Unspeakably attractive: how we created a honeypot that cannot be exposed

Antivirus companies, information security experts, and plain enthusiasts expose honeypot systems on the Internet in order to catch a fresh variety of malware "live" or to reveal unusual hacker tactics. Honeypots are so common that cybercriminals have developed a kind of immunity: they quickly recognize that a trap is in front of them and simply ignore it. To explore the tactics of modern hackers, we created a realistic honeypot that lived on the Internet for seven months and attracted a variety of attacks. We described how it went in our study "Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats". Some facts from the study are in this post.

Honeypot Development: Checklist

The main task in creating our super trap was to avoid being exposed by the hackers who took an interest in it. That took a lot of work:

  1. Create a realistic legend about the company, including the full name and photo of employees, phone numbers and e-mails.
  2. Invent and implement an industrial infrastructure model that matches the legend of our company's activities.
  3. Decide which network services will be accessible from the outside, without getting carried away opening vulnerable ports, so that it does not look like a trap for the gullible.
  4. Organize the appearance of information leakage about a vulnerable system and disseminate this information among potential attackers.
  5. Implement discreet monitoring of the actions of hackers in the infrastructure of the trap.

Now, each step in turn.

Create a legend

Cybercriminals are already used to seeing plenty of honeypots, so the most sophisticated among them study each vulnerable system in depth to make sure it is not a trap. For the same reason, we wanted to make the honeypot realistic not only in its design and technical aspects, but also to create the appearance of a real company.

Putting ourselves in the place of a hypothetical skilled hacker, we developed a verification algorithm that would allow distinguishing a real system from a trap. It included looking up the company's IP addresses in reputation systems, researching the history of those IP addresses, looking up names and keywords related to the company and its counterparties, and much more. As a result, the legend turned out to be quite convincing and attractive.

We decided to position the trap factory as a small industrial prototyping boutique for very large anonymous military and aviation clients. This saved us from the legal complexities associated with using an existing brand.

Next, we had to come up with a vision, mission and name for the organization. We decided that our company would be a startup with a small number of employees, each of whom is a founder. This added credibility to the story that our business specializes in sensitive projects for large and important customers. We wanted our company to look weak in terms of cyber security, while making it clear that it worked with important assets in the target systems.

Screenshot of MeTech honeypot website. Source: Trend Micro

We chose the word MeTech as the name of the company. The site was built from a free template. The images were taken from stock photo banks, choosing the least popular ones and modifying them to make them less recognizable.

We wanted the company to look real, so we needed to add employees with professional skills that match the profile of the activity. We came up with names and identities for them, and then tried to select images from photobanks according to ethnicity.

Screenshot of MeTech honeypot website. Source: Trend Micro

In order not to be discovered, we looked for good quality group photos from which we could choose the faces we needed. However, we later abandoned this option, since a potential hacker could use a reverse image search and find that our “employees” live only in photo banks. In the end, we used photos of non-existent people created using neural networks.

The profiles of employees published on the site contained important information about their technical skills, but we avoided specifying specific educational institutions and cities.
To create mailboxes, we used a hosting provider's server, and then rented several phone numbers in the United States and combined them into a virtual PBX with a voice menu and an answering machine.

Honeypot infrastructure

To avoid exposure, we decided to use a combination of real industrial hardware, physical computers, and secured virtual machines. Looking ahead: we checked the result of our efforts with the Shodan search engine, and it showed that the honeypot looks like a real industrial system.

The result of scanning a honeypot with Shodan. Source: Trend Micro

We used four PLCs as the hardware for our trap:

  • Siemens S7-1200,
  • two Allen-Bradley MicroLogix 1100s,
  • Omron CP1L.

These PLCs were chosen for their popularity in the global control systems market. Each of these controllers uses its own protocol, which allowed us to check which of the PLCs would be attacked more often and whether they would be of interest to anyone at all.

The equipment of our "factory" trap. Source: Trend Micro

We didn't just install the hardware and connect it to the Internet. We programmed each controller to perform tasks, among which were

  • mixing,
  • burner and conveyor belt control,
  • palletizing using a robotic arm.

And to make the production process realistic, we programmed logic to randomly change the feedback parameters, simulate starting and stopping motors, and turn the burner on and off.

Our factory had three virtual computers and one physical one. The virtual machines were used to control the plant and the robot palletizer, and as the workstation of the PLC software engineer. The physical computer acted as a file server.

In addition to monitoring attacks on the PLCs, we wanted to monitor the state of the programs loaded onto our devices. To do this, we created an interface that allowed us to quickly determine how the states of our virtual actuators and installations were being modified. Already at the planning stage, we found that it is much easier to implement this with a control program than by programming the controller logic directly. We opened access to the device management interface of our honeypot via VNC without a password.

Industrial robots are a key component of modern smart manufacturing, so we decided to add a robot and a workstation to control it to the equipment of our trap factory. To make the "factory" more realistic, we installed on the control workstation the real software that engineers use for graphical programming of the robot's logic. And since industrial robots are usually located in an isolated internal network, we left unsecured VNC access open only to the control workstation.

RobotStudio environment with a 3D model of our robot. Source: Trend Micro

On a virtual machine with a robot control workstation, we installed the RobotStudio programming environment from ABB Robotics. Having set up RobotStudio, we opened the simulation file with our robot in it so that its 3D image could be seen on the screen. As a result, Shodan and other search engines, when they find an insecure VNC server, will get this screen image and show it to those who are looking for industrial robots with open access to control.

The point of this attention to detail was to create an attractive and as realistic a target as possible for attackers who, having found it, would return to it again and again.

Engineer's workstation

To program the PLC logic, we added an engineering computer to the infrastructure. Industrial software for PLC programming was installed on it:

  • TIA Portal for Siemens,
  • MicroLogix for Allen-Bradley controller,
  • CX-One for Omron.

We decided that the engineering workstation would not be accessible from outside the network. Instead, we set the same password for the administrator account on it as on the Internet-accessible robot control workstation and factory control workstation. This configuration is quite common in many companies.
Unfortunately, despite all our efforts, not a single attacker reached the engineer's workstation.

File server

We needed it as bait for intruders and as a means of backing up our own "works" in the trap factory. This allowed us to exchange files with our honeypot using USB devices without leaving a trace on the trap network. As the OS for the file server, we installed Windows 7 Pro, in which we made a shared folder readable and writable by anyone.

At first, we did not create any hierarchy of folders and documents on the file server. However, it later turned out that the attackers were actively studying this folder, so we decided to fill it with various files. To do this, we wrote a Python script that created files of random size with one of the given extensions, forming each name from a dictionary.

Script to generate attractive filenames. Source: Trend Micro

After running the script, we got the desired result in the form of a folder filled with files with very interesting names.

The result of the script. Source: Trend Micro
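The same idea in Python, as an added illustration rather than the study's own script: names are assembled from a constructed word list (the study's dictionary is not reproduced), each file gets a random size, and a SHA-256 manifest is kept so that a visitor's edits, deletions or additions to the decoy folder can be spotted afterwards.

```python
import hashlib
import os
import random

# Constructed vocabulary and extensions; the study's own word list is not reproduced here.
WORDS = ["contract", "invoice", "drawing", "prototype", "aerospace", "payroll",
         "client", "backup", "passwords", "schematic", "2019", "final"]
EXTS = [".docx", ".xlsx", ".pdf", ".dwg", ".zip", ".txt"]


def make_name(rng, words=WORDS, exts=EXTS):
    """Join one to three dictionary words and add a document-like extension."""
    return "_".join(rng.sample(words, rng.randint(1, 3))) + rng.choice(exts)


def generate_decoys(root, count, seed=0, min_size=1024, max_size=256 * 1024):
    """Create `count` random-size decoy files under `root`; return their paths."""
    rng = random.Random(seed)                   # seeded so the set of names is reproducible
    os.makedirs(root, exist_ok=True)
    paths = []
    while len(paths) < count:                   # count must stay below the number of possible names
        path = os.path.join(root, make_name(rng))
        if os.path.exists(path):                # names can collide; simply draw again
            continue
        with open(path, "wb") as fh:
            fh.write(os.urandom(rng.randint(min_size, max_size)))
        paths.append(path)
    return paths


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """Hash every decoy so that a visitor's edits, deletions or additions stand out."""
    return {path: sha256_of(path) for path in paths}


def check_manifest(manifest):
    """Return (changed_or_missing, added) relative to the recorded manifest."""
    changed = [p for p, digest in manifest.items()
               if not os.path.isfile(p) or sha256_of(p) != digest]
    dirs = {os.path.dirname(p) for p in manifest}
    present = {os.path.join(d, name) for d in dirs if os.path.isdir(d) for name in os.listdir(d)}
    return changed, sorted(present - set(manifest))
```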

Monitoring environment

Having put so much effort into creating a realistic company, we simply couldn't afford to fail in the environment for monitoring our "visitors". We needed to get all the data in real time in such a way that the attackers would not notice that they were being watched.

We did this using four USB-to-Ethernet adapters, four SharkTap Ethernet taps, a Raspberry Pi 3, and a large external drive. Our network diagram looked like this:

Honeypot network diagram with monitoring equipment. Source: Trend Micro

We positioned three SharkTap taps so as to monitor all external traffic to the PLCs, which were accessible only from the internal network. The fourth SharkTap tracked the traffic of visitors to the vulnerable virtual machine.

SharkTap Ethernet tap and Sierra Wireless AirLink RV50 router. Source: Trend Micro

The Raspberry Pi captured traffic daily. We connected to the Internet using a Sierra Wireless AirLink RV50 cellular router, which is often used in industrial enterprises.

Unfortunately, this router did not allow us to selectively block attacks that did not fit our plans, so we added a Cisco ASA 5505 firewall to the network in transparent mode in order to block them with minimal impact on the network.

Traffic analysis

Tshark and tcpdump are fine for quickly resolving immediate questions, but in our case their capabilities were not enough, since we had many gigabytes of traffic that were analyzed by several people. We used the open-source Moloch analyzer (now known as Arkime) developed at AOL. In terms of functionality it is comparable to Wireshark, but it has more options for collaboration, describing and tagging packets, exporting, and other tasks.

Since we did not want to process the collected data on the honeypot machines, the PCAP dumps were exported daily to AWS storage, from where we imported them into the Moloch machine.

Screen recording

To document the actions of hackers in our honeypot, we wrote a script that took screenshots of the virtual machine at a given interval and, by comparing each with the previous screenshot, determined whether something was happening. When activity was detected, the script turned on screen recording. This approach proved to be the most effective. We also tried analyzing the VNC traffic from the PCAP dump to understand what changes had occurred in the system, but in the end the screen recording we implemented turned out to be simpler and more visual.
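The screenshot-comparison trigger, as an added example that is not the study's own script: the detector measures the fraction of changed pixels between consecutive frames, starts "recording" when it crosses a threshold, and only stops after several quiet frames so that short pauses do not split one session into many clips. Frames are assumed to be 8-bit grayscale screenshots of equal size supplied as bytes; the capture and recorder themselves are stand-ins.

```python
# Frames are assumed to be 8-bit grayscale screenshots of equal size passed as
# bytes; capture and recorder are stand-ins that a deployment would replace.


def changed_fraction(prev, cur, pixel_threshold=16):
    """Share of pixels whose intensity moved by more than pixel_threshold."""
    if len(prev) != len(cur):
        raise ValueError("frames must have the same dimensions")
    if not cur:
        return 0.0
    changed = sum(1 for a, b in zip(prev, cur) if abs(a - b) > pixel_threshold)
    return changed / len(cur)


class ActivityRecorder:
    """Start recording when the screen changes; stop after a run of quiet frames."""

    def __init__(self, start_ratio=0.01, quiet_frames=3):
        self.start_ratio = start_ratio    # fraction of changed pixels that counts as activity
        self.quiet_frames = quiet_frames  # consecutive unchanged frames before stopping
        self.prev = None
        self.recording = False
        self.quiet = 0
        self.events = []                  # ("start", frame_index) / ("stop", frame_index)

    def feed(self, index, frame):
        """Consume one screenshot; return True while recording is active."""
        if self.prev is None:
            self.prev = frame             # the first frame only establishes the baseline
            return False
        active = changed_fraction(self.prev, frame) >= self.start_ratio
        self.prev = frame
        if active:
            self.quiet = 0                # any movement resets the quiet counter
            if not self.recording:
                self.recording = True
                self.events.append(("start", index))
        elif self.recording:
            self.quiet += 1
            if self.quiet >= self.quiet_frames:
                self.recording = False
                self.events.append(("stop", index))
        return self.recording


def run_detector(frames, **settings):
    """Feed a sequence of frames and return the start/stop event log."""
    rec = ActivityRecorder(**settings)
    for i, frame in enumerate(frames):
        rec.feed(i, frame)
    return rec.events


# Constructed 10x10 frames: an idle desktop, a window appearing and vanishing, then idle again.
IDLE = bytes([200] * 100)
WINDOW = bytes([200] * 50 + [30] * 50)
SAMPLE_FRAMES = [IDLE, IDLE, WINDOW, WINDOW, IDLE, IDLE, IDLE, IDLE, IDLE]
```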

Monitoring VNC sessions

For this we used Chaosreader and VNCLogger. Both utilities extract keystrokes from a PCAP dump, but VNCLogger handles keys like Backspace, Enter and Ctrl more correctly.

VNCLogger has two drawbacks. First, it can only retrieve keys by "listening" to traffic on an interface, so we had to replay the VNC session for it using tcpreplay. The second drawback is shared with Chaosreader: neither shows the contents of the clipboard. For that we had to use Wireshark.
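What those tools do under the hood, as an added example that is neither VNCLogger nor Chaosreader: the parser walks the client-to-server half of an RFB (VNC) session that has already been reassembled into bytes after the handshake, rebuilds the typed text with Backspace, Enter and Ctrl applied the way the victim screen saw them, and also collects ClientCutText messages, which is the clipboard content the page says the two tools omit. The sample session at the bottom is constructed; message layouts and keysym values follow the RFB 3.8 and X11 definitions.

```python
import struct

KEY_BACKSPACE, KEY_RETURN, CTRL_KEYS = 0xFF08, 0xFF0D, {0xFFE3, 0xFFE4}   # X11 keysyms
FIXED = {0: 20, 3: 10, 4: 8, 5: 6}   # SetPixelFormat, FramebufferUpdateRequest, KeyEvent, PointerEvent

def parse_client_stream(data):
    """Recover typed lines and clipboard pastes from client->server RFB bytes."""
    typed, clipboard, line, ctrl, pos = [], [], [], False, 0
    while pos < len(data):
        mtype = data[pos]
        if mtype in FIXED:
            size = FIXED[mtype]
        elif mtype in (2, 6) and pos + 8 <= len(data):
            if mtype == 2:                       # SetEncodings: 4 + 4 * count
                size = 4 + 4 * struct.unpack(">H", data[pos + 2:pos + 4])[0]
            else:                                # ClientCutText: 8 + text length
                size = 8 + struct.unpack(">I", data[pos + 4:pos + 8])[0]
        else:
            break                                # unknown type or truncated header: stop cleanly
        if pos + size > len(data):
            break                                # truncated body
        if mtype == 6:
            clipboard.append(data[pos + 8:pos + size].decode("latin-1"))
        elif mtype == 4:
            down, key = data[pos + 1], struct.unpack(">I", data[pos + 4:pos + 8])[0]
            if key in CTRL_KEYS:
                ctrl = bool(down)                # modifier state persists across events
            elif down and key == KEY_BACKSPACE:
                if line:
                    line.pop()                   # show the text as the victim screen saw it
            elif down and key == KEY_RETURN:
                typed.append("".join(line))
                line = []
            elif down and 0x20 <= key <= 0xFF:   # Latin-1 keysyms equal their code point
                line.append(f"<Ctrl+{chr(key)}>" if ctrl else chr(key))
        pos += size
    if line:
        typed.append("".join(line))              # keep the unfinished last line too
    return {"typed": typed, "clipboard": clipboard}

def key_event(code, down=True):
    """KeyEvent message; `code` is a keysym or a one-character string."""
    code = code if isinstance(code, int) else ord(code)
    return struct.pack(">BBxxI", 4, 1 if down else 0, code)

# Constructed session: 'cmd' Enter, 'dis' Backspace 'r' Enter, Ctrl+C, one clipboard paste.
SAMPLE = (
    struct.pack(">BBHHHH", 3, 1, 0, 0, 800, 600)                    # FramebufferUpdateRequest
    + b"".join(key_event(c) + key_event(c, False) for c in "cmd") + key_event(KEY_RETURN)
    + b"".join(key_event(c) for c in "dis") + key_event(KEY_BACKSPACE) + key_event("r") + key_event(KEY_RETURN)
    + struct.pack(">BBHH", 5, 0, 10, 20)                            # PointerEvent
    + key_event(0xFFE3) + key_event("c") + key_event("c", False) + key_event(0xFFE3, False)
    + struct.pack(">BxxxI", 6, 10) + b"backup.zip"                  # ClientCutText
)
```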

We lure hackers

We created the honeypot to be attacked. To achieve this, we staged an information leak designed to attract the attention of potential hackers. A number of ports were opened on the honeypot.


The RDP port had to be closed shortly after the start, because the huge amount of scanning traffic on our network caused performance problems.
The VNC terminals first worked in "view-only" mode without a password, and then we "by mistake" switched them to full access mode.

To attract attackers, we published two posts with "leaked" information about the accessible industrial system on PasteBin.

One of the posts posted on PasteBin to attract attacks. Source: Trend Micro

Attacks

The honeypot lived online for about seven months. The first attack occurred a month after it went online.

Scanners

There was a lot of traffic from scanners of well-known companies - ip-ip, Rapid, Shadow Server, Shodan, ZoomEye and others. There were so many that we had to exclude their IP addresses from the analysis: 610 of the 9452 unique IP addresses, or 6.45%, belonged to entirely legitimate scanners.

Scammers

One of the biggest risks we faced was the use of our system for criminal purposes: buying smartphones through a subscriber's account, cashing out airline miles using gift cards, and other types of fraud.

Miners

One of the first visitors to our system turned out to be a miner. He loaded it with Monero mining software. He would not have been able to earn much on our particular system because of its low performance. However, combining the efforts of several tens or even hundreds of such systems could turn out quite profitable.

Extortionists

During the operation of the honeypot, we encountered real ransomware twice. In the first case it was Crysis. Its operators logged into the system via VNC, but then installed TeamViewer and used it for further actions. After waiting for the extortion message demanding a ransom of $10 in BTC, we entered into correspondence with the criminals, asking them to decrypt one of the files for us. They complied with the request and repeated the ransom demand. We managed to negotiate to 6 thousand dollars, after which we simply redeployed the system on a virtual machine, since we had obtained all the information we needed.

The second ransomware was Phobos. The hacker who installed it went through the honeypot's file system and scanned the network for an hour, and then installed the ransomware.
The third ransomware attack turned out to be fake. An unknown "hacker" uploaded the file haha.bat to our system, after which we watched for a while as he tried to make it work. One attempt was to rename haha.bat to haha.rnsmwr.

The "hacker" increases the maliciousness of the batch file by changing its extension to .rnsmwr. Source: Trend Micro

When the batch file finally began to run, the "hacker" edited it, increasing the ransom from $200 to $750. After that, he "encrypted" all the files, left an extortionate message on the desktop and disappeared, changing the passwords on our VNC.

A couple of days later, the hacker returned and, to remind us of himself, launched a batch file that opened many windows with a porn site. Apparently, this was his way of drawing attention to his demand.

Results

During the study, it turned out that as soon as the information about the vulnerability was published, the honeypot attracted attention, and activity grew day by day. For the trap to attract attention, we had to deliberately introduce many security weaknesses into our fictitious company. Unfortunately, this situation is far from uncommon among real companies that do not have full-time IT and information security employees.

In general, organizations should follow the principle of least privilege, whereas we implemented the complete opposite to attract attackers. And the longer we watched the attacks, the more sophisticated they became compared to standard penetration testing methods.

And most importantly, all these attacks would have failed if adequate security measures had been implemented during the network setup. Organizations must ensure that their equipment and industrial infrastructure components are not accessible from the Internet, the opposite of what we deliberately did in our trap.

Although we did not record a single attack on the engineer's workstation despite using the same local administrator password on all computers, this practice should be avoided in order to minimize the possibility of intrusion. After all, weak security is an extra invitation to attack industrial systems, which have long been of interest to cybercriminals.

Source: habr.com
