Have I missed 99% of the content or is this purely to raise awareness? There is no description of the honeypot. Did the person running it manage to intercept any root kits, if yes what were they?
I remember years ago there was this vnc vulnerability that allowed one to login without a password. At the time I was doing "it support" for various small businesses in West Yorkshire, UK. All of my regulars had firewalls with (site to site) vpn for remote access, but often I'd get new clients I never saw before asking to fix something. When that vulnerability came out I was getting calls from such new customers daily about "their system is slow", "our email is not going out" (in these days even small businesses used to run their own email servers). Every single "new customer" I had during the next few weeks was "hacked" by the vnc bug. It seems whoever used to do IT for them left vnc accessible from the Internet (not even limiting the source IPs on the firewall). Every single time the root kits I found had outputs in Chinese (it required changing Windows cmd's settings to even see it). Most were very basic, but they did manage to successfully kill the AV software and they all had their own storage drivers that hid certain folders unless I booted the system in safe mode (these were mostly Windows 2000/2003 SBS servers BTW). Frequently I'd find lists of other victims' IPs on these systems and their scanning software. What was the goal of this campaign? Sending spam of course. As mentioned most clients only realised they were "hacked" when their system became horribly slow, or their outgoing email was cut off by their ISP blocking outgoing smtp traffic from their IPs following complaints. What was the spam? Viagra of course.... I saw lots of these. Many of these systems had personal data of people, I never noticed attempts to exfiltrate such data. The only time I dealt with a proper attempt to steal money from a business account using the IT system was after a disgruntled IT admin was fired.
This was almost 20 years ago. I'd love to find out how small network attackers try to "monetize" their victims today. Are they just searching for crypto, attempting "encrypting data" scams, or is there something more interesting? Curious minds want to know?
They’re actually set up as cloud providers for hire now, as part of the professionalization of the criminal underworld and its stratification into specialized operators.
He's serious. These people actually sell computing services powered by their network of cracked computers. They'll even manage their fleet by patching the vulnerabilities they exploited. Network proxies, redundant distributed storage... Compromised machines could be turned into storage for CSAM, proxies for scrapers or spammers, whatever people want.
I never want to know anything about CSAM and related. But it seems none of us can escape it.
I fear that if I ever make one of my hobby projects public, I'll be forced to learn all the security stuff.
Alas, I suck at security stuff. I left networking and admin for building CRUD apps, so many years ago, because I have no aptitude or interest. (Whereas I love solving customer use cases.)
To me it seems ISP CGNAT is the only thing keeping people relatively safe on the internet.
> What are noobs like me supposed to do?
I'm not about to claim I'm some kind of expert on security but...
Don't let your computers talk to strangers. Your computers should only be talking or listening to you really and maybe other people who you trust and have authorized. If someone is not in that group, they should not even send back an error page, they should not even answer pings.
So set up single packet authorization so that your machines literally drop all network packets unless you send a cryptographically signed packet first. To these bots, it will be like the servers are not even there.
Or better, only use a VPN to connect to your home network. Ideally one like Wireguard that doesn't respond to unauthenticated requests, so from a hacker's perspective is impossible to discern whether it even exists or not.
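The single packet authorization idea from the comment above, as an added example that is not code from any commenter: a knock packet carries a timestamp, a random nonce and an HMAC-SHA256 tag over those plus the client's source address; the receiving side verifies the tag with a constant-time compare, rejects stale packets and rejects replays of a nonce it has already accepted. Only after a valid knock would a firewall rule be opened for that source. The shared secret, the 30 second window and the packet layout are assumptions chosen for this illustration, not any particular SPA implementation's format.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed shared secret for the example; a real deployment provisions one per client out of band.
SECRET = b"example-shared-secret-do-not-use"
WINDOW_SECONDS = 30  # assumed tolerance for clock skew and network delay
PACKET_LEN = 8 + 16 + 32  # timestamp || nonce || HMAC-SHA256 tag


def build_knock(secret: bytes, src_ip: str, now: Optional[float] = None,
                nonce: Optional[bytes] = None) -> bytes:
    """Client side: produce the single authorization packet for this source address."""
    ts = int(now if now is not None else time.time())
    nonce = nonce if nonce is not None else os.urandom(16)
    body = struct.pack("!Q", ts) + nonce
    # Binding the source IP into the MAC means a captured knock is useless from another address.
    tag = hmac.new(secret, body + src_ip.encode(), hashlib.sha256).digest()
    return body + tag


class KnockVerifier:
    """Server side: decide whether one inbound datagram is a valid, fresh, unreplayed knock."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS) -> None:
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp, only for knocks that passed the MAC check

    def verify(self, packet: bytes, src_ip: str, now: Optional[float] = None) -> bool:
        if len(packet) != PACKET_LEN:
            return False  # anything else is silently dropped, like every other unsolicited packet
        now = now if now is not None else time.time()
        body, tag = packet[:24], packet[24:]
        # Authenticate first so that unauthenticated input never influences state below.
        expected = hmac.new(self.secret, body + src_ip.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        ts = struct.unpack("!Q", body[:8])[0]
        nonce = body[8:24]
        if abs(now - ts) > self.window:
            return False  # stale or far-future knock
        # Forget nonces outside the window, then reject anything already accepted inside it.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        if nonce in self.seen:
            return False  # replay
        self.seen[nonce] = ts
        return True


if __name__ == "__main__":
    verifier = KnockVerifier(SECRET)
    knock = build_knock(SECRET, "203.0.113.5")
    print("first knock accepted:", verifier.verify(knock, "203.0.113.5"))
    print("replayed knock accepted:", verifier.verify(knock, "203.0.113.5"))
```

The verifier answers nothing on failure; in a real deployment the reply to a valid knock is a firewall change (for example adding the source address to an allow set), never a response packet, which is what keeps the host invisible to scanners.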
Totally serious. Botnets for hire are rented by spammers, DDoS extortionists and other scum, for much the same reason legitimate enterprises outsource to specialists so they can focus on their core competencies. Not sure how payment is brokered but I'm sure cryptocurrencies are involved.
It feels to me like someone who has only just noticed that the majority of internet traffic is nowadays malicious.
In about 2002 I set up my first domestic mailserver, and was shocked (and frightened) at the proportion of traffic that was malicious. Then I started digging into other system logs. In those days most malicious traffic was from Eastern Europe. I've run honeypots, for entertainment. It was engaging for a while. Eventually I realised that running a home honeypot was a waste of effort, and I just hardened my systems and instituted a bit of monitoring.
Not to me, actually; the mail honeypot I ran purported to be an open relay, but it didn't actually relay the incoming traffic. It dropped everything, and just wrote a log.
> This was almost 20 years ago. I'd love to find out how small network attackers try to "monetize" their victims today
Crypto mining, installing software to sell access to the host as a “residential proxy”, good ole theft of data, using the host for DDoS, click fraud, etc
I've built a simple telnet honeypot that emulated some embedded device.
I also got thousands of samples. I think it was mostly different strains of Mirai.
I learned some things about how bots fingerprint the honeypots, and patched it accordingly that they do not identify my service as a honeypot.
The funny thing about this was that my ISP sent me a letter (by post o.0) that I ran a vulnerable service on my network.
The honeypot had a "MOD" from an old nuclear power plant, and did some random tarpit and randomly let random user/password combinations to log in.
It is important that we all know that if we intentionally configure our networks to draw attention from automated scans that we will draw attention from automated scans.
Indeed, but remember that can also be a sacrificial defensive strategy rather than a "scientific" data collection exercise (which as you say would be biased by a Heisenberg/observability effect). Some honeynets are put up there to simply sink the resources of, and discombobulate attackers. Meanwhile, buried deep in there behind a couple of layers of port knocking, is the real asset.
I’m pretty sure my router came with a UI for enabling a honeypot. Unifi. I never looked into it as it seemed an unwise place to tinker and a complete novice.
Attacks will originate from some cross-section of [country with many broadband connections] and [many outdated / unpatched OSes in use]. But no humans in the loop other than command & control, or people wondering why their device is slow / acting up.
<Insert usual suspect here> high up can be read just as "many internet users there, whose PC or other device is infected with malware that tries to spread itself".
As the article states: the originating device can be a silly IoT device like a router, TV, printer, Ring-style doorbell, etc etc etc. In fact, the chance of a random IoT device being vulnerable and/or being 'recruited' into a botnet may be bigger than the same for a random PC / tablet etc. Many IoT devices are junk that rarely see firmware updates (if any).
There's a large volume of active attempts to access remote systems; they are by definition attacks, regardless of their sophistication or likelihood of success.
Honeypot a popular, recent, public vulnerability and you’ll see a tonne of attacks.
I'm still convinced that the majority of IoT devices are unnecessary nonsense. And I don't think manufacturers care about their great contribution to botnets either.
Just drop all inbound and access your home network behind a vpn remotely for the ultimate protection, not perfect, but far more secure. And monitor at the DNS level, or have a service running to monitor network activity on the terminals.
I have a Mikrotik at my home too.
Besides securing the device, I suggest filtering and logging all the DNS queries and exporting netflows and firewall logs somewhere (ELK or ClickHouse).
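As an added example of what "log all the DNS queries" buys you once the logs land somewhere queryable (this is illustration code, not the commenter's setup): a small pass over a constructed, simplified query log (timestamp, client, name, rcode) that aggregates per client and flags two things a home network watcher commonly looks for, a burst of NXDOMAIN answers from one host (a pattern seen when malware tries a generated list of rendezvous domains) and unusually long labels (a pattern seen with DNS tunnelling). The log format, sample lines and thresholds are all assumptions for the example; tune them to your own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, not real traffic: ts,client,qname,rcode
SAMPLE_LOG = """\
1700000001,192.168.1.10,example.com,NOERROR
1700000002,192.168.1.10,mail.example.com,NOERROR
1700000003,192.168.1.42,qx7f2kd9a1.net,NXDOMAIN
1700000003,192.168.1.42,pl3m0vz8w2.net,NXDOMAIN
1700000004,192.168.1.42,h8sd2kqq1b.net,NXDOMAIN
1700000004,192.168.1.42,example.org,NOERROR
1700000005,192.168.1.42,u0d9f3bbnx.net,NXDOMAIN
1700000006,192.168.1.77,a3f9c2e1b7d4f8a1c6e2b9d0f3a7c5e1.tunnel.example,NOERROR
"""


@dataclass
class ClientStats:
    total: int = 0
    nxdomain: int = 0
    names: set = field(default_factory=set)
    long_labels: int = 0


def parse(log: str):
    """Turn the simplified CSV log into (ts, client, qname, rcode) rows."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split(",")
        rows.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return rows


def summarize(rows, max_label: int = 30):
    """Aggregate per client; max_label is an assumed heuristic threshold for a single DNS label."""
    stats = defaultdict(ClientStats)
    for _, client, qname, rcode in rows:
        s = stats[client]
        s.total += 1
        s.names.add(qname)
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
        if any(len(label) > max_label for label in qname.split(".")):
            s.long_labels += 1
    return stats


def flag_clients(stats, min_queries: int = 4, nx_ratio: float = 0.5):
    """Return {client: [reasons]} for clients whose aggregate looks worth a closer look."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s.total >= min_queries and s.nxdomain / s.total >= nx_ratio:
            reasons.append("nxdomain-burst")
        if s.long_labels:
            reasons.append("long-label")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_clients(summarize(parse(SAMPLE_LOG))).items():
        print(client, ", ".join(reasons))
```

Both rules are deliberately crude; their value is that they run over data you already have once every query is logged, and each hit points at one internal host to inspect rather than at the noise of inbound scans.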
I find it somewhat amusing that it is someone named Postman who “frames the information-action ratio in the context of the telegraph's invention”. Post vs Telegraph :-)
I have several honeypots on different services (some of them mimics industrial automation systems like SCADA), and the majority of these attacks are coming from China, followed by the US and then the Netherlands.
So many IPs from China. Would they not be stopped by China's firewall? I think you can't make an outgoing VPN or SSH connection. Is it possible somebody does a BGP hack and then reuses China IPs?
They do not care about outbound attacks. They care about anything that goes against the approved narrative. The only way I've managed to get them to care was to have a coworker translate my email into Chinese characters and give CIDR blocks to their government and say they are spreading democracy and those networks go silent. The ISP's will just ignore complaints otherwise.
This was ages ago. I try not to hold onto old corporate emails. And agree not to. I've honestly had mixed feelings about it given that some people probably got their door kicked in. In fairness to me they were DDoS'ing my customers. The CIDR blocks were part of a DDoS for hire farm.