GLOBAL HONEYPOT TRENDS

Transcription

1

2 GLOBAL HONEYPOT TRENDS Elliott Brink October 27 th, 2015

3 Introduction Elliott Brink Senior associate, RAS security and privacy Internal penetration testing External penetration testing Social engineering Speaker at various infosec conferences: DEFCON, GrrCON, BSides Indy, Security Weekly TV Podcast Bachelor of Science, management information systems Bradley University, Peoria, Illinois Former top 10 consulting, prior sysadmin Honeypot crazy (coworkers/friends agree) Available for questions after the talk 3

4 10 second agenda What is a honeypot? Why run one? My research/results Initial results Study of attackers Global trends 4

5 Honeypots: introduction Honeypot: an intentionally vulnerable or fake system designed as a trap for potential attackers There is no good interaction with a honeypot Known accepted standards Outside the scope, majority of time isn t good Just because it isn t good doesn t mean it is bad Traditionally used on external facing side of network However, usage cases do exist for internal honeypots Detection of attacks aside from IDS/Firewall 5

6 Honeypots: introduction Active defense Annoying the attacker Trapping them, wasting their time 6 Winnie the Pooh Disney

7 7

8 8

9 Why run one? Personal: fun (the best reason) Corporate: detection of outside attacks aside from IDS/Firewall Internal detection scenarios possible Academia: research/thesis 9

10 Threat intelligence 10

11 Kippo Kippo: A medium interaction SSH honeypot written in Python (based on Kojoney) Emulates SSH login & full linux system ls, cat, echo, ifconfig, wget, etc. Records username/pass in MySQL Records user interaction Original: 11

12 However For the purposes of this talk, I used Kippo across nine systems located in USA, China, Russia and Singapore Cowrie, based on Kippo with added features 12

13 Kippo visualization Kippo Graph Kippo2ElasticSearch Tango Honeypot Intelligence Allows sending to Splunk instance 13

14 Start of the project January 2014 Raspberry Pi Low powered device Perfect for single use 14

15 Customization /proc/cpuinfo (edit CPU info) /proc/meminfo (edit memory info) Hostname (pick your favorite core banking product) Pre-logon banner 15

16 The first three months ~250,000 password attempts correctly guessed root/ per day 16

17 Top 10 usernames attempted 17

18 Top 10 passwords attempted 18

19 Location based passwords Location based passwords, not as clever as we think 19

20 Last hop of attack 20

21 User input! (what I was waiting for) 21

22 Hack back 22

23 User interaction Person logs in wget The plan: The Matrix 20 th Century Fox 23

24 Enter HFS (or HttpFileServer vx.x Beta) 24

25 Browsing around hacker note taking Huh 25

26 Wordlists (thanks!!) 26

27 27

28 Google hack? Yep (and I indexed those, too) 28

29 Findings Linux local root exploit (circa ) They login as root, and run a local root exploit Script kiddies You ALREADY HAVE ROOT there is no root 2 Windows DDoS exe, botnet etc. SSH backdoor perl/sh scripts SSH key to add to honeypot for continued access 29

30 server.exe 30

31 Freebsd 31

32 Freebsd

33 Oh and also A file containing 1000 SSH username/password Later found one with 5000 And ~3 months ago found one with 80,000 yikes! Winnie the Pooh Disney 33

34 Interesting attackers or Winnie the Pooh Disney AtomiccircuS on DeviantArt 34

35 The Script Kiddie Username changes Password is root every time... Hydra is hard #YOUAREDOINGITWRONG This was from someone in San Francisco/San Jose Success of this is debatable At least no account lockout? 35

36 Everything Under The Sun attackers Using dictionary/dictionary Very noisy, going to be picked up in a heartbeat on a corporate environment (hopefully) Seen worse attacks, but this isn t the best tactic They need to minimize their scope 36 Taken 20 th Century Fox

37 Coincidence? I think not 37

38 Better attackers postgres/changeme postgres/postgres postfix/ postfix/password ftp/password ftp/ftp ftp/admin mysql/mysql 38

39 The bizarre. webfootedhorsef**kerphenomite/loldongs Across all nine systems in the course of a day If a botnet exists with this username and password, I want to buy you a drink Or maybe they figured out it was a honeypot? If so, well done! 39

40 Expand! Russia China (Shanghai) (behind the great firewall) Singapore 40

41 Purchasing international VPS Surprisingly easy, but need to find the right companies Mainland China, hard to find, but exists. Hong Kong is easy. Takes paypal! Russia, easy, paypal Singapore, very easy, paypal All have 3-5 public IPv6 addresses, too 41

42 Cost of project Chicago, free (hosted at home) USA VPS ($12 per year, I have 5) Singapore ($48 per year) Russia (~$38 per year) China (~$76 per year) Total cost: ~$222 Minimal cost for excellent data! 42

43 More sensors = more data ~18 million password guess attempts (thus far) ~900k unique More user interaction Broader range of attackers 43

44 Russia, China and Singapore Added international sensors Further sensor analysis designed to answer important questions: Are there geographic differences in the attackers depending on country? China is main aggressor for USA, is USA main aggressor for China? Does anyone care about attacking Singapore? (the answer is apparently no, because there are barely any attacks ) 44

45 China VPS Honeypot Spooky Random netstat entries by default apt-get update; apt-get upgrade signals reinstall of the GRUB boot loader Need to further investigate this, had latest version from what I could tell Two IPs port scanning me every 30 seconds Owned by China telecom company Heartbeat across the network? All of IPv4? China has strange laws about port 80 Need something called ICP license for port 80 Change HTTP to 8080 or HTTPS is apparently okay 45

46 Country per unique IP (China VPS) Note: country per unique IP Take into account probes as mentioned and China gets ~95%+ 46

47 Honorable mentions (less than 1% of attacks) 47

48 China VPS interesting item No initial surge in successes per day 48

49 Singapore VPS Very few attacks, ~600k total password guesses Distinct IPs: ~5600 As opposed to most USA systems with 13k+ Primary Attackers Hong Kong ~50% Japan ~25% China ~10% Miscellaneous others remaining ~15% Interesting: 21 root password change attempts 49

50 Singapore VPS Separate system validates initial surge of successes upon hitting the Internet 50

51 Russia VPS Decent amount of attacks, ~1.5mil total Distinct IPs: ~4900 Primary Attackers Hong Kong ~60% Unknown IPs ~30% Miscellaneous others remaining ~10% Gap in statistics, many IPs with no known origin Interesting: GeoIP spread slightly different than USA systems 51

52 What s next? Guide to deploy a Kippo honeypot on your own Wordlist of all unique guessed passwords on website: More sensors across the world! Malware analysis Different types of sensors RDP Honeypot (began to implement some) 52

53 53

54 54

55 RSM US LLP 1 South Wacker Chicago, Illinois This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP RSM US LLP. All Rights Reserved.