top of page

HoneyPot Analysis: Studying The Malicious Behavior of Threat Actors In The Wild


What is a HoneyPot? It’s a sacrificial computer system that’s intended to attract threat actors… like a decoy! It mimics a target for cyber attacks, uses intrusion attempts to gain information about cybercriminals and the way they operate, and distracts hackers away from legitimate targets.
 

PROJECT OVERVIEW


I set up a HoneyPot for the purpose of identifying and analyzing the malicious techniques that hackers use to compromise a system. I configured an Amazon Web Services EC2 Instance within the US East(Ohio) Region using a Debian 11 OS to host my HoneyPot server. I then deployed the open-sourced “T-Pot” platform, developed by T-Mobile, onto my instance. “T-Pot” is a HoneyPot system that consists of some of the best HoneyPot technologies available today for open source intelligence (OSINT) gathering. For this project I used Cowrie within “T-Pot”. Cowrie is an interactive honeypot designed to log SSH/Telnet brute force attacks. Following is a look at 8 hours of traffic to the Cowrie HoneyPot.




 

HIGH LEVEL ATTACK ANALYSIS

A total of 5,761 attacks occurred from 46 unique IP addresses within my 8 hour overnight/early morning monitoring period. There was a high concentration of attacks coming from Japan (24% of all attacks), Singapore (22%), the United States (11%), and China (9%). Attacks coming from Japan peaked at 4:00am EST (5:00pm JST). Attacks originating in Singapore peaked between 5:30–6:00am EST (5:30–6:00pm SGT). Around 7:30am EST (6:30am CDT)the attacks arriving from Central Kansas, United States peaked. Attacks coming from China reached their peak at 6:30am EST and again at 8:30am EST (6:30pm CST and 8:30pm CST). I found it curious that the attacks arriving from Japan, Singapore, and China all peaked just after typical workday hours (considering the local times of each country). The attacks arriving from inside the US spiked just before work day hours.

SSH/TELNET ATTACKS

A whopping 99% of all attacks occurred utilizing SSH protocol! Secure Shell (SSH), is an encrypted method of connecting remotely to other computers. Upon connection the user has the power to issue commands and/or transfer files, by way of a command line interface, from a remote machine. SSH is vital to Network Administrators who need to perform server maintenance. Unfortunately, SSH can be exploited by hackers to grab data or upload malware to a machine.

Telnet functions similarly to SSH. While SSH uses digital keys to encrypt transmitted data, making it unreadable to outsiders, Telnet does not. Telnet transmits data in plain text; making it susceptible to eavesdropping. This is why hackers and non-hackers alike prefer using SSH over Telnet, and why 99% of the Honeypot attacks were attempts at using SSH protocol.

 

INVESTIGATING ATTACKS BY TOP SOURCE IP


The below chart lists the top attacking IP addresses.

Let’s see what a few of them were up to. . .


IP CHECK OF 101.32.74.109 | ABUSEIPDB.COM

Source IP 101.32.74.109, located in Hong Kong, has been reported for acting maliciously, according to AbuseIPDB.com. Cowrie recorded this IP executing a brute force attack on the system.


What is a Brute Force Attack? It’s a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys! It’s a minimalistic and reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems/networks. The hacker attempts multiple usernames and passwords, often using automation, to test an expansive range of combinations until they locate the correct login information.

Below is a collection of the commands run by source IP 101.32.74.109.


IP CHECK OF 178.128.57.52 | ABUSEIPDB.COM

A second Source IP trying to dip into the HoneyPot was 178.128.57.52 from Singapore. This IP has been reported extensively for malicious behavior. Also a brute force attacker, it attempted many of the same commands as the previous attacker examined.


IP CHECK OF 43.132.156.253 | ABUSEIPDB.COM

A look at a third of the top Source IPs, reveals a continued pattern of behavior. IP 43.132.156.253 has been reported 2,184 times for its malicious acting. Another brute force attacker, this IP input identical commands to the previous two attackers.


These three IPs executed the exact same number of attacks on the HoneyPot (304 per each). I highly suspect they are all “bots”executing the same brute force entrance attack on Cowrie.

“Bots”, you say?! Automated computer scripts, which most people refer to as “Bots” or “Robots”, take a firm hold on the majority of attempted access alerts on systems. These are simply scripts left to run on a computer without any human interaction which are constantly searching for vulnerable systems.

THE GOOD NEWS. . .

Brute force attacks are completely preventable! Keeping brute force attacks at bay and drastically improving data security for your personal self or your organization is as simple as:

  • having a strong password policy

  • limiting login attempts

  • enabling multi-factor authentication (MFA)

  • using CAPTCHAs

  • and blocking malicious IP addresses.

 
RUNDOWN OF USERNAMES/PASSWORDS ATTEMPTED


Most frequently used username values of the brute force attackers

Most common passwords attempted by the brute force attackers

While looking at the above data gathered from Kibana’s Visualize Library inside of T-Pot, it would have been easy to predict that these particular usernames and passwords were the top hits. Default credentials, sequential numbers, and bots for crypto-mining spraying out the “nproc” command to any area of the server that would take it.

Dont let this be you! Change those default credentials!

 

WHAT DO HACKERS WANT TO DO WITH YOUR DATA?

I am hopeful that my dip into a HoneyPot opened your eyes to the importance of securing the door to your data. Hackers are always on the hunt for an easy entrance to your treasure trove of information. But what exactly do they want to do with your data?

Data Ransom! Some hackers want to steal your data so they can hold it for ransom. This attack is one of the fastest-growing types of cyber attack, the ransomware attack. Hackers execute ransomware attacks by gaining unauthorized access to data (often by brute forcing credentials), then encrypting it or moving it, and charging a ransom in order to restore your access to it. The best way to prevent a ransomware attack is to make sure that access to data is restricted by strong access controls. In addition, making frequent backups of data can help. If you have your data backed up on servers that hackers can’t access, you won’t have to pay a ransom to get it back in the event that someone takes control of it.
Identity Theft! Data breaches are designed to steal personal information. Attackers can then exploit the information attained to break into other accounts, attempt to steal identities, etc. As an end-user, protect yourself against this threat by avoiding the use of the same password for multiple accounts. In the event that an attacker steals your password for one service, they won’t be able to use it to break into another one. Additionally, you should be careful about how you configure password recovery questions, which can do more harm than good. If you are an organization that is responsible for overseeing data that could be used for identity theft, you can mitigate the risk of identity theft by avoiding the collection of unnecessary personal information. You can also spread data across multiple storage locations so that a breach of one data set does not provide attackers with complete account information. Design strategic data retention policies. Store data for as long as you need (and make sure you meet compliance requirements in that respect), but avoid keeping it around longer than necessary. Unnecessary data storage is a security risk.

The internet can be a scary place. . . but it doesn’t have to be. Please use cybersecurity best practices and stay safe out there, friends!


bottom of page