Lebahnet Project 2018 Threat Report

Introduction

The number of people using the Internet worldwide keeps rising each day, and the Internet has become a necessity for almost everyone. Yet while surfing the Internet, users rarely realize that they are exposed to cyber threats and attacks. How many of them are concerned with the essential security measures that need to be taken? As technology emerges rapidly, so do new threats. One way of detecting such malicious attacks involves a luring agent that acts as a decoy for these kinds of attacks. This decoy agent is popularly known as a Honeypot.

CyberSecurity Malaysia, through MyCERT, established a Honeynet project, a collection of distributed honeypots used to study how exploits function and to collect malware binaries. A honeypot is a software mechanism set up to mimic a legitimate system so that malicious software believes it has found a legitimate target that is in a weak position to resist attack. Honeypots allow researchers to detect, monitor and counter malicious activity by understanding the activities carried out during the intrusion phase and the attack payloads.

In mid-2007, a major overhaul of the Honeypot project took place under the Cyber Early Warning System (CEWS) project, and the result was known as LebahNET mini. The MyCERT Honeynet initiative was later renamed LebahNET 2.0 in 2015: a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. It emulates vulnerabilities of operating systems commonly used in enterprise infrastructure, so that LebahNET 2.0 sensors deployed by CyberSecurity Malaysia can alert security administrators to the sources of attacks.

Objectives

The LebahNET 2.0 project aims to provide valuable supporting information, such as network trends and malicious activities, for MyCERT incident handling and advisory activities. LebahNET 2.0 also serves as a research network for analysts to experiment with relevant security tools and techniques.

Components


LebahNET Sensor consists of 3 major components for service emulation.

  1. Glastopf – Web Application Honeypot

Glastopf is a Python web application honeypot built to discover attacks based on vulnerability type emulation rather than emulation of individual vulnerabilities. This means that Glastopf determines and handles attacks by the type of vulnerability they probe for, which keeps it ahead of the attackers.

  2. Cowrie – SSH and Telnet Honeypot

Cowrie is a medium-interaction SSH honeypot written in Python that logs brute force attacks and the entire shell interaction performed by an attacker.

  3. Dionaea – Samba, MySQL, MSSQL, FTP Honeypot

Dionaea features a modular architecture and embeds Python as its scripting language in order to emulate protocols. It is able to detect shellcode using libemu and supports IPv6 and TLS. Dionaea aims to trap malware exploiting vulnerabilities exposed through network services such as SMB, in order to ultimately obtain a copy of the malware.

2018 Overall Report

Throughout 2018, LebahNET 2.0 sensors received a total of about 15,985,775 events from about 207 countries. This year, Russia, the United States and China remained the top threat origins, and targeted attacks were focused mostly on the SSH and Telnet services respectively. We observed about 1,306 unique malware samples used to perform these attacks.

Figure 1: Threat Origins Detected from LebahNET 2.0 (January ’18 to December ’18)

Figure 1 shows the percentage of threats originating from each country. The countries with the most significant numbers of attacks were Russia (3,332,574), United States (3,078,236), China (1,471,013), France (947,952), Vietnam (601,718), Ireland (593,118), Brazil (548,026), Netherlands (493,914), Republic of Korea (383,667) and Cambodia (341,537), with all other countries accounting for 3,939,377.

Figure 2: Targeted Services Timeline by LebahNET 2.0 (January ’18 to December ’18)

Figure 2 shows the monthly trend of attacks on each system service from January 2018 to December 2018. In Q4 of 2018, telnetd and sshd were found to be unusually and aggressively targeted compared with quarters 1, 2 and 3.

Figure 3: Type of Attack Detected from LebahNET 2.0 (January ’18 to December ’18)

Figure 3 shows the percentage of each attack type observed throughout the year. Through LebahNET 2.0, the most frequent attack types were bruteforce (9,380,857), sshbanner (3,390,709), upnp_request (1,883,386), shellcmd (521,034), webattack (411,730), mysqlcmd (345,823), libemu (42,500), fileupload (9,297), mqtt_connect (245), uploadattempt (180) and others (14).

Figure 4: Type of Malware Binaries from LebahNET 2.0 (January ’18 to December ’18)

Figure 4 shows the monthly trend of malware binaries captured from system services from January 2018 to December 2018. During Q4 2018, the captured binaries included a considerable number of Trojan variants.

Figure 5: Type of Web Attack Detected from LebahNET 2.0 (January ’18 to December ’18)

Figure 5 shows the percentage of each web attack type observed throughout the year. Through LebahNET 2.0, the most frequent web attack types were phpmyadmin (284,850), unknown (111,040), head (13,255), login (1,374), tomcat_manager (689), LFI (268), robots (119), style_css (66), php_cgi_rce (45), sqli (23) and other (1).

Attacks against xmlrpc.php

Figure 6: xmlrpc.php detected from LebahNET 2.0 (January ’18 to December ’18)

Interestingly, Figure 6 shows a total of 106 brute force attempts against MyCERT LebahNET sensors that targeted xmlrpc.php. XML-RPC is a feature introduced by WordPress to enable remote updates from other applications, and these brute force attempts target WordPress's XML-RPC interface at /xmlrpc.php. Common applications that use the XML-RPC interface, such as the WordPress mobile application and the popular JetPack plugin, are usually seen together with their associated user-agent strings. Hence, it is odd to see a huge number of failed login attempts, as these applications typically store credentials locally.

XML-RPC entries in web server logs can be identified by the request line “POST /xmlrpc.php HTTP/1.0”; the location of the logs varies according to the Linux distribution running on the web server. For Apache, use “$ sudo grep xmlrpc /var/log/apache2/access.log”, and for Nginx use “$ sudo grep xmlrpc /var/log/nginx/access.log”, to search for xmlrpc attacks. If xmlrpc attacks are reaching a WordPress site, the output will show entries like the one below, where the 200 status shows that the traffic is being allowed through:

111.222.333.444:80 555.666.777.888 – – [17/Jan/2019:23:33:50 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

Through the Apache and Nginx configuration, we can block xmlrpc by applying a few rules. Bear in mind, however, that this method stops anything that relies on xmlrpc from functioning. For Apache, edit the site configuration with “$ sudo nano /etc/apache2/sites-available/000-default.conf” and add the blocking lines between the <VirtualHost> tags.

Next, save and close the file. To enable the changes, restart the server with “$ sudo service apache2 restart”; the same approach applies to Nginx with its own configuration file and restart command. Once all xmlrpc traffic is blocked, every brute force attempt still appears in the logs, but with an error status code. For instance, the Apache log might look like this:

111.222.333.444:80 555.666.777.888 – – [19/Jan/2019:14:33:46 -0500] "POST /xmlrpc.php HTTP/1.0" 500 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
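To go a step beyond grep, the following Python script (an added example, not part of the MyCERT report) parses access-log lines in the layout quoted above, counts the POST /xmlrpc.php requests per client address and flags sources that reach a threshold. The embedded log lines are constructed samples; the 10.0.0.x and 203.0.113.10 addresses and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache access-log layout quoted in the report (vhost:port first, then client):
# server:port client ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not captured traffic). 10.0.0.5 repeatedly POSTs to
# xmlrpc.php, 10.0.0.7 hits it once after blocking (non-200), 10.0.0.9 is normal.
SAMPLE_LOG = """\
203.0.113.10:80 10.0.0.5 - - [17/Jan/2019:23:33:50 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 10.0.0.5 - - [17/Jan/2019:23:33:51 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 10.0.0.9 - - [17/Jan/2019:23:33:52 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10:80 10.0.0.5 - - [17/Jan/2019:23:33:53 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10:80 10.0.0.5 - - [17/Jan/2019:23:33:54 -0500] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.10:80 10.0.0.7 - - [19/Jan/2019:14:33:46 -0500] "POST /xmlrpc.php HTTP/1.0" 500 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
this line is not an access-log entry
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def xmlrpc_posts_by_client(lines):
    """Map client IP -> Counter of HTTP status codes, for POST /xmlrpc.php requests only."""
    stats = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of crashing on them
        if rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            stats[rec["client"]][int(rec["status"])] += 1
    return stats


def flag_bruteforce(lines, threshold=3):
    """Clients whose accepted (HTTP 200) xmlrpc POSTs reach the threshold, busiest first."""
    stats = xmlrpc_posts_by_client(lines)
    hits = [(ip, c[200]) for ip, c in stats.items() if c[200] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} accepted POST /xmlrpc.php requests")
```

After the blocking rules are in place, the same script shows the per-client status counts shifting from 200 to the error code, which is the quickest way to confirm the block took effect.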

Data gathered by LebahNET 2.0 sensors assists MyCERT in identifying current trends in malware attacks. The sensors also allow researchers and cyber security experts to forecast new and emerging types of attack, and act as a platform for threat detection both locally and globally, making CyberSecurity Malaysia a national asset. Continuous enhancement will be made by emulating more network services and adding more detectable vulnerabilities, which will ensure richer and more pertinent data collection.

Conclusion

LebahNET 2.0, developed by MyCERT, helps participants identify the cyber-attacks within their networks. Identifying cyber threat trends allows MyCERT to forewarn and advise stakeholders about cyber threat issues pertaining to Malaysia, in order to mitigate successful cyber-attacks.


Prepared by:

Nur Sarah Jamaludin

Reviewed by:

Ahmad Aizuddin Aizat Tajul Arif


Lebahnet Project Q3 2018 Report

Introduction

Security practitioners develop ways to detect cyber-attacks that pose a potential risk to Internet users. This is done to secure vulnerable computer systems, to alert the community, and to learn how such attacks occur. One way of detecting such malicious attacks is to develop a luring agent that acts as a decoy for the attack. This decoy agent is known as the Honeypot.

CyberSecurity Malaysia, through MyCERT, established a Honeynet project, a collection of distributed honeypots used to study how exploits function and to collect malware binaries. A honeypot is a software mechanism set up to mimic a legitimate system, luring malicious software into believing the system is a legitimate and vulnerable target. Honeypots allow researchers to detect, monitor and counter malicious activity by understanding the activities during the intrusion phase and the attack payloads.

In mid-2007, a major overhaul of the Honeypot project took place under the Cyber Early Warning System (CEWS) project, and the result was known as LebahNET mini. In 2015, as more resources were invested in the project, it successfully deployed lightweight, passive honeypots at identified strategic locations. The MyCERT Honeynet initiative was later renamed LebahNET 2.0, a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. It emulates vulnerabilities of operating systems used in enterprises, so that LebahNET 2.0 sensors deployed by CyberSecurity Malaysia can alert security administrators to the sources of attacks.

Objectives

The LebahNET 2.0 project aims to provide valuable supporting information, such as network trends and malicious activities, for MyCERT incident handling and advisory activities. LebahNET 2.0 also serves as a research network for analysts to experiment with relevant security tools and techniques.

Components

LebahNET Sensor consists of 3 components for service emulation:

1. Glastopf – Web Application Honeypot
Glastopf is a Python web application honeypot built to discover attacks based on vulnerability type emulation rather than emulation of individual vulnerabilities. This means that Glastopf determines and handles attacks by the type of vulnerability they probe for, which keeps it ahead of the attackers.

2. Cowrie – SSH and Telnet Honeypot
Cowrie is a medium-interaction SSH honeypot written in Python that logs brute force attacks and the entire shell interaction performed by an attacker.

3. Dionaea – Samba, MySQL, MSSQL, FTP Honeypot
Dionaea features a modular architecture and embeds Python as its scripting language in order to emulate protocols. It is able to detect shellcode using libemu and supports IPv6 and TLS. Dionaea aims to trap malware exploiting vulnerabilities exposed through network services, in order to ultimately obtain a copy of the malware.

Q3 Statistics

Since July 2018, LebahNET 2.0 sensors have received about 8,471,704 attacks in total from about 198 countries. Threats originated mainly from the United States and China, while targeted attacks were focused mostly on the telnetd and sshd services respectively. About 632 unique malware samples were observed being used to perform these attacks.

Figure 1: Threat Origins Detected from LebahNET 2.0 (July 18 to September 18)

The above Figure 1 shows the percentage of threat originating from the mentioned countries. Among the countries with the highest significant attacks were from Russia (831,273), United States (627,769), China (363,123), Vietnam (165,251), Ireland (156,227), Cambodia (129,573), Netherlands (127,679), Canada (111,756), France (99,249) and others (574,669).

Figure 2: Targeted Services Timeline by LebahNET 2.0 in Quarter 3

Figure 2 above shows the monthly trend of attacks on each system service from July 2018 to September 2018. In the 3rd quarter of 2018, attacks on the telnetd and sshd services were found to spike unusually.

Figure 3.0 shows the percentage of attacks on each targeted service. Through LebahNET 2.0, the most targeted services in descending order were sshd (1,711,406), telnetd (783,911), upnpd (372,030), httpd (221,208), mysqld (156,129), mssqld (36,626), smbd (375) and mqttd (40). Compared with Quarter 2 of 2018, a decrease in targeted-service attacks was observed in Quarter 3, attributable to the telnetd attacks. Figure 3.0 and Figure 3.1 below show the percentage of targeted-service attacks for Quarter 2 and Quarter 3 of 2018.

Figure 3.0: Targeted Services Identified by LebahNET 2.0 (July 18 to September 18)

Figure 3.1: Targeted Services Identified by LebahNET 2.0 (Quarter 2)

Figure 4.0 shows the percentage of each attack type. Through LebahNET 2.0, the most frequent attack types in descending order were bruteforce (1,697,913), sshbanner (859,285), upnp_request (372,030), webattack (221,208), mysqlcmd (113,136), shellcmd (17,737), fileupload (189), libemu (102), uploadattempt (85), mqtt_connect (35) and others (5). Compared with Quarter 2 of 2018, an increase in attacks was observed in Quarter 3, attributable to the bruteforce attacks. Figure 4.0 and Figure 4.1 below show the percentage of each attack type for Quarter 2 and Quarter 3 of 2018.

Figure 4.0: Attack Type Identified by LebahNET 2.0 (Quarter 2)

Figure 4.1: Attack Type Identified by LebahNET 2.0 (July 18 to September 18)

Significance of the Statistics

The significant values in these statistics help MyCERT identify current trends in malware attacks within an organization. They also allow researchers and cyber security experts to forecast new and emerging types of attack, and act as a platform for detecting threats within Malaysia, making CyberSecurity Malaysia of significant value to the nation. Improvements are also made from time to time by supporting more network services and adding more vulnerabilities to the sensor, to ensure that more data can be collected.

Conclusion

LebahNET 2.0, developed by MyCERT, helps the team members identify the types of cyber attacks operating within the network of each organization where the sensors are deployed. Identifying cyber threat trends within the cyber landscape therefore allows MyCERT to alert and advise its constituency about cyber threat issues, in order to mitigate successful cyber attacks in Malaysia.

NanoSec x Wargames.MY CTF Write Up

Briefly, this is a simple write-up of what happened during the CTF. I participated in the event just to have an enjoyable weekend, even though I was busy with family and celebrating my birthday.


Cryptography : warming up 1

Question: jztl{y0y_f0_3nfl}

Answer: wmgy{l0l_s0_3asy}

Explanation: Use ROT13 to answer.


Cryptography : warming up 2

Question: ZHRuZntxYnphXzRfczFhYXMzX2kxYV9vNHlrM3l9

Answer: wmgy{just_4_l1ttl3_b1t_h4rd3r}

Explanation: Decode using normal Base64 and apply ROT19 afterwards.


Cryptography : warming up 3

Question: https://gudang.wargames.my/9457d98ad0244eb114133832bf486e8755ef29bbb53aa33a4852d81b/lol.7z (Reference #1)


Answer: wmgy{was_1t_fun_t0_d0_l00p_rolls?}

Explanation: The huge text was encoded with Base64 n (not sure how many) times. Use the script below, which keeps decoding until the text no longer decodes as Base64:

<?php
        // Read the nested-Base64 blob and decode it one layer at a time.
        $str = file_get_contents('lol.txt');
        while (true) {
                $decoded = base64_decode($str, true);
                // Strict mode returns false once the text is no longer valid Base64.
                if ($decoded === false || $decoded === '') {
                        break;
                }
                $str = $decoded;
                echo $str."\n";
        }
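The three crypto warm-ups solved in Python, as an added example that is not the author's script: rot() covers warm-up 1, solve_warmup2() the Base64-then-ROT19 case, and peel_base64() the nested-Base64 case with an explicit stop condition; wrap_base64() builds a constructed stand-in for lol.txt so the script runs offline.

```python
import base64
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def rot(text, n):
    """Shift ASCII letters by n positions (ROT13 when n=13); other characters pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def solve_warmup2(ciphertext):
    """Warm-up 2: one Base64 decode followed by ROT19."""
    return rot(base64.b64decode(ciphertext).decode("ascii"), 19)


def looks_like_base64(text):
    """True if text (ignoring whitespace) uses only the Base64 alphabet and is padded to a multiple of 4."""
    compact = "".join(text.split())
    return bool(compact) and len(compact) % 4 == 0 and set(compact) <= B64_ALPHABET


def peel_base64(blob, max_layers=100000):
    """Warm-up 3: strip Base64 layers until the text is no longer Base64 or no longer printable.

    The stop condition is what keeps this from looping forever once the flag
    (which contains '{', '_' and '?') has been reached.
    """
    current = blob
    for _ in range(max_layers):
        compact = "".join(current.split())
        if not looks_like_base64(compact):
            break
        try:
            decoded = base64.b64decode(compact, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            break  # bad padding or non-text bytes: the previous layer was the answer
        if not all(c.isprintable() or c.isspace() for c in decoded):
            break
        current = decoded
    return current.strip()


def wrap_base64(text, layers):
    """Build a constructed nested-Base64 blob (stand-in for lol.txt) to exercise peel_base64."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


if __name__ == "__main__":
    print(rot("jztl{y0y_f0_3nfl}", 13))
    print(solve_warmup2("ZHRuZntxYnphXzRfczFhYXMzX2kxYV9vNHlrM3l9"))
    # Constructed stand-in for lol.txt: the warm-up 3 flag wrapped 7 times.
    print(peel_base64(wrap_base64("wmgy{was_1t_fun_t0_d0_l00p_rolls?}", 7)))
```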


Steganography : PEKIDA

Question: https://gudang.wargames.my/b711bad6b9d99dab1bde621eb4b4cfc64f7ef217fabfce31ed5a83f2/PEKIDA (Reference #1)

Answer: wgmy{m4ju_lu_s1n1_4nj1n9}

Explanation: The title obviously hints at using the IDA Pro tool (Reference #4): PEK (pakai) IDA, roughly “Pakai IDA lah” (Malay for “just use IDA”). Change “Max number of nodes” under the “Graph” options tab to a value as large as possible, say 100000. Then right click and choose “Fit Window”.

Note: Salutations to the question author.


Web : ScrewIt!

Question: https://screwit.wargames.my/ (not sure if the link will be deleted)

Answer: wgmy{did_u_brut3f0rc3-it?}

Explanation: Use LFI to get the content of /usr/lib/php/20121212/screwim.so (refer to php.ini) and flag.php. Download and compile the PHP 5.5 source code, then configure php.ini to load the downloaded screwim.so as a PHP extension. Use the script below to decrypt:

<?php
        // flag.php is the encrypted file fetched via LFI; screwim_decrypt() is
        // provided by the screwim.so extension loaded through php.ini.
        $t = file_get_contents('flag.php');
        echo screwim_decrypt($t);

The output as per below:

<?php
$flag = "wgmy{did_u_brut3f0rc3-it?}";
echo "<h2>The flag is encrypted</h2>";
echo "Its not that easy bois :P";
?>

Alternatively, use the LFI URL below to get the server file content and decode it from Base64 afterwards:

https://screwit.wargames.my/index.php?file=php://filter/convert.base64-encode/resource=flag.php


Thanks to CTF Overlords.

References:

  1. Artefacts
  2. http://nanosec2018.wargames.my/
  3. https://www.nanosec.asia/
  4. IDA Pro

LebahNET 2.0 – Distributed Honeypot Network

Authors: Nasim, Ramadhan, Hafiz, Shuaib

Introduction

Security practitioners develop ways to detect cyber attacks that pose a potential risk to Internet users. This is done to secure vulnerable computer systems, to alert the community, and to learn how such attacks occur. One way of detecting such malicious attacks is to develop a luring agent that acts as a decoy for the attack. This decoy agent is known as the Honeypot.

CyberSecurity Malaysia, through MyCERT, established a Honeynet project, a collection of distributed honeypots used to study how exploits function and to collect malware binaries. A honeypot is a software mechanism set up to mimic a legitimate system, luring malicious software into believing the system is a legitimate and vulnerable target. Honeypots allow researchers to detect, monitor and counter malicious activity by understanding the activities during the intrusion phase and the attack payloads.

In mid-2007, a major overhaul of the Honeypot project took place under the Cyber Early Warning System (CEWS) project, and the result was known as LebahNET mini. In 2015, as more resources were invested in the project, it successfully deployed lightweight, passive honeypots at identified strategic locations. The MyCERT Honeynet initiative was later renamed LebahNET 2.0, a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. It emulates vulnerabilities of operating systems used in enterprises, so that LebahNET 2.0 sensors deployed by CyberSecurity Malaysia can alert security administrators to the sources of attacks.

Objective

The aim of LebahNET 2.0 project is to provide valuable supporting information such as network trends and malicious activities for MyCERT incident handling and advisory activities. LebahNET 2.0 also serves as a research network for analysts to experiment with relevant security tools and techniques.

Components

LebahNET Sensor consists of 3 components for service emulation.

i. Glastopf – Web Application Honeypot

Glastopf is a Python web application honeypot built to discover attacks based on vulnerability type emulation rather than emulation of individual vulnerabilities. This means that Glastopf determines and handles attacks by the type of vulnerability they probe for, which keeps it ahead of the attackers.

ii. Cowrie – SSH and Telnet Honeypot

Cowrie is a medium-interaction SSH honeypot written in Python that logs brute force attacks and the entire shell interaction performed by an attacker.

iii. Dionaea – Samba, MySQL, MSSQL, FTP Honeypot

Dionaea features a modular architecture and embeds Python as its scripting language in order to emulate protocols. It is able to detect shellcode using libemu and supports IPv6 and TLS. Dionaea aims to trap malware exploiting vulnerabilities exposed through network services, in order to ultimately obtain a copy of the malware.

Q3 Statistics

Since March 2015, LebahNET 2.0 sensors have received about 9,882,116 attacks in total from about 212 countries. Threats originated mainly from the United States and China, while targeted attacks were focused mostly on SSH and Samba servers respectively. About 2,010 unique malware samples were observed being used to perform these attacks.

Graph 1: Threat Origins Detected from LebahNET 2.0 (Mar ‘16 to Oct ‘17)


Graph 1 above shows the percentage of threats originating from each country. The countries with the most significant numbers of attacks were United States (2,268,628), Russia (928,141), China (818,061), Ethiopia (633,588), United Kingdom (539,452), France (380,130), Vietnam (314,859), Malaysia (283,572) and Taiwan (234,428), with all other countries accounting for 2,114,412.

Graph 2: Targeted Services Identified by LebahNET 2.0 (Mar ‘16 to Oct ‘17)

Graph 2 shows the percentage of attacks on each targeted service. Through LebahNET 2.0, the most targeted services in descending order were SSH Server (3,239,426), Samba Server (1,484,243), uPnP (1,291,475), TFTP Server Handler (1,277,548), Web Server (1,121,928), Telnet Server (846,055) and FTP Server.


Graph 3: Monthly Trend of attacks since March 2016 to October 2017

Graph 3 above shows the monthly trend of attacks on system services from March 2016 to October 2017. In the 3rd quarter of 2017, attacks on the UPnP and Samba services were found to spike unusually. This may be due to the deployment of new sensors at an institution with high network activity.

As for the latest trend in Quarter 3 2017, MyCERT sensors received about 3,250,674 attacks in total. A significant increase in targeted attacks was directed at the uPnP server (1,211,993), followed by Web Server (660,680), Samba Server (652,826), SSH Server (645,783), MySQL Server (53,667), MsSQL Server (24,031) and FTP Server (1,524). From these attacks, a total of 2,010 unique malware samples were captured by LebahNET 2.0 sensors.

Compared with Quarter 2 of 2017, a 230.02% increase in targeted-service attacks was observed in Quarter 3, attributable to the uPnP Server attacks. Graph 4.1 and Graph 4.2 below show the percentage of targeted-service attacks for Quarter 2 and Quarter 3 of 2017.

Graph 4.1: LebahNET 2.0 Q2 2017 data breakdown for targeted services

Graph 4.2: Q3 2017 LebahNET 2.0 data breakdown for targeted services


Significance of the Statistics

The significant values in these statistics help MyCERT identify current trends in malware attacks within an organization. They also allow researchers and cyber security experts to forecast new and emerging types of attack that might appear in future cyber attacks, and act as a platform for detecting threats within Malaysia, making CyberSecurity Malaysia of significant value to the nation. Improvements are also made from time to time by supporting more network services and adding more vulnerabilities to the sensor, to ensure that more data can be collected.

Conclusion

LebahNET 2.0, developed by MyCERT, helps the team members identify the types of cyber attacks operating within the network of each organization where the sensors are deployed. Identifying cyber threat trends within the cyber landscape therefore allows MyCERT to alert and advise its constituency about cyber threat issues, in order to mitigate successful cyber attacks in Malaysia.

LebahNET Statistic – November 2015

1. Summary

CyberSecurity Malaysia has established a Honeynet project known as LebahNET.

LebahNET is a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. This project was initiated in 2002.

LebahNET is a lightweight and passive honeypot that emulates vulnerabilities of operating systems used in enterprises, in order to alert security administrators to the sources of attacks.

The project aims to provide valuable supporting information, such as network trends and malicious activities, for the incident handling and advisory activities currently carried out by MyCERT. LebahNET also serves as a research network for our analysts to experiment with relevant tools and techniques.

MyCERT has deployed LebahNET sensors in several areas in Malaysia.

2. Analysis

The data is collected from LebahNET Sensors from 2015-11-01 to 2015-11-30.

Summary of collected data

Number of Hits: 82698
Total Malwares: 579
Unique Malwares: 101

Targeted Services

Top 10 Threat Origins

Top 10 IPs

#    Source IP               Total
1    92.222.66.177 (FR)      5465
2    222.186.30.215 (CN)     5457
3    61.147.103.166 (CN)     3837
4    91.223.180.141 (UA)     3532
5    61.147.103.106 (CN)     2875
6    201.33.229.234 (BR)     2330
7    23.228.81.69 (US)       2251
8    5.35.244.67 (DE)        1416
9    117.79.146.58 (CN)      1270
10   222.186.34.74 (CN)       912

Web Attack

Bruteforce Attack

Targeted Services

Top 10 Username

#    Username    Total
1    root        13205
2    sa          10471
3    admin        5517
4    ubnt         1445
5    user          661
6    test          570
7    oracle        475
8    support       465
9    mysql         443
10   app           373

Top 10 Password

#    Password    Total
1    admin        2182
2    root         2120
3    ubnt         1005
4    123456        951
5    12345         714
6    password      534
7    support       321
8    (blank)       249
9    1234          231
10   123qwe        229