Every action movie thrives on a basic principal, we cannot help but root for the underdog. So grab your popcorn and dive into the ever suspenseful world of cyber security with me.
I'm sure you have all seen movies where a hacker types things for 15 seconds and finds the bad guy, yeah? Well, the reality of that is actually kinda possible? There is a wide network of open source intelligence gathered on I.P addresses that generate suspicious network activity. This information is piled into databases that can be searched against once you run an I.P. You can get information like: known email addresses associated, the operating system, the country of origin and sometimes even a specific address. Freaky right? Dont worry, it is highly unlikely your favorite aunts address is popping up on these databases unless she is moonlighting as a member of anonymous.
These databases exist to aid cyber security professionals in protecting- what I eye roll to - as "the new frontier" aka the internet. In the early times of the internet being created we could not fathom the possibilities of needing cyber security or how much the internet would change technology and how we engage in the world. In modern days it is a thing expected to be accessible everywhere! Well, if you build something that can be accessed from anywhere, how do you protect it or even know what to protect it from? (here's the fun part)
As much as any job, a good portion of effective cyber security defense is research. Know what kind of cyber attacks are most common and be familiar and up to date on the standard safety protocols to protect your information. Beyond this, we can set up something called a honey pot, you entice the enemy with something that looks tasty and once inside, you can see everything their sticky little hands did. This is particularly relevant now in the world of crypto currency and the desire to mine for all the money you can, why have your computer do it if you can have someone else's?
Back tracking for a moment and expanding on what we are talking about here. Let's go over a few terms so we at least start on the same page:
Honeypot: a vulnerable virtual machine hosting information attracting hackers to break in and in turn documenting everything they do once inside.
Vulnerable: hackable! there are weaknesses in the defense that are able to be exploited by attackers.
OSINT: acronym for open source intelligence
Spiderfoot: a software that scans OSINT and produces detailed reports
Kibana: a software that tracks network activity and presents it in a manipulatable GUI (graphic user interface) allowing you to add filters to narrow down your search.
I.P address: think of this as a bag check ticket for your computer, anytime you connect to a different network you are given a specific IP address while you are on that network, each device getting a unique IP.
GUI: Graphic user interface, think of this as instead of reading everything in lists you use visual icons to navigate
GitHub: A website for writing and storing code in a way that is accessible to others to build out from
Instance: a virtual server in the Amazon Web Services Cloud
SSH: secure shell, a tunnel between two devices allowing one to run commands on the others terminal
Telnet proxy: provides a virtual terminal relay and blocks or allows connections based on source and destination IP addresses.
Alright now that we've done the table setting, let's dig into the details!
For this project I made use of Amazon Web Services (AWS) elastic computing (EC2) capabilities and spun up an instance. Once the configurations were set and I could connect from my own virtual machine, I was able to download the honeypot from git hub and install it. Once everything was installed, as long as I kept the instance running I was inviting any and everyone in to attack, and carefully logging anyone who did.
For this post we are going to focus on a honeypot called Cowrie, which logs brute force attacks and the shell interactions performed by the attacker by emulating a UNIX system in Python, or by functioning as a SSH and telnet proxy to observe attack behavior. We are able to view all of this logged data by making use of a software called Kibana which was a part of our T-pot/Honeypot package from github.
Once you log into Kibana and select the cowrie machine, you are presented the logs in a Dashboard format giving you a high level overview of the traffic. In this snap shot, towards the upper right corner, you can see that I narrowed our visible results to an 8-hour window, February 26th from 2pm-10pm. In that time frame, my Cowrie was attacked 22,532 times by 107 unique IP addresses. To break that down, 107 different devices generated over 22,000 lines of logs. I bet you're wondering what the heck they were doing....Well!
Kibana provides us an alternative interface that allows us to filter the logs and search by more specific parameters. Once I filtered by keyword inputs of any value, I was able to see what commands were actually being executed. You can see a list of commands in the screen shot above and if you were able to scroll you would notice almost every IP runs that same list of commands in the same order. Weird right? why would every person do the same thing every time....unless! it was automated, meaning the IP's attacking me may be bots and not individuals at all. Which could make anyone just want to.....
In order to understand a bit more about bots, let's dissect some of the commands that were being repeated by each IP and see what it is they were getting back. In order to do this I used SSH to get into the honey pot directory and ran the commands in order. Follow along in the snapshot below as we go through the commands to see more of what i'm talking about.
cat /proc/cpuinfo | grep name wc -l
- First off let's talk syntax, just incase you're unfamiliar reading a command line.
- We have commands, followed by arguments, and then there are directive symbols that allow you to group different commands into the same line.
- cat is our first command, it stands for concatenate file and then it prints the output to the terminal.
- /proc/cpuinfo is a file path where cpuinfo is a file in a directory called proc
- the | symbol is called a pipe and it means take what i just told you to do and do what i am about to tell you to do with the output of the first command.
- grep is a command that searches a file for a specific input, in our case we are searching the file for name
- wc is a command meaning word count and is followed by the -l argument which is asking for the number of lines or times that name appears in the file cpuinfo
cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4, $5, $6, $7, $8, $9;}
- we can see similar commands as used above, we are searching the same file for the same thing but adding in other commands to do with that information once we have it.
- head is a command instructing to take the first result, coupled with the argument -n it means take the first n amount of lines with this command n=1.
- from that return we only want to run it through awk which is a command similar to grep but better at filtering larger files of data and returning information based on column locations. (which is what all those $2, $3 etc are..)
- this returns the attacker with information on our processor.
free -m | grep Mem | awk '{print $2, $3, $4, $5, $6, $7}'
- the free command returns information on the total amount of physical, swap, free and used memory. The -m argument displays the output in mebibytes (MiB).
- we take that and search for Mem and then only return specified columns of information.
- we can see the return to the terminal is 16428 16428=3 779 31 2250 2994. Which is ultimately telling our attacker there are a total of 16428 MiB and 2994 are free.
ls -lh $(which ls)
-ls tells the computer to list information about a specified file. the -l and -h argument tell us that we want the long list version of that information and we want it to be human-readable.
- the $(which ls) part of the command allow us to insert another command as an argument.
- the result from this gives us information on wether the file permissions are. To understand more about reading file permissions check out this post.
crontab -l
-crontab is a program that makes executable commands automated by setting them on a reoccurring timer.
- this is useful for hackers because it creates persistence of access/doing what the attacker wants it to on the machine
- as we can see from the screen shot my crontab returned that there is not a file to edit under the admin user.
So what does all of this mean? In short, the bots are scoping out what my processing capabilities are. This could be for a variety of reasons but considering cryptocurrencies growing popularity my guess would be to install a miner onto my machine so I can make them money all while being none the wiser. To learn more about crypto currency mining read this.
Normally we would be able to confirm this theory by checking the uploaded files where we would see the miners and what other files were uploaded. I was not so lucky to have that kind of traffic within this time window so we will have to find out more on that later, if the attackers came back to exploit later.
The last thing I want to go over is how we can find out information on the pesky I.P addresses. This is where spiderfoot and Talos come into play, we can use this software to review OSINT on any IP and see if there is a history of malicious behavior.
My top three offenders:
223.197.175.91
Country Name: Hong Kong
Software Used: Apache Tomcat/Coyote JSP engine, Open SSH
E-mail Address: abuse@imsbiz.com
Open TCP Ports: 443, 80, 8021, 8022
202.137.26.9
Country Name: Indonesia
Software Used: Apache httpd, Microsoft RPC Endpoint Mapper
E-mail Address: abuse@link.net.id
Open TCP Ports: 135, 137, 143, 161, 2082, 2087, 3128, 3306, 443 etc.
58.35.59.77
Country Name: China
E-mail Address: anti-spam@chinatelecom.cn
Open TCP Ports: 49152, 500, 5060
My instance ran for a total of 4 days, it was not listed anywhere and was the equivalent of a new fish in the ocean and still generated about 60,000 attacks in that time. Seeing just how ever-ready the bad guys of the cyber-world are to exploit any vulnerability makes me that much more excited to jump into being part of the solution.