Honeypot Brute Force Events Report.


Description

This report contains a list of hosts that have been identified and reported for suspicious or malicious activity involving honeypot instances (performing brute force attacks, including exploitation attempts).

A brute force attack is a type of cyberattack in which attackers try to gain unauthorised access to an account or encrypted data through trial and error, attempting many login credentials or encryption keys until they find the correct one. The legality of a brute force attack is dictated by intent. If the intent is to maliciously access a user account or an organisation's network to cause harm through financial or other motivations, the attack is illegal.

These brute force attacks include credential-based brute force attacks that attempt to obtain access to an account or encrypted data. In this report, two (2) protocols have been identified and reported as having been used.

Protocols identified and reported as used in credential-based brute force attacks.

No. Activity Description
1. SSH. SSH (Secure Shell) is a cryptographic network protocol that provides a secure channel for communication between two networked devices. It's primarily used for remote login and command execution, allowing users to securely access and manage remote servers, transfer files, and tunnel network traffic.
2. Telnet. Telnet is a network protocol that enables text-based, two-way communication with a remote computer over a network. It essentially provides a virtual terminal, allowing users to interact with a remote system as if they were directly connected to it. While historically popular, Telnet has no encryption, so credentials and session contents travel in clear text; this makes it vulnerable to security breaches, and it has largely been replaced by SSH for secure remote access.
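The credential-based brute force described above is easiest to recognise from the authentication log of the service being attacked: many failed logins from one source in a short window, often spread over several usernames. The following is an added example (not part of the report) that parses sshd "Failed password" lines in the default OpenSSH syslog format and flags sources exceeding a threshold inside a sliding time window; the log lines, host name and thresholds are constructed for the example.

```python
"""Flag SSH credential brute force from sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the traditional syslog format written by OpenSSH.
SAMPLE_LOG = """\
Mar 14 02:11:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 14 02:11:03 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 14 02:11:04 bastion sshd[4021]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 14 02:11:06 bastion sshd[4021]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar 14 02:11:09 bastion sshd[4021]: Failed password for invalid user pi from 203.0.113.5 port 51244 ssh2
Mar 14 02:11:12 bastion sshd[4021]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 14 02:30:00 bastion sshd[4099]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Mar 14 03:15:00 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51300 ssh2
"""

# "invalid user" is present when the username does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)


def parse_failures(log_text, year=2022):
    """Return a list of (timestamp, source_ip, username) for failed logins.

    Syslog lines carry no year, so the caller supplies it (default chosen
    to match the constructed sample).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, sorted_usernames)}.

    A source is flagged when any sliding window of `window` length holds
    at least `threshold` failed logins; the usernames show whether the
    source is guessing passwords for one account or spraying many.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until all attempts fit inside it.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, []))[0]:
                users = sorted({u for _, u in attempts[start:end + 1]})
                flagged[ip] = (count, users)
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in detect_brute_force(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed logins in 5 min, usernames tried: {', '.join(users)}")
```

On systemd hosts the same lines are obtained with `journalctl -u ssh` (or `-u sshd`); a Telnet honeypot log can be fed through the same `detect_brute_force` by swapping the regular expression for that log's format.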

Suspicious & Malicious Activity involving Honeypot instances.

No. Activity Description
1. Interaction. Interacting with a honeypot: scanning for and attempting to exploit vulnerabilities, attempting to gain access, accessing restricted areas, attempting to exfiltrate (or exfiltrating) data, and attempting to deploy (or deploying) malware.
2. Network Reconnaissance. Port scanning is often the first step in an attack.
3. Exploitation of Vulnerabilities. An attempt to exploit, or the exploitation of, the vulnerabilities of the honeypot.
4. Exfiltration of data. An attempt to exfiltrate data, or the exfiltration of data, from the honeypot.
5. Network Traffic. Unusual or unexpected network traffic directed at the honeypot is an indication of potential malicious activity.

Successful Brute Force Attack

Devices that have been compromised in a successful brute force attack may be utilised for other attacks.

No. Utilised Description
1. Botnet Attacks. Malicious software may be installed on devices that were successfully accessed, enabling the device to function as part of a botnet; e.g. Mirai malware turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks or to launch DDoS attacks.
2. Scan other Devices. Devices that were successfully accessed may be used to launch scans for other vulnerable Internet-connected devices.

Types of Interaction Level Honeypots

No. Design Description
1. Low-Interaction Honeypots. These honeypots simulate basic services and functionalities that are commonly targeted by attackers, offering limited interaction. They are easier to deploy and manage but provide less detailed information about an attacker's behavior.
2. Medium-Interaction Honeypots. These honeypots offer a more realistic environment than low-interaction honeypots, allowing for more complex interactions. They can simulate various services and potentially capture more detailed attack information.
3. High-Interaction Honeypots. These honeypots provide a full system environment for the attacker to interact with, mimicking a production system as closely as possible. This allows for an in-depth analysis of attacker behavior but also poses a higher risk due to the potential for the attacker to compromise the honeypot and pivot to other systems.

How Honeypots Work

No. Action Description
1. Attacker is Lured. Attackers are drawn to the honeypot by its deceptive nature, believing it to be a vulnerable system.
2. Interaction. Attackers interact with the honeypot: scanning for and attempting to exploit vulnerabilities, attempting to gain access, accessing restricted areas, attempting to exfiltrate (or exfiltrating) data, and attempting to deploy (or deploying) malware.
3. Monitoring and Analysis. Security teams monitor the interactions and analyse the attacker's actions, including the commands used, the files accessed, and the techniques employed.
4. Defense Enhancement. The insights gained from the honeypot interactions are used to improve security measures, such as patching vulnerabilities, updating security policies, and enhancing threat detection capabilities.
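The four steps above (lure, interaction, monitoring, defence) can be seen end to end in a low-interaction honeypot of the kind listed in the previous table. The following is an added example, not code from the report or from any honeypot project: a Telnet-style login prompt that never grants access, records every credential pair tried together with the peer address and timestamp, and closes the session after a fixed number of attempts. The banner text, port number and attempt limit are constructed for the example; the session logic is kept separate from the socket server so it can be exercised without a network.

```python
"""Minimal low-interaction Telnet-style honeypot (added example)."""
import json
import socketserver
from datetime import datetime, timezone

BANNER = b"Ubuntu 18.04 LTS\r\n"  # constructed banner; the lure (step 1)
MAX_ATTEMPTS = 3                    # close the session after this many tries


class LoginSession:
    """State machine for one connection: login -> password -> retry or close."""

    def __init__(self, peer):
        self.peer = peer
        self.state = "login"
        self.username = None
        self.attempts = 0
        self.records = []  # one dict per credential pair tried (step 3 data)

    def open(self):
        """Bytes sent when the connection is accepted."""
        return BANNER + b"login: "

    def feed(self, line):
        """Consume one input line; return (bytes_to_send, keep_open)."""
        text = line.decode("utf-8", errors="replace").rstrip("\r\n")
        if self.state == "login":
            self.username = text
            self.state = "password"
            return b"Password: ", True
        # state == "password": record the pair and always reject it (step 2)
        self.attempts += 1
        self.records.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "peer": self.peer,
            "username": self.username,
            "password": text,
            "attempt": self.attempts,
        })
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "closed"
            return b"\r\nLogin incorrect\r\nConnection closed.\r\n", False
        self.state = "login"
        return b"\r\nLogin incorrect\r\nlogin: ", True


class HoneypotHandler(socketserver.StreamRequestHandler):
    """One thread per connection; emits a JSON line per attempt when done."""

    def handle(self):
        session = LoginSession(self.client_address[0])
        self.wfile.write(session.open())
        keep_open = True
        while keep_open:
            line = self.rfile.readline()
            if not line:  # peer disconnected
                break
            reply, keep_open = session.feed(line)
            self.wfile.write(reply)
        for rec in session.records:
            print(json.dumps(rec))  # in a deployment, ship these to the SIEM (step 4)


if __name__ == "__main__":
    # Unprivileged port for the example; a real deployment would listen on 23.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), HoneypotHandler) as srv:
        srv.serve_forever()
```

Because nothing is ever accepted, the host carries no real service behind the prompt; the JSON records are the raw material for the monitoring and analysis step, and the listening port should be firewalled so that only the intended exposure reaches it.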

Benefits of Honeypots.

No. Benefit Description
1. Early Threat Detection. Honeypots can alert security teams to active attacks and potentially malicious activity early in the attack lifecycle.
2. Improved Security Posture. By understanding the attacker's behavior, organizations can improve and strengthen their defenses and mitigate risks.
3. Reduced Risk to Production Systems. Honeypots divert attackers away from critical systems, minimizing the potential for data breaches or system damage.
4. Research and Development. Honeypots provide valuable data for security researchers to study the tactics of attackers and to develop new security solutions.
5. Cost-Effective Security. Honeypots can be a cost-effective means to enhance security, especially when compared to the costs associated with a data breach or system compromise.

Guidelines, actions and recommendations for the removal of malware from a computer.

No. Action Recommendations
1. Disconnect host from network. It is recommended that the host identified in the report be disconnected from the network immediately, either by disconnecting the network cable or by turning off the Wi-Fi. This will prevent an attacker from accessing the device.
2. Reboot host in safe mode. In Safe Mode, only essential system services are started. This will restrict the operation of any malware on the computer. During the Windows startup process, the F8 key is the designated shortcut to access the Advanced Boot Options menu, which will allow users to boot into Safe Mode.
3. Investigate reported host. It is recommended that the host identified in the report be investigated to establish and confirm the facts: access the computer logs to establish whether the host performed the Suspicious and Malicious Activity (HTTP-based scanning activity, including exploitation attempts) involving a honeypot, at the communication endpoint (Destination Port) and at the timestamp reported. The Shadowserver Foundation does not publicly disclose the IP addresses of its honeypots. The following three (3) items list web applications and the typical locations of their respective log files.
4. Apache Web Server. Apache Web Server log files. On Linux systems such as Debian (Ubuntu), access logs are typically found in /var/log/apache2/access.log or /var/log/httpd/access_log; error logs are found in /var/log/apache2/error.log or /var/log/httpd/error_log.
5. IIS log files on Windows. IIS (Internet Information Services) log files are typically found in C:\Inetpub\logs\LogFiles.
6. HTTPERR logs on Windows. HTTPERR logs on Windows Operating Systems. These files are typically found in C:\Windows\System32\LogFiles\HTTPERR.
7. Perform a full anti-virus scan. It is recommended that a full anti-virus scan of the reported host is performed to ensure the successful removal of any malware, and in particular of any Remote Administration Tool (RAT) malware that may have been inserted by malicious actors. Windows Defender, the built-in security feature in Windows operating systems, is designed to protect against malware and other threats; it is pre-installed and automatically enabled on Windows 10 and 11. Microsoft continually updates the security intelligence in Windows Defender Antivirus to cover the latest threats and constantly tweaks the detection logic, enhancing its ability to accurately identify threats.
8. Reset all passwords. It is recommended that, after the completion of the anti-virus scan, all passwords are reset, including passwords for e-mail accounts and in particular for accounts relating to financial services. It is recommended that two-factor authentication be enabled for added security.
9. Reinstall the operating system. In the event that problems or doubts persist: back up important data using a secure method, ensure the backup does not contain infected files, and reinstall the operating system.
10. Security against future threats. Ensure that the operating system and all software, including patches and updates released by the vendor, are updated on a regular basis. Use automatic updates from trusted providers when available. Pirated software should be avoided. Ensure that anti-virus scans are also performed on a regular basis and that the anti-virus application used is kept up to date with the newest virus definitions and security patches, so that it can detect and neutralise emerging malware. This is essential for maintaining robust protection against the latest cyber threats.
11. Monitor Reported Host. It is recommended that the host identified in the report is monitored, and continues to be monitored, to prevent any future infection or recurrence.
12. DNS Firewall. A DNS Firewall is an optimal policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs). This is a DNS service that utilises Response Policy Zones (RPZs) with a threat intelligence (malware feed) service to protect against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets, preventing data exfiltration.
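Step 3 of the procedure above asks the recipient to check the host's logs at the reported timestamp, and steps 4 to 6 give the usual log locations. The following is an added example (not part of the report) that does that check for an Apache or NGINX access log in the "combined" format: it parses the lines, keeps those inside a window around the reported timestamp, and counts requests per client address so the peer involved in the event stands out. The log lines, window size and timestamp are constructed; the example assumes the reported timestamp is in UTC, which should be confirmed against the report's own field definitions.

```python
"""Pull combined-format web log entries around a reported timestamp (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/NGINX "combined" log format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines; 203.0.113.5 repeatedly fails a login around 02:11 UTC.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [14/Mar/2022:02:05:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2022:02:10:58 +0000] "POST /login HTTP/1.1" 401 196 "-" "python-requests/2.25"
203.0.113.5 - - [14/Mar/2022:02:11:01 +0000] "POST /login HTTP/1.1" 401 196 "-" "python-requests/2.25"
203.0.113.5 - - [14/Mar/2022:02:11:03 +0000] "POST /login HTTP/1.1" 401 196 "-" "python-requests/2.25"
198.51.100.7 - - [14/Mar/2022:03:40:12 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse_combined(log_text):
    """Parse combined-format lines into dicts with UTC timestamps."""
    entries = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append({
            "ts": ts.astimezone(timezone.utc),  # normalise the log's own offset
            "client": m["client"],
            "request": m["request"],
            "status": int(m["status"]),
            "agent": m["agent"],
        })
    return entries


def entries_near(entries, reported_ts, window=timedelta(minutes=5)):
    """Entries within +/- window of the reported (timezone-aware) timestamp."""
    lo, hi = reported_ts - window, reported_ts + window
    return [e for e in entries if lo <= e["ts"] <= hi]


def summarize(entries):
    """Requests per client IP, to spot the peer involved in the event."""
    return Counter(e["client"] for e in entries)


def investigate(log_text, reported_iso, window_minutes=5):
    """Convenience wrapper; reported_iso like '2022-03-14T02:11:00Z' (UTC assumed)."""
    reported = datetime.strptime(reported_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    hits = entries_near(parse_combined(log_text), reported, timedelta(minutes=window_minutes))
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, per_client = investigate(SAMPLE_ACCESS_LOG, "2022-03-14T02:11:00Z")
    for h in hits:
        print(h["ts"].isoformat(), h["client"], h["status"], h["request"])
    print(dict(per_client))
```

For a real log, read the file listed in items 4 to 6 and pass its contents to `investigate`; log rotation means the entry for an older timestamp may sit in `access.log.1` or a gzipped archive rather than the current file.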

Guidelines, actions and recommendations for the removal of Bot malware from computers or IoT devices.

Constituents are encouraged to update and secure their devices – particularly older devices – from being compromised and joining a botnet.

No. Action Recommendations
1. Software Updates. Apply software patches and updates regularly. Use automatic updates from trusted providers when available.
2. Disable Unused Ports. Disable unused services and ports, such as automatic configuration, remote access, or file sharing protocols, which may be abused by malicious actors to gain initial access or to spread malware to other networked devices.
3. Replace Default Password. Replace default passwords with strong passwords.
4. Implement Network Segmentation. To minimize the risks associated with IoT devices in a larger network, implement network segmentation and apply the principle of least privilege. This involves creating isolated network segments or separate zones for IoT devices, sensitive data, and critical infrastructure, restricting their access to only the resources necessary for their functions.
5. Monitor Network Traffic. Monitor for high network traffic or unusual activity to detect and mitigate DDoS incidents.
6. Reboot Devices. Plan for device reboots to remove non-persistent malware.
7. Replace End-of-Life Devices. Replace end-of-life equipment with supported devices.
8. DNS Firewall. A DNS Firewall is an optimal policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs). This is a DNS service that utilises Response Policy Zones (RPZs) with a threat intelligence (malware feed) service to protect against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets, preventing data exfiltration.
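The DNS Firewall recommended in item 8 here and in item 12 of the previous list is implemented on the resolver as a Response Policy Zone. The following is an added example, not taken from the report or from any vendor, of how that looks in BIND 9.16 or later: a `response-policy` statement in named.conf pointing at a zone received from a threat-intelligence provider, followed by the zone data showing the three common actions (NXDOMAIN for a C&C name and its subdomains, silently dropping queries, and redirecting a name to a local sinkhole). Every zone name, address and domain in it is a placeholder.

```bind
// ---- named.conf (excerpt): enable the policy zone on the resolver ----
options {
    recursion yes;
    response-policy {
        zone "rpz.threatfeed.example";   // placeholder: local copy of the provider's feed
    };
};

// Secondary copy of the feed, transferred from the provider (placeholder address).
zone "rpz.threatfeed.example" {
    type secondary;
    primaries { 192.0.2.10; };
    file "/var/cache/bind/rpz.threatfeed.example.db";
};

; ---- rpz.threatfeed.example.db: the policy data (zone-file syntax) ----
$TTL 300
@   IN SOA  ns.rpz.threatfeed.example. hostmaster.rpz.threatfeed.example. (
            2022031401 3600 600 86400 300 )
    IN NS   ns.rpz.threatfeed.example.

; Answer NXDOMAIN for a C&C hostname and everything beneath it,
; so the infected device cannot resolve its controller.
c2.bad-domain.example       CNAME .
*.c2.bad-domain.example     CNAME .

; Drop the query without answering (rpz-drop. is a special target).
controller.botnet.example   CNAME rpz-drop.

; Redirect a malware download host to a local sinkhole (placeholder
; address) so the attempts can be logged and the infected device found.
dropper.malware.example     A     192.0.2.100
```

Two practical points: the policy only applies to devices that actually use this resolver, so outbound DNS (and DNS-over-HTTPS where the device supports it) to other servers should be blocked at the network edge, and the resolver's query log or the sinkhole's traffic is what identifies which internal device is infected and needs the clean-up steps above.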

Additional Information

Shadowserver Foundation - Honeypot Brute Force Events Report.
Shadowserver Foundation - Honeypot Brute Force Events Report - March 2022.