CSIRT-IE Honeypot HTTP Scanner Events Report.
Description
This report contains a list of hosts that have been identified and reported for suspicious or malicious activity involving honeypot instances (HTTP-based scanning activity, including exploitation attempts).
HTTP scanning may be benign activity: a search engine indexing the web, or a research project. However, it may also be part of network reconnaissance in the preparatory phase of an attack, an attempt to exploit a vulnerability, or traffic emanating from a botnet that is actively looking to infect new sites or devices. Popular targets include IoT devices (routers, NAS devices, webcams), VPN devices, CMS systems, application servers, application delivery controllers and mail servers (such as Microsoft Exchange Server).
Suspicious & Malicious Activity involving Honeypot Instances.
| No. | Activity | Description |
|---|---|---|
| 1. | Interaction. | Interacting with a honeypot, scanning for and attempting to exploit vulnerabilities, attempting to gain access, accessing restricted areas, attempt to exfiltrate or the exfiltration of data, attempt to deploy or the deployment of malware. |
| 2. | Network Reconnaissance. | Port scanning is often the first step in an attack. |
| 3. | Exploitation of Vulnerabilities. | An attempt to exploit, or the exploitation of, the vulnerabilities of the honeypot. |
| 4. | Exfiltration of Data. | An attempt to exfiltrate data, or the exfiltration of data, from the honeypot. |
| 5. | Network Traffic. | Unusual or unexpected network traffic directed at the honeypot is an indication of potential malicious activity. |
Honeypot
A honeypot is a security mechanism that acts as a decoy, attracting cyber attackers to interact with it instead of the real systems it is designed to protect. These interactions, whether with a low-, medium- or high-interaction honeypot, provide valuable insight into attack methods, techniques and potential vulnerabilities.
Types of Honeypot Designs
There are two (2) primary types of honeypot designs.
| No. | Design | Description |
|---|---|---|
| 1. | Pure Honeypots. | Pure honeypots serve as a decoy system, often as part of an intrusion detection system (IDS), which can be a device or software application that monitors a system for malicious activity or policy violations. Pure honeypots deflect the attention of malicious attackers from the real system while allowing their activity to be monitored and analysed, which may highlight vulnerabilities that can then be addressed and mitigated. |
| 2. | Research Honeypots. | Research honeypots are used for educational purposes and to enhance security awareness. These honeypots contain data that appears to be legitimate information or resources of value to malicious attackers, but with unique identifying properties that make it trackable: the data can be tracked after it has been stolen and exfiltrated, so that the attack can be analysed and connections between different participants in an attack identified. |
Types of Interaction Level Honeypots
| No. | Design | Description |
|---|---|---|
| 1. | Low-Interaction Honeypots. | These honeypots simulate basic services and functionalities that are commonly targeted by attackers, offering limited interaction. They are easier to deploy and manage but provide less detailed information about an attacker's behavior. |
| 2. | Medium-Interaction Honeypots. | These honeypots offer a more realistic environment than low-interaction honeypots, allowing for more complex interactions. They can simulate various services and potentially capture more detailed attack information. |
| 3. | High-Interaction Honeypots. | These honeypots provide a full system environment for the attacker to interact with, mimicking a production system as closely as possible. This allows for an in-depth analysis of attacker behavior but also poses a higher risk due to the potential for the attacker to compromise the honeypot and pivot to other systems. |
How Honeypots Work
| No. | Action | Description |
|---|---|---|
| 1. | Attacker is Lured. | Attackers are drawn to the honeypot by its deceptive nature, believing it to be a vulnerable system. |
| 2. | Interaction. | Attackers interact with the honeypot, scanning for and attempting to exploit vulnerabilities, attempting to gain access, accessing restricted areas, attempting to exfiltrate or exfiltrating data, and attempting to deploy or deploying malware. |
| 3. | Monitoring and Analysis. | Security teams monitor the interactions and analyse the attacker's actions, including the commands used, the files accessed, and the techniques employed. |
| 4. | Defense Enhancement. | The insights gained from the honeypot interactions are used to improve security measures, such as patching vulnerabilities, updating security policies, and enhancing threat detection capabilities. |
Benefits of Honeypots.
| No. | Benefit | Description |
|---|---|---|
| 1. | Early Threat Detection. | Honeypots can alert security teams to active attacks and potentially malicious activity early in the attack lifecycle. |
| 2. | Improved Security Posture. | By understanding the attacker's behavior, organizations can improve and strengthen their defenses and mitigate risks. |
| 3. | Reduced Risk to Production Systems. | Honeypots divert attackers away from critical systems, minimizing the potential for data breaches or system damage. |
| 4. | Research and Development. | Honeypots provide valuable data for security researchers to study the tactics of attackers and to develop new security solutions. |
| 5. | Cost-Effective Security. | Honeypots can be a cost-effective means to enhance security, especially when compared to the costs associated with a data breach or system compromise. |
Guidelines, actions and recommendations for the removal of malware from a computer.
| No. | Action | Recommendations |
|---|---|---|
| 1. | Disconnect host from network. | It is recommended that the host identified in the report be disconnected from the network immediately, either by disconnecting the network cable or by turning off the Wi-Fi. This will prevent an attacker from accessing the device. |
| 2. | Reboot host in safe mode. | In Safe Mode, only essential system services are started, which restricts the operation of any malware on the computer. During the Windows startup process, the F8 key is the designated shortcut to access the Advanced Boot Options menu, which allows users to boot into Safe Mode. |
| 3. | Investigate reported host. | It is recommended that the host identified in the report be investigated to establish and confirm the facts: access the computer logs to establish whether the host performed the Suspicious and Malicious Activity (HTTP-based scanning activity, including exploitation attempts) involving a honeypot at the communication endpoint (Destination Port) and at the timestamp reported. The Shadowserver Foundation does not publicly disclose the IP addresses of its honeypots. The following three (3) items list web applications and the typical locations of their respective log files. |
| 4. | Apache Web Server. | Apache Web Server log files. On Linux systems such as Debian and Ubuntu, access logs are typically found in /var/log/apache2/access.log or /var/log/httpd/access_log; error logs are found in /var/log/apache2/error.log or /var/log/httpd/error_log. |
| 5. | IIS log files on Windows. | IIS (Internet Information Services) log files are typically found in C:\Inetpub\logs\LogFiles. |
| 6. | HTTPERR logs on Windows. | HTTPERR logs on Windows operating systems are typically found in C:\Windows\System32\LogFiles\HTTPERR. |
| 7. | Perform a full anti-virus scan. | It is recommended that a full anti-virus scan of the reported host is performed to ensure the removal of any malware, and in particular of any Remote Administration Tool (RAT) malware that may have been installed by malicious actors. Windows Defender, the built-in security feature of Windows operating systems, is designed to protect against malware and other threats; it is pre-installed and automatically enabled on Windows 10 and 11. Microsoft continually updates the security intelligence in Windows Defender Antivirus to cover the latest threats and tunes its detection logic, enhancing its ability to accurately identify threats. |
| 8. | Reset all passwords. | It is recommended that, after completion of the anti-virus scan, all passwords are reset, including passwords for e-mail accounts and in particular for accounts relating to financial services. It is recommended that two-factor authentication be enabled for added security. |
| 9. | Reinstall the operating system. | In the event that problems or doubts persist: back up important data using a secure method, ensure the backup does not contain infected files, and reinstall the operating system. |
| 10. | Security against future threats. | Ensure that the operating system and all software, including patches and updates released by the vendor, are updated on a regular basis. Use automatic updates from trusted providers when available. Pirated software should be avoided. Ensure that anti-virus scans are also performed on a regular basis and that the anti-virus application used is kept up to date with the newest virus definitions and security patches, so that it can detect and neutralise emerging malware. This is essential for maintaining robust protection against the latest cyber threats. |
| 11. | Monitor Reported Host. | It is recommended that the host identified in the report is monitored, and continues to be monitored, to prevent any future infection or recurrence. |
| 12. | DNS Firewall. | A DNS Firewall is an optimal policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs). This is a DNS service that utilises Response Policy Zones (RPZs) with a threat intelligence (malware feed) service to protect against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets, preventing data exfiltration. |
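As an added example (not part of the CSIRT-IE report or of any Shadowserver tooling), the log check described in item 3 applied to the Apache access logs named in item 4: a short Python script that parses combined-format log lines, restricts them to a reported time window, and flags clients whose request pattern looks like HTTP scanning. The regular expression, the probe-path list and the log lines are constructed for illustration; the reported timestamp is assumed to be supplied as an ISO 8601 string.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format. Regex, probe list and sample lines are constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Paths that HTTP scanners commonly request; a single hit is not evidence of compromise on its own.
PROBE_PATTERNS = ("/.env", "/wp-login.php", "/phpmyadmin", "/cgi-bin/", "/../", "/owa/", "/boaform/")

def parse_line(line):
    # Return the fields of one combined-format line, or None if the line does not match.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def summarise(lines, start=None, end=None):
    # Per-client counters; start/end are ISO 8601 strings (as copied from the report) or None.
    start, end = (datetime.fromisoformat(v) if v else None for v in (start, end))
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0, "probes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or (start and rec["ts"] < start) or (end and rec["ts"] > end):
            continue  # malformed, or outside the reported window: skip rather than guess
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        s["errors"] += rec["status"].startswith("4")   # 4xx: path did not exist or was refused
        s["probes"] += any(p in rec["path"].lower() for p in PROBE_PATTERNS)
    return stats

def flag_scanners(lines, start=None, end=None, min_requests=4, error_ratio=0.5, min_probes=2):
    # A client is flagged on a burst of mostly-4xx requests, or on repeated requests for probe paths.
    flagged = {}
    for ip, s in summarise(lines, start, end).items():
        ratio = s["errors"] / s["requests"]
        if (s["requests"] >= min_requests and ratio >= error_ratio) or s["probes"] >= min_probes:
            flagged[ip] = {"requests": s["requests"], "distinct_paths": len(s["paths"]),
                           "error_ratio": round(ratio, 2), "probes": s["probes"]}
    return flagged

SAMPLE_LOG = [  # constructed lines using documentation address ranges, not real traffic
    '203.0.113.7 - - [12/Apr/2022:08:15:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.27"',
    '203.0.113.7 - - [12/Apr/2022:08:15:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.27"',
    '203.0.113.7 - - [12/Apr/2022:08:15:03 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "python-requests/2.27"',
    '198.51.100.20 - - [12/Apr/2022:08:16:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Apr/2022:08:16:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "this line is not in combined format and is skipped",
]
```

Run `flag_scanners(open("/var/log/apache2/access.log"), start=..., end=...)` with the window from the report; a flagged client that is not the reported host indicates inbound probing of the host, which is a lead for how it may have been compromised rather than proof that it scanned the honeypot.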
Additional Information
Shadowserver Foundation - Daily Honeypot HTTP Scanner Events Report.
Shadowserver Foundation - April 2022 Honeypot HTTP Scanner Events Report.