Secure Honey

SSH honeypot, deployed in the wild, collecting and sharing data

Cryptojacking Attacks Continue To Target SSH Servers

22 Jul 2021 • 13 min read

Bitcoin

Coming up in today's blog post: I'll be exploring recent cyber attacks targeting my SSH honeypots. Since 2018/19, we've known that SSH servers around the world have been targeted by cryptocurrency mining operations. So I'm curious to analyse my honeypot's logs to understand A) if threat actors are still motivated by cryptocurrency, and B) what techniques are used by threat actors.

Just over 1 month ago I deployed my new SSH honeypots (built in Python, containerised in Docker, see: Secure Honey v2.0 has been launched!). Since then, my honeypots have received 129,122 unauthorised logins (username:password credentials) from 3,780 unique IP addresses. 132,479 (77,214 unique) shell commands have been executed, and 91,927 (64,156 unique) files have been uploaded to the honeypot -- of which 23,874 (53 unique) were malicious.

So let's crack on and explore the data!

...continue reading

Sneaky Malware Reconfigures Hive OS Wallet for Profit

8 Jul 2021 • 7 min read

VirusTotal screenshot

I was sifting through my SSH honeypot logs recently and noticed a suspicious file drop. The file's payload is on trend with other popular cryptomining malware attacks. However, this particular attack goes after miners running Hive OS: a popular management and monitoring tool for mining rigs.

The attack's modus operandi changes Hive OS's wallet configuration to ensure the attacker receives all mined coins. The malware also regularly updates the Hive OS wallet configuration -- so changing the wallet config back won't stop the attack. At the time of writing this blog post, the attack file isn't marked as malicious by VirusTotal.

...continue reading

Secure Honey v2.0 has been launched!

23 Jun 2021 • 2 min read

New Secure Honey logo

Blimey, how time flies! It's been a while since I wrote a blog post for Secure Honey. This is just a quick update to explain the new honeypot and why I've re-launched.

Back in 2016, I took my original honeypot offline. The main reason was that the data being sent from the honeypot to the website hosting account was triggering IDS (intrusion detection system) warnings. At the time, I couldn't think of a way around the problem, so I decided to leave the honeypot offline.

However, fast forward to 2021, and I'm curious to know if SSH attacker methodology has changed. Plus, I found a way around the IDS triggering problem. So, I've launched a brand new version of Secure Honey!

...continue reading

Thank You

8 Sep 2014 • 9 min read

Bernhard presenting Simon with the BCS award

Wow, what an amazing way to end the final year project: SecureHoney.net went viral, the project won an award (left) from the British Computer Society and I've been offered a scholarship to study a cyber security PhD.

It's been nearly three months since the last blog post in which we looked at the Android Simplocker Ransomware.

I decided it would be a good idea to take some time off over the summer so I'm ready and energised for the next adventure which starts later this month.

So what's been happening since the last blog post? Quite a lot as it turns out...

...continue reading

Creating An Antidote For Android Simplelocker Ransomware

17 Jun 2014 • 6 min read

Chemistry bottles

In yesterday's blog post (How To Dissect Android Simplelocker Ransomware) we dissected the new Android Simplelocker ransomware.

In this blog post we'll be creating an antidote for the ransomware to decrypt any files it encrypts.

The process of creating the antidote is actually very simple because the ransomware comes with a built-in decrypt method and cipher password. This means we're able to create our own Java class and copy the decryption code from the ransomware into our antidote class.

So let's jump right in and start creating our antidote for Simplelocker!

...continue reading