For the last couple of days I've let three T-Pot honeypots in different parts of the world run with the goal of identifying and analyzing any possible patterns regarding what kind of Internet based attacks and reconnaissance is used, based on the geographical location of the target.

The three honeypots are set up in Amazon Web Services in different datacenters around the world:

  • Oregon - US-West-2
  • London - EU-West-2
  • Seoul - AP-Northwest-2

As you can see, we have one honeypot in the US, one in the EU and one in Asia. This will hopefully give us a basic understanding of what kinds of attacks are occurring based on the geographical location.

Disclamer! For more detailed analysis and a better grip around the patterns, three honeypots really aren't enough. There should at least be a couple in each region for getting enough data to come to any conclusion. This is primarily just for me to show of T-Pot and dig into what T-Pot can deliver. If we find anything interesting on the way, so be it!

With that out of the way, let's start off in Oregon!

Oregon - US-West-2

as we can clearly see, the most attacking countries are China and Russia. no big surprise there!

The majority of data gathering has been done by:

  1. Cowrie
  2. Honeytrap
  3. and Dionaea

So let's take a closer look on each of them:

Cowrie, which collects information about Brute Force attacks and shell interactions via TELNET/SSH is the clear 'winner' in number of attacks with about 105.000 events in 48 hours from 365 unique IP-addresses. 78.18% of these attacks are aimed against SSH services, while 21.82% are aimed against Telnet. The most attacks are originating from China.

Cowrie doesn't provide us with a lot of interesting data;

the data flow is pretty even with a small spike on TCP port 2222 on the 9th of October. From the Suricata Alert Signatures we can tell that a lot of the attacks are focusing on devices running Busybox which most typically would be run on IoT devices. We can't tell the attacks or payloads just from the signature, but we know that Bickerbot, Mirai, and some of its' variants are attacking IoT-devices running on Busybox.

we can also see that Cowrie believes the most popular SSH client for the attackers to use is PUTTY by quite a margin. This may be spoofed, or a false positive from Cowrie since PUTTY is a primarily Windows-based program. I have a hard time believing attackers to use PUTTY for reconnaissance.

Cowrie has the ability to filter out which usernames and passwords have been used in the brute force attacks into nice-looking clouds:

Cowrie - Usernames used in attacks
Cowrie - Passwords used in attacks
Show all used usernames

Show all used passwords

No big surprises there either! We get the typically bad default credentials for systems such as IBM databases, HP printers  and switches, Avaya network equipment, EMC unified storage plattforms and multiple IOT devices.

What's scary about this is that it probably still is extremely effective to just brute force internet-facing devices using basic default credentials.
The supposed creator of the Mirai botnet stated in 2016:

With Mirai, I usually pull max 380k bots from telnet alone [...]

This was quite a while ago, and after Mirai I would like to believe that users and administrators have cleaned up their act regarding default credentials, but unfortunately that doesn't seem likely.

Honeytrap, which gathers data regarding attacks against TCP and UDP services comes in at a second place with 19.835 events. The majority of events occured against TCP port 8088, which I guess is a typical port to set your web server to when you want it to not be completely visible on port 80. not exactly the best security control! The majority of events are sent from Russia.

What's interesting is the spike in events on port 81 on Oktober 9th at around 20:00 GMT+1 from China:

Port 81 is a port typically associated with the WICKED botnet; an offspring of Mirai which wreaked havoc on the internet in 2016-2017 with it's ability to hijack and capture IoT-devices such as IP-Cameras and home routers using default credentials to said devices. Mirai would then use said devices in advanced DDoS attacks.

In October 2016, after a huge DDoS Attack against who was one of the first to report on the botnet, the source code for Mirai was released to the public. Since then we have seen various variants of Mirai appear, including WICKED which was detected in May of 2018.

WICKED uses preexisting exploits to infect devices instead of the original Mirai which only used default login credentials. One of these exploits are used against CCTV-devices on port 81.
The spike lasted for about 10 minutes and created 482 events which all originated form a single specific IP-address from ASN 4837 -  CHINA UNICOM China169 Backbone.

Except for the spike in traffic on port 81, we identified about 500 packets trying to authenticate to our 'server' using HTTP Authorization header.

The request is base64 encoded but just for fun, I grabbed all ca 500 headers, decoded them and saved the login credentials. Unfortunately, the were as interesting as the information we got from Cowrie: Default credentials for primarily IoT-Devices.

Dionaea, which collects information about attacks on SMB, HTTP, FTP, TFTP, MSSQL, MySQL and SIP comes in at a strong third place with 1,448 events in two days.

We can clearly see that the majority of attacks (72.61%) have been executed against TCP port 445. Since the release of the NSA developed exploits EternalBlue and DoublePulsar (the combination which made WannaCry possible) in early 2017 we have seen a large amount of attacks against SMB ports on the internet. To verify that the attacks on port 445 actually is EternalBlue (EB)/DoublePulsar (DP), we can take a look at the suricata dashboard, or Suricata Alert Signatures in the main dashboard:

We can see that 135.095 alerts for DoublePulsar have been generated through Suricata. Through T-Pot and their implementation of ELK I can search Logstash and filter any event on port 445 that includes the keyword: "DoublePulsar" to find the number of DP attacks on the honeypot for the last 48 hours.

So out of all 135.095 attacks against TCP port 445, only 4.944 were not identified to be using the DoublePulsar exploit.

So what have we learned?

  • China, Russia and USA are the biggest attackers.
  • Mirai is alive and well in some fashion.
  • DoublePulsar and EternalBlue is still used.
  • Default credentials are a bad idea.
  • Default credentials are a really bad idea if you plan on facing your system towards the internet.
  • There are more attacks against SMB than Telnet or SSH.
  • Russia likes SMB attacks. China likes Telnet/SSH attacks.

This became quite a bit larger than I previously thought, so I will probably split this project in four parts: Oregon, London, Seoul and a summary of everything found.

I hope this has been interesting to some of you. Stay tuned for the coming articles regarding London and Seoul!