Security practitioners develop ways to detect cyber attacks that pose a risk to internet users: to secure vulnerable computer systems, to alert the community, and to learn how such attacks are carried out. One way of detecting malicious attacks is to deploy a luring agent that acts as a decoy for them. This decoy agent is known as a honeypot.
CyberSecurity Malaysia, through MyCERT, established a Honeynet project: a collection of distributed honeypots used to study how exploits function and to collect malware binaries. A honeypot is a software mechanism set up to mimic a legitimate site so that malicious software believes the system is a legitimate, vulnerable target. Honeypots allow researchers to detect, monitor and counter malicious activity by understanding what happens during the intrusion phase and in the attack payload.
In mid-2007, a major overhaul of the honeypot project took place under the Cyber Early Warning System (CEWS) project, and the result was known as LebahNET mini. In 2015, as more resources were invested in the project, a lightweight, passive honeypot was successfully implemented at identified strategic locations. The MyCERT Honeynet initiative was later renamed LebahNET 2.0, a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. It emulates vulnerabilities of operating systems used in enterprises in order to alert security administrators to the sources of attacks seen at the LebahNET 2.0 sensors deployed by CyberSecurity Malaysia.
The LebahNET 2.0 project aims to provide valuable supporting information, such as network trends and malicious activity, for MyCERT incident handling and advisory work. LebahNET 2.0 also serves as a research network where analysts can experiment with relevant security tools and techniques.
A LebahNET sensor consists of three components for service emulation:
1. Glastopf – Web Application Honeypot
Glastopf is a Python web application honeypot that discovers attacks based on vulnerability type emulation rather than emulation of individual vulnerabilities. Because Glastopf determines and handles attacks by their type, it can stay ahead of attackers.
2. Cowrie – SSH and Telnet Honeypot
Cowrie is a medium-interaction SSH honeypot written in Python that logs brute-force attacks and the entire shell interaction performed by an attacker.
3. Dionaea – Samba, MySQL, MSSQL, FTP Honeypot
Dionaea has a modular architecture and embeds Python as its scripting language to emulate protocols. It can detect shellcode using libemu and supports IPv6 and TLS. Dionaea aims to trap malware exploiting vulnerabilities exposed through network services in order to obtain a copy of the malware.
Since July 2018, LebahNET 2.0 sensors have recorded about 8,471,704 attacks from about 198 countries. Threats originated mainly from the United States and China, while targeted attacks focused most on telnetd and sshd servers respectively. About 632 unique malware samples were observed being used in these attacks.
Figure 1: Threat Origins Detected from LebahNET 2.0 (July 18 to September 18)
Figure 1 above shows the percentage of threats originating from each country. The countries with the most significant numbers of attacks were Russia (831,273), United States (627,769), China (363,123), Vietnam (165,251), Ireland (156,227), Cambodia (129,573), Netherlands (127,679), Canada (111,756), France (99,249) and others (574,669).
Figure 2: Targeted Services Timeline by LebahNET 2.0 in Quarter 3
Figure 2 above shows the monthly trend of attacks on each system service from July 2018 to September 2018. In the third quarter of 2018, attacks targeting telnetd and sshd were found to spike unusually.
Figure 3.0 shows the percentage of attacks against each targeted service. Through LebahNET 2.0, the most targeted services, in descending order, were sshd (1,711,406), telnetd (783,911), upnpd (372,030), httpd (221,208), mysqld (156,129), mssqld (36,626), smbd (375) and mqttd (40). Compared with Quarter 2 of 2018, there was a decrease in targeted service attacks in Quarter 3, which can be attributed to the telnetd attacks. Figures 3.0 and 3.1 below show the percentage of targeted service attacks for Quarter 2 and Quarter 3 2018.
Figure 3.0: Targeted Services Identified by LebahNET 2.0 (July 18 to September 18)
Figure 3.1: Targeted Services Identified by LebahNET 2.0 (Quarter 2)
Figure 4.0 shows the percentage of each attack type. Through LebahNET 2.0, the most common attack types, in descending order, were bruteforce (1,697,913), sshbanner (859,285), upnp_request (372,030), webattack (221,208), mysqlcmd (113,136), shellcmd (17,737), fileupload (189), libemu (102), uploadattempt (85), mqtt_connect (35) and others (5).
Compared with Quarter 2 of 2018, there was an increase in attacks in Quarter 3, which can be attributed to the bruteforce attacks. Figures 4.0 and 4.1 below show the percentage of attack types for Quarter 2 and Quarter 3 2018.
Figure 4.0: Attack Type Identified by LebahNET 2.0 (Quarter 2)
Figure 4.1: Attack Type Identified by LebahNET 2.0 (July 18 to September 18)
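As an added illustration, not LebahNET's or MyCERT's own code, the following shows how the per-service and per-attack-type percentages reported above, and a brute-force flag of the kind Cowrie logs, can be derived from sensor event records. The record field names (timestamp, src_ip, country, service, attack_type) and the sample records are constructed assumptions, not real LebahNET output.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sensor records as JSON lines; field names are assumed,
# service and attack_type labels follow the ones used in the report.
SAMPLE_JSONL = "\n".join(json.dumps(dict(zip(
    ("timestamp", "src_ip", "country", "service", "attack_type"), row))) for row in [
    ("2018-07-01T10:00:00", "198.51.100.7", "RU", "sshd", "bruteforce"),
    ("2018-07-01T10:00:20", "198.51.100.7", "RU", "sshd", "bruteforce"),
    ("2018-07-01T10:00:45", "198.51.100.7", "RU", "sshd", "bruteforce"),
    ("2018-07-01T10:05:00", "198.51.100.7", "RU", "httpd", "webattack"),
    ("2018-07-01T10:00:00", "203.0.113.9", "US", "telnetd", "bruteforce"),
    ("2018-07-01T10:30:00", "203.0.113.9", "US", "telnetd", "bruteforce"),
    ("2018-07-01T10:06:00", "203.0.113.9", "US", "upnpd", "upnp_request"),
    ("2018-07-01T11:00:00", "192.0.2.15", "CN", "telnetd", "bruteforce"),
    ("2018-07-01T11:01:00", "192.0.2.15", "CN", "telnetd", "bruteforce"),
    ("2018-07-01T11:02:00", "192.0.2.15", "CN", "telnetd", "bruteforce"),
    ("2018-07-01T10:07:00", "192.0.2.15", "CN", "sshd", "sshbanner"),
])

def load_events(text):
    """Parse JSON-lines sensor output into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def percentages(events, key):
    """Count events per value of `key`; return (value, count, percent) in descending order."""
    counts = Counter(e[key] for e in events)
    total = sum(counts.values())
    return [(k, n, round(100.0 * n / total, 1)) for k, n in counts.most_common()]

def bruteforce_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Flag (src_ip, service) pairs with >= `threshold` bruteforce events inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["attack_type"] == "bruteforce":
            by_src[(e["src_ip"], e["service"])].append(datetime.fromisoformat(e["timestamp"]))
    flagged = set()
    for pair, times in by_src.items():
        times.sort()
        # Sliding window: any `threshold` consecutive attempts within `window` trips the flag.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(pair)
    return sorted(flagged)

if __name__ == "__main__":
    evs = load_events(SAMPLE_JSONL)
    for key in ("country", "service", "attack_type"):
        print(key, percentages(evs, key))
    print("bruteforce sources:", bruteforce_sources(evs))
```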
These statistics help MyCERT identify current trends in malware attacks within an organization. They also allow researchers and cyber security experts to forecast new and emerging types of attack, and they act as a platform that ensures the capability to detect threats within Malaysia, making CyberSecurity Malaysia a significant asset to the nation. Improvements are also made from time to time by supporting more network services and adding more emulated vulnerabilities to the sensors so that more data can be collected.
LebahNET 2.0, developed by MyCERT, helps team members identify the types of cyber attack operating within the network of each organization where sensors are deployed. Identifying cyber threat trends across the cyber landscape therefore allows MyCERT to alert and advise its constituency on cyber threat issues in order to mitigate successful cyber attacks in Malaysia.