T-Pot Cowrie analysis, Pt. 1

Joshua Tyrrell
Nov 26, 2023


Summary:

I launched a Deutsche Telekom T-Pot (https://github.com/telekom-security/tpotce) via Google Cloud Platform on 11/25/2023. This review is being published after the first 12 hours of the honeypot's operation, and focuses on the top two source IP addresses, the available information on those addresses, and the command-line interface activity associated with them.

IP Address 1: 45.95.146.44

The Talos Intelligence report on this IP (https://www.talosintelligence.com/reputation_center/lookup?search=45.95.146.44#ip-addresses) suggests, based on the associated domains, that the address belongs to a cloud provider of some sort. The WHOIS record below shows the address is allocated in the Netherlands under the name ALSYCON-CUSTOMERS. Searching that name via Google confirms that Alsycon is a cloud services provider.

inetnum: 45.95.146.0 - 45.95.146.255
netname: ALSYCON-CUSTOMERS
org: ORG-AB247-RIPE
descr: Alsycon B.V. | VPS - Dedicated Servers - Colocation
descr: www.alsycon.nl -
@alsycon.nl
country: NL
admin-c: AB39270-RIPE
tech-c: AB39270-RIPE
status: ASSIGNED PA
mnt-by: Alsycon-BV
created: 2019-07-10T10:43:00Z
last-modified: 2020-09-27T15:34:25Z
source: RIPE

organisation: ORG-AB247-RIPE
org-name: Alsycon B.V.
country: NL
org-type: LIR
address: Bruynvisweg 11
address: 1531 AX
address: Wormer
address: NETHERLANDS
phone: +31224712026
abuse-c: ACRO31910-RIPE
mnt-by: RIPE-NCC-HM-MNT
mnt-by: Alsycon-BV
mnt-ref: Alsycon-BV
mnt-ref: SpectraIP
mnt-ref: MNT-HOSTUS
created: 2019-05-13T14:08:46Z
last-modified: 2021-07-28T21:55:27Z
source: RIPE # Filtered

role: Alsycon B.V.
address: NETHERLANDS
nic-hdl: AB39270-RIPE
mnt-by: Alsycon-BV
created: 2019-05-25T23:20:21Z
last-modified: 2019-05-25T23:20:57Z
source: RIPE # Filtered

% Information related to '45.95.146.0/24AS49870'

route: 45.95.146.0/24
origin: AS49870
mnt-by: Alsycon-BV
mnt-by: Alsycon-BV-mnt
created: 2020-12-07T14:00:00Z
last-modified: 2020-12-07T14:00:00Z
source: RIPE

IP Address 2: 139.59.99.254

The Talos Intelligence report (https://www.talosintelligence.com/reputation_center/lookup?search=139.59.99.254) again shows that this is another cloud-based attacker, this time using DigitalOcean. I’ve embedded a copy of the WHOIS information below to support the assertion.

inetnum: 139.59.96.0 - 139.59.111.255
netname: DIGITALOCEAN-AP
descr: DigitalOcean, LLC
country: SG
admin-c: DOIA2-AP
tech-c: DOIA2-AP
abuse-c: AD699-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-DIGITALOCEAN-AP
mnt-irt: IRT-DIGITALOCEAN-AP
last-modified: 2020-05-31T21:36:27Z
source: APNIC

irt: IRT-DIGITALOCEAN-AP
address: 101 Avenue of the Americas, 10th Floor, New York NY 10013
e-mail:
@digitalocean.com
abuse-mailbox:
@digitalocean.com
admin-c: DOIA2-AP
tech-c: DOIA2-AP
auth: # Filtered
remarks:
@digitalocean.com is invalid
mnt-by: MAINT-DIGITALOCEAN-AP
last-modified: 2023-03-15T13:08:34Z
source: APNIC
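Both WHOIS answers above are plain `attribute: value` objects separated by blank lines, so the attribution step (netblock, netname, country, organisation, originating AS) can be automated rather than read by eye. The following parser is an added example, not part of the original post or of T-Pot; the embedded record is a trimmed copy of the RIPE answer for 45.95.146.0/24 quoted above, with the spacing normalised, and the field names it extracts (`inetnum`, `netname`, `org-name`, `origin`, `source`) are the standard RIPE/APNIC attribute names.

```python
"""Parse RIPE/APNIC-style WHOIS text into objects and pull out the
attribution fields used in the post (netblock, netname, country, org, AS).
Added example; SAMPLE_WHOIS is a trimmed copy of the RIPE record shown
on the page, not a fresh lookup."""
from collections import defaultdict

SAMPLE_WHOIS = """\
% Information related to '45.95.146.0 - 45.95.146.255'

inetnum:        45.95.146.0 - 45.95.146.255
netname:        ALSYCON-CUSTOMERS
org:            ORG-AB247-RIPE
descr:          Alsycon B.V. | VPS - Dedicated Servers - Colocation
country:        NL
status:         ASSIGNED PA
source:         RIPE

organisation:   ORG-AB247-RIPE
org-name:       Alsycon B.V.
country:        NL
org-type:       LIR
source:         RIPE # Filtered

% Information related to '45.95.146.0/24AS49870'

route:          45.95.146.0/24
origin:         AS49870
source:         RIPE
"""


def parse_whois(text):
    """Split WHOIS text into objects (blank-line separated).  Each object is a
    dict mapping attribute -> list of values, so repeated attributes such as
    'descr' or 'address' are kept.  '%' comment lines are ignored."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = None
            continue
        if line.startswith("%") or ":" not in line:
            continue  # registry comment or unexpected line; skip it
        key, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[key.strip()].append(value.strip())
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """First value of an attribute, or None if the object lacks it."""
    return obj[key][0] if obj.get(key) else None


def summarise(text):
    """Return the attribution fields for a netblock: the inetnum object gives
    the block, netname and country; the organisation object the org name;
    the route object (if present) the originating AS."""
    by_class = {}
    for obj in parse_whois(text):
        cls = next(iter(obj))  # first attribute names the object class
        by_class.setdefault(cls, []).append(obj)
    inet = by_class.get("inetnum", [{}])[0]
    org = by_class.get("organisation", [{}])[0]
    route = by_class.get("route", [{}])[0]
    registry = (first(inet, "source") or "").split()
    return {
        "inetnum": first(inet, "inetnum"),
        "netname": first(inet, "netname"),
        "country": first(inet, "country"),
        "org_name": first(org, "org-name"),
        "origin_as": first(route, "origin"),
        "registry": registry[0] if registry else None,  # drops '# Filtered'
    }


if __name__ == "__main__":
    for k, v in summarise(SAMPLE_WHOIS).items():
        print(f"{k:10} {v}")
```

To use it on a live answer, pipe `whois -h whois.ripe.net 45.95.146.44` (or the APNIC server for the DigitalOcean block) into `summarise()`; the `netname`/`org_name` pair is what tells you the source is a hosting customer range rather than a residential or VPN allocation.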

CLI activity

Reviewing the CLI activity logged by the honeypot, the top CLI input was “while read i”, which I note as informative but not useful, as it is obviously a fragment of a bash script. The next two hits, however, I am going to flag as important: “./oinasf” and “./oinasf; dd if=/proc/self/exe bs=22 count=1 || while read i; do echo $i; done < /proc/self/exe || cat /proc/self/exe;”. The following bash command was also of interest: “cat /bin/echo||while read i; do echo $i; done < /proc/self/exe;”. The individual bash commands don’t make much sense on their own; we would need to review the activity of the “oinasf” script to understand the full context.

Username/Password brute force

The username and password combinations entered as part of the brute-force campaign are not especially creative; the usernames are almost all service names such as hadoop, oracle, citrix, kafka, postgres, etc. The passwords entered are mostly number combinations, with the top password entered being “123456”. The attempt counts were relatively low, with the username “root” being the favorite at 152 entries and the password “123456” the top entry at 45 entries.
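The two sections above (top commands, top usernames and passwords) are the kind of counts you would normally pull from Cowrie's JSON log rather than from the T-Pot dashboard. The script below is an added example, not part of the original post or of the T-Pot/Cowrie projects. The log lines are constructed to resemble Cowrie's `cowrie.json` records (`eventid`, `src_ip`, `session`, `username`, `password`, `input` are Cowrie's real field names; the IPs are documentation ranges, not the attackers discussed above). Beyond the plain counts, it flags any command that reads `/proc/self/exe`, which on a real host returns the running shell's own ELF binary; that is the common thread between the two "interesting" commands quoted above and is worth surfacing as its own indicator.

```python
"""Triage Cowrie JSON logs: top source IPs, top usernames/passwords across
login attempts, top commands, and a flag for commands that read the shell's
own binary via /proc/self/exe.  Added example; SAMPLE_LOG is constructed,
not captured data, and one deliberately malformed line is included."""
import json
from collections import Counter

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}
COMMAND_EVENT = "cowrie.command.input"
SELF_INSPECT_MARKER = "/proc/self/exe"

SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "password"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1", "input": "./oinasf; dd if=/proc/self/exe bs=22 count=1 || while read i; do echo $i; done < /proc/self/exe || cat /proc/self/exe;"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "b2", "username": "hadoop", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "b2", "username": "oracle", "password": "1234"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "b2", "username": "citrix", "password": "123456"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "session": "b2", "input": "cat /bin/echo||while read i; do echo $i; done < /proc/self/exe;"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "session": "b2", "input": "uname -a"}
this line is not JSON and must not abort the run
"""


def parse_events(text):
    """One JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events, top=5):
    """Counts mirroring the post's manual review.  Username/password counts
    cover both failed and successful logins, i.e. every attempt."""
    logins = [e for e in events if e.get("eventid") in LOGIN_EVENTS]
    commands = [e for e in events if e.get("eventid") == COMMAND_EVENT]
    src = Counter(e["src_ip"] for e in events if "src_ip" in e)
    users = Counter(e.get("username", "") for e in logins)
    pwds = Counter(e.get("password", "") for e in logins)
    cmds = Counter(e.get("input", "") for e in commands)
    # Distinct (source, command) pairs that read the shell's own binary.
    flagged = sorted({(e.get("src_ip"), e["input"]) for e in commands
                      if SELF_INSPECT_MARKER in e.get("input", "")})
    return {
        "top_src": src.most_common(top),
        "top_usernames": users.most_common(top),
        "top_passwords": pwds.most_common(top),
        "top_commands": cmds.most_common(top),
        "self_inspection": flagged,
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_events(SAMPLE_LOG)), indent=2))
```

Point `parse_events()` at the contents of the honeypot's `cowrie.json` to reproduce the post's numbers; the `self_inspection` list is the part to keep an eye on, since the session that reads its own binary is the one that will try to fetch an architecture-matched payload next, and its source IP is the one to enrich with the WHOIS step above.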

Takeaways

Based on the above information, I believe these threat actors are opportunistic in nature: they had to run some kind of internet scan to locate exposed ports, then used a low number of brute-force attempts to take over the service. I googled the “oinasf” script name to find any intelligence that may have been published, and several other reports available online mention it.

The key difference between those reports and this one is the associated IP address, which also leads me to believe that these attackers are using cloud resources rather than a VPN to scour for low-hanging fruit. This makes it difficult to blacklist the IP, as they can simply delete and re-launch their VM instance. I will post more analysis in the coming weeks.
