Category Archives: HoneyPoint

The New Version of HPPE OR Whoop, Here It Is!

Posted on by
Reply

MSI is very proud to announce the release of HoneyPoint Personal Edition 2.00!

This update to the favorite product of many users, comes with all kinds of new power and flexibility, plus a greatly simplified and user friendly interface. Plus, it now supports Linux and Mac OS X in addition to Windows.

If you are new to the functions and capabilities of HoneyPoint Personal Edition, it basically serves up “fake” services on systems. These services then lie in wait for attackers and malware to probe them. When someone, or something, does interact with the service, all transactions are recorded, including their source IP address and timeline. Users are then alerted to the activity and can take defensive actions as needed. For more insight into how HPPE works, download the PDF we have designed for the product from here.

The new version includes many new features, including:

HornetPoints to leverage “defensive fuzzing” as an automated form of defense against hacker tools and malware

Plugins (just like HoneyPoint Security Server) to automate responses and allow user-designed/custom alerts, etc.

You can download the product from the link above for FREE and give it a try, then purchase a license when you are ready from the online store. Per seat licenses start at only $29.95!

Users with valid licenses of HPPE 1.XX can upgrade to the newest version and receive a new license key for the special upgrade price of $9.95 per seat by using the checkout coupon code “upgrade351” in the Digital River software store on the bottom of the page linked above.

Check out HoneyPoint Personal Edition for insight into just how fake applications can increase your security and help your users make better security decisions. If you would like a more enterprise-centric version or capability, we offer that and much more through HoneyPoint Security Server. Give us a call or drop us a line to learn more about it anytime.

Prepping for Release of HoneyPoint Personal Edition 2.00

Posted on by
Reply

Great news!

We are currently prepping for the public release of HoneyPoint Personal Edition 2.00 on Monday. The product has been through two closed Beta’s and a great period of pre-release testing. Thanks to all who helped with the testing and for all who contributed to our cause with product feedback. A special thanks to “DA” from a local organization who really held my feet to the fire on changes and interface updates. Hopefully, everyone will be pleased with the interface and features! (BTW – D – we kept the “lights”…<grin>)

Here is a screen shot of the new main interface on the Mac.

Snapz Pro X001.png

New features include:

HornetPoint defensive fuzzing (patent pending)

Plugins capability from HPSS

Public support for Linux and OS X in addition to Windows

and a few other goodies….

Also, this represents the beginning of the new line for HPPE. Development will remain ongoing on it and we have few more tricks up our sleeves. We are also working on HPSS 3.00 and will begin alpha testing of that new architecture very soon.

Stay tuned for the launch and for more details as they become public!

Poor Visibility is a Solvable Problem

Posted on by
Reply

One of the big thing that many organizations lack today is visibility into their information security posture. Sure, they have vulnerability management and some have “false positive generators” (otherwise known as NIDS), some even have log analysis and event engines. But, with all of that technology, they still are very likely to miss insider attacks and attacks of a subtle nature.

I am continually amazed when organizations demo HoneyPoint technology and they have their first real “AH HA” moment. Usually a bot-infected machine triggers a HoneyPoint during a scan (like with Conflicker) or makes a login attempt against a decoy virtual machine. Occasionally, you see full on attacks underway that get caught by the demo. For example, one unlucky client caught a scan against a POP3 HoneyPoint that was a brute force attempt with VALID logins and passwords. The HoneyPoint alerted and they began an incident that lead to the discovery of a compromised domain. The attackers had cracked the SAM and were using the key admin accounts to see what else they could get into. You can rest assured, that client very quickly went from demo to customer.

Until organizations understand the value of putting forth bait to lure suspicious activity, it is hard for them to grasp that this is not just another source for noise. Once they get their head wrapped around the idea that since a resource is not real, any activity with it is, by default, suspicious at best and malicious at worst, they struggle to understand the leverage that HoneyPoint brings. But, the bad news for attackers is that more and more are getting it. More IT managers are flipping on that light switch and stepping out of the “dark ages” of infosec and into the age of the HoneyPoint.

What can I say, once security folks think differently about the problems, the game changes for the better. The time for threat-centric security has arrived. Things will never be the same again…

Danger: Conflicker Growing at Massive Rate **ALERT**

Posted on by
1

Just a quick word of caution, the MSI::HITME (HoneyPoint Internet Threat Monitoring Environment) is getting nailed by Conflicker worm scans. New hosts (not seen in the last 24 hours) are probing the HITME every 5 mins or so! Scanning for port 445/TCP is growing HUGELY, if not EXPONENTIALLY!

This is important to you for the following reasons if you are an IT person or Infosec person:

  • The rate of spread is quite high. Likely, we will see Internet wide traffic impacts over the weekend or by early Monday if it continues at present growth rate.
  • Even when it plateaus and tapers, this will mean a HUGE INCREASE in infected bot-net machines, the likes of which will likely compare to Kraken or Storm
  • On Monday, you should be prepared for worm war. People who took their machines home and got infected over the weekend will be returning it to your office on Monday or when they come back to work. Look for scanning on a large scale in many organizations.
  • You are likely to get “those calls” from a competitor or other company about “why is your network scanning mine” — always fun!

What can you do?

  • HoneyPoint users (Personal Edition and Security Server) should deploy Linux or virtual decoy hosts (no SAMBA/CIFS) with a HoneyPoint listening on 445/tcp. (Note that you can’t bind to 445 on Windows systems as Windows is using it to host the possibly vulnerable service) Investigate any host that probes that open port.
  • Make sure all servers and as many workstations as possible are patched! (do this NOW!!!!!)(Servers first!!!!)
  • Make sure all AV is up to date. Most AV will catch the overt worm, though evolution and mutation seem likely.
  • Prepare yourself and your team for the battle ahead.
  • If you are a NAC person, pray to the various “NAC Daemons” that your solution actually works and is configured to actually protect you in this event.
  • Obviously, make sure all of your Windows hosts are protected by a real firewall and that port 445 is NOT Internet exposed. (Goes without saying, but obviously not…)

Please, pay attention to this one. It looks “slammer/code red” nasty…..

** 1/25 11:00 AM Eastern Update: After talking with many other folks on twitter and with some wonderful visualization help from @pophop, it appears that the growth is linear, AND NOT EXPONENTIAL. Much of the growth is coming from consumer broadband, especially Asia and Europe. Given the oddity of the source host increases and data from other scans, I am wondering if the infection scans for a while and then goes into a sleep mode to await further instructions. More analysis and such on Monday. Thanks to all for the help, especially @pophop and SANS **

Toata Moves On To Additional Targets

Posted on by
Reply

The Toata bot army has moved on to scanning for additional web-applications to target/catalog. Medium levels of scanning began last night and continue today. The new targets are:

/mantisbt/login_page.php

/tracker/login_page.php

/bugtracker/login_page.php

/bugtrack/login_page.php

/support/login_page.php

/bug/login_page.php

/bugs/login_page.php

/login_page.php

/statistics

/bin/statistics

/twiki/bin/statistics

/wiki/bin/statistics

/wikis/bin/statistics

/cgi-bin/twiki/bin/statistics

/cgi-bin/wiki/bin/statistics

/cgi-bin/wikis/bin/statistics

Check your systems to see if you have these files, if so, check with the responsible projects for updates. Consider additional monitoring and/or removal from service. Investigations should be performed, exploitation timelines and goals are unknown. It appears that Mantis Bugtracker and Twiki are the likely targets. Exploit vectors have not been researched at this time, though Mantis has had known XSS in the login page previously.

Our HoneyPoint Internet Threat Monitoring Environment (HITME) is tracking the scans, sources and payload evolutions. SANS and other groups have been notified.

More Toata Scans for a New RoundCube File

Posted on by
1

Last night, HITME began to pick up various sources scanning for a new file in the RoundCube Webmail product. The file “list.js” is being scanned for by the Toata bot and low levels of port 80 scans matching these probes are ongoing. SANS and the project owners have been informed.

No exploitation has been observed by us thus far in relationship to these scans, but cataloging is ongoing. Intent of the attacker is currently unknown, as is the vulnerability, if any, present in the file.

Following are the signatures captured from one host:

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80

Alert Data: GET /rc/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:39 on port 80

Alert Data: GET /roundcubemail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80

Alert Data: GET /roundcube/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:36 on port 80

Alert Data: GET /webmail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:35 on port 80

Alert Data: GET /email/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

Once again, users of RoundCube Webmail are urged to ensure they are doing additional levels of monitoring, staying current on all patches/updates and taking other precautions. Consider removing RoundCube from Internet exposure until these and other ongoing issues are mitigated.

PHP Threats Continue to Rise But More Work & Education Could Help

Posted on by
Reply

Threats against web applications developed in PHP continue to be an area of high activity and interest for attackers. PHP applications now represent a significant portion of the web-application attack footprints we see in our HoneyPoint Internet Threat Monitoring Environment (HITME). PHP scans and probes for new and emerging vulnerabilities are a common occurrence and one the driving forces behind our deployment of the HITME. Our unique insights into ongoing threat activities allows our vulnerability management and professional services clients to know that they are better protected, even against bleeding edge threats.

PHP security issues are so common that the folks at BreakingPoint Labs call it “one of the most commonly attacked pieces of software on the Internet today”. Even when deployed in so called, “safe mode”, PHP applications can still present a high level of risk. Until, at least, the release and wide scale adoption of PHP 6, issues are likely to continue to abound, maybe even beyond that if the attacker underground has anything to say about it.

PHP security problems also represent a major portion of known web vulnerabilities, especially over the course of 2008. Syhunt, the makers of Sandcat Pro, a web application vulnerability scanner and partner to MSI, has even created Sandcat4PHP, a special source code scanner to help organizations proactively secure their PHP applications during development. Recently, Syhunt created these images that show the impact that PHP vulnerabilities are having on their work. PHP security issues represent an overwhelming margin of their work for the year.

All of this is not to say that PHP development is a bad thing. In fact, PHP developed applications have empowered many new cutting edge applications, fueled the growth of web 2.0 and been a powerhouse for bringing average users the web maturity that they have come to expect. Combining the ease of PHP with the power of MySQL, Apache and other open source tools has become a virtual standard for the online world. PHP applications CAN BE DONE SECURELY, they just require additional work and effort to create secure code, just like any other language. The ease of PHP makes it a great language for learning development, but we, as a community, need to help even those budding developers among us learn the basics of creating secure code. Techniques like input validation, proper sanitization, strong authentication and role-based access controls need to be a core part of our outreach teaching to developers.

In the meantime, while education is being worked on, it might be a wise idea to take a check around your environment and audit any PHP applications in production or planned for use in the near future. Additional work, tools or monitoring may be required to better handle the risk you find. Let us know if we can be of any help or if you desire additional insight into PHP security problems. Keep your eyes on PHP, though, its powerful, flexible capabilities make it a big player in the future of the web!

** Have feedback on this post? Please feel free to leave a comment, drop me a line via email or send me a tweet to @lbhuston on twitter. Thanks for reading! **

Round Cube Webmail Probes Spreading Rapidly

Posted on by
21

Our HoneyPoint Security Server deployment has identified a set of 0-day scans and probes against the Round Cube Webmail system.

The probes are originating from infected Linux systems world wide and appear to be spreading rapidly. Infection of systems via a bot-net client or other form of malware is likely. The extent of compromise is currently unknown, but complete compromise or escalation to complete compromise may be possible.

Research and work with the developers is ongoing. Users of Round Cube Webmail systems should take steps to remove their systems from Internet access and/or implement additional controls for monitoring and protection. Removal of the msgimport.sh script file is highly encouraged, though additional entry points may emerge in the future.

New versions of the application may not have the msgimport.sh file present.

The current version of the attack is probing for the following files:

/nonexistenshit

/mail/bin/msgimport

/bin/msgimport

/rc/bin/msgimport

/roundcube/bin/msgimport

/webmail/bin/msgimport

Our HoneyPoint deployment has been reconfigured to trap additional data about this threat and additional information may be available soon. The MSI technical team is working with our clients to ensure they are protected against this and other emerging threats. Our threat detection capability, provided to us by our HoneyPoint line of products gives us uniquely deep insight and visibility into bleeding edge threats. As always, we strive to use that knowledge to protect our clients and the Internet at large.

More information can be found on this issue by following @lbhuston and/or @honeypoint on Twitter. You can also check back on our blog or schedule a call with one of our team members if you have additional needs.

** Update: @around 2:30pm Eastern, the “Toata” bot-net added the signature to its scans as well. In less than 24 hours there are now at least 2 known bot-nets scanning for the issue. Any bets on how long it will take before “morfeus” scans for it too??? Also, note that the URL request from “Toata” has a double // typo in it….

** Another Update: Syhunt has added tests to Sandcat for the issue. They are now available via update mechanism for clients.

Playing with Plugins for HoneyPoint

Posted on by
Reply

I have been playing with various plugins lately for HoneyPoint. In this case, I wanted to show the output of two plugins I am playing with currently.

The first one is the TweetCLI plugin that I have written about before. In this example, I am going to show an event that has come in and what the plugins did for me.

The TweetCLI plugin posted the following to the @HoneyPoint feed on Twitter:

Suspicious Activity Captured From: 41.205.122.150 on port 23

Then, the console also executed a plugin I lovingly call AutoPoke. It basically does a whois look up of the address and performs a basic nmap TCP port scan of a few common ports. This produced the following output:

OrgName: African Network Information Center

OrgID: AFRINIC

Address: 03B3 – 3rd Floor – Ebene Cyber Tower

Address: Cyber City

Address: Ebene

Address: Mauritius

City: Ebene

StateProv:

PostalCode: 0001

Country: MU

ReferralServer: whois://whois.afrinic.net

NetRange: 41.0.0.0 – 41.255.255.255

CIDR: 41.0.0.0/8

NetName: NET41

NetHandle: NET-41-0-0-0-1

Parent:

NetType: Allocated to AfriNIC

NameServer: NS1.AFRINIC.NET

NameServer: NS-SEC.RIPE.NET

NameServer: NS.LACNIC.NET

NameServer: TINNIE.ARIN.NET

Comment:

RegDate: 2005-04-12

Updated: 2005-07-12

OrgAbuseHandle: GENER11-ARIN

OrgAbuseName: Generic POC

OrgAbusePhone: +230 4666616

OrgAbuseEmail: abusepoc@afrinic.net

OrgTechHandle: GENER11-ARIN

OrgTechName: Generic POC

OrgTechPhone: +230 4666616

OrgTechEmail: abusepoc@afrinic.net

# ARIN WHOIS database, last updated 2008-12-29 19:10

# Enter ? for additional hints on searching ARIN’s WHOIS database.

Starting Nmap 4.68 ( http://nmap.org ) at 2008-12-30 xxx AST

Interesting ports on 41.205.122.150:

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

23/tcp filtered telnet

25/tcp closed smtp

79/tcp closed finger

80/tcp filtered http

110/tcp closed pop3

135/tcp filtered msrpc

136/tcp closed profile

137/tcp closed netbios-ns

138/tcp closed netbios-dgm

139/tcp filtered netbios-ssn

443/tcp closed https

445/tcp filtered microsoft-ds

1433/tcp closed ms-sql-s

3389/tcp closed ms-term-serv

5800/tcp closed vnc-http

5801/tcp closed vnc-http-1

5900/tcp closed vnc

5901/tcp closed vnc-1

6666/tcp closed irc

6667/tcp closed irc

6668/tcp closed irc

6669/tcp closed irc

Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds

This output is kind of fun (at least to me) to watch. I get real time info about where scans and probes are coming from. I also get real time port info from the scanning hosts. Over time, this gives me some pretty interesting insight into common postures of hosts that appear to be compromised or infected.

In this case, this particular host was interesting because of the source. Our global HoneyPoint deployments don’t see too many offending hosts from this particular region. Over time, if I see more activity originating from there or the like, then I can decide if the threat levels in that area are increasing, but none the less, even this first one is interesting. A quick review of the host shows a likely vulnerable ssh deployment, which may indicate that the host is compromised and/or bot-net infected. Of course, this is all supposition, but interesting (to me) anyway.

Now you know how I spend my time. I love to watch the ebb and flow of attacks, probes and scans. I like to know the sources and virtual “look and feel” of the victim systems. I suppose that is where many of the capabilities in HoneyPoint come from. I think they are just toys that I would like to play with, thus they end up in the product. Do you have some plugins you would like to see or some new HoneyPoint toys or functions you would enjoy? If so, drop me a line. We are working on the plans for HPSS 3.xx as we speak, so now would be a great time to hear a want list from the public!

Thanks for reading!

New Twitter Feed of “Bad Touches” Available

Posted on by
Reply

For those of you interested in security, black listing or HoneyPoint stuff, check this out.

I used the TweetCLI tool I blogged about earlier to write a HoneyPoint Security Server plugin. The plugin fires for each event and tweets the attacker IP and source port that the deployed HoneyPoints covered by this console saw.

There are several hosts and networks reporting HoneyPoint alerts to this console. All of these HoneyPoints are Internet exposed, so you should be able to see some basic sources of scans, probes and malware attacks.

I am not presently publishing the payloads, though I may in other ways in the future or show aggregate data in some manner.

The basis for the “bad touches” is that these are hosts and ports not truly offering any services, thus any interaction with them could be considered suspicious at best and malicious at worst. An IP address will only be tweeted once per 24 hour period currently, regardless of the amount of interaction it has with HoneyPoints reporting to this console.

You can watch the stream via the web at http://www.twitter.com/honeypoint or by following @honeypoint on twitter. There could be a lot of tweets depending on attack trafffic, so know that up front.

Please let me know if you like the feed, any plans or ways you can think of that it might be helpful to you or other feedback. We are offering this up to the community and we hope that it is helpful to those interested in HoneyPoints, security trending and/or black list generation.

Let me know your thoughts and thanks for reading!