Month: February 2017

So, as I go down the path of playing with MHN, I did an external scan of the Dionaea honeypot I recently put up and found that NMAP easily picked out the fact that it was running Dionaea. Since I am working on trying to capture some payloads, I knew I had to do something to disguise it better. I followed this post and was able to change it up. I may look in to building this in to the deploy package in the near future.

Now I wait.  🙂

Before:

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)

 

After:

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.2.9
22/tcp   open  ssh           (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
5060/tcp open  sip           (SIP end point; Status: 200 OK)

Lockdroid is throwing out a new twist. What could possibly go wrong here? Think about how often you have been annoyed by trying to get a machine to understand your voice. Imagine that after you have been ransomed. You are really screwed if you are Scottish (language warning)! 🙂

 

As usual, things in the cyber social engineering and ransomware world are moving along hot and heavy. W2s are the hot topic for a lot of people right now as they are a hot item with the scammers. Watch yourself and keep your company safe. At least let them know that this is happening.

So, having said that, let’s start the recap!

Trend Micro Ransomware File Decryptor Covers a Decent Number of Strains

While not perfect, this is a nice little tool to have in the toolbox just in case. I haven’t tried it personally, but it is said to decrypt files infected from the list below. Keep in mind there are some issues with certain strains, such as CryptXXX V3 and CERBER, so be sure to read the instructions and notes before proceeding. Hopefully you will never need this, but if you do, good luck.

 

Phishing attack nabs hospital employees’ W-2 info

Citizens Memorial Hospital got hit with a W2 scam. This is really big this time of year folks. Be careful with sensitive information I have seen a number of orgs, many of them school districts, hit with the W2 scams this year. Protect this info please.

 

Bingham County Idaho taken down by ransomware

Another County has been taken down by ransomware. The ransom demand here is $25-$30k via Bitcoin or Western union.

“Every department in the county is affected in some way,” “Phone systems, computer systems, everything. Some departments are handwriting documents.”  says Bingham County Commissioner Whitney Manwaring.

The IT staff thought the infection had been cleaned up, but a redundant, backup server was infected again, leading to the county going offline. “We had all kinds of firewalls in place to prevent these kinds of things from happening,” Manwaring told EastIdahoNews.com. “To prevent this from happening again there will likely be several more firewalls and more training for staff using county computers.” More firewalls? Really? I’m not sure if this was misquoted by the press, or if the County Commish was just not familiar with the terms, but firewalls do very little to stop ransomware. Perhaps they are going to do a better job segmenting the network, and the staff training is a good idea though.

 

Watch Dogs 2 New DLC Has a Ransomware Storyline

This may be the first time I’ve seen ransomware in a video game. It’s kind of telling as to how mainstream it’s becoming. I can’t speak for the game as I’ve never played it, but the premise of a ransomware fueled story mission is interesting. For those that do play,  it’s supposed to be available March 23rd. Let me know how it is.

 

Office Inbox Receives 6.2X More Phishing And 4.3X More Malware Than Your Inbox At Home

While this doesn’t mean you should let your guard down at home, it does mean that attacks are focused on organizations more than individuals. Interestingly enough, Companies active in real estate were the most targeted with malware, where  organizations active in Finance, Entertainment and IT were the most targeted by phishing as of Q1 2017.

 

Names, SSNs and W-2s of current and former employees of Lexington Medical Center lost in data breach

The names, SSNs, and W-2s of current and former employees at Lexington Medical Center are the latest victims of a data breach. They say no patient information was lost and it appears the attack was on the orgs Peoplesoft database. This comes on the heels of a Lexington Co. School District suffering a breach in January where, once again, W2’s were lost.

 

Things are picking up on my Kippo server

I’ve been playing around with MHN (Modern Honey Network) and some honeypots this week. I appear to have got Kippo running OK on my home network and just bought a server at www.cloudatcost.com (for $17.50 to own it forever, it was a no-brainer) where I will add another node. I just knocked out a snort instance on the Kippo box and will wait to see if it reports. I find it fascinating how quickly things get scanned. If you have any tips or tricks for MHN or honeypots in general, let me know please.

 

Have a great week and stay safe out there!

 

 

 

 

OK, so I am just getting started with this, so I’m not pretending to be an expert. I have no doubt some of you are going to say, “Hey stupid, it’s easier if you…” and I’m fine with that. I’m doing this as a learning experience and to keep from getting (too) rusty on the tech side. Besides, it’s fascinating.

What is it?

MHN stands for Modern Honey Network. It’s a pretty cool way to deploy and track many different types of honeypots. The software and description are located HERE

What’s involved?

Well, it’s not horribly tough actually. You need a Linux/Unix machine or VM and some time. According to the Git page, Ubuntu 12.0.4.3 x86_64 and Centos 6.7 are supported. I am running it on an Ubuntu 14 LTS x64 and it seems fine so far.

I’m not going to get in to the how-to install as that is already documented on the Git site, but I will share some tips and observations so far.

Number 1: You need a “server”. This will run the MHN server side. Overhead seems pretty low, so you don’t need a beast. Keep in mind that if you are putting sensors outside of your network, you will need to have ports 80 and 10000 open between the server and sensor(s). Port 80 can be closed when you are not doing installs, but will need to be open to the server during deployments as they use a WGET function from the server to dl the packages. Port 10000 needs to be open all the time to get reports from the honeypots. I have a NAT rule set up for port 80 in Pfsense that I enable when I’m deploying and disable when I’m not. So far so good.

Number 2: You need hardware or VM sensors. My first sensors were just VMs. I made a secondary network (192.168.2.x) and locked down almost all comms to my .1.x network to reduce the chance of things getting in the door on my real network. Only port 10000 can pass traffic between the .1 and .2 subnets. It still feels weird inviting in the bad guys, but I feel pretty safe. These sensors run Kippo and WordPot. My 3rd sensor was just deployed on a cheap server I got from CloudAtCost.com. It was a $17.50 fee and I own it forever, nothing recurring. It’s low power (1 CPU, 512MB RAM, 10GB SSD), but it seems fine for what it’s doing. (If you sign up for one of these, please contact me and I’ll give you my email address and I can get another server free). This one started getting traffic almost immediately. I installed Dionaea and Snort on this one, and it’s been lighting up pretty good.

Number 3: Deploy the software. It’s pretty easy, you go to the “Deploy” tab in MHN and it gives you a script to run on the sensor (an OS must be installed already). Make sure the IPs look good (should be the IP your sensor will use to hit the MHN server) and let it rip. One thing I found is, if it fails, make sure you run ‘apt-get update’ and try again. Once this is done, it should show up in the sensors section of the MHN webpage and it should start reporting shortly.

I’ll keep reporting progress as I play around

 

 

Deploy Script

I’ve been playing around with MHN and some honeypots this week. I appear to have got Kippo running OK on my home network and just bought a server at www.cloudatcost.com (for $17.50 to own it forever, it was a no-brainer) where I will add another node. I just knocked out a snort instance on the Kippo box and will wait to see if it reports. I find it fascinating how quickly things get scanned. If you have any tips or tricks for MHN or honeypots in general, let me know please.

While this doesn’t mean you should let your guard down at home, it does mean that attacks are focused on organizations more than individuals.

Interestingly enough, Companies active in real estate were the most targeted with malware, where  organizations active in Finance, Entertainment and IT were the most targeted by phishing as of Q1 2017.

This may be the first time I’ve seen ransomware in a video game. It’s kind of telling as to how mainstream it’s becoming. I can’t speak for the game as I’ve never played it, but the premise of a ransomware fueled story mission is interesting. For those that do play,  it’s supposed to be available March 23rd. Let me know how it is.

Another County has been taken down by ransomware. The ransom demand here is $25-$30k via Bitcoin or Western union.

“Every department in the county is affected in some way,” “Phone systems, computer systems, everything. Some departments are handwriting documents.”  says Bingham County Commissioner Whitney Manwaring.

The IT staff thought the infection had been cleaned up, but a redundant, backup server was infected again, leading to the county going offline. “We had all kinds of firewalls in place to prevent these kinds of things from happening,” Manwaring told EastIdahoNews.com. “To prevent this from happening again there will likely be several more firewalls and more training for staff using county computers.”

More firewalls? Really? I’m not sure if this was misquoted by the press, or if the County Commish was just not familiar with the terms, but firewalls do very little to stop ransomware. Perhaps they are going to do a better job segmenting the network, and the staff training is a good idea though.