cowrie.
THE GOOD NEWS. . .
Brute force attacks are completely preventable! Keeping brute force attacks at bay and drastically improving data security for yourself or your organization is as simple as:
having a strong password policy
limiting login attempts
enabling multi-factor authentication (MFA)
using CAPTCHAs
and blocking malicious IP addresses.
RUNDOWN OF USERNAMES/PASSWORDS ATTEMPTED



Looking at the above data gathered from Kibana’s Visualize Library inside of T-Pot, it would have been easy to predict that these particular usernames and passwords would be the top hits: default credentials and sequential numbers dominate the list. The commands tell the same story, with crypto-mining bots spraying the “nproc” command (which reports how many CPU cores a machine has, i.e. how much mining capacity a compromised host would offer) at any server that would accept it.
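As an added example (not part of the original post, and not T-Pot's or Cowrie's own tooling), here is how the per-IP attempt counts, the top username/password pairs and the post-login commands discussed in the last two sections can be pulled straight from Cowrie's JSON log. The event and field names (eventid, src_ip, username, password, input) follow Cowrie's cowrie.json output; the log lines, addresses and the brute-force threshold are constructed for this example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Cowrie's newline-delimited JSON log. Addresses are
# documentation-range IPs, not the ones observed in the post.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.10","protocol":"ssh","session":"s1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.10","username":"root","password":"123456","session":"s1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.10","username":"root","password":"admin","session":"s1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.10","username":"admin","password":"admin","session":"s1"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.10","username":"root","password":"root","session":"s1"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.10","input":"nproc","session":"s1"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","protocol":"telnet","session":"s2"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"pi","password":"raspberry","session":"s2"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"123456","session":"s2"}
not json: a malformed line such as log rotation can leave behind
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

def parse_events(text):
    # One JSON object per line; blank or malformed lines are skipped, not fatal.
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return events

def login_attempts_by_ip(events):
    # Every credential attempt, failed or successful, counted per source IP.
    return Counter(e["src_ip"] for e in events if e.get("eventid") in LOGIN_EVENTS)

def top_credentials(events):
    # (username, password) pairs tried across all sources, for the Kibana-style rundown.
    return Counter((e["username"], e["password"]) for e in events if e.get("eventid") in LOGIN_EVENTS)

def commands_by_ip(events):
    # Shell input Cowrie recorded after a successful login, grouped per source IP.
    cmds = defaultdict(list)
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            cmds[e["src_ip"]].append(e["input"])
    return dict(cmds)

def brute_force_sources(events, threshold=3):
    # Source IPs whose attempt count reaches the (constructed) threshold, busiest first.
    return [ip for ip, n in login_attempts_by_ip(events).most_common() if n >= threshold]
```

On a live T-Pot box the same functions can be fed the contents of Cowrie's cowrie.json log file instead of SAMPLE_LOG.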

WHAT DO HACKERS WANT TO DO WITH YOUR DATA?
I am hopeful that my dip into a HoneyPot opened your eyes to the importance of securing the door to your data. Hackers are always on the hunt for an easy entrance to your treasure trove of information. But what exactly do they want to do with your data?
The internet can be a scary place. . . but it doesn’t have to be. Please use cybersecurity best practices and stay safe out there, friends!