Bournemouth 2600 Honey Net (B26HN)

Introduction

The Bournemouth 2600 group recently embarked on a research project involving honeypots posing as legitimate corporate gateways to attract threats towards them.

Once the honeypots are targeted, we can gather targeting information such as exploit source IPs, payload hosts, HTTP.URI fields, and HTTP.RequestBody fields. By analysing these attempts, we can also link them to known exploited CVEs in various devices and software.

The overall goal of the Bournemouth 2600 Honey Net (B26HN) project is to gather indicators of compromise (IOCs), malware samples, and exploit techniques, and to share them with the community for analysis, detection, and prevention.

This project began with the help of B2600 members:
  • Will
  • Adam
  • Nico
  • Olloy
  • Levi

GreyNoise Sensors

This research project was supported by GreyNoise, which offers a community service that lets you install sensors on devices and servers to turn them into honeypots. The data is then collected and made available via the GreyNoise platform. We can then download raw packet capture (PCAP) files for analysis in Wireshark, or inspect the data with GreyNoise's own Analyze tab in the platform.

The image below shows a GreyNoise sensor script being installed onto a Raspberry Pi belonging to Olloy (a Bournemouth 2600 member on the B26HN project).

Our Honeypots

Using GreyNoise's Profile Library for Sensors, we decided to make our honeypots appear to be enterprise gateway devices (a sort of deception tech).

In the image below, you can see we decided to masquerade as devices such as a Fortinet SSL-VPN, an Ivanti SSL-VPN, a Cisco ASA SSL-VPN, and a Citrix NetScaler ADC gateway.

When attackers scan our honeypots, they see HTTP response headers matching those of the real devices, and the HTML of the real login pages if they browse to them on TCP port 80.

Malware & Bots

In the first week of running the Bournemouth 2600 Honey Net project, we observed several malware and bot families. These include RedTail, RondoDox, Mozi, and Androxgh0st.

All of the indicators of compromise (IOCs) for these malware and bot families have been made available in the link below.

Using JA4 for Fingerprinting

One of the analysis methodologies we used to investigate data from our honeypots involved exporting the PCAP files from GreyNoise and loading them into Wireshark. Then, using the JA4 plugin for Wireshark, we were able to find a TLS handshake fingerprint that matched multiple IP addresses belonging to the RedTail malware family.
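The JA4 plugin derives its fingerprint from the TLS ClientHello alone, which is why one value can tie several source IPs to the same client stack. To show exactly what goes into it, here is an added Python implementation of the JA4 ClientHello fingerprint (our own example code, not the post's or FoxIO's reference implementation), run over a constructed ClientHello. The hostname vpn.example.com, the cipher and extension lists, and the helper names (`build_client_hello`, `sample_extensions`, `ja4_parts`) are assumptions, and the value it produces is not the RedTail fingerprint referred to above.

```python
import hashlib
import struct

# RFC 8701 GREASE values; JA4 drops them before counting or hashing anything.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}


def parse_client_hello(record: bytes) -> dict:
    """Pull legacy_version, cipher list and (type, data) extensions from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                      # 5-byte record header + 4-byte handshake header
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                # legacy_version and the 32-byte client random
    pos += 1 + record[pos]                       # length-prefixed session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                       # length-prefixed compression_methods
    extensions = []
    if pos < len(record):
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            extensions.append((etype, record[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def _hash12(s: str) -> str:
    """JA4 truncated hash: first 12 hex chars of SHA-256, or twelve zeros for an empty list."""
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "0" * 12


def ja4_parts(record: bytes, transport: str = "t") -> tuple:
    """Return (JA4_a, JA4_b, JA4_c); join with '_' for the full JA4. transport: 't' TCP / 'q' QUIC."""
    hello = parse_client_hello(record)
    ext_data = dict(hello["extensions"])
    # Version: highest non-GREASE entry in supported_versions (0x002b), else legacy_version.
    version = hello["version"]
    if 0x002b in ext_data:
        sv = ext_data[0x002b]
        offered = [struct.unpack_from("!H", sv, i)[0] for i in range(1, 1 + sv[0], 2)]
        offered = [v for v in offered if v not in GREASE]
        if offered:
            version = max(offered)
    ciphers = sorted(c for c in hello["ciphers"] if c not in GREASE)
    ext_types = [t for t, _ in hello["extensions"] if t not in GREASE]
    alpn = "00"                                  # first and last char of the first ALPN name
    if 0x0010 in ext_data:
        a = ext_data[0x0010]
        first = a[3:3 + a[2]]                    # skip 2-byte list length and 1-byte name length
        if first:
            name = first.decode("ascii", "replace")
            if name[0].isalnum() and name[-1].isalnum():
                alpn = name[0] + name[-1]
            else:                                # non-alphanumeric name: use its hex form
                alpn = first.hex()[0] + first.hex()[-1]
    ja4_a = (f"{transport}{TLS_VERSIONS.get(version, '00')}"
             f"{'d' if 0x0000 in ext_data else 'i'}"
             f"{min(len(ciphers), 99):02d}{min(len(ext_types), 99):02d}{alpn}")
    ja4_b = _hash12(",".join(f"{c:04x}" for c in ciphers))
    # JA4_c: sorted extensions minus SNI (0000) and ALPN (0010), then "_" and the
    # signature_algorithms list in wire order. SNI and ALPN still count toward JA4_a's total.
    ext_str = ",".join(f"{t:04x}" for t in sorted(t for t in ext_types if t not in (0x0000, 0x0010)))
    if 0x000d in ext_data:
        sa = ext_data[0x000d]
        n = struct.unpack_from("!H", sa)[0]
        ext_str += "_" + ",".join(f"{struct.unpack_from('!H', sa, i)[0]:04x}" for i in range(2, 2 + n, 2))
    return ja4_a, ja4_b, _hash12(ext_str)


def build_client_hello(ciphers, extensions, client_random=bytes(32)) -> bytes:
    """Assemble a constructed ClientHello record from cipher ids and (type, data) extensions."""
    body = b"\x03\x03" + client_random + b"\x00"           # legacy_version 1.2, random, empty session_id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # cipher list, then the null compression method
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_extensions(sni=b"vpn.example.com", alpn=b"h2"):
    """Constructed extension set: a GREASE entry, SNI, ALPN, signature_algorithms, supported_versions."""
    sni_ext = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    alpn_ext = struct.pack("!HB", len(alpn) + 1, len(alpn)) + alpn
    sig_ext = struct.pack("!HHHH", 6, 0x0403, 0x0804, 0x0401)
    sv_ext = bytes([6]) + struct.pack("!HHH", 0x3a3a, 0x0304, 0x0303)
    return [(0x6a6a, b""), (0x0000, sni_ext), (0x0010, alpn_ext), (0x000d, sig_ext), (0x002b, sv_ext)]


SAMPLE_CIPHERS = [0x2a2a, 0x1301, 0x1302, 0xc02b, 0xc02f]   # one GREASE entry and four real suites
```

Two ClientHellos from the same client stack with different randoms, session IDs or SNI names produce the same JA4, which is what lets a fingerprint seen from one IP be matched to others in the capture; dropping or reordering ciphers, extensions or ALPN changes it. The constructed sample yields a JA4_a of `t13d0404h2` (TLS 1.3 via supported_versions, SNI present, four non-GREASE ciphers, four non-GREASE extensions, ALPN `h2`).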


Threat Data Sharing

Following the analysis of the data in our honeypots, we were able to extract IOCs related to various malware and bot families. These include exploit source IPs, payload host IPs, payload delivery URLs, related file hashes, and JA4 fingerprints. Other indicators, such as HTTP.URI request data and HTTP.RequestBody data, have also been made available for analysis.
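As an added illustration (our own example code, not the project's tooling or the contents of its repository), the script below turns honeypot request records into the IOC classes listed above and then applies them as a simple detection rule over proxy log lines, which is the use the conclusion recommends. The record field names, the key=value log format, and all addresses (RFC 5737 documentation ranges and example.net hosts) are constructed for the example and are not real indicators.

```python
import re
from collections import defaultdict

# Matches http(s) URLs embedded in URIs or request bodies (stops at shell/HTML metacharacters).
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?/[^\s\"'<>;|&]*")

# Constructed honeypot request records (hypothetical field names; documentation-range
# addresses and example.net hosts, so nothing here is a real indicator).
HONEYPOT_REQUESTS = [
    {"src_ip": "198.51.100.23", "uri": "/remote/login", "body": ""},
    {"src_ip": "198.51.100.23", "uri": "/cgi-bin/update",
     "body": "url=http://203.0.113.10:8080/payload/arm7"},
    {"src_ip": "192.0.2.77", "uri": "/api/v1/ping?target=http://203.0.113.10:8080/payload/x86",
     "body": ""},
    {"src_ip": "192.0.2.77", "uri": "/", "body": ""},
    {"src_ip": "192.0.2.200", "uri": "/ui/login", "body": "src=https://files.example.net/loader.sh"},
]


def extract_iocs(requests):
    """Turn raw honeypot hits into IOC sets: exploit source IPs, payload URLs and payload hosts."""
    iocs = {"source_ips": set(), "payload_urls": set(), "payload_hosts": set(),
            "uris_by_source": defaultdict(set)}
    for req in requests:
        iocs["source_ips"].add(req["src_ip"])
        iocs["uris_by_source"][req["src_ip"]].add(req["uri"])
        # Payload URLs can sit in either the request line or the body, so scan both.
        for url in URL_RE.findall(req["uri"] + " " + req["body"]):
            iocs["payload_urls"].add(url)
            # Host part without scheme, path or port (hostnames and IPv4 literals only).
            host = url.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0]
            iocs["payload_hosts"].add(host)
    return iocs


# Constructed key=value proxy log lines to run the IOC sets against.
PROXY_LOG = """\
2025-01-01T10:00:01Z src=10.0.0.5 dst=203.0.113.10 url=http://203.0.113.10:8080/payload/x86
2025-01-01T10:00:02Z src=10.0.0.9 dst=192.0.2.1 url=https://www.example.com/
2025-01-01T10:00:03Z src=198.51.100.23 dst=10.0.0.1 url=http://10.0.0.1/remote/login
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)$")


def match_log(log_text, iocs):
    """Detection rule: flag lines touching a known exploit source, payload host or payload URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip rather than guess
        reasons = []
        if m["src"] in iocs["source_ips"]:
            reasons.append("inbound from known exploit source")
        if m["dst"] in iocs["payload_hosts"]:
            reasons.append("outbound to known payload host")
        if m["url"] in iocs["payload_urls"]:
            reasons.append("fetch of known payload URL")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(HONEYPOT_REQUESTS)
    for kind in ("source_ips", "payload_hosts", "payload_urls"):
        print(kind, sorted(iocs[kind]))
    for hit in match_log(PROXY_LOG, iocs):
        print(hit["ts"], hit["src"], "->", hit["dst"], "|", "; ".join(hit["reasons"]))
```

The two kinds of match are worth keeping separate in a real rule: an inbound hit from a known exploit source says a scanner has reached you, while an outbound fetch of a known payload host or URL from an internal address suggests an exploit already landed and is pulling its second stage, which warrants a much higher severity.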

All the relevant threat data from our honeypots will be shared via our GitHub repo here:

Conclusion & Call to Action

So far, this has been a fun and interesting research project looking at live data and extracting real-time threat information.

Hopefully the IOCs and threat data we share via our public GitHub will be useful for other researchers. Anyone wishing to learn more about the data can raise a GitHub issue, and we will investigate and reply.

We recommend defenders use the raw info we share to create detection rules that can identify and prevent these threats, stopping adversaries and incidents before they turn into breaches.

The B26HN project will continue to track the data we receive from our GreyNoise sensor array and publish any interesting findings via this blog and our GitHub.