SpiderLabs Blog

Tough Times for Ukrainian Honeypot?

Written by Radoslaw Zdonczyk | Apr 15, 2022 9:46:00 PM

Intro

We've recently been inundated with news of increased cyberattacks and a general increase in cyber threats online. Hackers - both bad and good, government related or private groups - have their hands full every day as never before and compounding the situation is the Russia-Ukraine (UA) war which has sparked a cyber storm. This made us just more curious about Internet attacks on the UA telecom infrastructure. One would expect our research to at least turn up a few attacks from Russia, but, surprisingly, that was not the case.

More honeypots!

To take a closer look at the situation, I rented a VPS server located in UA. The requirement for this research was having an IP address originating from the UA pool. Unlike my previous study A handshake with MySQL Bots, I didn't use original software (e.g. MariaDB server for MySQL service) to gather information from the given service, but I decided to use open-source honeypot projects. There are good and bad sides of this approach, but was mainly focused in taking a general overview of what, how and from where attacks are made, rather than a detailed binary analysis, etc.

The honeypot operated for three weeks, collecting information about authentication attempts on several services, mainly SSH, but also: HTTP, Telnet, VNC and SMTP - and a few more:

 

 

SSH

The main idea of SSH sensor was monitoring and logging what is happening on one of the most sensitive sites on the Internet. For this purpose, I used a project called Kippo, which perfectly pretends to be an SSH service by mimicking an operating system. Kippo allowed me to not only to see how login strings and passwords are being brute-forced, but also what happens after getting into - in this case fake - operating system.

During the three weeks it operated, the honeypot counted over 50,000 authentication attempts. The honeypot was configured to simulate a successful login every other attempt. Analyzing logs, among simple Linux commands, we mainly notice attempts to download and run droppers and miners. More info about these files on the bottom of page.

 

 

Please note the numbers 3378 and 749 at the top of each screenshot. These are the numbers of the results of the same query, but without using the DISTINCT statement. This gives us some perspective on the real number of download attempts.

Only part of the addresses listed above were active. The samples that I initially analyzed turned out to be mostly part of the well-known Mirai botnet.

The top 20 most encountered passwords and usernames used during a brute-force attack are listed below.

 

 

And the number of connections made from single IP along with GeoIP information:

 

 

Albania and Vietnam top the list.

To monitor other services, I used the heralding project, which logs only login credentials and connection data. This honeypot collected information for two weeks. For the following services, I focused mainly on GeoIP information.

The numbers of authentication attempts for each service:

 

 

Telnet

Telnet, the archaic terminal connection is still quite popular - at least among attacking bots. Let's look at the collected data.

Top 20 login names:

 

 

The number of connections made from a single IP along with GeoIP information: 

 

 

China noticeably on the lead.

Virtual Network Computing (VNC)

We might think that Virtual Network Computing would not find many users today, but it turns out that VNC still has many followers. According to Shodan, there are more than 320,000 devices on the Internet with recognized VNC service, and more than 1 million devices with open port 5900/TCP. These numbers alone justify the bots activity.

 

 

We found only two active sources of attacks: Poland (7042 brute-force attempts) and Kazakhstan (62 brute-force attempts).

SMTP

Attacks on the mail transport protocol wasn't very heavy with just 14 unique addresses counted.

 

 

Netherlands and Lithuanian attack activity on the top.

HTTP

The honeypot wasn't able to collect any information about HTTPS activity, most likely because of self-signed certificate and the lack of related domain.

There were so few authentication attempts that I limited the results to just 10 in order to illustrate the activity.

 

 

Authentication attempts on the other services were so few that we can easily leave them out of the conclusions.

IOCs

Filename(s)

Description

MD5

1sh / 2sh

Simple dropper script

36a5b9303d671f49e404791d53d1d96c

8UsA.sh / 8UsA2.sh

Simple dropper script (multi-architecture targets)

f126deaee0a4958f2b8b5cacd5583617

bins.sh

Simple dropper script (multi-architecture targets)

6030879d276d5add08b96dc923843fa8

go.sh

Simple dropper script

025964a1bf4ae385de5c56835eca4033

Heisenbergbins.sh

Simple dropper script (multi-architecture targets)

faa93d8745cbdd0742d0db28e8108e2a

mirai.sh

Simple dropper script (multi-architecture targets)

ebedac22d41286ffba78439b94f1d131

Pemex.sh

Simple dropper script (multi-architecture targets)

199bf4a4cda2ed957a5efcfbfbf49af5

CocknBallsbins.sh

Simple dropper script (multi-architecture targets)

e0c2acdffbb36d8c85abce52629dded4

23s

Backdoor

b4ff3961cefcc5e151e319666bae6f5e

x86_64

Backdoor

7e360e93a48e2bc25e412885d3aed601

Zeus.x86

Backdoor

1a19659c1918dcc8aacad48f4ea484cc

stx.sh

Crypto-miner dropper

814e7f7f32964cbf5ec91dbb56768da8

setup_c3pool_miner.sh

Crypto-miner dropper

c476816858ba11425bb9ce4c39e323b5

systemd

Backdoor

2cee4f5e0252494ae3923c7f7b179cd5

 

Summary

Have tough times come for the Ukrainian Honeypot? Well, on this particular one, not really.

We didn't notice any IP coming from Russia. In fact, much of the exploitation we saw could have occurred regardless of the geography the honeypot was installed in.

There could be many reasons for this. Our first thought is elite hacking groups don't necessarily pounce on a newly emerging server on the Internet. Instead, these groups have set targets on which they focus their time and energy. What our honeypot experiment did prove was that bots still function, in their usual fashion. Lazily attacking everything they can connect to on the Internet. Additionally, we found that brute-force attacks are constantly a threat to poorly managed infrastructures, servers, and IoT devices.