
Introducing Dionaea with Darwis Threat Intel API Integration

Cyber Security and Privacy Foundation is pleased to announce that we have open-sourced and released our panel and the code for integrating Dionaea with our threat intel API.

This can be used as a honeypot to gain insight into attackers and their malware.

To get started you will need a Linux machine with Docker installed. Once that is done, simply follow these steps.

More detailed instructions are in:

https://github.com/CSPF-Founder/dionaea-darwis


Clone this repository:

git clone https://github.com/CSPF-Founder/dionaea-darwis

Setup commands:

cd dionaea-darwis

./install.sh

Once all three containers have started, open the following URL in a browser:

https://localhost:12443

It will take you to the setup page. Click the "Setup" button; it performs the base setup for the panel. If successful, it will take you to the license activation page.

To get a license key, go to https://cysecurity.co/panel/keys/request and enter your email. You will receive an email with a link to follow; that page contains the key to input into the panel above. (Please note that the key can only be viewed/activated once, so ensure that you keep a backup.)


Once the license key has been entered, you can set up a local user account and log in to the panel. In the panel, click "View logs" for a granular view of the data.

It shows the files that were captured along with the capture time, the verdict, and the malware name if applicable. You can also filter by time and date. The data can be exported in multiple formats such as CSV and XLS.


JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware


Researchers have revealed the first-ever Python-based ransomware specifically tailored to target vulnerable Jupyter notebooks. Jupyter is a web-based interactive computing platform that allows editing and running programs via a browser. Python isn't widely used for malware development; notably, attackers prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack: in October 2021, Sophos disclosed Python ransomware specifically targeting VMware ESXi systems.

Jupyter Notebook is an open-source, web-based data visualization platform, used in data science, computing, machine learning, and modular software to model data. The project supports over 40 programming languages and is used by Microsoft, IBM, and Google, as well as universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script that encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation."

The Python ransomware is aimed at those who have unintentionally left their systems exposed. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the attack came to a halt before completing its mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself.

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords. We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding that no ransom note was displayed during the process, raising the possibility that the threat actor was experimenting with the modus operandi or that the honeypot timed out before the attack could be completed.

Regardless, based on what they have, the researchers believe it is ransomware rather than a wiper. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password. This is additional evidence that this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.

Honeypots Experiment Discloses What Attackers Seek From IoT Devices


To understand why threat actors target specific devices, researchers at the National Institute of Standards and Technology (NIST) and the University of Florida conducted a three-year honeypot experiment involving simulated low-interaction IoT devices of diverse types and locations. The honeypot was intended to create a fairly diverse ecosystem and gather data to determine the adversary's aims.

According to the researchers, IoT (Internet of Things) devices, which include small internet-connected gadgets like cameras, lights, doorbells, smart TVs, motion sensors, speakers, thermostats, and more, constitute an expanding business. Over 40 billion of these devices are expected to be connected to the Internet by 2025, providing network access points or computing resources that can be abused for unauthorized encryption or as part of DDoS attacks.

The honeypot ecosystem designed by the researchers had three components: server farms, a vetting system, and data collection and processing infrastructure. To create a diverse ecosystem, the researchers installed Cowrie, Dionaea, KFSensor, and HoneyCamera, which are off-the-shelf IoT honeypot emulators.

The researchers designed their appearance to look like actual devices on Censys and Shodan, two specialized search engines that find internet-connected services. The three primary types of honeypots were:

• HoneyShell – Emulating Busybox 
• HoneyWindowsBox – Emulating IoT devices running Windows 
• HoneyCamera – Emulating various IP cameras from Hikvision, D-Link, and other vendors.

The trial yielded data from 22.6 million hits, the vast majority targeting the HoneyShell honeypot. The various actors used comparable attack patterns because their objectives and means of achieving them were identical.

For example, the majority of attackers ran commands such as "masscan" to scan for open ports and "/etc/init.d/iptables stop" to deactivate the firewall. In addition, many attackers executed "free -m", "lspci | grep VGA", and "cat /proc/cpuinfo", all three aiming to gather hardware information about the target device.

Interestingly, nearly a million hits were discovered testing the "admin / 1234" username-password combination, suggesting that these credentials are overused in IoT devices. In terms of end goals, the researchers found that the HoneyShell and HoneyCamera honeypots were targeted mainly for DDoS recruitment and were frequently infected with a Mirai variant or a coin miner.

“Only 314 112 (13 %) unique sessions were detected with at least one successful command execution inside the honeypots,” reads the research paper. “This result indicates that only a small portion of the attacks executed their next step, and the rest (87 %) solely tried to find the correct username/password combination.”
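A defender's counterpart to the statistics above, as an added example that is not code from the paper or this blog: it groups honeypot events by session, reports the share of sessions that only tried credentials versus those that executed commands, tallies the credential pairs tried, and labels the reconnaissance and firewall-disabling commands the experiment observed. The log lines are constructed, and the event ids and field names follow Cowrie's JSON log format, which the example assumes.

```python
import json
from collections import Counter, defaultdict

# Constructed Cowrie-style JSON events (not real captures). The eventid values
# and field names follow Cowrie's JSON log format, which this example assumes.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.success","session":"s1","username":"admin","password":"1234"}
{"eventid":"cowrie.command.input","session":"s1","input":"/etc/init.d/iptables stop"}
{"eventid":"cowrie.command.input","session":"s1","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.login.failed","session":"s2","username":"admin","password":"1234"}
{"eventid":"cowrie.login.success","session":"s3","username":"pi","password":"raspberry"}
{"eventid":"cowrie.command.input","session":"s3","input":"free -m"}
{"eventid":"cowrie.login.failed","session":"s4","username":"admin","password":"1234"}
"""

# Command families the experiment reported, mapped to a triage label.
RECON_PATTERNS = {"masscan": "port-scan", "iptables stop": "firewall-disable",
                  "free -m": "hw-recon", "lspci": "hw-recon", "/proc/cpuinfo": "hw-recon"}


def classify_command(cmd):
    """Label one shell command by the first pattern family it matches."""
    for needle, label in RECON_PATTERNS.items():
        if needle in cmd:
            return label
    return "other"


def summarize_sessions(log_text):
    """Group events by session and report how many got past the login stage."""
    sessions = defaultdict(list)   # session id -> commands executed in it
    creds = Counter()              # (username, password) -> attempts seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cmds = sessions[ev["session"]]   # touching the key registers the session
        if ev["eventid"] in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev["username"], ev["password"])] += 1
        elif ev["eventid"] == "cowrie.command.input":
            cmds.append(ev["input"])
    executed = [c for c in sessions.values() if c]
    labels = Counter(classify_command(cmd) for cmds in executed for cmd in cmds)
    return {
        "sessions": len(sessions),
        "executed": len(executed),
        "credential_only_pct": round(100.0 * (len(sessions) - len(executed)) / len(sessions), 1) if sessions else 0.0,
        "top_credentials": creds.most_common(3),
        "command_labels": dict(labels),
    }
```

On the constructed sample, two of four sessions ran commands, the "admin / 1234" pair dominates the credential tally, and the command labels separate the firewall-disable step from hardware reconnaissance.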

ZHtrap, the Latest Malware to Install Honeypots on Devices to Identify More Targets


Security researchers at 360 Netlab have discovered a new botnet that targets infected routers, DVRs, and UPnP network devices and converts them into honeypots that help it identify other targets to exploit.

The security experts have named the malware 'ZHtrap'; it is based on Mirai's source code. ZHtrap supports x86, ARM, MIPS, and other CPU architectures. When it takes control of a device, ZHtrap prevents other malware from re-infecting its bots: a whitelist allows only existing system processes to run, and all attempts to run new commands are blocked.

The malware uses a Tor command-and-control (C2) server to communicate with other botnet nodes and a Tor proxy to hide malicious traffic. It can be used for DDoS attacks and for scanning other vulnerable devices to infect, and it includes a backdoor that lets the operators download and run additional malicious payloads.

For propagation, ZHtrap uses exploits targeting four N-day security flaws in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVR, Netgear DGN1000, and an extensive list of CCTV-DVR devices. It also looks for devices with weak Telnet passwords from a list of randomly generated IP addresses, gathered with the support of the honeypot it installs on devices already trapped in the botnet.

“Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypots. Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module,” security researchers at 360 Netlab stated.

Recently, security experts have also identified an upgraded version of the z0Miner cryptomining botnet, which now tries to compromise vulnerable Jenkins and ElasticSearch servers to mine Monero (XMR) cryptocurrency.