Do try this at home – but carefully
The SANS Institute is hoping sysadmins can help it do what vendor’s won’t: improve Internet of Things security.
The call comes in the wake of not one but two IoShitT-based botnet attacks – the 600 Gbps-plus slam that sent security publication Krebs on Security from Akamai to Google Shield, and the same botnet escalating to nearly 1 Tbps in an attack on French hosting provider OVH – SANS wants suitably-skilled sysadmins to lay out the honey.
In this analysis, SANS asks that people “Consider running the latest version of cowrie on a honeypot to help us keep an eye on the passwords attempted to look for any shifts in the current pattern.”
The analysis focuses on digital video recorders (DVRs) that are either unpatched to remove old default telnet credentials, or they’re from manufacturers that haven’t bothered patching that kind of hole.
SANS’s Johannes Ullrich, PhD, writes that his honeypot setup shows lots of scans testing default passwords like xc3511 (for a generic Chinese device, DH-3004, since patched) and 7ujMko0 (which some DVRs add to their default Web password).
Ulrich’s own DVR honeypot, when he connected it to the Internet, was hit with so many telnet attempts that it had to be rebooted regularly.
The attempted attacks followed a predictable pattern:
Try to log in using the default credentials;
Try to detect if a honeypot is attached;
Fingerprint the target to work out its CPU and partition list;
Check if the disk is writable from telnet;
Test wget and tftp; and
See if the target will build binaries.
If the target passes the tests, the attacker loads its bot software, and starts scanning for more vulnerable hosts (at a rate of more than 100 connections/second).
Ulrich’s post includes the bot software he observed.
So if you decide to run up a honeypot, that’s what to expect. ®