For the last few weeks I've let three T-Pot honeypots in different parts of the world run, with the goal of identifying what kinds of Internet-based attacks and reconnaissance are used depending on the geographical location of the target.

The three honeypots are set up in Amazon Web Services in different datacenters around the world:

  • Oregon - US-West-2
  • London - EU-West-2
  • Seoul - AP-Northwest-2

As you can see, we have one honeypot in the US, one in the EU and one in Asia. This will hopefully give us a basic understanding of what kinds of attacks are occurring based on the geographical location.

This is the second part of this little series, and here we will take a look at the honeypot in London.

It has been a while since I wrote the first part of this series, about Oregon, and the honeypots have had longer to gather data, so I will use data from the whole previous week instead of just two days. This is why the following two honeypots will have more attack events and hopefully better information.


London - EU-West-2

As was the case in Oregon, Russia and China are the biggest culprits in London too, and Cowrie is still the honeypot which gathered the most data (was attacked the most).

  • Russia - 127247 Events
  • China - 87569 Events
  • United States - 37708 Events

Cowrie, Honeytrap, and Dionaea are still the three most attacked honeypots, but Mailoney and VNClowpot have a higher rate of occurrence than in Oregon. We can see spikes of VNC connections (port 5900) in the histogram which we will take a deeper look into later.

  • Cowrie - 216752 Events
  • Honeytrap - 99893 Events
  • Vnclowpot - 13159 Events
  • Mailoney - 7980 Events

Let's start by taking a look at Cowrie and what kind of TELNET/SSH traffic we got.

Cowrie

For Cowrie in London we can see that Russia has taken the lead in number of events over China, primarily because of a big spike over October 10-11th, although I believe this to be a false positive since the spike seems to have happened on port 443 (HTTPS).

Let's take a look at what kind of usernames and passwords have been used:

Usernames used in brute force attempts against Cowrie
Passwords used in brute force attempts against Cowrie

As was the case in Oregon, there really aren't any surprises here; weak and default passwords are used to try to find open and/or IoT devices on the internet. We see the return of 7ujMko0admin, which is the default password for Dahua IP cameras, of which there are approximately 341,259 accessible via the internet according to Shodan.io.

Cowrie also records the input an attacker sends over an established connection. These are the top 10 inputs from the previous week:

Of course, the first thing an attacker wants to know is what kind of system they have taken control of. They do this with the command uname and various other commands. What I found interesting was the command grep '[Mm]iner', which also appears further down the list of inputs as ps | grep '[Mm]iner'. It looks like attackers are trying to identify and capture cryptomining rigs that are accessible on the internet.


Dionaea

This time Russia is the biggest source of attacks against SMB, HTTP and databases (SQL, etc.)! During the last week Dionaea identified 3902 attacks against those protocols, of which 520 (20.53%) were from Russia.

Nothing huge sticks out, except for the overwhelming focus on SMB and port 445. Attackers understand that a lot of potential victims still haven't updated their systems to protect against EternalBlue, and with Shodan.io showing over 2,000,000 systems exposing port 445 (many of which still seem to run SMBv1), they seem to be correct.


Honeytrap

With Honeytrap, which only gathers information on transport-layer (TCP and UDP) traffic, we can see three interesting spikes of traffic.

The first two, on the 11th of October, came from three separate IP addresses, all of which originated in the US.

These three addresses and this spike accounted for approximately one-third of all traffic Honeytrap received during the last week!

This spike was focused on three distinct ports, with each IP attacking just one of them:

  • Port 9022 Targeted by 50.56.243.59
  • Port 2280 Targeted by 104.131.119.129
  • Port 122 Targeted by 192.241.175.115
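The kind of triage used above, finding the hour that stands out from the baseline and the source/port pairs that drive it, as an added example (not T-Pot or Honeytrap code) over a constructed event list; the field names 'ts', 'src_ip' and 'dest_port' are assumptions:

```python
"""Hourly spike triage for Honeytrap-style connection events.

Added example, not T-Pot or Honeytrap code. Each event is assumed to be a
dict with 'ts' (ISO-8601, UTC), 'src_ip' and 'dest_port'; the event list
below is constructed to mimic the burst described in the post."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: a quiet baseline (two probes per hour, on two ports)
# plus a burst in the 14:00 hour from three sources, each hitting one port.
SAMPLE_EVENTS = [
    {"ts": f"2017-10-11T{h:02d}:{m:02d}:00Z", "src_ip": "203.0.113.7", "dest_port": p}
    for h in range(24) for m, p in ((5, 23), (35, 2323))
] + [
    {"ts": f"2017-10-11T14:{m:02d}:{s:02d}Z", "src_ip": ip, "dest_port": port}
    for ip, port in (("198.51.100.10", 9022), ("198.51.100.11", 2280),
                     ("198.51.100.12", 122))
    for m in range(0, 60, 6) for s in (0, 30)
]

def hour_bucket(ts):
    """Truncate an ISO-8601 timestamp ending in 'Z' to the start of its hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0)

def find_spikes(events, factor=5):
    """Return hours whose event count exceeds factor x the median hour,
    together with the (src_ip, dest_port) pairs seen in that hour."""
    per_hour = Counter(hour_bucket(e["ts"]) for e in events)
    baseline = max(median(per_hour.values()), 1)
    spikes = []
    for hour, n in sorted(per_hour.items()):
        if n <= factor * baseline:
            continue
        pairs = Counter((e["src_ip"], e["dest_port"])
                        for e in events if hour_bucket(e["ts"]) == hour)
        spikes.append({"hour": hour.isoformat(), "events": n,
                       "share_of_total": n / len(events), "pairs": dict(pairs)})
    return spikes

def single_port_sources(spike):
    """Sources in a spike that hit exactly one port, the pattern seen above."""
    ports = {}
    for ip, port in spike["pairs"]:
        ports.setdefault(ip, set()).add(port)
    return sorted(ip for ip, seen in ports.items() if len(seen) == 1)
```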

Port 122 seems to be recognized as belonging to something called Smakynet. I have tried to find more information about this port but have not been able to, although shodan.io reported 12 devices exposing port 122 on the internet, all of which seem to have been responding to NetBIOS requests.
The IP address that scanned/attacked port 122 resolves to employee.customcarpetcenters.com, which seems to be down:

But the domain belongs to customcarpetcenters.com, which seems to be a legitimate company whose host might have been taken over.

Port 9022 is registered as belonging to CyberArk, an access security infrastructure company, and is used by their PrivateArk Remote Agent. According to shodan.io, port 9022 is also used by Distributed Hash Table nodes, which could be used by CyberArk.
The IP seems to resolve to http://routingtool.com/, which claims to be a tool to check bank routing numbers.

Port 2280 is registered as LNVPOLLER. I have no idea what this is and was unable to find out anything about the port or LNVPOLLER, but there seems to be a range of ports belonging to some kind of system:

  • Port 2281 - LNVCONSOLE
  • Port 2282 - LNVALARM
  • Port 2283 - LNVSTATUS - Used for HVL Rat 5 Trojan
  • Port 2284 - LNVMAPS
  • Port 2285 - LNVMAILMON

The IP address resolves to https://portal.harmonics-flooring.com/, a sub-page of harmonics-flooring.com, which seems to be a flooring supplier to Costco.

The second spike occurred on the same date, at around the same time, and was sent from a single IP address (51.254.130.87) in France against port 2313.
Port 2313 is registered as being used for IAPP (Inter Access Point Protocol).
I was unable to find any more information regarding the IP address.

The third spike occurred on October 12th and was sent from IP 139.59.95.144 against port 3333.
Port 3333 seems to be used for connecting to Monero for crypto-mining.
The IP seems to host a default web page, an FTP server and some other services, and is probably used as an Internet scanner for finding Monero miners.


VNClowpot

As we saw in the beginning, VNC attacks were a lot higher on the London honeypot than on the Oregon honeypot. This was caused by a continuous barrage of VNC brute force attacks from China, from two IP addresses: 222.186.138.19 (4123 events) and 222.186.138.22 (2000 events), both of which are flagged as 'known attackers' by Cisco's Talos department.

For those of you who might be interested in the VNC handshakes used during the attacks, here are the top ten handshakes used during last week:

  • $vnc$*00000000000000000000000000000000*D29F6E7F0456F8DED29F6E7F0456F8DE
  • $vnc$*00000000000000000000000000000000*DB6C002A7CCA479FDB6C002A7CCA479F
  • $vnc$*00000000000000000000000000000000*D8436A7084EE537BD8436A7084EE537B
  • $vnc$*00000000000000000000000000000000*ECF87B7A5D68C77FECF87B7A5D68C77F
  • $vnc$*00000000000000000000000000000000*55A5BF699DC2C69855A5BF699DC2C698
  • $vnc$*00000000000000000000000000000000*7AA726BB808722957AA726BB80872295
  • $vnc$*00000000000000000000000000000000*587029A8254FAA2B587029A8254FAA2B
  • $vnc$*00000000000000000000000000000000*6E7AE9B3FCC47CF56E7AE9B3FCC47CF5
  • $vnc$*00000000000000000000000000000000*9AEC969A3C3468C59AEC969A3C3468C5
  • $vnc$*00000000000000000000000000000000*57E28B229D1F91A857E28B229D1F91A
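A structural check on records in this $vnc$*challenge*response format, as an added example (not VNClowpot or T-Pot code) run over constructed records rather than the honeypot's data. In RFB VNC Authentication the client returns the 16-byte challenge encrypted with DES in ECB mode under the bit-reversed password, so for a genuine response the two 8-byte halves are equal exactly when the two halves of the challenge are equal, as with an all-zero challenge; with a fixed challenge, each distinct response therefore corresponds to one distinct password guess.

```python
"""Checks on '$vnc$*challenge*response' records. Added example, not
VNClowpot code. Assumes a hex 16-byte challenge and 16-byte response."""
import re
from collections import Counter

VNC_RE = re.compile(r"^\$vnc\$\*([0-9A-Fa-f]{32})\*([0-9A-Fa-f]{32})$")

# Constructed records (not honeypot data): one guess seen twice, a second
# guess, a response DES-ECB could never give for a zero challenge (halves
# differ although the challenge halves match), and a truncated log line.
SAMPLE = [
    "$vnc$*" + "00" * 16 + "*0123456789ABCDEF0123456789ABCDEF",
    "$vnc$*" + "00" * 16 + "*0123456789ABCDEF0123456789ABCDEF",
    "$vnc$*" + "00" * 16 + "*FEDCBA9876543210FEDCBA9876543210",
    "$vnc$*" + "00" * 16 + "*0123456789ABCDEFFEDCBA9876543210",
    "$vnc$*" + "00" * 16 + "*0123456789ABCDEF0123456789ABCDE",
]

def parse_vnc_record(line):
    """Return (challenge, response) as bytes, or None if malformed."""
    m = VNC_RE.match(line.strip())
    if m is None:
        return None
    return bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))

def is_consistent(challenge, response):
    """DES-ECB is a per-block permutation: equal input blocks give equal
    output blocks, different input blocks give different output blocks."""
    return (challenge[:8] == challenge[8:]) == (response[:8] == response[8:])

def triage(lines):
    """Summarise a batch: parsed/malformed counts, records that cannot be
    DES output, and the number of distinct (challenge, response) guesses."""
    summary = {"parsed": 0, "malformed": 0, "inconsistent": 0}
    guesses = Counter()
    for line in lines:
        rec = parse_vnc_record(line)
        if rec is None:
            summary["malformed"] += 1
            continue
        challenge, response = rec
        summary["parsed"] += 1
        if not is_consistent(challenge, response):
            summary["inconsistent"] += 1
            continue
        guesses[(challenge, response)] += 1
    summary["distinct_guesses"] = len(guesses)
    summary["all_zero_challenge"] = all(c == bytes(16) for c, _ in guesses)
    return summary
```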

And finally, let's take a short look at Mailoney.

Mailoney

Through Mailoney we can inspect attacks against SMTP.

As a change of pace, Russia and China are nowhere to be seen! It seems that most attacks against SMTP services on the internet originate from South America (and Canada, for some reason).
Mailoney has similar functionality to Cowrie and VNClowpot in that it records which commands were sent to the honeypot after a successful login.

aW5mbw== is base64 of 'info'.

So nothing especially interesting; the attackers try to get more information about the system by trying to identify the domain and enumerate users on the SMTP server.


Lessons learned

  • China and Russia are still performing the majority of scans/attacks.
  • As we saw with Honeytrap, there seem to be quite a few web servers that have been taken over by attackers and used as springboards against other potential victims.
  • The majority of scans are as always against TELNET/SSH and SMB.

The attack patterns are not really very different from the previous Honeypot in Oregon. Will the honeypot in Seoul be any different? Stay tuned!