Profile picture
Vess @VessOnSecurity
, 14 tweets, 5 min read Read on Twitter
OK, folks, the month of October is over here, so it is time for my honeypot report. Let's start with our Telnet & SSH honeypot.
First, the big picture. As always, the USA is at the top of the list of countries where the attacks are coming from. Three TIMES more attacks from there than from the next contender, Germany. The latter is somewhat unusual, Germany is rarely near the top.
Next, a graph of the number of attacks per hour. The honeypot is being attacked nearly once every second on average!
About 7% of the attacks are via SSH (mostly Gafgyt variants) and nearly 93% are via Telnet (mostly Mirai).
The top 5 URLs from which the malware is taken the most often when uploading it to the honeypot. All of them point to Mirai variants.
Details about the top 20 attacking IPs. Surprisingly, DigitalOcean isn't at the top, FranTech is, but DigitalOcean makes it up in volume:
The top ISPs from which the attacks are coming. DigitalOcean is way ahead of everybody else - three TIMES more attacks from it than from the next contender, despite my daily reports to them about the misuse of their services.
Finally, the most often used passwords during the attacks. Nothing unusual here.
But, hey, we also have an SMB honeypot now! We're still fiddling with it and it is occasionally down for maintenance, thus the gaps on some of the following charts.
Let's start with the big picture. Here China is firmly in the top spot among the attackers, closely followed by Russia. The USA is a distant third.
Graph of the number of connections every hour. Averagely once per minute. Not every connection results in malware upload and they often (but not always) go in pairs. Could be just scans or misconfigurations - hard to tell, since there are no logins and commands issued here.
The different uploaded malware files, according to Symantec's scanner (I chose that, because its names are more readable). A handful of files are not detected or not known to VirusTotal. WannaCry is prewalent (89%), Downadup is Conficker (6%), the rest are mostly downloaders.
Details about the top 20 attacking IPs. The topmost one is no longer active, I have no information about the second one. Most are Chinese.
Details about the top 20 attacking ISPs. China and Russia occupy the top spots, no suprise here. Yay, DigitalOcean is present here too.

This concludes the monthly report.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Vess
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @VessOnSecurity see all

Profile picture
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner...

First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.)
The script is quite sophisticated, unlike the usual Mirai crap. It eventually downloads the executable for the appropriate CPU architecture, like

http://104.237.218.85/0/DIGIT1/DIGIT2

where DIGIT1 and DIGIT2 are two decimal digits.
I downloaded one of the executables - zero detections in VirusTotal both for it and for the script.

virustotal.com/#/file/cf3bfd3…

virustotal.com/#/file/9ef5864…
Read 3 tweets
Profile picture
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini No, the code isn't there, although there is something strange...

You are looking at the raw file with a hex editor and are seeing stuff that's in unallocated clusters that aren't part of the OLE2 stream structures at all. You need a more intelligent tool.

Take a look:
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini First, we have the OLE2 structure of the file. This is what you have to look at. The VBA structures are there. The module streams are:

Module1
UserForm1
ThisDocument
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini Now, let's inspect each one of them as a stream, not as raw sectors from the file. Again, you need a tool that understands this. The compressed source is at the end of the stream, with the p-code immediately preceding it.

Module1:
Read 10 tweets
Profile picture
So, some time ago, the site of a customer of ours gets breached, because they used a version of Joomla that's older than my shoes.

Suddenly, all their visitors are forced to mine crypto currencies in their browsers, which tends to be a tad annoying for them.
But no problem, hey? Can happen to anyone. That's why you call a security team - to fix up your shit that's messed up.

Sysadmin doesn't give us full access to their system because "security". We're given access only to the webroot folder.
We clean up the crypto mining scripts but find something else.

Somebody has installed a web shell. Whoever could enter through that web shell has wider access to the system than is given to us for investigating it.
Read 15 tweets

Related threads

Profile picture
IT BEGAN NOT by tapping enemy insurgents’ phones or capturing their emails, but by #FollowingTheMoney

Cache of 328 NS theintercept.com/2018/08/15/nsa…

#Snowden
Aug. 15 2018, 13:00 p.m.

The Intercept's largest-ever SIDtoday release, with 328 documents

#Qanon
#FlashbackFriday
#WWG1WGA
When the #NSA discovered that #Iran may have been buying computer chips from the #UnitedStates routing them through a U.S. ally
&
Potentially supplying them to detonate #bombs against U.S. forces in Iraq & #Afghanistan
It credited so-called economic intelligence with the find.
The solution wasn't a death blow delivered by the #military but rather a new regulation on the export of certain #technologies via the #CommerceDepartment which the #NSA said would end up “saving #American & coalition lives.”

#Qanon
#DARKtoLIGHT
#WWG1WGA
#FridayThoughts
Read 136 tweets
Profile picture
#Khashoggi Case Thread: I am going to ‘pin’ this post to use it as an ‘Info Thread’ on the #Khashoggi Case. I am in #Turkey. I’ve been following the case closely and with access to sources & experts here. This is a very ‘sensitive’ criminal case due to ‘Diplomatic Booby Traps’!!!
The Evidence Obtained Outside Cameras will not show any evidence of ‘tempering’ but other than license plates of dozens of diplomatic cars (Many with tinted windows-large trunks) with related time stamp, drivers Info, model/year: Nothing.
#Turkish Intel-Investigative Bodies also have the list of all Diplomatic & Private Saudi & “other significant’ Planes in #Turkey for the period of ‘interest.’ Many of the Target airports have their own security cameras & related evidence.
Read 335 tweets
Profile picture
Angry Turkish man smashing iPhones with sledgehammer to protest of #USA & Trump !
Different iPhone & USA protests in Turkey @AppleSupport
Another Turkish man smashing an iPhone
Read 13 tweets
Profile picture
Does AUSA Moira Kim Penza, prosecutor in the fed. #NXIVM #RICO criminal racketeering case, realize that her indictments of #NXIVM leader, Keith Raniere aka "Vanguard," last March, may have affected the outcome of the 2018 Mexican Presidential Election? #ArizonaMafia #Democrats
Moira Kim Penza is 1 of the main prosecutors in the federal #NXIVM #RICO criminal case. A #RICO case is very serious; it is 1 of the most complex types of prosecutions the U.S. Government can initiate. Moira's boss is Richard P. Donoghue, U.S. Atty for the Eastern District of NY.
Penza is a smart lawyer. According to publicly available information, she studied at Cornell Law School, a private Ivy League University located in Ithaca, New York. Cornell was ranked the #13 law school in America, out of 203 law schools, by U.S. News & World Report, in 2018.
Read 117 tweets
Profile picture
If the #USA is worried about south #Syria ops it means the establishment is afraid of #SAA's success. Obviously, #SAA took eastern Ghouta with 35K jihadists and the south today has with 20k-25k jihadists & FSA and the geography is much easier.
Actually, the #USA has nothing to do in the south of #Syria. the area is not part of US national security nor it affects #US citizens or interest. It is #Israel that is extremely worried about #SAA regaining demarcation line with #IDF.

#Israel is aware #SAA and its #NDF have gained enough experience and is afraid the long 30-40 years of "peace on the borders" is over: #Damascus next step after the war will be the #GolanHeights, an area rich of oil and exploited by #US companies.

Read 7 tweets
Profile picture
#BreakingNews
@POTUS Trump colluded with American people to #MAGA

The House Intel Committee concluded that Trump went out every single day to touch the hearts & lives of the working class & thats why @realDonaldTrump WON

LETS NOW #KeepAmericaGreat
#MarchForOurLives
#NeverAgain
#RETWEET
@POTUS Trump has replaced Secretary of State Rex Tillerson with former CIA Director Mike Pompeo

He also hired Gina Haspel as the first female director of the CIA

Trump treats the Presidency like a business & if youre not doing your job, YOURE FIRED

#KeepAmericaGreat
#RETWEET
(1)The Felonious "Littering" of 7,000 pairs of shoes by #MarchForOurLives #NeverAgain "Forced Protestors" Needs to STOP Manipulating #USA Youth into these Criminal acts

Next "Protect" like this dont say #Metoo that you Participated
Punishments: ncsl.org/research/envir…
Read 161 tweets

Trending hashtags

#HR #boom #MSM #Arizona #USA #PayAttention #s #Austria #Merkel #notallgeographers #ussstrike #Morality #transparency #Idlib #FIREMCCABETODAY #Uranium #UK #WashingtonPost #entrepreneur #Chinese #Peace #RadicalLiberalTerrorist #Patriots #tightening #Family

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!