To document the actions of hackers in our honeypot, we wrote a script that took screenshots of the virtual machine at a given interval and, by comparing each one with the previous screenshot, determined whether something was happening on the machine. When activity was detected, the script switched on screen recording. This approach turned out to be the most effective. We also tried analyzing VNC traffic from a PCAP dump to understand what changes had occurred in the system, but in the end the screen recording we implemented turned out to be simpler and more visual.
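The screenshot-comparison logic described above, written out as an added example (it is not Trend Micro's script). Frames are modelled as flat grayscale pixel buffers constructed in the code, so it runs offline; the per-pixel noise tolerance, change threshold and idle timeout are assumptions chosen for the example, not values from the article. The point it adds is the hysteresis: recording starts on the first changed frame but only stops after several quiet frames, so a pause while an intruder reads output does not fragment the recording.

```python
"""Screenshot-diff activity detector: added illustration, not Trend Micro's code.

A frame is a flat bytearray of 8-bit grayscale pixels. In a real deployment the
frames would come from a VNC framebuffer grab or a screenshot tool; here they
are constructed by hand so the example runs offline.
"""
from typing import List, Optional, Sequence, Tuple

# Tunables are assumptions for this example, not values from the article.
PIXEL_DELTA = 16          # per-pixel change at or below this is treated as noise
CHANGE_FRACTION = 0.001   # start recording when more than 0.1% of pixels changed
IDLE_FRAMES = 3           # stop recording after this many quiet frames in a row

WIDTH, HEIGHT = 64, 48    # tiny constructed screen: 3072 pixels


def changed_fraction(prev: Sequence[int], cur: Sequence[int],
                     delta: int = PIXEL_DELTA) -> float:
    """Fraction of pixels whose intensity moved by more than `delta`."""
    if len(prev) != len(cur):
        raise ValueError("frames must have the same geometry")
    changed = sum(1 for a, b in zip(prev, cur) if abs(a - b) > delta)
    return changed / len(cur)


class ActivityMonitor:
    """Turns a sequence of screenshots into 'start'/'stop' recording events."""

    def __init__(self, threshold: float = CHANGE_FRACTION,
                 idle_frames: int = IDLE_FRAMES) -> None:
        self.threshold = threshold
        self.idle_frames = idle_frames
        self.recording = False
        self.events: List[Tuple[int, str]] = []
        self._prev: Optional[Sequence[int]] = None
        self._quiet = 0

    def feed(self, frame: Sequence[int], t: int) -> Optional[str]:
        """Consume the screenshot taken at time `t`; return an event on transitions."""
        event = None
        if self._prev is not None:
            if changed_fraction(self._prev, frame) > self.threshold:
                self._quiet = 0                      # activity: (re)arm the idle counter
                if not self.recording:
                    self.recording, event = True, "start"
            elif self.recording:
                self._quiet += 1                     # quiet frame while recording
                if self._quiet >= self.idle_frames:
                    self.recording, event = False, "stop"
        self._prev = frame
        if event:
            self.events.append((t, event))
        return event


# --- constructed frames -------------------------------------------------------

def blank_frame(value: int = 40) -> bytearray:
    return bytearray([value]) * (WIDTH * HEIGHT)


def paint(frame: bytearray, x0: int, y0: int, w: int, h: int, value: int) -> bytearray:
    """Return a copy of `frame` with a w*h rectangle at (x0, y0) set to `value`."""
    out = bytearray(frame)
    for y in range(y0, y0 + h):
        for x in range(x0, x0 + w):
            out[y * WIDTH + x] = value
    return out


def demo() -> List[Tuple[int, str]]:
    """Replay a constructed session: idle desktop, a window opens, typing, then idle."""
    base = blank_frame()
    cursor_blink = paint(base, 60, 44, 1, 1, 255)   # 1 px changed: noise, ignored
    window = paint(base, 10, 10, 20, 10, 200)       # 200 px changed: a window opens
    typing = paint(window, 11, 11, 5, 1, 0)         # 5 px changed: text appears
    timeline = [base, cursor_blink, window, typing, typing, typing, typing, typing]
    mon = ActivityMonitor()
    for t, frame in enumerate(timeline):
        mon.feed(frame, t)
    return mon.events


if __name__ == "__main__":
    for t, ev in demo():
        print(f"t={t}: {ev} recording")
```

With the constructed timeline, recording starts at the frame where the window appears (t=2) and stops three quiet frames after the last typing (t=6); a single blinking cursor pixel never triggers it. The thresholds are what need tuning on a real desktop, where clocks and cursors change pixels every interval.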
Monitoring of VNC sessions
For this purpose, we used Chaosreader and VNCLogger. Both utilities extract keystrokes from a PCAP dump, but VNCLogger handles keys such as Backspace, Enter and Ctrl more correctly.
VNCLogger has two drawbacks. First, it can only extract keys by “listening” to the traffic on an interface, so we had to replay the VNC session for it using tcpreplay. The second drawback it shares with Chaosreader: neither displays the contents of the clipboard. For that, we had to use Wireshark.
We lure hackers
We created a honeypot to be attacked. To achieve this, we organized an information leak to attract the attention of potential attackers. The following ports were open on the honeypot:
[Image: the list of open ports did not survive extraction; alt text: “Indescribably attractive: how we created a pot of honey that can’t be displayed”]
The RDP port had to be closed shortly after we went live because the huge amount of scanning traffic on our network was causing performance issues.
The VNC terminals were first running in view-only mode without a password, and then we “mistakenly” switched them to full access mode.
To attract attackers, we published two posts with leaked information about the available industrial system on PasteBin.
One of the posts published on PasteBin to attract attacks. Source: Trend Micro
Attacks
The honeypot lived online for about seven months. The first attack occurred a month after the honeypot went online.
Scanners
There was a lot of traffic from the scanners of well-known companies (ip-ip, Rapid, Shadow Server, Shodan, ZoomEye, etc.). There were so many that we had to exclude their IP addresses from the analysis: 610 of the 9452 unique IP addresses (6.45%) belonged to entirely legitimate scanners.
Scammers
One of the biggest risks we faced was our system being used for criminal purposes: buying smartphones through a subscription account, cashing out airline miles with gift cards, and other types of fraud.
Miners
One of the first visitors to our system turned out to be a cryptocurrency miner. He downloaded Monero mining software onto it. He would not have made much money from our particular system, given its low performance; however, pooling several dozen or even hundreds of such systems could make it worthwhile.
Ransomware
During the honeypot's operation, we encountered genuine ransomware twice. The first case was Crysis. Its operators log in to the system via VNC, then install TeamViewer and use it for further actions. After receiving a ransom note demanding $10,600 in BTC, we entered into correspondence with the criminals and asked them to decrypt one of the files for us. They complied and repeated the ransom demand. We managed to negotiate it down to $6,000, after which we simply redeployed the system on the virtual machine, since we already had all the necessary information.