MHN or, Honey(pots), I’m Home! Fun with some easy to deploy HPs

OK, so I am just getting started with this, so I’m not pretending to be an expert. I have no doubt some of you are going to say, “Hey stupid, it’s easier if you…” and I’m fine with that. I’m doing this as a learning experience and to keep from getting (too) rusty on the tech side. Besides, it’s fascinating.

What is it?

MHN stands for Modern Honey Network. It’s a pretty cool way to deploy and track many different types of honeypots. The software and description are located HERE

What’s involved?

Well, it’s not horribly tough actually. You need a Linux/Unix machine or VM and some time. According to the Git page, Ubuntu 12.0.4.3 x86_64 and CentOS 6.7 are supported. I am running it on an Ubuntu 14 LTS x64 and it seems fine so far.

I’m not going to get into the install how-to, as that is already documented on the Git site, but I will share some tips and observations so far.

Number 1: You need a “server”. This will run the MHN server side. Overhead seems pretty low, so you don’t need a beast. Keep in mind that if you are putting sensors outside of your network, you will need to have ports 80 and 10000 open between the server and sensor(s). Port 80 can be closed when you are not doing installs, but it will need to be open to the server during deployments because the deploy script uses wget to download the packages from the server. Port 10000 needs to be open all the time to get reports from the honeypots. I have a NAT rule set up for port 80 in pfSense that I enable when I’m deploying and disable when I’m not. So far so good.

Number 2: You need hardware or VM sensors. My first sensors were just VMs. I made a secondary network (192.168.2.x) and locked down almost all comms to my .1.x network to reduce the chance of things getting in the door on my real network. Only port 10000 can pass traffic between the .1 and .2 subnets. It still feels weird inviting in the bad guys, but I feel pretty safe. These sensors run Kippo and WordPot. My third sensor was just deployed on a cheap server I got from CloudAtCost.com. It was a $17.50 fee and I own it forever, nothing recurring. It’s low power (1 CPU, 512MB RAM, 10GB SSD), but it seems fine for what it’s doing. (If you sign up for one of these, please contact me and I’ll give you my email address so I can get another server free.) This one started getting traffic almost immediately. I installed Dionaea and Snort on this one, and it’s been lighting up pretty good.

Number 3: Deploy the software. It’s pretty easy, you go to the “Deploy” tab in MHN and it gives you a script to run on the sensor (an OS must be installed already). Make sure the IPs look good (should be the IP your sensor will use to hit the MHN server) and let it rip. One thing I found is, if it fails, make sure you run ‘apt-get update’ and try again. Once this is done, it should show up in the sensors section of the MHN webpage and it should start reporting shortly.
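Before pasting the deploy script, it is worth confirming from the sensor that the two ports above are actually reachable. This is an added pre-flight script of my own, not part of MHN or its deploy script; it assumes the MHN server address is passed as an argument (192.0.2.10 below is a placeholder, not a real host).

```bash
#!/usr/bin/env bash
# Added example: pre-flight check to run on a new sensor before pasting the
# MHN deploy script. Not part of MHN. The server address is an argument;
# 192.0.2.10 in the usage comment is a documentation placeholder.

# tcp_reachable HOST PORT: returns 0 if a TCP connection succeeds within 3s.
# Uses bash's /dev/tcp so nothing beyond bash and coreutils is needed.
tcp_reachable() {
    local host="$1" port="$2"
    timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# preflight SERVER: checks the two ports the deploy needs and returns the
# number of unreachable ports (0 means the sensor can deploy and report).
preflight() {
    local server="$1" failures=0
    # Port 80 is only needed during deployment: the deploy script fetches
    # the honeypot packages from the MHN server with wget.
    if tcp_reachable "$server" 80; then
        echo "ok   ${server}:80    package download will work"
    else
        echo "FAIL ${server}:80    enable the port 80 rule before deploying"
        failures=$((failures + 1))
    fi
    # Port 10000 must stay open permanently; it carries the sensor reports.
    if tcp_reachable "$server" 10000; then
        echo "ok   ${server}:10000 sensor reports will reach the server"
    else
        echo "FAIL ${server}:10000 the sensor would deploy but never report"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Only runs when invoked directly with a server address, e.g.
#   ./preflight.sh 192.0.2.10
# A failed deploy is usually stale package lists, so refresh them first
# (needs root) and retry the deploy script afterwards.
if [ "$#" -gt 0 ]; then
    if [ "$(id -u)" -eq 0 ]; then
        apt-get update >/dev/null 2>&1 || echo "warn apt-get update failed"
    fi
    preflight "$1"
fi
```

Run it on the sensor as root; a non-zero exit code tells you which firewall rule to fix before the deploy script is worth trying.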

I’ll keep reporting progress as I play around.

Make your own pew-pew map!
Listing of Sensors
Deploy Script

Names, SSNs and W-2s of current and former employees of Lexington Medical Center lost in data breach

The names, SSNs, and W-2s of current and former employees at Lexington Medical Center are the latest casualties of a data breach. They say no patient information was lost, and it appears the attack was on the org’s PeopleSoft database.

This comes on the heels of Lexington Co. School District suffering a breach in January where, once again, W-2s were lost.


Things are picking up on my Kippo server

I’ve been playing around with MHN and some honeypots this week. I appear to have got Kippo running OK on my home network and just bought a server at www.cloudatcost.com (for $17.50 to own it forever, it was a no-brainer) where I will add another node. I just knocked out a snort instance on the Kippo box and will wait to see if it reports. I find it fascinating how quickly things get scanned. If you have any tips or tricks for MHN or honeypots in general, let me know please.

Bingham County Idaho taken down by ransomware

Another county has been taken down by ransomware. The ransom demand here is $25-$30k via Bitcoin or Western Union.

“Every department in the county is affected in some way. Phone systems, computer systems, everything. Some departments are handwriting documents,” says Bingham County Commissioner Whitney Manwaring.

The IT staff thought the infection had been cleaned up, but a redundant, backup server was infected again, leading to the county going offline. “We had all kinds of firewalls in place to prevent these kinds of things from happening,” Manwaring told EastIdahoNews.com. “To prevent this from happening again there will likely be several more firewalls and more training for staff using county computers.”

More firewalls? Really? I’m not sure if this was misquoted by the press, or if the County Commish was just not familiar with the terms, but firewalls do very little to stop ransomware. Perhaps they mean they are going to do a better job segmenting the network; the staff training is a good idea, though.

Trend Micro Ransomware File Decryptor Covers a Decent Number of Strains

While not perfect, this is a nice little tool to have in the toolbox just in case. I haven’t tried it personally, but it is said to decrypt files encrypted by the strains listed below. Keep in mind there are some issues with certain strains, such as CryptXXX V3 and CERBER, so be sure to read the instructions and notes before proceeding. Hopefully you will never need this, but if you do, good luck.

The tool will attempt to decrypt files encrypted by:

  1. CryptXXX V1, V2, V3
  2. CryptXXX V4, V5
  3. Crysis
  4. DemoTool
  5. DXXD
  6. TeslaCrypt V1
  7. TeslaCrypt V2
  8. TeslaCrypt V3
  9. TeslaCrypt V4
  10. SNSLocker
  11. AutoLocky
  12. BadBlock
  13. 777
  14. XORIST
  15. Teamxrat/Xpan
  16. XORBAT
  17. CERBER V1
  18. Stampado
  19. Nemucod
  20. Chimera
  21. LECHIFFRE
  22. MirCop
  23. Jigsaw
  24. Globe/Purge (V2 and V3)

Erich’s “What in the (cyber security) world is going on?” 02-16-17 edition

So, I will unabashedly admit to failing miserably at making my weekly post the last couple of weeks. I’ve been traveling and webinaring and otherwise buried in stuff. Oh, and I was abducted by aliens. Yeah, that’s it… aliens. Either way, my bad.

Careless Licking Gets a Nasty Ransomware Phishing Infection

Yeah, I totally took this headline from my employer. It was just too good to pass up. What happened is Licking County Ohio got hit by ransomware that took down about 1,000 machines and completely shut down the town government. The best quote I’ve seen for a while came from that when County Auditor Mike Smith commented: “Apparently, our clock still works”. Ouch!


Polish banks hit by malware sent through hacked financial regulator

Well, some smooth slick soul managed to upload malware to the Polish financial regulator’s website, which resulted in infections in some Polish banks. Not a good thing, not at all. Just goes to show, be cautious even when dealing with “trusted” sources.


There is a fake Netflix app that is ransomware

Trying to steal Netflix? It may cost you. Just pay the $8/mo, for crying out loud.


New campaign spreading ransomware and another trojan simultaneously

Because Locky doesn’t suck enough as it is, this campaign is also downloading a click-fraud trojan so they can make a few bucks on the side. Shameless.


Mirai is spreading via Windows malware

They have started spreading this via Windows trojans as they work to build the largest, most terrifying IoT botnet ever known to man. When fridges revolt, nobody is safe!


Arby’s got breached

More than 350,000 credit and debit cards could be at risk after Arby’s POS systems were found to be malware laden. I’d say more, but I have no beef with them. (<- you see what I did there, right?)


Soda machines take down a university

A gaggle of infected IoT devices, including vending machines, caused a lot of havoc at an unnamed university by flooding the DNS server with seafood-related lookups. Obviously something was fishy, so they took action and tracked it down.


That’s all I have this week. I’m going to work on doing more mini posts based on things I see during the week, so subscribe and you will get those notifications. Thanks!

FUD or Fact? Is ransomware and social engineering really that big of a threat?

We hear the stories almost daily, we see the headlines in the news, but how worried should we be?

The answer really is, it depends. Today I have seen a few headlines including this whopper: “New ransomware could poison your town’s water supply if you don’t pay up“. It sounds very scary, and the idea is, but it is important to understand that this is based on a Proof of Concept (PoC) attack demonstrated at RSA. Is it possible that this could occur? I suppose it is, but the real question is whether it is likely. The answer is, not right now. This makes it FUD, or “Fear, Uncertainty and Doubt”. There is a big difference between showing a PoC and doing it in the wild, so you can sleep well tonight.

but…

This is where it gets a bit spooky. It is possible, and if the researchers that did this are thinking about it, you can bet our enemies, and the bad guys just out for a big payout, are too. So research like this is important, but let’s not start stocking up on bottled water just yet.

What is the real threat RIGHT NOW?

The current threats deal more with making fast money and wreaking havoc on organizations by locking them out of records and data that is required to do business. Even that threat is expanding, though, as hackers work to innovate. Before we see water supplies threatened, expect to see more and more attacks where the bad guys are threatening to, or actually are, publicly releasing sensitive information. Imagine if your organization’s “secret sauce” or proprietary information was made public. How much did it cost you to develop that, and how much of a competitive advantage would be lost if that happened? Take KFC’s “Secret Recipe” for example. Rumor is, it is guarded by eunuch Ninja cyborgs… or something like that.

The other real threat is CEO Fraud (aka BEC) and W-2 scams that are happening right now. Just yesterday I spoke with an individual that signed up for our training because they sent all of their employees’ W-2s to some scammers. They were surprised to learn that they are not alone. Manatee County, FL (in my own back yard) was a victim, as was Argyle School District in Texas. Even Snapchat got caught in the crosshairs last year. This is real, this is in the wild, and it is happening to organizations of every size in every industry.

So, what do you do about it?

The number 1 way to counter these attacks is through user training because the number 1 attack vector is via email phishing. You train your folks and phish them with non-malicious payloads and links. This way they get used to spotting these phishing emails before something real hits. Technical controls are just not reliable enough to catch and stop these targeted attacks, but making your users a “Human Firewall” is.

The number 2 thing is to have good backups. This really only matters for ransomware because once you send money or W2 info, backups won’t help. For those cases, number 2 is to have a plan to deal with it. Developing this plan will help you react quickly and help you develop policies to avoid these attacks (e.g. ALWAYS talk to the requestor on the phone BEFORE sending money or sensitive info). All should agree on this policy, and they will if you have trained them on the threats. Also, know who your local law enforcement contacts are, and how to contact them. Having a PR firm and/or lawyer in mind is also a good idea.

So, keep an eye on the new developments, but don’t get dragged in to the FUD. Focus on the real, current threats and you will do more to protect yourself than by chasing the possible (but not likely) ghosts of things to come.