Honeypot check-in (03–29–22)

Romeion Case
3 min read · Mar 29, 2022

It’s been a while since I’ve spun up my honeypot to see what is going on out in the world so I decided to do that this weekend and provide a little bit of information about my observations.

For those who do not know, please reference this blog post where I explain what a honeypot is and how it is useful for cybersecurity professionals. That said, let's dive into the findings.

This week I spun up my honeypot for about 24 hours, and recorded a huge volume of attacks being performed against the different honeypot daemons.

The 24-hour window saw more than 150,000 total attacks launched against the dockerized daemons, with the majority of attacks originating from IP addresses based in China; the Netherlands was second on the list, followed by Ukraine, with Bulgaria and the United States rounding out the top 5.

The majority of the attackers, identified by their IP addresses, were classified as ‘known attackers’, accounting for approximately 61% of the attacks. ‘Anonymizers’ were next on the list with 21% of attacks, and ‘mass scanners’ registered 17% of attacks.

The most attacked port by far was port 445, which replaced ports 137–139 as the preferred port for carrying Windows file sharing and numerous other services. This data tracks with current SMB (Server Message Block), also known as “Samba”, vulnerabilities being actively exploited in the wild, such as CVE-2022-24508.

The Suricata CVE Top 10 shows the most popular vulnerabilities attackers attempted to exploit. Some of the vulnerabilities were reported within the last 3 years, while, curiously enough, there were attempts at exploiting vulnerabilities reported as far back as 2001 (CVE-2001-0540). The most common vulnerability, attempted more than 200 times at the time of this report, was a previously reported Linux vulnerability that allowed remote attackers to hijack TCP sessions via a blind in-window attack, CVE-2016-5696.

Next on the list was the vulnerability mentioned previously, CVE-2001-0540, a memory leak vulnerability in Terminal Services on Windows NT and Windows 2000 which allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed Remote Desktop Protocol (RDP) requests on port 3389.

See the list below for all Top-10 CVEs (Suricata alert signature, followed by the number of attempts; a single row can carry several CVE ids when one signature covers more than one CVE):

CVE-2016-5696: 200
CVE-2001-0540: 90
CVE-2012-0152: 76
CVE-2002-0013, CVE-2002-0012: 40
CVE-2019-11500: 21
CAN-2001-0540: 18
CVE-2019-12263, CVE-2019-12261, CVE-2019-12260, CVE-2019-12255: 4
CVE-2021-44228: 4
CVE-2003-0825: 2
CVE-2010-0569: 2

Lastly, and this usually helps make the case for complex passwords and for changing default credentials, here is a snapshot of the most common passwords and usernames attempted against my honeypot (see the graphics below; the bigger the font, the more frequently the value was attempted).

[Figure: word cloud of attempted passwords. The bigger the font, the more times the password was attempted.]
[Figure: word cloud of attempted usernames. The bigger the font, the more times the username was attempted.]
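As an added example (not the author's code, and not part of T-Pot, Cowrie, Suricata or any other honeypot project), the Python script below turns a honeypot's event stream into the kind of summary this post reports: top source countries, top destination ports, the Suricata CVE tally (counting each CVE id once per alert, even where a signature lists the same id twice, as two rows of the table above do), and the most attempted usernames, passwords and default-credential pairs. The event lines, their field names and the short default-credential list are constructed for the example; real Cowrie and Suricata eve.json output uses different field layouts, so the parser's field names are an assumption to adapt.

```python
"""Summarize a honeypot event stream (constructed example, not tool output)."""
import json
from collections import Counter

# Constructed sample events, one JSON object per line. Two shapes are assumed:
#   event_type "login": src_ip, country, dest_port, username, password
#   event_type "alert": src_ip, country, dest_port, cve (list of CVE ids)
# Field names are an assumption for this example; real tools differ.
SAMPLE_EVENTS = [
    '{"event_type":"login","src_ip":"203.0.113.5","country":"CN","dest_port":22,"username":"root","password":"123456"}',
    '{"event_type":"login","src_ip":"203.0.113.5","country":"CN","dest_port":22,"username":"root","password":"root"}',
    '{"event_type":"login","src_ip":"198.51.100.7","country":"NL","dest_port":23,"username":"admin","password":"admin"}',
    '{"event_type":"login","src_ip":"192.0.2.9","country":"UA","dest_port":22,"username":"root","password":"123456"}',
    '{"event_type":"alert","src_ip":"203.0.113.6","country":"CN","dest_port":445,"cve":["CVE-2016-5696"]}',
    '{"event_type":"alert","src_ip":"203.0.113.6","country":"CN","dest_port":445,"cve":["CVE-2016-5696"]}',
    '{"event_type":"alert","src_ip":"192.0.2.20","country":"BG","dest_port":3389,"cve":["CVE-2001-0540"]}',
    '{"event_type":"alert","src_ip":"198.51.100.8","country":"NL","dest_port":445,"cve":["CVE-2019-12263","CVE-2019-12261"]}',
    '{"event_type":"alert","src_ip":"192.0.2.30","country":"US","dest_port":80,"cve":["CVE-2021-44228","CVE-2021-44228"]}',
    '2022-03-27 not json',  # a damaged line, to show the parser skipping it
    '{"event_type":"login","src_ip":"198.51.100.7","country":"NL","dest_port":22,"username":"admin","password":"Zx9!kq"}',
]

# Constructed short list of factory-default credential pairs seen on common devices.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("root", "root"), ("admin", "password"),
    ("root", "123456"), ("pi", "raspberry"),
}


def parse_events(lines):
    """Parse JSON-per-line events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole report
    return events


def top_n(events, key, n=5):
    """Most common values of one field across all events."""
    return Counter(e[key] for e in events if key in e).most_common(n)


def top_cves(events, n=10):
    """Count alerts per CVE id; an id repeated inside one alert counts once."""
    counts = Counter()
    for e in events:
        if e.get("event_type") != "alert":
            continue
        for cve in set(e.get("cve", [])):
            counts[cve] += 1
    return counts.most_common(n)


def credential_report(events):
    """Most attempted usernames/passwords and how many tries were default pairs."""
    logins = [e for e in events if e.get("event_type") == "login"]
    pairs = Counter((e["username"], e["password"]) for e in logins)
    default_hits = sum(c for pair, c in pairs.items() if pair in DEFAULT_CREDENTIALS)
    return {
        "usernames": Counter(e["username"] for e in logins),
        "passwords": Counter(e["password"] for e in logins),
        "default_credential_attempts": default_hits,
        "total_logins": len(logins),
    }


def summarize(lines):
    """Build the whole summary from raw lines."""
    events = parse_events(lines)
    return {
        "total": len(events),
        "by_country": top_n(events, "country"),
        "by_port": top_n(events, "dest_port"),
        "top_cves": top_cves(events),
        "credentials": credential_report(events),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print("total events:", report["total"])
    print("by country:", report["by_country"])
    print("by port:", report["by_port"])
    print("top CVEs:", report["top_cves"])
    creds = report["credentials"]
    print("default-credential attempts: %d of %d logins"
          % (creds["default_credential_attempts"], creds["total_logins"]))
```

Run it as-is to see the summary for the constructed events; to use it on a real capture, replace SAMPLE_EVENTS with the lines of your log file and adjust the field names in parse_events and credential_report to match the tool that wrote them. The default-credential ratio is the number worth tracking over time: it is the share of brute-force traffic that a simple credential change defeats outright.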

In summary, continue to keep up with those vendor fixes and patches. We've seen really ‘old’ vulnerabilities being exploited, so scan those systems and make sure they are up to date. Also, close those unnecessary ports and be diligent about setting those firewall rules to better protect yourself. Finally, change those default credentials; it is one of the simplest things that you can do, and it goes a long way to reduce your attack surface.

Romeion Case

I am a cybersecurity professional, seeking to use my knowledge and experience to help make the world a much safer place.