LebahNET 2.0 – Distributed Honeypot Network

Author: Nasim / Ramadhan / Hafiz / Shuaib

Introduction

Security practitioners develop ways to detect cyber attacks that pose a potential risk to Internet users: to secure vulnerable computer systems, to alert the community, and to learn how such attacks are carried out. One way of detecting malicious attacks is to deploy a luring agent that acts as a decoy for the attack. This decoy agent is known as a honeypot.

CyberSecurity Malaysia, through MyCERT, established a Honeynet project, a collection of distributed honeypots, to study how exploits function and to collect malware binaries. A honeypot is a software mechanism set up to mimic a legitimate system, so that malicious software is lured into believing it has found a real site that is vulnerable to attack. Honeypots allow researchers to detect, monitor and counter malicious activity by studying what happens during the intrusion phase and in the attack payload.

In mid-2007, a major overhaul of the honeypot took place under the Cyber Early Warning System (CEWS) project; the result was known as LebahNET mini. In 2015, as more resources were invested in the project, a lightweight and passive honeypot was successfully deployed at identified strategic locations. The MyCERT Honeynet initiative was later renamed LebahNET 2.0, a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. It emulates vulnerabilities of the operating systems used in enterprises in order to alert security administrators to the sources of attacks seen at the LebahNET 2.0 sensors deployed by CyberSecurity Malaysia.

Objective

The aim of the LebahNET 2.0 project is to provide valuable supporting information, such as network trends and malicious activities, for MyCERT's incident handling and advisory activities. LebahNET 2.0 also serves as a research network for analysts to experiment with relevant security tools and techniques.

Components

A LebahNET sensor consists of three components for service emulation.

i. Glastopf – Web Application Honeypot

Glastopf is a Python web application honeypot designed to discover attacks by emulating vulnerability types rather than individual vulnerabilities. This means that Glastopf classifies and handles an attack by the type of vulnerability it targets, which keeps it ahead of attackers probing for specific flaws.

ii. Cowrie – SSH and Telnet Honeypot

Cowrie is a medium-interaction SSH and Telnet honeypot written in Python that logs brute-force attacks and the entire shell interaction performed by an attacker.

iii. Dionaea – Samba, MySQL, MSSQL, FTP Honeypot

Dionaea has a modular architecture and embeds Python as its scripting language in order to emulate protocols. It detects shellcode using libemu and supports IPv6 and TLS. Dionaea aims to trap malware that exploits vulnerabilities exposed through network services, in order to ultimately obtain a copy of the malware.

Q3 Statistics

Since March 2015, LebahNET 2.0 sensors have received about 9,882,116 attacks from about 212 countries. Threats originated mainly from the United States and China, while the targeted attacks focused mostly on SSH and Samba servers respectively. It was also observed that about 2,010 unique malware samples were used to perform these attacks.

Graph 1: Threat Origins Detected from LebahNET 2.0 (Mar ‘16 to Oct ‘17)

Graph 1 above shows the percentage of threats originating from each of the countries listed. The countries with the highest numbers of attacks were the United States (2,268,628), Russia (928,141), China (818,061), Ethiopia (633,588), the United Kingdom (539,452), France (380,130), Vietnam (314,859), Malaysia (283,572) and Taiwan (234,428), with all other countries of origin totalling 2,114,412.

Graph 2: Targeted Services Identified by LebahNET 2.0 (Mar ‘16 to Oct ‘17)

Graph 2 shows the percentage of attacks per targeted service. Through LebahNET 2.0, the most targeted services, in descending order, were SSH server (3,239,426), Samba server (1,484,243), UPnP (1,291,475), TFTP server handler (1,277,548), web server (1,121,928), Telnet server (846,055) and FTP server.

Graph 3: Monthly Trend of attacks since March 2016 to October 2017

Graph 3 above shows the monthly trend of attacks on system services from March 2016 to October 2017. In the third quarter of 2017, attacks on UPnP and Samba servers spiked unusually. This may be due to the deployment of new sensors at institutions with high network activity.

As for the latest trend, in the third quarter of 2017 MyCERT sensors received about 3,250,674 attacks. A significant increase in targeted attacks was directed at UPnP servers (1,211,993), followed by web servers (660,680), Samba servers (652,826), SSH servers (645,783), MySQL servers (53,667), MSSQL servers (24,031) and FTP servers (1,524). From these attacks, a total of 2,010 unique malware samples were captured by LebahNET 2.0 sensors.

Compared to the second quarter of 2017, a 230.02% increase in attacks on targeted services was observed in the third quarter, which can be attributed to the UPnP server attacks. Graph 4.1 and Graph 4.2 below show the percentage breakdown of attacks on targeted services for Q2 and Q3 2017.

Graph 4.1: LebahNET 2.0 Q2 2017 data breakdown for targeted services

Graph 4.2: LebahNET 2.0 Q3 2017 data breakdown for targeted services

Statistical Significance

These statistics help MyCERT to identify current trends in malware attacks within an organization. They also allow researchers and cyber security experts to forecast new and emerging types of attack that may appear in future cyber attacks. The project further acts as a platform that ensures the capability to detect threats within Malaysia, making CyberSecurity Malaysia of significant value to the nation. Improvements are also made from time to time by supporting more network services and adding more emulated vulnerabilities to the sensors, so that more data can be collected.

Conclusion

LebahNET 2.0, developed by MyCERT, helps the team identify the types of cyber attack operating within the network of each organization where the sensors are deployed. Identifying cyber threat trends across the cyber landscape therefore allows MyCERT to alert and advise its constituency on cyber threat issues, in order to mitigate successful cyber attacks in Malaysia.

LebahNET Statistic – November 2015

1. Summary

CyberSecurity Malaysia has established a Honeynet project known as LebahNET.

LebahNET is a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. The project was initiated in 2002.

LebahNET is a lightweight and passive honeypot; it emulates vulnerabilities of the operating systems used in enterprises in order to alert security administrators to the sources of attacks.

The project aims to provide valuable supporting information, such as network trends and malicious activities, for the incident handling and advisory activities currently carried out by MyCERT. LebahNET also serves as a research network for our analysts to experiment with relevant tools and techniques.

MyCERT has deployed LebahNET sensors in several areas of Malaysia.

2. Analysis

The data was collected from LebahNET sensors between 2015-11-01 and 2015-11-30.

Summary of collected data

Number of hits: 82698
Total malware samples: 579
Unique malware samples: 101

Targeted Services

Top 10 Threat Origins

Top 10 IPs

 #  Source IP             Total
 1  92.222.66.177 (FR)     5465
 2  222.186.30.215 (CN)    5457
 3  61.147.103.166 (CN)    3837
 4  91.223.180.141 (UA)    3532
 5  61.147.103.106 (CN)    2875
 6  201.33.229.234 (BR)    2330
 7  23.228.81.69 (US)      2251
 8  5.35.244.67 (DE)       1416
 9  117.79.146.58 (CN)     1270
10  222.186.34.74 (CN)      912

Web Attack

Bruteforce Attack

Targeted Services

Top 10 Username

 #  Username   Total
 1  root       13205
 2  sa         10471
 3  admin       5517
 4  ubnt        1445
 5  user         661
 6  test         570
 7  oracle       475
 8  support      465
 9  mysql        443
10  app          373

Top 10 Password

 #  Password   Total
 1  admin       2182
 2  root        2120
 3  ubnt        1005
 4  123456       951
 5  12345        714
 6  password     534
 7  support      321
 8  (blank)      249
 9  1234         231
10  123qwe       229
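The hit count and the top-10 source IP, username and password tables above are aggregations of a sensor's login events. The following is an added example, not LebahNET, Cowrie or MyCERT code, of how such a monthly summary can be built: it parses constructed Cowrie-style JSON log lines (the field names are an assumption about that format), skips malformed lines instead of aborting, keeps an empty password visible as "(blank)" rather than letting it vanish from the table, and includes the quarter-over-quarter percentage used in the Q3 statistics above.

```python
import json
from collections import Counter

# Constructed sample (not real sensor data), modelled on Cowrie's JSON log
# output; the field names used here are an assumption about that format.
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"sa","password":""}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.9"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.9","username":"root","password":"root"}
this line is not JSON and must be skipped rather than abort the report
"""
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

def parse_login_events(text):
    """Yield login-attempt events; skip non-login and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt or truncated line: count nothing, keep going
        if event.get("eventid") in LOGIN_EVENTS:
            yield event

def top_n(events, field, n=10):
    """[(value, count)] for the n most frequent values of `field`; an empty
    credential is shown as '(blank)' so it does not vanish from the table."""
    counts = Counter(event.get(field, "") or "(blank)" for event in events)
    return counts.most_common(n)

def summarise(text, n=10):
    """Per-month summary: hits, top source IPs, usernames and passwords."""
    events = list(parse_login_events(text))
    return {
        "hits": len(events),
        "top_ips": top_n(events, "src_ip", n),
        "top_usernames": top_n(events, "username", n),
        "top_passwords": top_n(events, "password", n),
    }

def pct_change(previous, current):
    """Quarter-over-quarter change in percent, as quoted in the Q3 report."""
    return round((current - previous) / previous * 100, 2)
```

Running summarise(SAMPLE_LOG) yields the five login hits and the per-field rankings; feeding a month of real sensor output through the same functions produces the tables in the format of this report.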

LebahNET Statistic – October 2015

1. Summary

The project summary is the same as in the November 2015 report above.

2. Analysis

The data was collected from LebahNET sensors between 2015-10-01 and 2015-10-30.

Summary of collected data

Number of hits: 103622
Total malware samples: 626
Unique malware samples: 95

Targeted Services

Top 10 Threat Origins

Top 10 IPs

 #  Source IP             Total
 1  222.186.61.6 (CN)      6360
 2  222.186.61.10 (CN)     5588
 3  222.186.61.17 (CN)     5185
 4  222.186.34.74 (CN)     4923
 5  61.147.103.166 (CN)    4486
 6  180.97.215.126 (CN)    3823
 7  60.169.74.139 (CN)     3681
 8  61.147.103.106 (CN)    3458
 9  177.43.8.13 (BR)       1976
10  36.48.159.93 (CN)      1480

Web Attack

Bruteforce Attack

Targeted Services

Top 10 Username

 #  Username   Total
 1  sa         26677
 2  admin      16476
 3  root       13594
 4  mysql       2347
 5  user        1746
 6  ubnt        1665
 7  test        1416
 8  oracle      1143
 9  server       834
10  support      497

Top 10 Password

 #  Password   Total
 1  admin       2319
 2  root        2153
 3  123456      1222
 4  ubnt        1066
 5  password     481
 6  support      362
 7  (blank)      352
 8  openelec     292
 9  1234         280
10  12345        251

LebahNET Statistic – September 2015

1. Summary

The project summary is the same as in the November 2015 report above.

2. Analysis

The data was collected from LebahNET sensors between 2015-09-01 and 2015-09-30.

Summary of collected data

Number of hits: 35294
Total malware samples: 571
Unique malware samples: 47

Targeted Services

Top 10 Threat Origins

Top 10 IPs

 #  Source IP             Total
 1  222.186.61.10 (CN)     5032
 2  222.186.34.74 (CN)     4711
 3  61.147.103.166 (CN)    3688
 4  45.35.33.50 (US)       1105
 5  80.82.64.134 (NL)       659
 6  117.21.176.17 (CN)      650
 7  112.5.16.68 (CN)        630
 8  58.63.245.217 (CN)      558
 9  45.34.1.183 (US)        432
10  89.163.144.80 (DE)      360

Web Attack

Bruteforce Attack

Targeted Services

Top 10 Username

 #  Username   Total
 1  sa          9703
 2  root        4018
 3  admin       1663
 4  ubnt         464
 5  mysql        158
 6  support      150
 7  user         124
 8  test         119
 9  oracle       114
10  DUP root      99

Top 10 Password

 #  Password   Total
 1  admin       1247
 2  root         615
 3  ubnt         375
 4  password     260
 5  123456       222
 6  1            112
 7  support      108
 8  12345         89
 9  00            81
10  1234          78

LebahNET API – Malware Information


We are pleased to announce that we now provide public access to information on the malware collected by our LebahNET sensors. Interested parties may access this information using our public API.

These are the public API calls we offer:
– List of malware MD5 hashes
– List of the latest 10 malware MD5 hashes with timestamps
– Malware information
– Download malware binary

Please email us the following information in order to receive an API key:

– Your first and last name (may not be a third-party contact)
– Your Organization and Address
– Contact information for verification.

Our email address is: lebahnet@cybersecurity.my

Dionaea: Malwr Module

We have noticed the following tweet from malwr:

As we use the Dionaea honeypot as our sensors, we decided to make it easy for our analysts to work with. So we have created a module that automates malware submission to malwr.

The following is the code for the malwr module and its step-by-step installation.

Create the file modules/python/scripts/malwr.py with the following code:

Available on gist

Open the file modules/python/scripts/ihandler.py and find the following code:

Then add this code:

and it should look like the following:

Open the file conf/dionaea.conf and find the following code:

Add the malwr configuration after the above code; it will look like the following:

Within the same file, find the following code:

Add “malwr” after “logsql” so that it looks like the following, and save 😀