Fishing for Malware — Part Five: Finale | Sid's Blog
~ / Posts $ cat 'Fishing for Malware — Part Five: Finale.md'

Fishing for Malware — Part Five: Finale

    6 Min     Posts

⇤ Start from the beginning

Finally, here we are — the conclusion of my honeypot experiment. My original intention was to aim for a total of one million logged attacks, at which point I would shut down the honeypot. However, schoolwork fully occupied my attention for a brief period. Thus, I considered it a better idea to continue collecting data until I could find time to perform a proper analysis. That time is now, and instead of blocking traffic upon “only” the millionth attack, the Elastic dashboard looks like this:

Screenshot of Elastic Dashboard

The million-attack target was surpassed by a significant margin. But, without further ado, let’s examine the results.

Preliminary Information

All bait services were exposed to the Internet on 19 January 2022 at 3:00 PM PST. I restricted all traffic on my VPC to my IP address on 09 February 2022 at 6:00 PM PST. Thus, services were exposed for external attack for 21 days and 3 hours.

In that time, over 1,566,300 attacks were recorded by the following honeypots:

Setup was automated by Telekom’s T-POT. Since Dionaea (757,121), Heralding (418,182), Honeytrap (294,052), Cowrie (71,204), Adbhoney (12,440), Rdpy (5,567), and Tanner (4,093) logged the vast majority of the attacks, I will maintain focus on them for the most part.

The honeypot was hosted for the duration of its uptime on a Google Cloud instance in The Dalles, Oregon on us-west1. The host OS was Debian 10 and firewall rules permitted ports UDP and TCP 1 to 64000 ingress access from any IP address. This honeypot was not intended to appear as a legitimate target for hackers to manually compromise, but rather a target for malicious bots. As could be seen on Shodan (screenshot below), the host was undisputably a honeypot. Tip: click or tap the image to zoom in.

Screenshot of the Honeypot in Shodan

No legitimate host would have that many open ports, and if so… Well, respectfully, the sysadmin in charge should consider re-evaluating their security policy.

All binaries examined in previous sections of this series have been sourced from the honeypots executed here within the aforementioned timeframe.

Data

By far, the most common type of attack was brute-forcing common credential sets against services that support login, especially SSH, VNC, RDP, and FTP; I suppose naive attacks are to be expected. Let’s take a look at which usernames and passwords were used. T-POT uses Elastic to generate useful word clouds of these points of data.

Usernames

Screenshot of the Username Tagcloud

Note that not all usernames are shown here. Download the full dataset here. The top five usernames attempted across all services were:

All of these, especially root, seem pretty reasonable to me.

Passwords

Screenshot of the Password Tagcloud

Note that, as with the usernames, not all passwords are shown here either. Download the full dataset here. The top five passwords attempted across all services were:

Again, all quite reasonable. Here are some that are perhaps less than reasonable:

Always set unique, secure passwords! The bots that targeted my honeypot take advantage of those who want the convenience of only remembering 123456 as their password.

Origins of Attack

Things get particularly interesting here — see the breakdown of attacks by country below. Note that even though an attack comes from an ASN located within certain borders, the attacker(s) may very well have routed their traffic in a complex manner to hide their identities. Thus, attacks that originate from the United States but route through Utrecht with a VPN will, of course, appear to be Dutch attacks instead.

Screenshot of Attack Distribution by Country

Numerical breakdown in terms of attacks by country:

Damned Dutch and their… cyber criminals? I did not expect these results at all. A map of estimated attack origins is shown below, which can also be downloaded here.

Screenshot of Attacks Across the World

Here is more information:

Screenshot of Attacks Across the World Screenshot of Attacks Across the World

Here is a list of the most common attack origins by IP address:

Curiously, as of the time of publication, I appear to be one of the only reporters of 185.232.52.40 on VirusTotal; surprising, given the volume of attacks.

And, finally, here is a list of the top ten attacks by the ASN the origin address belongs to:

Attacks

I have included several charts below. Patterns can easily be seen, especially relating to activity from the Netherlands.

Screenshot of Attacks Across the World Screenshot of Attacks Across the World Screenshot of Attacks Across the World Screenshot of Attacks Across the World

Attempted brute-force attacks towards port 5900 (VNC) by the Netherlands remain the most significant pattern overall in terms of scope — the Netherlands composed over one-third of all 1.5 million attacks on its own. Of particular note is the measurable spikes of activity during those attacks. In all, just under 400,000 attempts were made by what I assume is the same bot or group of bots routing traffic through the Netherlands.

Brief Conclusions

So, what can we learn here? The most significant point to me is that the vast majority of automated attacks that targeted me used naive methods. My findings here only serve to reinforce the idea that the most dangerous elements in computer security are us. Attackers here were not abusing zero-day flaws, nor using sophisticated methodologies.

Instead, bots were used to perform mass reconnaissance, searching for low-hanging security fruit, namely default passwords. The attackers were looking for those of us who habitually neglect to employ comprehensive initial security configurations. Those of us who put off applying security patches for years (the most common exploit attempt by far was CVE-2006-2369). Those of us who leave all of our services exposed to the Internet at all times unnecessarily. Ransomware was deployed nearly 100 times, but it wasn’t novel technology; no, it was mainly WannaCry, patched by Microsoft in 2017.

As a security community, we can certainly do better. These attacks wouldn’t occur if they weren’t successful at times. Even the most basic security policy would mitigate the majority, if not all of the attacks I received. Let’s make sure we change our passwords, use firewalls — they exist for a reason — and patch our software to keep our environments safe.

← Fishing for Malware: Part 4


Share 'Fishing for Malware — Part Five: Finale'

Thank you so much for reading this entry. Note that I am open to questions, comments, and criticism — I learn alongside you. Do you see something that's not quite right or that I could otherwise improve upon? Please, do not hesitate to suggest an edit.

Email Twitter LinkedIn GitHub