Coming up in today's blog post: I'll be exploring recent cyber attacks targeting my SSH honeypots. Since 2018/19, we've known that SSH servers around the world have been targeted by cryptocurrency mining operations. So I'm curious to analyse my honeypot's logs to understand A) if threat actors are still motivated by cryptocurrency, and B) what techniques are used by threat actors.
Just over 1 month ago I deployed my new SSH honeypots (built in Python, containerised in Docker, see: Secure Honey v2.0 has been launched!). Since then, my honeypots have received 129,122 unauthorised logins (username:password credentials) from 3,780 unique IP addresses. 132,479 (77,214 unique) shell commands have been executed, and 91,927 (64,156 unique) files have been uploaded to the honeypot -- of which 23,874 (53 unique) were malicious.
So let's crack on and explore the data!
I was sifting through my SSH honeypot logs recently and noticed a suspicious file drop. The file's payload is on trend with other popular cryptomining malware attacks. However, this particular attack goes after miners running Hive OS: a popular management and monitoring tool for mining rigs.
The attack's modus operandi changes Hive OS's wallet configuration to ensure the attacker receives all mined coins. The malware also regularly updates the Hive OS wallet configuration -- so changing the wallet config back won't stop the attack. At the time of writing this blog post, the attack file isn't marked as malicious by VirusTotal.
Blimey, how time flies! It's been a while since I wrote a blog post for Secure Honey. This is just a quick update to explain the new honeypot and why I've re-launched.
Back in 2016, I took my original honeypot offline. The main reason was that the data being sent from the honeypot to the website hosting account was triggering IDS (intrusion detection system) warnings. At the time, I couldn't think of a way around the problem, so I decided to leave the honeypot offline.
However, fast forward to 2021, and I'm curious to know if SSH attacker methodology has changed. Plus, I found a way around the IDS triggering problem. So, I've launched a brand new version of Secure Honey!
Wow, what an amazing way to end the final year project: SecureHoney.net went viral, the project won an award from the British Computer Society, and I've been offered a scholarship to study for a cyber security PhD.
It's been nearly three months since the last blog post in which we looked at the Android Simplocker Ransomware.
I decided it would be a good idea to take some time off over the summer so I'm ready and energised for the next adventure which starts later this month.
So what's been happening since the last blog post? Quite a lot as it turns out...
In yesterday's blog post (How To Dissect Android Simplelocker Ransomware) we dissected the new Android Simplelocker ransomware.
In this blog post we'll be creating an antidote for the ransomware to decrypt any files it encrypts.
The process of creating the antidote is actually very simple because the ransomware comes with a built-in decrypt method and cipher password. This means we're able to create our own Java class and copy the decryption code from the ransomware into our antidote class.
So let's jump right in and start creating our antidote for Simplelocker!