Today in Edworking News we want to talk about: What is a honeypot?
A honeypot detects and records attacks when an attacker tries to break into a system. The honeypot we will discuss here is an SSH honeypot.
Environment Login Attempts
There were a total of 11,599 login attempts. Divided by 30 days, this means an average of 386 login attempts per day.
Used Usernames
As expected, many attacks target customary and default usernames. For the `345gs5662d34` user, according to the Aalborg University of Denmark, this could be the default credential for a Polycom CX600 IP telephone.

Passwords
Once again, the same string as the default username for the Polycom CX600 IP telephone shows up here, this time as a password.
Commands Executed After Login
Now the interesting part starts:
The oinasf Script
The execution of a mysterious script, `./oinasf`, followed by attempts to read and display the system's executable content, indicates a probing strategy for vulnerabilities or valuable information. The use of `/ip cloud print` suggests that bots target MikroTik routers to access or disrupt cloud-based services, while `uname -s -m` provides them with essential details about the operating system and machine architecture, valuable for crafting further actions tailored to the system's specifics.
In conclusion, these commands represent a clear strategy to infiltrate, assess, and establish control over targeted systems. They emphasize the bot's preference for direct manipulation and sustained access, highlighting the critical need for robust defenses against such common, yet potentially devastating tactics.
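As an added example (not code from the original post or from the honeypot it ran), here is a small analyzer that produces the kind of summary the sections above describe from a honeypot's JSON event log: login attempts per day, the most-used usernames and passwords, hits on known default credentials such as the Polycom CX600 one the post cites, and a label for each post-login command. The Cowrie-style event shape (`cowrie.login.failed` / `cowrie.login.success` / `cowrie.command.input`, with `username`, `password`, `input` and `session` fields) is an assumption, as are the regex rules; the sample log lines are constructed.

```python
"""Summarise an SSH honeypot's JSON event log: attempts per day, most-used
credentials, default-credential hits, and post-login command labels.

Added example; the event format follows Cowrie's JSON log (an assumption,
not something the post states). Sample lines below are constructed."""
import json
import re
from collections import Counter
from datetime import date

# Constructed sample events (not real honeypot data).
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","timestamp":"2024-03-01T02:11:09Z","src_ip":"203.0.113.5","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.failed","timestamp":"2024-03-01T02:11:12Z","src_ip":"203.0.113.5","username":"admin","password":"admin","session":"a1"}
{"eventid":"cowrie.login.success","timestamp":"2024-03-01T04:40:00Z","src_ip":"198.51.100.7","username":"345gs5662d34","password":"345gs5662d34","session":"b2"}
{"eventid":"cowrie.command.input","timestamp":"2024-03-01T04:40:02Z","src_ip":"198.51.100.7","input":"uname -s -m","session":"b2"}
{"eventid":"cowrie.command.input","timestamp":"2024-03-01T04:40:03Z","src_ip":"198.51.100.7","input":"/ip cloud print","session":"b2"}
{"eventid":"cowrie.command.input","timestamp":"2024-03-01T04:40:05Z","src_ip":"198.51.100.7","input":"./oinasf","session":"b2"}
{"eventid":"cowrie.login.failed","timestamp":"2024-03-02T09:00:00Z","src_ip":"192.0.2.9","username":"root","password":"root","session":"c3"}
{"eventid":"cowrie.login.failed","timestamp":"2024-03-03T09:00:00Z","src_ip":"192.0.2.9","username":"345gs5662d34","password":"345gs5662d34","session":"c4"}
"""

# Credentials known to ship as device defaults. The Polycom CX600 entry is the
# one the post cites; the list is a starting point, not an authority.
KNOWN_DEFAULTS = {
    ("345gs5662d34", "345gs5662d34"): "Polycom CX600 default (per the post)",
    ("admin", "admin"): "generic device default",
}

# Command classifiers: (label, regex). They mirror the behaviours the post
# describes; the exact patterns are this example's own choice.
COMMAND_RULES = [
    ("recon-uname", re.compile(r"^\s*uname\b")),
    ("mikrotik-cli", re.compile(r"^\s*/(ip|system|interface)\b")),
    ("exec-dropped-file", re.compile(r"^\s*\./\S+")),
    ("read-binary", re.compile(r"^\s*cat\s+/(bin|sbin|usr/bin)/")),
]


def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def login_stats(events):
    """Attempts per day over all login events, plus credential counters."""
    per_day = Counter()
    users, passwords, defaults = Counter(), Counter(), Counter()
    for ev in events:
        if not ev.get("eventid", "").startswith("cowrie.login."):
            continue
        per_day[date.fromisoformat(ev["timestamp"][:10])] += 1
        cred = (ev.get("username", ""), ev.get("password", ""))
        users[cred[0]] += 1
        passwords[cred[1]] += 1
        if cred in KNOWN_DEFAULTS:
            defaults[KNOWN_DEFAULTS[cred]] += 1
    total = sum(per_day.values())
    # Span covers the whole observation window, including days with no hits.
    span_days = (max(per_day) - min(per_day)).days + 1 if per_day else 0
    return {
        "total": total,
        "days": span_days,
        "avg_per_day": total / span_days if span_days else 0.0,
        "top_users": users.most_common(3),
        "top_passwords": passwords.most_common(3),
        "default_credential_hits": dict(defaults),
    }


def classify_commands(events):
    """Map session id -> list of (command, label) for post-login input."""
    sessions = {}
    for ev in events:
        if ev.get("eventid") != "cowrie.command.input":
            continue
        cmd = ev.get("input", "")
        label = next((name for name, rx in COMMAND_RULES if rx.search(cmd)), "other")
        sessions.setdefault(ev["session"], []).append((cmd, label))
    return sessions


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(login_stats(evs))
    for sid, cmds in classify_commands(evs).items():
        print(sid, cmds)
```

Pointing `parse_events` at a real `cowrie.json` gives the per-day average and top-credential tables directly; the `default_credential_hits` counter is the quickest way to see how much of the noise is device-default guessing, and the session labels make a sequence like recon, MikroTik probe, then execution of a dropped file stand out without reading every transcript.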
The mdrfckr Crypto Miner
This miner simply creates a cron job that deletes everything in the `.ssh` folder and adds a single SSH key, locking other users out. After that, it kills any other miners it finds and then has the machine to itself. You can check the repo of someone who already got hacked and had this miner running on his server.
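As an added example (not code from the post or from the repo it links to), here is a defender-side check for the two persistence moves just described: `authorized_keys` being replaced by a single unknown key, and a cron entry that rewrites `~/.ssh`. The baseline and current snapshots are constructed strings, the key blobs are placeholders, and the suspicious-cron patterns are this example's own choices.

```python
"""Detect the persistence the post attributes to the miner: authorized_keys
replaced by a single attacker key, and a cron entry that rewrites ~/.ssh.

Added example, not code from the post; snapshots and patterns are constructed."""
import re

# Constructed snapshots (placeholder key blobs, not real keys or crontabs).
BASELINE_KEYS = """\
ssh-ed25519 AAAAC3Example1AliceKey alice@laptop
ssh-ed25519 AAAAC3Example2BobKey bob@workstation
"""
CURRENT_KEYS = """\
ssh-rsa AAAAB3Example3UnknownKey mdrfckr
"""
CURRENT_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * rm -rf ~/.ssh && echo "ssh-rsa AAAAB3Example3UnknownKey mdrfckr" > ~/.ssh/authorized_keys
"""

# Cron commands that touch the SSH trust store or kill processes wholesale.
SUSPICIOUS_CRON = [
    ("rewrites-ssh-dir", re.compile(r"rm\s+-rf?\s+\S*\.ssh\b")),
    ("writes-authorized-keys", re.compile(r">\s*\S*authorized_keys")),
    ("mass-kill", re.compile(r"\b(pkill|killall)\b")),
]


def parse_authorized_keys(text):
    """Return {key_blob: comment} for every non-comment key line."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        # parts[0] is either the key type or an options field; the base64
        # blob is the field right after the key type.
        blob_index = 1 if parts[0].startswith(("ssh-", "ecdsa-", "sk-")) else 2
        if blob_index >= len(parts):
            continue
        keys[parts[blob_index]] = " ".join(parts[blob_index + 1:])
    return keys


def diff_authorized_keys(baseline_text, current_text):
    """Report keys added/removed relative to the baseline, plus the lock-out
    pattern: every baseline key gone and exactly one new key present."""
    base = parse_authorized_keys(baseline_text)
    cur = parse_authorized_keys(current_text)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    lockout = bool(base) and not (set(base) & set(cur)) and len(cur) == 1
    return {"added": added, "removed": removed, "single_key_lockout": lockout}


def audit_crontab(text):
    """Return [(line, [labels])] for crontab lines matching a suspicious pattern."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        labels = [name for name, rx in SUSPICIOUS_CRON if rx.search(line)]
        if labels:
            findings.append((line, labels))
    return findings


if __name__ == "__main__":
    print(diff_authorized_keys(BASELINE_KEYS, CURRENT_KEYS))
    for line, labels in audit_crontab(CURRENT_CRONTAB):
        print(labels, line)
```

In practice the baseline is a copy of `authorized_keys` taken at provisioning time and stored off-host, and the current text comes from reading the file and `crontab -l` output on a schedule; an alert on `single_key_lockout` or any cron finding is far cheaper than discovering the miner from the CPU graph.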
The MIPS Malware
Probably another piece of MIPS (Microprocessor without Interlocked Pipeline Stages) architecture malware, targeting routers and IoT devices. Here is a good read and analysis of the behavior of MIPS malware.
The Sakura.sh Script
This script is part of the Gafgyt Malware, also known as BASHLITE, a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks. Here is A Detailed Analysis of the Gafgyt Malware Targeting IoT Devices.
---
Remember these 3 key ideas for your startup:
Stay Proactive with Security: Implementing honeypots can help detect and analyze intrusion attempts, offering valuable insights into attack vectors and malware tactics. For instance, honeypots can identify default credential usage and scripting threats, enabling better defenses.
Understand Attack Patterns: Knowledge about common threats like the Gafgyt malware or crypto mining scripts allows your startup to prepare against similar attacks. This includes monitoring default credentials and unusual login attempts, a step that many may overlook.
Leverage Detailed Reports: Use the data gathered from honeypots to create detailed security protocols tailored to the specific threats your startup or SME might face. This includes setting up cron jobs to monitor system integrity and securing all entry points against IoT-based attacks.
Edworking is the best and smartest decision for SMEs and startups to be more productive. Edworking is a free superapp of productivity that includes all you need for work powered by AI in the same superapp, connecting Task Management, Docs, Chat, Videocall, and File Management. Save money today by not paying for Slack, Trello, Dropbox, Zoom, and Notion.
For more details, see the original source.