INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Take Downs and the Rest of Us: Do they matter?
Published: 2024-02-27
Last Updated: 2024-02-27 17:19:25 UTC
by Johannes Ullrich (Version: 1)
Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquiti, compromised using well-known default credentials.
Why do nation-state actors go after "simple" home devices? Usually, these attacks are associated with simple "vandal ware" like Mirai and similar bots. Often, a cryptocurrency miner is deployed as part of the attack. But even for more sophisticated attackers, these devices are attractive:
- They may provide access to more interesting networks. The Ubiquiti EdgeRouter attacked by this Moobot variant is often used as a perimeter device for smaller remote networks. This may provide access to a remote site of a power network or to industrial equipment deployed remotely. Disabling this equipment may cause significant cost if a technician must visit the remote site.
- Due to the enormous scan volume for these default credentials, the attacker can hide in the noise created by vandals and miners. The attack tools are essentially identical. Even if the attack is discovered, it is likely considered a "nuisance attack" and not attributed to a particular actor. For a sophisticated attacker, winning with a simple default password is far preferable to winning with a zero-day vulnerability. Each time a vulnerability is exploited, the attacker risks being discovered, and the zero-day vulnerability may be fixed.
- "Innocent" home devices make a great attack platform. Some networks will, for example, block access from certain countries or specific hosting providers. Having access to a diverse set of commodity devices in different networks is a great asset to building up an attack infrastructure of proxies to obfuscate the source of the attack.
Read the full entry: https://isc.sans.edu/diary/Take+Downs+and+the+Rest+of+Us+Do+they+matter/30694
Utilizing the VirusTotal API to Query Files Uploaded to DShield Honeypot [Guest Diary]
Published: 2024-02-25
Last Updated: 2024-02-26 01:13:50 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Keegan Hamlin, an ISC intern as part of the SANS.edu BACS program]
Part of the SANS undergraduate program is a 20-week internship with the SANS Internet Storm Center. During that time, interns are tasked with setting up a DShield sensor to act as a honeypot, capturing data and generating logs for SSH/Telnet, firewall activity, web requests, and, most interesting to me, file uploads. With those logs, we are expected to create attack observations, explaining what vulnerability is being exploited, what the attacker is attempting to accomplish, and how to defend against the attack. I wanted to give myself a project to help with creating these attack observations, and in my case, a way to quickly get information on the uploaded files. At the beginning of the internship, I had given myself a personal goal, which was to do something to build my Python skills. I thought this might be the opportunity to do that.
VirusTotal is a go-to source to upload or search for hashes of suspicious files and it is what I typically use when investigating files uploaded to the honeypot. They offer an API to automate this process, and it integrates well with Python.
Simple Command Line Query
I began by following the steps listed in the VirusTotal quick start page for their Python integration tool ...
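The lookup the diary describes, as an added example that is not the intern's script: hash every file in a honeypot upload directory and ask the VirusTotal v3 file endpoint about each hash. Assumptions: the upload directory and API key come from the constructed environment variables UPLOAD_DIR and VT_API_KEY, and reports are summarised from the v3 file object's last_analysis_stats block.

```python
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_file(path: str) -> str:
    """Stream the file in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_uploads(upload_dir: str) -> dict:
    """Map sha256 -> filename for every regular file in the upload directory."""
    hashes = {}
    for name in sorted(os.listdir(upload_dir)):
        path = os.path.join(upload_dir, name)
        if os.path.isfile(path):
            hashes[sha256_of_file(path)] = name
    return hashes


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file object to the counts an attack observation needs.
    An empty report (hash unknown to VirusTotal) yields found=False."""
    data = report.get("data")
    if not data:
        return {"found": False, "malicious": 0, "total": 0, "label": None}
    attrs = data.get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    return {"found": True, "malicious": stats.get("malicious", 0),
            "total": sum(stats.values()), "label": label}


def query_hash(sha256: str, api_key: str) -> dict:
    """GET /files/{sha256}; HTTP 404 means VirusTotal has never seen the file."""
    req = urllib.request.Request(VT_FILE_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


if __name__ == "__main__":  # constructed usage: env vars, not the diary's setup
    for digest, name in hash_uploads(os.environ.get("UPLOAD_DIR", ".")).items():
        print(name, digest, summarize_report(query_hash(digest, os.environ["VT_API_KEY"])))
```

Hashes never seen by VirusTotal are reported as found=False rather than raising, so a batch run over a full upload directory does not stop at the first unknown sample.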
Read the full entry: https://isc.sans.edu/diary/Utilizing+the+VirusTotal+API+to+Query+Files+Uploaded+to+DShield+Honeypot+Guest+Diary/30688/
[Guest Diary] Friend, foe or something in between? The grey area of 'security research'
Published: 2024-02-22
Last Updated: 2024-02-22 00:21:39 UTC
by Rachel Downs, SANS BACS Student (Version: 1)
[This is a Guest Diary by Rachel Downs, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
Scanning on port 502
I’ve been running my DShield honeypot for around 3 months, and recently opened TCP port 502. I was looking for activity on this port as it could reveal attacks targeted towards industrial control systems which use port 502 for Modbus TCP, a client/server communications protocol. As with many of my other observations, what started out as an idea to research one thing soon turned into something else, and ended up as a deep dive into security research groups and the discovery of a lack of transparency about their actions and intent.
I analysed 31 days of firewall logs between 2023-12-05 and 2024-01-04. Over this period, there were 197 instances of scanning activity on port 502 from 179 unique IP addresses.
Almost 90% of scanning came from security research groups
Through AbuseIPDB and GreyNoise, I assigned location, ISP and hostname data (where available) to each IP address. GreyNoise assigns actors to IP addresses and categorises these as benign, unknown or malicious. Actors are classified as benign when they are a legitimate company, search engine, security research organisation, university or individual, and GreyNoise has determined the actor is not malicious in nature. Actors are classified as malicious if harmful behaviours have been directly observed by GreyNoise, and if an actor is not classified as benign or malicious it is marked as unknown.
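The tally described above (scanning instances versus unique source IPs on port 502, then the share attributable to each actor category), as an added example that is not the diary author's code. It assumes a constructed three-field log format (date, source IP, destination port) and a constructed lookup table standing in for GreyNoise's benign/malicious/unknown actor tags.

```python
from collections import Counter

# Constructed sample firewall log lines (not real honeypot data): date src_ip dst_port
LOG_LINES = """\
2023-12-05 203.0.113.10 502
2023-12-05 203.0.113.10 502
2023-12-06 198.51.100.7 502
2023-12-06 198.51.100.7 23
2023-12-07 192.0.2.44 502
2023-12-08 203.0.113.10 502
2023-12-09 198.51.100.99 502
"""

# Constructed stand-in for a GreyNoise lookup; IPs absent here count as "unknown".
ACTOR_CLASS = {
    "203.0.113.10": "benign",    # e.g. a known research scanner
    "198.51.100.7": "benign",
    "192.0.2.44": "malicious",   # harmful behaviour directly observed
}


def parse_port_hits(text: str, port: int) -> list:
    """Return the source IP of every log line aimed at the given destination port."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == str(port):
            hits.append(parts[1])
    return hits


def classify_hits(hits: list, actor_class: dict) -> dict:
    """Count scanning instances and unique IPs per actor category."""
    by_instance = Counter(actor_class.get(ip, "unknown") for ip in hits)
    by_ip = Counter(actor_class.get(ip, "unknown") for ip in set(hits))
    return {"instances": dict(by_instance), "unique_ips": dict(by_ip),
            "total_instances": len(hits), "total_unique_ips": len(set(hits))}


def benign_share(summary: dict) -> float:
    """Fraction of scanning instances that came from benign (research) actors."""
    if not summary["total_instances"]:
        return 0.0
    return summary["instances"].get("benign", 0) / summary["total_instances"]


if __name__ == "__main__":
    result = classify_hits(parse_port_hits(LOG_LINES, 502), ACTOR_CLASS)
    print(result, f"benign share: {benign_share(result):.0%}")
```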
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Friend+foe+or+something+in+between+The+grey+area+of+security+research/30670/