Category Archives: HoneyPoint

MSI Launches New Threat Modeling Offering & Process

Posted on by
Reply

Yesterday, we were proud to announce a new service offering and process from MSI. This is a new approach to threat modeling that allows organizations to proactively model their threat exposures and the changes in their risk posture, before an infrastructure change is made, a new business operation is launched, a new application is deployed or other IT risk impacts occur.

Using our HoneyPoint technology, organizations can effectively model new business processes, applications or infrastructure changes and then deploy the emulated services in their real world risk environments. Now, for the first time ever, organizations can establish real-world threat models and risk conditions BEFORE they invest in application development, new products or make changes to their firewalls and other security tools.

Even more impressive is that the process generates real-world risk metrics that include frequency of interaction with services, frequency of interaction with various controls, frequency of interaction with emulated vulnerabilities, human attackers versus automated tools, insight into attacker capabilities, focus and intent! No longer will organizations be forced to guess at their threat models, now they can establish them with defendable, real world values!

Much of the data created by this process can be plugged directly into existing risk management systems, risk assessment tools and methodologies. Real-world values can be established for many of the variables and other metrics, that in the past have been decided by “estimation”.

Truly, if RISK = THREAT X VULNERABILITY, then this new process can establish that THREAT variable for you, even before typical security tools like scanners, code reviews and penetration testing have a rough implementation to work against to measure VULNERABILITY. Our new process can be used to model threats, even before a single line of real code has been written – while the project is still in the decision or concept phases!

We presented this material at the local ISSA chapter meeting yesterday. The slides are available here:

Threat Modeling Slides

Give us a call and schedule a time to discuss this new capability with an engineer. If your organization is ready to add some maturity and true insight into its risk management and risk assessment processes, then this just might be what you have been waiting for.

Yet More SSH Fun – This Time With Humans!

Posted on by
Reply

2b.jpg

OK, so last week we took an overview of SSH scans and probes and we dug a bit deeper by examining one of our HoneyPoints and the SSH scans and probes it received in a 24 hour period.

This weekend, we reconfigured that same SSH HoneyPoint to appear as a known vulnerable version. And, just in time for some Monday morning review activity and our blog posting, we got what appears to be an automated probe and then about an hour later, a few attempts to access the vulnerable “service” by a real human attacker.

Here is some of the information we gathered:

The initial probe occurred from a 62.103.x.x IP address. It was the same as before, a simple connection and banner grab. The probe was repeated twice, as per the usual activity, just a few seconds apart.

This time, ~40 minutes later, we received more connections from the same source IP. The IP address only connected to port 22, they did no port scanning, web probes or other activity from that address or in that time frame.

The attacker made several connections using the DropBear SSH client. The attacker seemed to be using 0.47, which has a couple of known security issues, according to the banner the client sent to the HoneyPoint.

The attacker performed various SSH handshake attempts and a couple more versions of banner grabbing tests. Over the next ~20 minutes, the attacker connected 5 times to the HoneyPoint, each time, probing the handshake mechanism and grabbing the banner.

Finally, the attacker decided to move on and no more activity has been seen from the source IP range for a day and a half.

The attacker source IP was from a Linux system in Athens, Greece that appears to belong to an ISP. That system has both OpenSSH 3.9p1 and regular telnet exposed to the Internet. The system advertises itself by hostname via the telnet prompt and the name matches its reverse DNS entry.

We contacted the abuse contact of the ISP about the probes, but have not received any comment as of yet.

The interesting thing about this specific set of probes was that the human connections originated from the same place as one of the banner grabbing scans. This is not usual and is not something that we have observed in the recent past. Usually, the probes come from various IP addresses (likely some form of worm/bot-net) and we rarely see any specifically identifiable human traffic. So, getting the attention of the human attacker is certainly a statistical anomaly.

The other interesting behavior piece here was that the attacker did not bother to perform even a basic port scan of the target. They specifically focused on SSH and when it did not yield to their probes, they moved on. There were several common ports populated with interesting HoneyPoints, but this attacker did not even look beyond the initial approach. Perhaps they were suspicious of the SSH behavior, perhaps they were lazy or simply concentrating on SSH only attacks. Perhaps, their field of targets is simply so deep that they just moved on to easier – more usual targets. It is likely we will never know, but it is certainly interesting, no doubt.

Thanks for the readers who dropped me emails about their specific history of SSH problems. I appreciate your interest in the topic and I very much appreciate the great feedback on the running commentary! I hope this helps some security administrators out there, as they learn more about understanding threats against their networks, incident handling and basic event research. If there are other topics you would like to see covered in the future, don’t hesitate to let me know.

Deeper Dive into Port 22 Scans

Posted on by
Reply

Today, I wanted to take a deeper dive into several port 22 (SSH) scans that a single HoneyPoint deployment received over the last 24 hours. SSH scanning is very common thing right now and our HoneyPoints and firewalls continually experience scans from hosts around the world.

The particular HoneyPoint we are using for this look at the issue is located outside of the US on a business-class network in South America.

Over the last 24 hours this HoneyPoint received SSH probes from 4 specific hosts. These hosts are detailed below:

60.191.x.x – a Linux system located in China on a telecomm company’s network

83.16.x.x – an unknown system located on a consumer (DHCP) iDSL segment in Poland – we could go no further with this host since it is likely to have changed IP addresses since the probe…

218.108.x.x – another Chinese Linux system on yet another Chinese telecomm company’s network (is there anything else in China??? )

216.63.x.x – a NAT device that is front-ending a business network and web server deployment for an optical company in El Paso, TX, USA

The pattern of the probes in each case was the same. Each host completed the 3 way TCP handshake and waited for the banner of the responding daemon. The system then disconnected and repeated the process again in about 90-120 seconds. Basically, simple banner grabbing. The probing system did not send any traffic, just grabbed the banner and moved on.

The HoneyPoint in question was configured to emulate the current version of OpenSSH, so the banner may not have been what the probing attack tool was looking for. It has since been reconfigured to emulate historic versions with known security vulnerabilities.

But, what of the hosts performing the scans? Well, all 3 of them that could be reliably analyzed were found to be running OpenSSH. Two were running 3.6.1p2 and the other was running 3.4p1. Both of these are older versions with known issues.

It is very likely that these are worm/bot infected hosts and the malware is merely looking for new hosts to spread to. Interestingly, 2 of these hosts appeared to be used for regular commerce. Both were acting as a primary web server for the company and one of them even had an e-commerce site running (it also had MySQL exposed to the Internet). No doubt, any commercial activity taking place on the device is also compromised.

MSI has alerted the relevant owners of these systems and at least one of them is moving to handle the security incident. Hopefully, their damage will be minimal and they can rebuild the system easily, since at this point it is likely to also be infected with a root kit. We will advise them as they need help and assist them until they get their problem solved.

In the meantime, I hope this gives you a better look at some of the SSH scanning that goes on routinely. On average, this particular HoneyPoint deployment is scanned for SSH every 5.25 hours. This time varies from locale to locale, with US sites getting scanned more often, particularly on commercial networks. The majority of these scans come from China, with Eastern Europe pulling a distant second. In some cases, some of our US HoneyPoint deployments get scanned for SSH every 1.5 hours on average, so it is a very common attack, indeed.

Obviously, you should check your own network for SSH exposures. You should also take a look at your logs and see if you can identify how your site stacks up against the average time between scans. Feel free to post comments with any insights or time averages you come up. It could make for some interesting reading.

Increase in European “Options” HTTP Scans from Linux Systems

Posted on by
Reply

Over the weekend, we saw a large increase in HoneyPoint captures of HTTP fingerprinting scans using the “Options *” technique. Even more interesting was that nearly all of these scans originated in Europe. The scans were all originated from Linux boxes and simple port probes show all of the boxes to be running OpenSSH 4.3 (some with p2). Other ports show no consistency on the originating systems.

Clearly, it could be a coincidence, but for multiple hosts to show only that correlating port, it could also be a specific exploit for OpenSSH 2.4. Additional research shows a few known issues with this version of OpenSSH. Perhaps a new bot-net is being launched by leveraging this vulnerability?

We are deploying additional SSH HoneyPoints to try and capture more data about possible exploitation of systems meeting these implementations.

Editor’s Note: The current version is OpenSSH 4.7/4.7p1 – so if you are using older versions (including 4.2/4.3) you should upgrade as soon as possible to the current revision.

Post revised to update for identified existing OpenSSH issues. 

More Chinese Scans for Web Bugs

Posted on by
Reply

This morning I was checking through my usual HoneyPoint deployments and it was a normal day. As usual, the last 24 hours brought a large number of web application bug scans from hosts in China. They are the normal PHP discovery probes, some basic malware dropper probes against known web vulnerabilities and a ton of web server fingerprinting probes from various Chinese hosts.

China has now surpassed the US as the source of most global probes and attacks, a least according to Arbor. Check out the China profile here.

One of my close friends, JK, claims that there is a massive initiative underway in China to map the Internet on a global scale and to have a fairly up to date global vulnerability matrix for the world’s systems. While this could be true, and is certainly possible, with a large enough set of bot-infected hosts that dropped data back to a centralized database, it is an interesting thought.

For sure, these probes and scans exist on a global basis. Our international HoneyPoints pick up much of the same Chinese traffic as our US ones. Perhaps a quick check of some of your logs will show the same. Much discussion of pro-active blocks against Chinese address space is underway in several organizations. Perhaps this is something we should all think about?

Laying the Trap with HoneyPoint Personal Edition & Puppy Linux Live CD

Posted on by
Reply

Recently, I have been capturing quite a bit of attacker probes and malware signatures using a very simple (and cheap) combination of HoneyPoint Personal Edition (HPPE) and a Puppy Linux Live CD. My current setup is using an old Gateway 333MHz Pentium Laptop from the late 90’s!

The beauty of this installation is that it lets me leverage all of the ease of a Live CD with the power and flexibility of HPPE. It also breathes new usefulness into old machines from our grave yard.

So, here is how it works. I first boot the machine from the Puppy Live CD and configure the network card. From my FTP server (or a USB key) I download the binary for HPPE Linux (available to licensed HPPE users by request), the license and my existing config file. That’s it – run the binary and click Start. Now I am set to trap attack probes and malware to my heart’s content!

It really is pretty easy and the new email alerting now built into HPPE allows me to remotely monitor them as well from my iPhone email. This makes a nice, easy, quick way to throw up HoneyPoints without needing a separate console or a centralized monitoring point.

This setup is very useful to me and has even got me thinking about adding a plugin interface to HPPE in future releases. That would essentially give you the power to write custom alerting mechanisms and even fingerprinting tools for attacking systems.

Give this setup a try and be sure to let me know your thoughts on HPPE. As always, MSI really wants to hear your ideas, input and feedback on our work.

Thanks for reading and have fun capturing attack data. Some of this stuff is pretty darn cool! 😉

VMWare Virtual HoneyPoint Host Appliance

Posted on by
Reply

MSI is proud to announce a VMWare appliance based on Damn Small Linux (DSL) for HoneyPoint hosting.

The VM appliance is available free from the HoneyPoint FTP site provided in your license documents. The appliance currently has all available HoneyPoints installed and configured to autostart with the installation.

Root and “dsl” account passwords are “hpss”. Obviously, please change the passwords when you configure the system!

All HoneyPoints have basic configurations provided, and will need to be edited for the location of your console. Currently, they point to 127.0.0.1.

The appliance is capable of being used in any of the VMWare products from Player to ESX and includes use in the OS X Fusion environment.

You can use the VM to emulate entire workstation(s) on the network using Player and such, or use ESX to sprinkle them around your virtual environments en masse. The image is smaller than 60Meg and needs less than 128 Meg of RAM at full utilization. In testing, we easily ran 10 of them on older machines still waiting in the lab for death or recycle….  😉

Let us know if you have any questions, or comments. We really dig this idea and folks seem to really want it.

A Month in the Life of a HoneyPoint Deployment

Posted on by
Reply

Hello. I am a HoneyPoint deployment. My administrator has deployed me on a small business network of a financial institution. I have around 25 HoneyPoints deployed throughout their network, all reporting back to my console. It has been an interesting first 30 days of my life, indeed.

It all started when I was initially deployed. The admin started my listeners on a small group of servers and a couple of virtual workstations. Almost immediately, there was trouble! In my first few hours, I picked up scans of my web server psedo-service HoneyPoints. I was getting continually bombarded by four workstations from the sales group that were probing my pseudo-web services for a whole bunch of PHP files! I alerted the admin, and she found that those four laptops had been infected with an evil bot-net that was systematically scanning our networks for vulnerable PHP applications that the human controllers would later exploit. Good thing I came online when I did, because those four sales folks had just returned from a conference in Las Vegas, and it looks like their systems should have been running my younger cousin HoneyPoint:Network Trust Agent, because they had really been compromised. Ah well, what happens in Vegas, stays in Vegas I always heard. I guess not this time.

All went well for a couple of weeks, but then I had to alert the admin again. This time I had some joker consultant who was poking at my SMTP HoneyPoints. From the looks of it, that guy was trying to send email to the Internet and was looking for an open mail relay inside our network that would let him get through our firewall. The admin had a stern conversation with him and he behaved from then on.

Then, things got really exciting!  Yesterday, a new event came into my proxy from our DMZ segment. My admin had stealthily added some HoneyPoints into the DMZ that listened for SQL database traffic on the appropriate ports. Sure enough, I suddenly caught wind of some odd packets that were hitting my listeners out there. Nothing sets me off like SQL traffic to systems that are not running SQL. I hated to have to bother the admin again, but she told me afterward that her old IDS used to send her thousands of alerts a day (and many of those were false positives!!!) – so I didn’t feel so bad after all when I sent an email to her cell phone with the news.

She came running and through some quick analysis found that an attacker had compromised one of the web-applications in the DMZ and had gained control of the web server! Of course, not knowing that I was on guard, they began to use SQL tools to search for database servers that might hold valuable data – like human credit card numbers or something called Social Security Numbers. Either way, their plan was foiled and my admin took the web server offline and rebuilt it – this time with the missing patch for the web-application hole.

So, that’s my story so far. Not too bad for my first 30 days, huh? Who would have thought that I would have such an interesting story to tell. I always feared I might not see much action, but it looks like I have found my home. I have a good admin, a cool server rack and enough security work to keep me busy. Heck, since I don’t have any signatures to update and don’t require my admin to do more than “deploy and forget” about me, I wonder what she will do with all of her new found time? Maybe she will take up a new hobby, or get to learn about something called vacation. No matter, I will be here, ever vigilant, just waiting for the next security issue to arise. Yes, sir, who could ask for more?

Blast(s) From the Past

Posted on by
Reply

A few of my HoneyPoints delivered an interesting blast from the past to me this morning. Around 2pm Eastern yesterday, one of our IP ranges got hit by a scan with this signature on port 80:

GET /level/16/exec/-///pwd HTTP/1.0

The web connection was then followed by a series of connections on port 23, though the tool did not do anything more than banner grabbing on the telnet port.

While the scan was obviously an attempt to exploit the old Cisco HTTP vulnerability (circa 2001), I had not seen probes for those issues in quite some time. I also had not seen a tool that also connected on port 23 of the same host and did banner grabbing, so thus why this stood out above the usual noise.

This brought about a very interesting point that many of these old vulnerabilities are making comebacks. Scans for old web vulnerabilities like Unicode issues, Double Decode, Code Red and the ASN.1 worm continue to be among the most seen probes on the Internet. Other folks have talked about the idea that perhaps as more third world countries become more Internet connected, that technology may not be updated there as rapidly – which could cause the lifecycle of older vulnerabilities to either be reborn or at least, eek out a longer existence. Could ancient vulnerabilities like RDS and .HTR buffer overflows still be leveraged for Internet compromise? The possibility is high that some small percentage of systems is likely available as a vulnerable target.

Does this mean that vulnerabilities will have a lifecycle that approaches infinity? If there are still systems out there that are vulnerable, why would some attacker without general worries of discovery not just keep building a super-worm that continually crawls the net looking for every known web vulnerability to date? If incorporated and distributed through bot-net style approaches, this is likely pretty feasible – particularly if you can make the attack smart enough to adapt its vulnerability testing to the specifics of a target – much like a modern scanning tool.

How will some of these older vulnerabilities fair? It remains to be seen, but my bet is that blasts from the past are likely to keep on rolling in some diminutive way. Let’s just say that I think it will be a long time before we live in a Code Red free world.