Quick Intro
The Joint InfoSec Learning Lab (JILL) Project was a project between Malachi Technologies and other up and coming IT & Cybersecurity professionals to gain insight and knowledge about proper Cybersecurity controls & methods.
The honeypot was running on the commonly used all-in-one honeypot framework T-Pot (developed by T-Mobile). Some of the exposed services were: a Citrix login page, SSH, FTP, SIP, a DNS server, an MS SQL Server, LDAP, POP3, SMTP, and more. Outlined below are some of the findings from the honeypot’s exposure to the internet.
Top 3 Targeted Systems
Session Initiation Protocol (SIP)
Of the exposed services, the overwhelming majority of attacks were against SIP systems: 25,543 assumed attacks (connection attempts) over a 24-hour period. 53% of the attacks came from a Linksys client located in the United Kingdom, and approx. 30% targeted Cisco SIP systems, with those attacks coming from an IP in France. The remainder of the connection attempts targeted various PBX systems, with attacks coming from a variety of countries.
Telnet/Secure Shell (SSH)
Unsurprisingly, Telnet and SSH were the second most commonly targeted protocols: lots of password guessing here, from a large variety of clients. Telnet is inherently insecure, and the statistics bear this out. Out of a combined 5,897 attacks, 81% targeted Telnet as opposed to a measly 19% targeting SSHv2. The majority of attacks paired common usernames with number-only passwords. Telnet should not be used by anyone under any circumstances, and in future data/intelligence gathering operations, Telnet will be excluded from results.
SSH attacks largely came from China, with the vast majority of those attacks coming from the same /24 IP block, one belonging to China Telecom.
Virtual Network Computing (VNC)
VNC is a notoriously vulnerable protocol when configured incorrectly. It made up the third largest share of attacks (approx. 4,000). Nothing particularly noteworthy here, just bots trying common passwords.
Other systems that were targeted often were MS SQL, RDP, and FTP. Future reports will go into more detail about business-critical systems such as these.
Credentials
The most attempted user IDs and passwords are not particularly noteworthy, as these are typically defaults used across a variety of platforms. However, one password that I did find noteworthy was the 6th most used password, “7ujMko0admin”. Further digging revealed that it’s a password commonly used with a vulnerable model of IP camera. It appears that most of the traffic to the honeypot is bot traffic, spraying common passwords at any exposed login pages or services (SSH, FTP, etc.).
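The SSH/Telnet observations above (password guessing with number-only passwords, a single /24 block responsible for most SSH attempts, and an IoT default such as “7ujMko0admin” surfacing in the top passwords) all come out of the same aggregation over the honeypot’s login-failure events. The script below is an added example written for this write-up, not the JILL project’s own tooling. It assumes Cowrie-style JSON events (Cowrie is the SSH/Telnet honeypot bundled with T-Pot) with the field names eventid, src_ip, username, password and protocol; the log lines and the IoT-default watch list are constructed sample data.

```python
"""Summarise credential-spray activity from Cowrie-style JSON honeypot events.

Added example (not part of the original report). Field names follow Cowrie's
cowrie.login.failed events as assumed here; the sample lines are constructed.
"""
import json
import ipaddress
from collections import Counter

# Constructed sample events (documentation-range IPs, not real attackers).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","protocol":"telnet"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.11","username":"admin","password":"7ujMko0admin","protocol":"telnet"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"7ujMko0admin","protocol":"ssh"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.8","username":"root","password":"1234","protocol":"ssh"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"admin","password":"12345","protocol":"ssh"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.5","protocol":"ssh"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.5","username":"pi","password":"raspberry","protocol":"ssh"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","protocol":"ssh"}
"""

# Constructed watch list of passwords tied to known IoT default credentials;
# "7ujMko0admin" is the IP-camera default the report calls out.
IOT_DEFAULT_PASSWORDS = {"7ujMko0admin"}


def parse_login_failures(text):
    """Return only the login-failure events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") == "cowrie.login.failed":
            events.append(ev)
    return events


def protocol_share(events):
    """Percentage of login attempts per protocol (telnet vs ssh), rounded."""
    counts = Counter(ev.get("protocol", "unknown") for ev in events)
    total = sum(counts.values())
    return {p: round(100 * n / total) for p, n in counts.items()} if total else {}


def top_credentials(events, n=5):
    """Most-sprayed (username, password) pairs."""
    return Counter((ev["username"], ev["password"]) for ev in events).most_common(n)


def top_source_blocks(events, prefix=24, n=5):
    """Group source IPs into /prefix networks so one noisy block stands out."""
    nets = Counter()
    for ev in events:
        net = ipaddress.ip_network(f"{ev['src_ip']}/{prefix}", strict=False)
        nets[str(net)] += 1
    return nets.most_common(n)


def numeric_only_password_share(events):
    """Percentage of attempts whose password is digits only, rounded."""
    if not events:
        return 0
    numeric = sum(1 for ev in events if ev["password"].isdigit())
    return round(100 * numeric / len(events))


def iot_default_hits(events):
    """(src_ip, password) for attempts using a known IoT default password."""
    return [(ev["src_ip"], ev["password"]) for ev in events
            if ev["password"] in IOT_DEFAULT_PASSWORDS]


if __name__ == "__main__":
    evs = parse_login_failures(SAMPLE_LOG)
    print("protocol share:", protocol_share(evs))
    print("top credentials:", top_credentials(evs))
    print("top /24 blocks:", top_source_blocks(evs))
    print("numeric-only passwords:", numeric_only_password_share(evs), "%")
    print("IoT default hits:", iot_default_hits(evs))
```

Grouping by /24 rather than by individual address is what makes a single provider block (like the China Telecom range mentioned above) visible when the bots rotate across many hosts in it; raising the prefix to /16 is a one-argument change if the rotation is wider.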
CVEs Matched
Below is a list of the top CVEs flagged by the Suricata IDS. Next to each CVE ID is a short description.
CVE-2001-0540 – RDP Denial of Service (Memory Exhaustion)
CVE-2006-2369 – RealVNC Authentication Bypass
CVE-2012-0152 – RDP Denial of Service
CVE-2020-11899 – IPv6 Out-of-Bounds Read
CAN-2001-0540 – RDP Denial of Service (Memory Exhaustion); the CAN- prefix is the legacy “candidate” form of the same identifier as CVE-2001-0540 above
CVE-1999-0265 – ICMP Redirect Denial of Service
Security “best practices” dictate that you should NOT expose port 3389 to the internet unless absolutely necessary. However, if you need to do so, the best way you can protect that service is to keep your software up-to-date and security patches current. All of the CVEs flagged by Suricata are (at minimum) over a year old and have been patched already.
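The CVE list above is the kind of tally you get by walking Suricata’s alert output and pulling CVE references out of each signature, and the observation that every flagged CVE is over a year old follows from the year embedded in the identifier. The script below is an added example for this write-up, not part of the JILL project or of Suricata itself. It assumes Suricata’s EVE JSON format (one object per line, event_type “alert”, an alert.signature string and an optional alert.metadata.cve list, which Emerging Threats rules populate with underscore-separated IDs); the sample lines, rule names and signature IDs are constructed. It also folds the old CAN- candidate prefix into the matching CVE- ID so the two RDP entries above count as one.

```python
"""Count CVE references in Suricata EVE alerts and flag long-patched ones.

Added example (not the original report's tooling). EVE field layout is
assumed; the sample alerts below are constructed with placeholder sids.
"""
import json
import re
from collections import Counter

# Matches CVE-2012-0152, CVE_2012_0152 and the legacy CAN-2001-0540 form.
CVE_RE = re.compile(r"\b(CVE|CAN)[-_](\d{4})[-_](\d{4,})\b", re.IGNORECASE)

# Constructed EVE JSON lines (not real alerts; sids in the local 9000000 range).
SAMPLE_EVE = """\
{"timestamp":"2021-03-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_port":3389,"alert":{"signature":"CONSTRUCTED RULE RDP DoS attempt","signature_id":9000001,"metadata":{"cve":["CVE_2012_0152"]}}}
{"timestamp":"2021-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.6","dest_port":3389,"alert":{"signature":"CONSTRUCTED RULE RDP DoS attempt CVE-2012-0152","signature_id":9000002}}
{"timestamp":"2021-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_port":3389,"alert":{"signature":"CONSTRUCTED RULE RDP memory exhaustion","signature_id":9000003,"metadata":{"cve":["CAN_2001_0540"]}}}
{"timestamp":"2021-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_port":3389,"alert":{"signature":"CONSTRUCTED RULE RDP memory exhaustion CVE-2001-0540","signature_id":9000004}}
{"timestamp":"2021-03-01T10:00:04.000000+0000","event_type":"flow","src_ip":"192.0.2.7","dest_port":22}
{"timestamp":"2021-03-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.0.2.8","dest_port":80,"alert":{"signature":"CONSTRUCTED RULE IPv6 out-of-bounds read","signature_id":9000005,"metadata":{"cve":["CVE_2020_11899"]}}}
{"timestamp":"2021-03-01T10:00:06.000000+0000","event_type":"alert","src_ip":"192.0.2.9","dest_port":23,"alert":{"signature":"CONSTRUCTED RULE telnet login attempt","signature_id":9000006}}
"""


def normalize_cve_id(raw):
    """Canonical CVE-YYYY-NNNN form, or None if the string is not a CVE/CAN id.

    CAN- was the pre-2005 candidate prefix for the same identifier space,
    so CAN-2001-0540 and CVE-2001-0540 refer to one issue.
    """
    m = CVE_RE.fullmatch(raw.strip())
    if not m:
        return None
    return f"CVE-{m.group(2)}-{m.group(3)}"


def cve_ids_from_alert(alert):
    """Set of CVE ids referenced by one alert (metadata list and signature text)."""
    ids = set()
    for raw in alert.get("metadata", {}).get("cve", []):
        cid = normalize_cve_id(raw)
        if cid:
            ids.add(cid)
    for m in CVE_RE.finditer(alert.get("signature", "")):
        ids.add(f"CVE-{m.group(2)}-{m.group(3)}")
    return ids


def count_cves(eve_text):
    """Counter of CVE id -> number of alerts referencing it."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated line at the end of a rotating log
        if ev.get("event_type") != "alert":
            continue
        for cid in cve_ids_from_alert(ev.get("alert", {})):
            counts[cid] += 1
    return counts


def stale_cves(counts, report_year):
    """Ids whose assignment year is at least one full year before report_year.

    The year in a CVE id is the year the id was assigned, which is a lower
    bound on the vendor fix date, so 'stale' here means 'a patch has been
    available for at least that long'.
    """
    return sorted(cid for cid in counts if report_year - int(cid.split("-")[1]) >= 1)


if __name__ == "__main__":
    tally = count_cves(SAMPLE_EVE)
    for cid, n in tally.most_common():
        print(f"{cid}: {n}")
    print("patched over a year ago:", stale_cves(tally, 2021))
```

The dedupe matters for reporting: without it, the same RDP memory-exhaustion rule family shows up twice (once under each prefix), inflating the apparent variety of exploit attempts against port 3389.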
Conclusion
This is just a brief overview of the data that was obtained from the honeypot over a 24-hour period. A lot of the data has been simplified, and it doesn’t reflect all of the services being tested. Future reports will eliminate the unnecessary honeypots (like Telnet) and will focus on business-critical systems. As is to be expected, the data here highlights the importance of strong, unique passwords and of keeping your systems patched. The majority of the attacks mentioned above can be prevented with just those two measures, though stopping at those two alone would be neglecting the rest of your security posture.