HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS
Martin Lee, Neil Rankin

Posted 24-May-2020

TRANSCRIPT

Page 1: HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS

Martin Lee, Neil Rankin

Page 2: Cloud Adoption

Choose two: Fast, Cheap, Good

Page 3: Cloud Models

Public

IaaS · PaaS · SaaS

Private

Page 4: Cloud Models (same content as page 3)

Page 5: IaaS Cloud Security Layers

Layers, top to bottom:

•  Secure API / GUI
•  Application Code
•  Operating System
•  Virtual Machine
•  Hypervisor
•  Device
•  Network
•  Facility

The diagram labels each layer as either "Provider’s responsibility" or "Your problem".

Page 6: Threat Model

Cyber Criminal · Hacktivist · APT

Page 7: Elastic Computing

Development: low utilisation, low cost

Deployment: heavy utilisation, high cost

Page 8: Elastic Computing

(Image; source: Quora.com)

Page 9: Threat Types - Customers

Two charts, Cloud Environment and On Premise Environment, each breaking down observed threats by type.

Cloud Environment: application-attack, brute-force, suspicious-activity, recon, trojan-activity, denial-of-service, other

On Premise Environment: application-attack, brute-force, trojan-activity, suspicious-activity, recon, denial-of-service, other

Source: Alert Logic ASR 2015

Page 10: Relative Threats - Cloud vs On Premise

Bar chart (horizontal axis 0 to 6) with categories: denial-of-service, suspicious-activity, recon, brute-force, application-attack, other, trojan-activity

Source: Alert Logic ASR 2015

Page 11: Cloud Threats by Customer Industry Vertical

Percentage chart (0% to 100%) per industry vertical; legend: Application attack, Brute force, Recon, Suspicious, DoS

Source: Alert Logic ASR 2015

Page 12: Subtle Differences

Cloud threats ≠ On premise threats

Your threats ≠ Your neighbour’s threats

Page 13: Honeypot Infrastructure

Diagram: a Cloud Production System (hosts 123.45.67.89 sys.example.com, 123.45.67.90 db.example.com and 123.45.67.88 share.example.com) sits alongside Cloud Honeypots; the honeypots feed Threat Intelligence, which gives the production system Increased Protection.

Page 14: Honeypot Types

Low Interaction
•  Simulates high level services
•  Collects basic information

Medium Interaction
•  Simulates generic functions
•  Records interaction

High Interaction
•  Simulates specific environment
•  Collects details of attack

Page 15: Medium Interaction

Kippo – medium interaction

https://github.com/desaster/kippo

•  Simulates SSH shell

•  Fake file system

•  Easily detected! – we use a heavily modified version

•  We used to log brute force attacks & replay sessions

Page 16: Medium Interaction

Dionaea – medium interaction

http://dionaea.carnivore.it/

•  Simulates network services

•  SMB / HTTP / FTP / MySQL / SIP (VoIP)

•  Simulates shellcode execution

•  We see mostly SMB activity

Page 17: Low Interaction

Amun – low interaction

http://amunhoney.sourceforge.net/

•  Modular Honeypot

•  Simulates vulnerable services

•  We see mostly SMB activity

Page 18: Low Interaction

p0f – low interaction

http://amunhoney.sourceforge.net/

•  Fingerprint connecting IPs

•  Run in tandem

Page 19: Custom Interaction

Create your own

•  Modify modular honeypot

•  Reflect your environment

•  Respond to new threats

•  Research attacks against specific vulnerabilities

Page 20: Results

What do we find? April 2015

Page 21: Findings – Top 20 IP Addresses

Bar chart of Number of Attacks (axis 0 to 140,000) per source IP: 82.211.147.147, 114.47.9.182, 61.227.174.2, 186.92.54.111, 93.118.46.197, 190.37.94.20, 36.236.150.66, 186.92.51.249, 186.92.36.215, 43.255.190.167, 190.204.147.44, 177.143.161.164, 186.92.122.154, 186.92.180.244, 43.255.190.119, 43.255.190.130, 186.92.57.234, 177.143.167.30, 177.143.161.1, 198.101.193.22

Page 22: Findings – Top 20 Source Countries

Japan, Taiwan, Venezuela, China, Brazil, Georgia, Unknown, Romania, United States, Mexico, Russian Federation, Netherlands, Bulgaria, United Kingdom, Armenia, India, Kazakhstan, Korea (Republic of), Ukraine, Iran (Islamic Republic of)

Second panel highlights: Taiwan, Venezuela, China, Georgia, Japan, Brazil

Page 23: Findings – Attacker OS

Chart labels: Linux 2.4.x, Windows XP, Linux 3.1-3.10, Linux 2.2.x-3.x, Windows 7 or 8, Linux 2.6.x, Linux 3.11 and newer, Linux 2.4.x-2.6.x, Linux 2.2.x-3.x (no timestamps), Linux 3.x, Linux 2.2.x-3.x (barebone), Windows NT kernel, Linux 2.0

Second panel: Linux 2.4.x, Win XP, Linux 3.1, Linux 2.2.x, Win 7/8

Page 24: Findings – Top 20 Destination Ports

Secure Shell (SSH), Microsoft Directory Service, Remote Desktop Protocol, NETBIOS Session Service, SMTP, HTTP, Active API Server Port (Proxy), Telnet, POP3, HTTP Alternate (Proxy), MySQL, Microsoft SQL Server, Abyss Web Server, HTTPS, FTP, Socks (Proxy), Universal Plug 'N Play (UPnP), Microsoft DCOM, IMAP, Apple OSX RPC Services

Call-outs: SSH (22); Active Directory Service / SMB (445)

Page 25: Findings – Top 20 Brute Forced Usernames

root, admin, oracle, ubnt, support, user, test, guest, MGR, ubuntu, administrator, ftpuser, operator, admindb, PlcmSpIp, info, Administrator, pi, db01

Call-out: Root (98.5%)

Page 26: Findings – Top 20 Brute Forced Username/Password

root/admin, root/123456, admin/admin, root/654321, root/123654, root/administrator, root/default, root/qazwsx, root/zaq1xsw2, root/888888, root/a123456, root/aaaaaa, root/11111111, root/root, root/changeme, root/159357, root/qwerty, root/meiyoumima, root/admin1, root/vision

Page 27: Findings – Top 20 Uploads

Detections: Troj/Agent-AMRO, PsExec, Unknown, Mal/HckPk-A, Troj/Agent-AMRO, Troj/DLoad-IK, Mal/PWS-JJ, W32/Parite-B, Mal/HckPk-A, Mal/Spy-Y, Unknown, Unknown, Unknown, Unknown, Unknown, Unknown, Unknown, Unknown, Mal/Spy-Y, Unknown

Second panel: Troj/Agent-AMRO, PsExec, ? .exe, Mal/HckPk-A

Page 28: Deployment

Honeypots in Operation

Page 29: Honeypots for Managed Services

Diagram: the Cloud Honeypot records Connecting IPs; these feed Threat Intelligence, which issues a Blocklist update to the Security Agent on the Customer Cloud System.

Page 30: Honeypots for Managed Services

Diagram: Malware captured by the Cloud Honeypot feeds Threat Intelligence, which is correlated (Correlate) with what the Security Agent on the Customer Cloud System observes.
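The loop sketched on the two "Honeypots for Managed Services" slides (the honeypot records connecting IPs and the credentials they try, that intelligence becomes a blocklist pushed to a security agent, and customer-side events are correlated against it), written out as an added example; this is not code from the slides or from Alert Logic. The honeypot log lines are constructed for the example and only resemble the shape of Kippo's login-attempt lines, and the three-attempt threshold, the customer connection-log format and the function names are all assumptions.

```python
"""Added example: honeypot logins -> blocklist -> correlation with customer logs.
Not code from the slides or from Alert Logic; log formats are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed honeypot log lines (Kippo-like shape, not real Kippo output).
# Documentation-range IPs (RFC 5737) are used as sample sources.
HONEYPOT_LOG = """\
2015-04-01 03:12:07,112 [HoneyPotTransport,1,198.51.100.23] login attempt [root/123456] failed
2015-04-01 03:12:08,301 [HoneyPotTransport,2,198.51.100.23] login attempt [root/admin] failed
2015-04-01 03:12:09,554 [HoneyPotTransport,3,198.51.100.23] login attempt [root/changeme] failed
2015-04-01 03:12:10,009 [HoneyPotTransport,4,198.51.100.23] login attempt [admin/admin] failed
2015-04-01 03:15:41,877 [HoneyPotTransport,5,203.0.113.9] login attempt [pi/raspberry] failed
2015-04-01 03:20:02,412 [HoneyPotTransport,6,192.0.2.77] login attempt [root/root] succeeded
2015-04-01 03:20:03,100 [HoneyPotTransport,7,192.0.2.77] login attempt [root/qwerty] failed
2015-04-01 03:20:05,230 [HoneyPotTransport,8,192.0.2.77] login attempt [root/vision] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

# Constructed customer-side connection log (assumed format, not a real product's).
CUSTOMER_LOG = """\
2015-04-01 04:01:12 ACCEPT src=198.51.100.23 dst=10.0.0.5 dport=22
2015-04-01 04:02:30 ACCEPT src=198.51.100.200 dst=10.0.0.5 dport=443
2015-04-01 04:05:55 ACCEPT src=192.0.2.77 dst=10.0.0.7 dport=22
"""
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ACCEPT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_login_attempts(text):
    """Parse honeypot login-attempt lines into dicts; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
        attempts.append(rec)
    return attempts


def build_blocklist(attempts, threshold=3):
    """Threat-intelligence step: summarise sources that brute-forced the honeypot
    (at least `threshold` attempts) or that were granted a fake login (any login on a
    honeypot is a strong signal, so one success is enough). Threshold is an assumption."""
    per_ip = defaultdict(list)
    for a in attempts:
        per_ip[a["ip"]].append(a)
    blocklist = {}
    for ip, recs in per_ip.items():
        logged_in = any(r["result"] == "succeeded" for r in recs)
        if len(recs) >= threshold or logged_in:
            blocklist[ip] = {
                "attempts": len(recs),
                "first_seen": min(r["ts"] for r in recs).isoformat(),
                "last_seen": max(r["ts"] for r in recs).isoformat(),
                "credentials": sorted({f"{r['user']}/{r['pw']}" for r in recs}),
                "logged_in": logged_in,
            }
    return blocklist


def username_share(attempts):
    """Username counts and the share of the most-tried one, like the
    'Top 20 Brute Forced Usernames' slide (root at 98.5% there)."""
    counts = Counter(a["user"] for a in attempts)
    user, n = counts.most_common(1)[0]
    return counts, user, round(100.0 * n / len(attempts), 1)


def correlate(customer_log, blocklist):
    """Correlate step: flag accepted customer-side connections whose source is on
    the honeypot-derived blocklist. Returns (ts, src, dst, dport, honeypot_attempts)."""
    hits = []
    for line in customer_log.splitlines():
        m = CONN_RE.match(line)
        if m and m["src"] in blocklist:
            hits.append((m["ts"], m["src"], m["dst"], int(m["dport"]),
                         blocklist[m["src"]]["attempts"]))
    return hits


if __name__ == "__main__":
    attempts = parse_login_attempts(HONEYPOT_LOG)
    blocklist = build_blocklist(attempts)
    for ip, summary in blocklist.items():
        print("BLOCK", ip, summary)
    print("username share:", username_share(attempts)[1:])
    for hit in correlate(CUSTOMER_LOG, blocklist):
        print("ALERT", hit)
```

The single-attempt source (203.0.113.9) stays off the blocklist, which is the point of the threshold: a blocklist pushed to production agents should carry sources with clear brute-force or login activity, not every stray probe, or the agent will be blocking scanners' collateral noise. In a real deployment the "first_seen"/"last_seen" fields are what let the blocklist expire entries instead of growing forever.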

Page 31: Conclusion

Cloud environments have a specific threat profile.

Well placed honeypots provide timely intelligence.

Apply intelligence to protect production systems.

Page 32: Get Connected

@alertlogic · @mlee_security

www.alertlogic.com

linkedin.com/company/alert-logic

alertlogic.com/resources/blog/

youtube.com/user/AlertLogicTV

brighttalk.com/channel/11587

Page 33: Thank you

Will Semple – VP ActiveIntelligence

Brian Wilson – Director, Intelligence

Michael Laughlin – Tools Engineer

Page 34: Thank you.