Anti-virus vendors, information security researchers, and plain enthusiasts put bait systems on the Internet, honeypots, to catch fresh malware “in the wild” or to spot unusual attacker tactics. Honeypots are now so common that cybercriminals have developed a kind of immunity: they quickly recognise a trap in front of them and simply ignore it. To study the tactics of modern attackers, we built a realistic honeypot that lived on the Internet for seven months and attracted a variety of attacks. We described how it went in our study “Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats”. This post presents some facts from that study.
Honeypot development: checklist
The main task in creating our super trap was to avoid being exposed by the hackers who took an interest in it. That required a lot of work:
- Create a realistic legend for the company, including the names and photos of employees, phone numbers and e-mail addresses.
- Invent and implement a model of industrial infrastructure that matches the company's legend.
- Decide which network services will be exposed to the outside, without getting carried away opening vulnerable ports, so that the system does not look like a trap for suckers.
- Stage a visible information leak about the vulnerable system and spread it among potential attackers.
- Implement covert surveillance of the hackers inside the trap infrastructure.
And now, first things first.
Create a legend
Cybercriminals are used to running into lots of traps, so the most advanced of them study each vulnerable system in depth to make sure it is not a honeypot. For the same reason, we strove not only for a honeypot that is realistic in its design and technical details, but also for the appearance of a real company.
Putting ourselves in the place of a hypothetical hacker, we developed a verification procedure that would distinguish a real system from a trap. It included looking up the company's IP addresses in reputation services, researching the history of those IP addresses, searching for names and keywords related to the company and its counterparties, and much more. As a result, the legend turned out quite convincing and attractive.
We decided to position the trap factory as a small industrial prototyping boutique working for very large anonymous clients in the military and aviation sector. This avoided the legal difficulties of using an existing brand.
Next we needed to come up with a vision, mission and name for the organization. We decided that our company would be a startup with a small number of employees, each of them a founder. This added credibility to the legend that our specialised business works on sensitive projects for large and important customers. We wanted the company to look weak in terms of cybersecurity, while making it obvious that the target systems held important assets.
A screenshot of the MeTech honeypot site. Source: Trend Micro
For the company name we chose MeTech. The site was built from a free template. Images were taken from stock photo services, choosing the least popular ones and retouching them to make them less recognisable.
We wanted the company to look real, so we had to add employees with professional skills matching the profile of our business. We came up with names and personalities for them, and then tried to select stock images matching their ethnicity.
A screenshot of the MeTech honeypot site. Source: Trend Micro
So as not to give ourselves away, we first looked for good-quality group photos from which we could pick the faces we needed. We then abandoned this option, because a potential intruder could run a reverse image search and find that our “employees” live only in stock photo banks. In the end, we used photographs of non-existent people generated by neural networks.
The employee profiles published on the site contained meaningful information about their technical skills, but we avoided naming specific educational institutions and cities.
For mailboxes we used the hosting provider's mail server, and then rented several US phone numbers and combined them into a virtual PBX with a voice menu and an answering machine.
To avoid exposure, we decided to use a combination of real industrial equipment, physical computers and secured virtual machines. Looking ahead: we checked the result of our efforts with the Shodan search engine, and it showed that the honeypot looks like a real industrial system.
The result of scanning the honeypot with Shodan. Source: Trend Micro
As the hardware for our trap, we used four PLCs:
- Siemens S7-1200,
- two Allen-Bradley MicroLogix 1100,
- Omron CP1L.
These PLCs were chosen for their popularity in the global control-system market. Each of them uses its own protocol, which let us see which of the PLCs would be attacked more often and whether they would interest anyone at all.
The equipment of our “factory” trap. Source: Trend Micro
We did not just plug the hardware in and connect it to the Internet. We programmed each controller to perform tasks, among them
- burner and conveyor belt control,
- palletizing with a robotic arm.
To make the production process realistic, we programmed the logic to randomly vary the feedback parameters and to simulate motors starting and stopping and the burner switching on and off.
Our factory had three virtual computers and one physical one. The virtual machines were used to control the plant, to control the palletizing robot, and as a PLC software engineer's workstation. The physical computer worked as a file server.
In addition to monitoring attacks on the PLCs, we wanted to monitor the state of the programs loaded onto our devices. To do this, we built an interface that let us quickly see how the states of our virtual actuators and units were being modified. Already at the planning stage we found that this is much easier to implement in a supervisory control program than by programming the controller logic directly. We exposed this device-management interface of our honeypot via VNC without a password.
Industrial robots are a key component of modern smart manufacturing, so we decided to add a robot, and a workstation to control it, to the equipment of our trap factory. To make the “factory” more realistic, we installed on that workstation the real software engineers use to graphically program robot logic. And since industrial robots are usually located on an isolated internal network, we decided to leave unprotected VNC access only to the control workstation.
RobotStudio environment with a 3D model of our robot. Source: Trend Micro
On the robot control workstation VM we installed the RobotStudio programming environment from ABB Robotics. Having set up RobotStudio, we opened a simulation file with our robot in it so that its 3D model was visible on the screen. As a result, Shodan and other search engines, on discovering the unprotected VNC server, would grab this image from the screen and show it to anyone looking for industrial robots with open access to their controls.
The point of such attention to detail was to create an attractive and maximally realistic target that attackers, having discovered it, would return to again and again.
To program the PLC logic, we added an engineering computer to the infrastructure, with industrial PLC programming software installed on it:
- TIA Portal for Siemens,
- MicroLogix software for the Allen-Bradley controllers,
- CX-One for Omron.
We decided that the engineering workstation would not be reachable from outside the network. Instead, we set the same local administrator password on it as on the robot control and plant control workstations that were accessible from the Internet. This configuration is quite common in many companies.
Unfortunately, despite all our efforts, not a single attacker reached the engineer's workstation.
The file server was needed as a decoy for intruders and as a means of backing up our own “work” in the trap factory. It let us exchange files with the honeypot using USB drives, without leaving traces on the trap's network. As the file server's OS we installed Windows 7 Pro, on which we created a shared folder readable and writable by anyone.
At first we did not create any hierarchy of folders and documents on the file server. It then turned out that attackers were actively exploring this share, so we decided to fill it with assorted files. For this we wrote a Python script that created files of random size with one of a set of specified extensions, building the names from a dictionary.
A script for generating attractive file names. Source: Trend Micro
After running the script, we got the desired result: a folder full of files with very interesting names.
The result of the script. Source: Trend Micro
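The following generator is an added example written for this post in the spirit of the script described above; it is not the script from the screenshot, and the word lists, extensions, size range and the back-dating of timestamps are assumptions chosen to fit the MeTech legend.

```python
"""Fill a bait file share with plausibly named files of random size.

Added example, not the study's own generator. The vocabulary, extensions and
size range below are assumptions for a small prototyping shop with
defence/aerospace clients.
"""
import os
import random
import tempfile
import time
from pathlib import Path

CUSTOMERS = ["Northwind", "Aerotech", "Vanguard", "Meridian"]
SUBJECTS = ["RFQ", "NDA", "wiring_diagram", "PLC_backup", "test_report",
            "invoice", "CAD_drawing", "firmware"]
QUALIFIERS = ["draft", "final", "v2", "signed", "CONFIDENTIAL", "rev_B"]
EXTENSIONS = [".pdf", ".docx", ".xlsx", ".dwg", ".zip", ".bak", ".txt"]
MIN_SIZE, MAX_SIZE = 4 * 1024, 2 * 1024 * 1024      # 4 KiB .. 2 MiB


def decoy_name(rng):
    """Build a name such as Aerotech_PLC_backup_2019-03_final.bak."""
    parts = [rng.choice(CUSTOMERS), rng.choice(SUBJECTS),
             f"{rng.randint(2016, 2019)}-{rng.randint(1, 12):02d}"]
    if rng.random() < 0.6:                              # not every file gets a qualifier
        parts.append(rng.choice(QUALIFIERS))
    return "_".join(parts) + rng.choice(EXTENSIONS)


def generate_decoys(root=None, count=50, seed=None):
    """Create `count` uniquely named decoy files under `root` (a fresh temp dir
    when None) and return their paths. Names and sizes are reproducible for a
    given seed; contents are random bytes so the files are not empty."""
    rng = random.Random(seed)
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="decoys_"))
    root.mkdir(parents=True, exist_ok=True)
    created, used, now = [], set(), time.time()
    while len(created) < count:
        name = decoy_name(rng)
        if name in used:                                # avoid duplicate names
            continue
        used.add(name)
        path = root / name
        path.write_bytes(os.urandom(rng.randint(MIN_SIZE, MAX_SIZE)))
        # Back-date the timestamps over the past ~13 months so the share does
        # not look like it was populated in one sitting.
        stamp = now - rng.randint(1, 400) * 86400
        os.utime(path, (stamp, stamp))
        created.append(path)
    return created


if __name__ == "__main__":
    for p in generate_decoys(count=10, seed=42):
        print(f"{p.stat().st_size:>9}  {p.name}")
```

One caveat for anyone reusing this: random contents have the entropy of encrypted or compressed data, which is fine for a directory listing but would look odd to an intruder who actually opens a .txt or .docx, so files that are likely to be opened deserve real-looking content.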
Having spent so much effort on creating a realistic company, we simply could not afford to give ourselves away through the setup used to monitor our “visitors”. We needed all the data in real time, without the attackers noticing that they were being watched.
We implemented this with four USB-to-Ethernet adapters, four SharkTap Ethernet taps, a Raspberry Pi 3 and a large external drive. Our network looked like this:
Network diagram of the honeypot with monitoring equipment. Source: Trend Micro
We placed three SharkTap taps so as to capture all external traffic to the PLCs, which were reachable only from the internal network. The fourth SharkTap monitored the traffic of visitors to the vulnerable virtual machine.
SharkTap Ethernet tap and Sierra Wireless AirLink RV50 router. Source: Trend Micro
The Raspberry Pi captured traffic every day. Internet connectivity was provided by a Sierra Wireless AirLink RV50 cellular router, which is often used at industrial enterprises.
Unfortunately, this router did not allow selectively blocking attacks that did not fit our plans, so we added a Cisco ASA 5505 firewall to the network in transparent mode to do the blocking with minimal impact on the network.
Tshark and tcpdump are fine for quickly sorting out current issues, but in our case their capabilities were not enough: we had many gigabytes of traffic analysed by several people. We used the open-source analyser Moloch, developed at AOL. In functionality it is comparable to Wireshark, but it has more features for collaboration, annotating and tagging packets, export, and other tasks.
Since we did not want to process the collected data on the honeypot computers, the PCAP dumps were exported daily to AWS storage, from where we imported them into the machine running Moloch.
To document the intruders' actions in our honeypot, we wrote a script that took screenshots of the virtual machine at a set interval and, by comparing each with the previous screenshot, determined whether anything was happening. When activity was detected, the script started a screen recording. This approach proved the most effective. We also tried to analyse the VNC traffic from the PCAP dump to understand what changes had occurred in the system, but in the end the screen recording we implemented turned out simpler and more visual.
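The screenshot-diffing approach, as an added example for this post rather than the study's own script. Frames are raw 8-bit grayscale buffers; in a real deployment they would come from a hypervisor or VNC screenshot converted to grayscale (assumed, not shown), and the on_start/on_stop callbacks would launch and kill a recorder such as ffmpeg. The frames in simulate() are constructed by hand.

```python
"""Detect operator activity on a honeypot VM by diffing periodic screenshots
and start/stop a screen recording around each active period.

Added example, not the study's own script. Frames are WIDTH x HEIGHT 8-bit
grayscale buffers; the capture source and the recorder are assumed.
"""

WIDTH, HEIGHT = 160, 100
PIXEL_TOLERANCE = 8        # per-pixel brightness noise to ignore
CHANGE_THRESHOLD = 0.002   # fraction of pixels (0.2 %) that must change to count as activity
IDLE_FRAMES_TO_STOP = 3    # stop recording after this many quiet intervals


def changed_fraction(prev, cur, tolerance=PIXEL_TOLERANCE):
    """Fraction of pixels whose brightness differs by more than `tolerance`."""
    if len(prev) != len(cur):
        raise ValueError("frames must have the same size")
    differing = sum(1 for a, b in zip(prev, cur) if abs(a - b) > tolerance)
    return differing / len(prev)


class ActivityMonitor:
    """Feed it one screenshot per polling interval; it fires on_start when the
    screen changes noticeably and on_stop after `idle_frames` quiet frames."""

    def __init__(self, on_start, on_stop, threshold=CHANGE_THRESHOLD,
                 idle_frames=IDLE_FRAMES_TO_STOP):
        self.on_start, self.on_stop = on_start, on_stop
        self.threshold, self.idle_frames = threshold, idle_frames
        self.prev, self.recording, self.idle = None, False, 0

    def feed(self, frame):
        """Process the latest frame; return whether a recording is active afterwards."""
        if self.prev is None:              # first frame: nothing to compare against
            self.prev = frame
            return False
        fraction = changed_fraction(self.prev, frame)
        self.prev = frame
        if fraction >= self.threshold:
            self.idle = 0
            if not self.recording:
                self.recording = True
                self.on_start()
        elif self.recording:
            self.idle += 1
            if self.idle >= self.idle_frames:
                self.recording = False
                self.on_stop()
        return self.recording


def paint(frame, x, y, w, h, value):
    """Return a copy of `frame` with a w x h rectangle at (x, y) set to `value`."""
    out = bytearray(frame)
    for row in range(y, y + h):
        out[row * WIDTH + x: row * WIDTH + x + w] = bytes([value]) * w
    return bytes(out)


def simulate():
    """Constructed session: idle desktop, clock tick, window opens, typing, idle.
    Returns (recording state per frame, list of recorder events)."""
    events = []
    mon = ActivityMonitor(lambda: events.append("start"), lambda: events.append("stop"))
    desktop = bytes([30]) * (WIDTH * HEIGHT)
    clock = paint(desktop, 150, 95, 6, 3, 200)          # 18 px: taskbar clock changes
    window = paint(clock, 20, 10, 80, 50, 240)          # 4000 px: a window is opened
    typed = paint(window, 24, 14, 20, 4, 0)             # 80 px: a few characters typed
    frames = [desktop, clock, window, typed, typed, typed, typed, typed]
    return [mon.feed(f) for f in frames], events


if __name__ == "__main__":
    states, events = simulate()
    print(states)     # which frames fell inside a recording
    print(events)     # ['start', 'stop']
```

The threshold is the part that needs tuning per resolution: it must sit above the clock tick and cursor blink but below a handful of keystrokes, and the polling interval bounds how much of the very first action is lost before the recorder starts.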
Monitoring VNC Sessions
For this we used Chaosreader and VNCLogger. Both utilities extract keystrokes from a PCAP dump, but VNCLogger handles keys such as Backspace, Enter and Ctrl more correctly.
VNCLogger has two drawbacks. First, it can only extract keys by “listening” to traffic on a network interface, so we had to replay the VNC session to it using tcpreplay. The second drawback it shares with Chaosreader: neither shows the clipboard contents. For that we had to use Wireshark.
We created the honeypot to be attacked. To that end, we staged an information leak designed to attract the attention of potential intruders. The following ports were opened on the honeypot:
The RDP port had to be closed shortly after the start of the experiment, because the huge volume of scanning traffic in our network caused performance problems.
The VNC endpoints first ran in “view only” mode without a password, and then we “mistakenly” switched them to full-access mode.
To attract attackers, we published two posts on PasteBin with “leaked” information about the accessible industrial system.
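What these tools do under the hood, as an added example for this post (not VNCLogger's or Chaosreader's code): a parser for the client-to-server half of an RFB session that pulls out KeyEvent and ClientCutText messages, reconstructs the typed text by applying Backspace and Enter and annotating Ctrl/Alt chords, and also recovers the clipboard contents, which is the gap mentioned above. The input would be the reassembled client-to-server TCP payload after the RFB handshake, e.g. saved from Wireshark's “Follow TCP Stream”; SAMPLE_STREAM is constructed by hand.

```python
"""Recover keystrokes and clipboard pastes from the client->server half of an
RFB (VNC) session, as VNCLogger and Chaosreader do from a PCAP.

Added example, not code from the study or from those tools. Input: the
reassembled client->server TCP payload after the RFB handshake.
"""
import struct

# X11 keysyms used by RFB KeyEvent (values from X11/keysymdef.h)
XK_BACKSPACE, XK_TAB, XK_RETURN = 0xFF08, 0xFF09, 0xFF0D
XK_SHIFT_L, XK_SHIFT_R = 0xFFE1, 0xFFE2
XK_CONTROL_L, XK_CONTROL_R = 0xFFE3, 0xFFE4
XK_ALT_L, XK_ALT_R = 0xFFE9, 0xFFEA
MODIFIERS = {XK_SHIFT_L: "Shift", XK_SHIFT_R: "Shift", XK_CONTROL_L: "Ctrl",
             XK_CONTROL_R: "Ctrl", XK_ALT_L: "Alt", XK_ALT_R: "Alt"}
CHORD_MODS = {XK_CONTROL_L, XK_CONTROL_R, XK_ALT_L, XK_ALT_R}


def parse_rfb_client_stream(data):
    """Walk client->server messages; return ('key', (down, keysym)) and
    ('cut', text) events. Other message types are skipped by their fixed size."""
    events, off = [], 0
    while off < len(data):
        mtype = data[off]
        if mtype == 0:                          # SetPixelFormat: type + 3 pad + 16
            off += 20
        elif mtype == 2:                        # SetEncodings: type + pad + u16 n + 4*n
            (count,) = struct.unpack_from("!H", data, off + 2)
            off += 4 + 4 * count
        elif mtype == 3:                        # FramebufferUpdateRequest
            off += 10
        elif mtype == 4:                        # KeyEvent: type, down, 2 pad, u32 keysym
            down, keysym = struct.unpack_from("!BxxI", data, off + 1)
            events.append(("key", (bool(down), keysym)))
            off += 8
        elif mtype == 5:                        # PointerEvent: type, buttons, x, y
            off += 6
        elif mtype == 6:                        # ClientCutText: type, 3 pad, u32 len, Latin-1
            (length,) = struct.unpack_from("!I", data, off + 4)
            events.append(("cut", data[off + 8:off + 8 + length].decode("latin-1")))
            off += 8 + length
        else:
            raise ValueError(f"unknown client message type {mtype} at offset {off}")
    return events


def reconstruct_typing(events):
    """Turn key presses into lines of text: apply Backspace and Enter, annotate
    Ctrl/Alt chords, and show clipboard pastes inline."""
    lines, buf, held = [], [], set()
    for kind, value in events:
        if kind == "cut":
            lines.append(f"<clipboard: {value!r}>")
            continue
        down, keysym = value
        if keysym in MODIFIERS:
            (held.add if down else held.discard)(keysym)
        elif not down:
            continue                            # releases produce no text
        elif keysym == XK_BACKSPACE:
            if buf:
                buf.pop()
        elif keysym == XK_RETURN:
            lines.append("".join(buf))
            buf = []
        elif keysym == XK_TAB:
            buf.append("\t")
        elif held & CHORD_MODS:                 # e.g. Ctrl+V paste, Alt+F4
            mods = "+".join(sorted({MODIFIERS[k] for k in held}))
            name = chr(keysym) if 0x20 <= keysym <= 0x7E else f"0x{keysym:04x}"
            buf.append(f"<{mods}+{name}>")
        elif 0x20 <= keysym <= 0x7E or 0xA0 <= keysym <= 0xFF:
            buf.append(chr(keysym))             # Latin-1 keysyms equal their code point
        else:
            buf.append(f"<keysym 0x{keysym:04x}>")
    if buf:
        lines.append("".join(buf))
    return lines


# --- constructed sample stream (not a real capture) ---------------------------
def _key(keysym, down=True):
    return struct.pack("!BBxxI", 4, int(down), keysym)

def _type(text):                                # press + release per character
    return b"".join(_key(ord(c)) + _key(ord(c), False) for c in text)

def _cut(text):
    raw = text.encode("latin-1")
    return struct.pack("!BxxxI", 6, len(raw)) + raw

# The intruder types "whoamj", fixes the typo, hits Enter, then pastes a
# password with Ctrl+V. Framebuffer and pointer messages are mixed in as noise.
SAMPLE_STREAM = (
    struct.pack("!BxH", 2, 2) + struct.pack("!ii", 0, 1)      # SetEncodings: raw, copyrect
    + _type("whoamj") + _key(XK_BACKSPACE) + _key(XK_BACKSPACE, False)
    + _type("i") + _key(XK_RETURN) + _key(XK_RETURN, False)
    + struct.pack("!BBHHHH", 3, 1, 0, 0, 800, 600)           # FramebufferUpdateRequest
    + struct.pack("!BBHH", 5, 0, 412, 233)                   # PointerEvent
    + _cut("Pa55w0rd")
    + _key(XK_CONTROL_L) + _type("v") + _key(XK_CONTROL_L, False)
    + _key(XK_RETURN) + _key(XK_RETURN, False)
)

if __name__ == "__main__":
    for line in reconstruct_typing(parse_rfb_client_stream(SAMPLE_STREAM)):
        print(line)     # whoami / <clipboard: 'Pa55w0rd'> / <Ctrl+v>
```

Because the parser works on the reassembled stream rather than on a live interface, it can be pointed straight at a saved PCAP without the tcpreplay detour that VNCLogger needs; the price is that every message type must be skipped by its exact size, so an unknown type is reported rather than guessed.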
One of the posts posted on PasteBin to attract attacks. Source: Trend Micro
The honeypot was online for about seven months. The first attack came a month after it went online.
There was a lot of traffic from the scanners of well-known companies: ip-ip, Rapid7, Shadow Server, Shodan, ZoomEye and others. There were so many that we had to exclude their IP addresses from the analysis: 610 of the 9,452 unique IP addresses, or 6.45%, belonged to entirely legitimate scanners.
One of the biggest risks we had to face was the use of our system for criminal purposes: buying smartphones through a subscriber's account, redeeming airline miles for gift cards, and other types of fraud.
One of the first visitors to our system turned out to be a miner, who uploaded Monero mining software to it. They would not have earned much on our particular system because of its low performance, but combining the efforts of several tens or even hundreds of such systems could pay off quite well.
During the honeypot's operation we twice encountered real ransomware. The first was Crysis. Its operators logged in through VNC, then installed TeamViewer and carried out further actions through it. After receiving a ransom note demanding $10,000 in BTC, we entered into correspondence with the criminals, asking them to decrypt one of the files for us. They fulfilled the request and repeated the ransom demand. We managed to bargain them down to $6,000, after which we simply rolled the virtual machine back, since we had obtained all the information we needed.
The second ransomware was Phobos. The hacker who deployed it spent an hour browsing the honeypot's file system and scanning the network, and only then installed the ransomware.
The third ransomware attack turned out to be fake. An unknown “hacker” uploaded a file named haha.bat to our system, after which we watched for a while as he tried to make it work. One attempt consisted of renaming haha.bat to haha.rnsmwr.
The “hacker” tries to make the batch file more dangerous by changing its extension to .rnsmwr. Source: Trend Micro
When the batch file finally ran, the “hacker” edited it, raising the ransom from $200 to $750. After that he “encrypted” all the files, left a ransom note on the desktop and disappeared, having changed the passwords on our VNC.
A couple of days later the hacker returned and, as a reminder, launched a batch file that opened many windows with a porn site. Apparently this was his way of drawing attention to his demand.
The study showed that as soon as information about the vulnerability was published, the honeypot attracted attention, and activity grew day by day. For the trap to attract attention, we had to commit many security violations on behalf of our fictional company. Unfortunately, this situation is far from rare among real companies that have no full-time IT and information security staff.
In general, organizations should follow the principle of least privilege, whereas we implemented its exact opposite to lure intruders. And the longer we watched the attacks, the more sophisticated they became compared with standard penetration-testing methods.
Most importantly, all these attacks would have failed had adequate security measures been in place when the network was set up. Organizations must ensure that their equipment and industrial infrastructure components are not reachable from the Internet, the opposite of what we deliberately did in our trap.
Although we did not record a single attack on the engineer's workstation, despite using the same local administrator password on all computers, this practice should be avoided to minimise the chance of intrusion. After all, weak security is an extra invitation to attack industrial systems, which have long attracted the interest of cybercriminals.