Category Archives: Security

5Ghoul: Impacts, Implications and Next Steps, (Thu, Dec 7th)

This post was originally published on this site

The introduction of 5G networks has brought increased quality-of-life upgrades such as increased network speeds, the ability to handle concurrent users/network congestion and improved secure communication protocols compared to 4G technology. These benefits are expected to assist sectors such as medical, automation and internet-of-things (IoT) deployments where low-latency network communication is required. Ensuring the fidelity and security of 5G is imperative as organizations and users increasingly adopt it in their lives. Today, the Automated Systems SEcuriTy (ASSET) Research Group from the Singapore University of Technology and Design (SUTD) revealed the 5Ghoul family of implementation-level vulnerabilities in commercial 5G mobile network modems from major chipset vendors such as Qualcomm and MediaTek [1]. In this diary, I will give a brief background on 5G and 5Ghoul, highlight affected products and discuss the next steps affected users/organizations could consider.

A conventional 5G connection involves three key components – the gNodeB (gNB), User Equipment (UE) and the Core Network. The gNB is also known as the base station in traditional cellular networks and serves as the access point for wireless communication between the UE and 5G core network. UE refers to devices used by end users, such as 5G smartphones, tablets or mobile routers. Finally, the Core Network is the backbone of the 5G network architecture, providing control and management functions such as authentication, security, mobility management, session establishment, and data routing between network entities. With reference to Figure 1, an illustration of a clean 5G Standalone (SA) connection process between a 5G UE device (e.g., a smartphone) and a legitimate gNB is shown. Protocols such as Radio Resource Control (RRC), Non-Access Stratum (NAS), Medium Access Control (MAC), Packet Data Convergence Protocol (PDCP) and Radio Link Control (RLC) from both network layer (OSI layer 3) and data link layer (OSI layer 2) are involved to ensure that the connection is established successfully and securely.

Figure 1: Illustration of 5G Standalone (SA) Connection Procedure Between Legitimate gNB and UE (figure reproduced with permission from ASSET Research Group)

The code name “5Ghoul” was coined from 5G and the word ghoul. In popular legends, a ghoul is a demon-like creature which tries to distract travellers and preys on them once it is successful [1]. Similarly, for the 5Ghoul family of vulnerabilities, UEs could be continuously exploited (e.g. dropping connections, freezing connections, which requires manual rebooting, or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNB. A total of 16 vulnerabilities were uncovered, of which 10 Common Vulnerabilities and Exposures (CVE) Identifiers (IDs) were issued, and 2 CVE IDs were pending assignment. The summary of vulnerabilities, affected devices and patch status are outlined in Table 1 below.

Table 1: Patch Status, Vulnerabilities and Firmware Version of Devices That Were Tested (*Qualcomm and MediaTek have already released security patches to the above-mentioned product vendors)

5G Modem                                     | Software Version | Patch Status
Quectel RM500Q-GL (Qualcomm X55, USB Modem)  | Aug 03 2021      | Not Yet Available*
Simcom SIM8202G (Qualcomm X55, USB Modem)    |                  | Not Yet Available*
Fibocom FM150-AE (Qualcomm X55, USB Modem)   |                  | Not Yet Available*
Telit FT980m (Qualcomm X55, USB Modem)       |                  | Not Yet Available*
OnePlus Nord CE 2 5G (MediaTek Dimensity 900 5G) |              | Not Yet Available*
Xiaomi Redmi K40 (MediaTek Dimensity 1200 5G)    |              | Not Yet Available*
Asus ROG Phone 5s (Qualcomm X60)             |                  | Not Yet Available*

At the point of writing, security patches for the devices listed in Table 1 were unfortunately not yet available. However, Qualcomm and MediaTek have already released security patches to the product vendors at least two months in advance before making the issues publicly available in their security bulletins. The corresponding security bulletins that covered the CVE IDs have just been published this week on December 4, 2023 [2, 3].

The 5Ghoul vulnerabilities are implementation-based (i.e., they stem from how the 5G protocol was implemented in the affected products). They are trivial for an attacker to exploit, as no information about the victim’s SIM card is required. Most of the vulnerabilities lead to a Denial-of-Service (DoS), except for one that leads to a downgrade of 5G connectivity to 4G [1]. There are two scenarios in which adversaries could target their victims. In the first scenario, a UE has not yet connected to any gNB (e.g., a user alighting from a plane with their device still in airplane mode). Upon turning the UE on in the vicinity of a 5Ghoul-enabled gNB, the user will experience a DoS or downgrade attack (depending on which attacks the 5Ghoul-enabled gNB executes). In the second scenario, the user has an existing connection to a benign 5G gNB. An adversary could use various techniques (e.g., frequency jamming, or social engineering to get the user to briefly enable airplane mode on a smartphone) to disconnect the UE from the benign 5G gNB while a 5Ghoul-enabled gNB broadcasts at a stronger signal strength. When the victim attempts to reconnect to the 5G network, the stronger signal of the 5Ghoul-enabled gNB makes the UE connect to it, thus exposing the victim to 5Ghoul attacks.

The potential scale of devices affected by 5Ghoul is not merely limited to the seven devices listed in Table 1. Based on the devices that used vulnerable 5G modems from Qualcomm and MediaTek identified by the researchers and with reference to Figure 2, a total of 714 smartphone models were estimated to be affected (a wide variety of Android phone brands and Apple devices) [1]. However, it should also be noted that the affected 5G modems could be used in other 5G-enabled environments such as Industrial IoT solutions, home appliances and IP Cameras [2].


Figure 2: Breakdown of Device Brands Affected by 5Ghoul (figure reproduced with permission from ASSET Research Group)

How should everyone handle the usage of 5G-enabled devices, especially if the devices used are affected by 5Ghoul? One piece of good (or not so good) news is that 5Ghoul affects 5G Standalone (SA) mode only, so setting your device to connect to 5G Non-Standalone (NSA) mode could help reduce the risk brought by 5Ghoul. The downside is that the benefits brought by 5G SA would not be utilized. A slightly more drastic measure would be avoiding using 5G entirely, meaning a self-imposed DoS from 5G. Looking out for suspicious adversaries may not work if a network of well-established 5Ghoul-enabled gNBs with strong signal strength is deployed and the victim steps into the signal zone.

For end users, checking if the security patches are available for your device is highly recommended. As most of the 5Ghoul attacks are DoS related, a loss of 5G connection, especially if your phone was using 5G SA mode, could indicate that a 5Ghoul attack is ongoing. A persistent 4G connection, despite being in an area where a 5G signal is usually received, could also indicate an attack.

Organizations, governments, and critical infrastructure may also be using affected components. If stakeholders are still determining the extent of 5G usage and the associated devices, an audit of the devices/components in use should be carried out. A risk assessment should also be conducted to assess the risk posed by 5Ghoul to users or day-to-day operations. Keeping in mind the attack vector, an interim measure could very well be a policy to use 5G NSA or avoid the use of 5G while affected devices are patched/replaced.

Figure 3: 5G UE Software Supply Ecosystem (figure reproduced with permission from ASSET Research Group)

Finally, for 5G product vendors and service providers, it is highly recommended to contact the researchers for the PoC to test products for 5Ghoul vulnerabilities [4] now, or to implement the security patches that Qualcomm or MediaTek have provided. With reference to Figure 3, the importance of all involved parties (chipset vendor, OS vendor and product vendor) cannot be overstated. A well-tested software development kit (SDK), along with well-tested implementations of technologies such as 5G, affects the whole technology ecosystem. Chipset vendors must execute carrier recertification for every upstream 5G modem software version change before the updated firmware can be included in the OS security patches (e.g., Android/iOS). Additional time will also be needed by product vendors, who may need to tweak the various smartphone firmware based on their product customizations. Equipment such as Customer Premises Equipment (CPE) routers and USB modems face a similar situation, albeit a slightly easier one, since adherence to the release schedule of OS vendors is not required: security patches received from the chipset vendors can be implemented directly into their platform software (usually a customized Linux OS). As customers and users increasingly recognize the need for their privacy and data to be protected, it is in the vendors’ best interests to ensure product security for continued presence in the market.


Yee Ching Tok, Ph.D., ISC Handler
Personal Site

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Revealing the Hidden Risks of QR Codes [Guest Diary], (Wed, Dec 6th)


[This is a Guest Diary by Jeremy Wensuc, an ISC intern as part of the BACS program]


QR codes, those square-shaped digital puzzles found on everything from advertisements and packaging to restaurant menus, have made our lives more convenient. However, this blog post aims to shed light on the often-overlooked dangers of QR codes and provide insight into how malicious actors can exploit them. Understanding these risks is essential to ensuring your digital safety in an age where QR codes are omnipresent.

What Are QR Codes

QR codes, short for Quick Response codes, are two-dimensional barcodes that store information, such as website links, contact details, or app download links, in a graphical black-and-white pattern. They were first created in 1994 by a Japanese company called Denso Wave for tracking automotive parts during manufacturing. When scanned, a QR code can direct the user to a website, display text, or trigger other actions such as adding contact information, connecting to a Wi-Fi network, or initiating a payment.

How do QR codes work

QR codes work by encoding information in a two-dimensional pattern of black squares and white spaces. The information is typically encoded as a series of binary digits (0s and 1s), and the specific arrangement of these elements within the QR code structure determines the data it represents. Here is a breakdown of a QR code: 

Finder Patterns

  • These are the three square patterns located at the corners of the QR code. They help the QR code reader locate and identify the code in an image. 

Timing Patterns

  • These are horizontal and vertical lines of alternating black and white modules that help the QR code reader determine the size and orientation of the code. 

Alignment Patterns

  • These are smaller square patterns strategically placed throughout the QR code. Alignment patterns assist the QR code reader in correcting distortions and tilts in the code, improving scanning accuracy. 

Quiet Zone

  • The quiet zone is the empty margin around the QR code. It ensures that there is enough space between the QR code and any other elements (graphics, text, borders) to prevent interference with the scanning process. 

Version Information

  • For QR codes of version 7 and above, a version information area is included, providing details about the QR code version, error correction level, and other parameters. 

Data and Error Correction Blocks

  • The central part of the QR code contains data modules, which store the encoded information (such as text, URLs, or other data). This section is divided into data blocks, each of which includes both data and error correction codewords. The error correction allows the QR code to be scanned accurately, even if part of it is damaged or obscured. 

Format Information

  • This section contains information about the QR code's format, including the error correction level and mask pattern used. It helps the QR code reader interpret and decode the data correctly. [1]
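The finder-pattern step above can be shown in code. The following Python is an added example, not part of the guest diary: it run-length encodes each row of a module grid, looks for five consecutive runs in the 1:1:3:1:1 proportion that a finder pattern produces, and cross-checks the column through each hit so that only the centre of a pattern is reported. The 21x21 grid it scans is constructed here and contains only the three finder patterns; the 50% tolerance is an assumption of the example.

```python
"""Locate QR finder patterns in a module grid by the 1:1:3:1:1 run ratio.

Added example, not from the original post. The grid is constructed and holds
only the three finder patterns of a version-1 code; real decoders scan camera
pixels rather than modules, which is why the test is a ratio, not a width.
"""


def build_sample_matrix(size=21, scale=1):
    """Construct a size x size grid (1 = black) with three corner finder
    patterns, each module optionally enlarged to a scale x scale block."""
    grid = [[0] * size for _ in range(size)]

    def put_finder(r0, c0):
        for r in range(7):
            for c in range(7):
                ring = max(abs(r - 3), abs(c - 3))      # distance from the centre module
                grid[r0 + r][c0 + c] = 0 if ring == 2 else 1  # only ring 2 is white

    put_finder(0, 0)
    put_finder(0, size - 7)
    put_finder(size - 7, 0)
    return [[v for v in row for _ in range(scale)] for row in grid for _ in range(scale)]


def run_lengths(line):
    """Run-length encode a 0/1 sequence into [value, start, length] triples."""
    runs = []
    for i, v in enumerate(line):
        if runs and runs[-1][0] == v:
            runs[-1][2] += 1
        else:
            runs.append([v, i, 1])
    return runs


def matches_ratio(lengths, tolerance=0.5):
    """True if five run lengths are in proportion 1:1:3:1:1 within tolerance."""
    unit = sum(lengths) / 7.0                          # one module's width in this window
    return all(abs(length - expected * unit) <= tolerance * unit
               for length, expected in zip(lengths, (1, 1, 3, 1, 1)))


def vertical_centre(column, row):
    """Cross-check the column through a horizontal hit; return the centre row
    if the vertical runs around it also match, otherwise None."""
    runs = run_lengths(column)
    idx = next(i for i, (_, start, length) in enumerate(runs) if start <= row < start + length)
    if runs[idx][0] != 1 or idx < 2 or idx + 2 >= len(runs):
        return None
    window = runs[idx - 2:idx + 3]
    if not matches_ratio([length for _, _, length in window]):
        return None
    return window[2][1] + window[2][2] // 2             # middle of the 3-wide run


def find_finder_patterns(matrix):
    """Return the set of (row, col) centres of candidate finder patterns."""
    centres = set()
    height = len(matrix)
    for r, row in enumerate(matrix):
        runs = run_lengths(row)
        for i in range(len(runs) - 4):
            window = runs[i:i + 5]
            if window[0][0] != 1:                       # pattern begins with a black run
                continue
            if not matches_ratio([length for _, _, length in window]):
                continue
            col = window[2][1] + window[2][2] // 2      # middle of the 3-wide run
            centre_row = vertical_centre([matrix[k][col] for k in range(height)], r)
            if centre_row is not None:
                centres.add((centre_row, col))
    return centres


if __name__ == "__main__":
    print(sorted(find_finder_patterns(build_sample_matrix())))
```

Scanning the same grid with each module enlarged (scale=2) returns the scaled centres, which is the point of testing proportions instead of absolute widths: the reader does not know in advance how many pixels one module occupies.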

QR Code Attacks 

The use of QR codes has surged in recent years, with applications ranging from marketing campaigns to contactless payments. However, cybercriminals have recognized the potential of exploiting QR codes to their advantage. The risks associated with QR codes include:


  • Quishing, short for QR code phishing, involves creating fake QR codes that mimic legitimate ones. Cybercriminals then place these codes on flyers, labels, posters, or in any other public space where unsuspecting people can scan them. A good example of this happened in Texas, where cybercriminals put fake QR code stickers on pay-to-park kiosks, tricking drivers into thinking they could use them to pay for parking. Once scanned, the QR code sent the drivers to a site where they could enter their credit card information, unknowingly handing their personal information to the cybercriminals. [2]


  • Quick Response Login (QRL) is a user-friendly authentication method that uses QR codes for logging into websites, applications, or any other digital services. QRLJacking, or Quick Response Code Login Jacking, is a type of attack where cybercriminals create a phishing site mimicking a login page to convince the victim to scan the QR code instead of the authentic one, leading to the compromise of sensitive information or unauthorized access to an account. A good example of this happened in August of 2023 when cybercriminals targeted the Steam gaming platform and attempted to steal the user's login information so the cybercriminals could impersonate them. [3]

Malware Distribution

  • Cybercriminals create QR codes that point to malicious websites that distribute malware through drive-by-download attacks, in which the website downloads software onto your device as soon as you visit it.

Scanner Apps

  • While most QR code scanner apps are legitimate and serve their intended purpose, there have been instances where cybercriminals have created fake or compromised QR code scanner apps to distribute malware. A good example of this happened in December 2020 with the app Barcode Scanner. [4]

How to protect yourself

While QR codes are generally safe, there are some precautions you can take to protect yourself from the potential risks associated with malicious QR codes. [5]

Use Your Smartphone's Built-in Scanner

  • Consider using the built-in QR code scanning feature in your smartphone's camera app. Many modern smartphones have this functionality, reducing the need for third-party apps.

Use Reputable QR Code Scanner Apps

  • Download QR code scanner apps only from official app stores, such as the Apple App Store or Google Play Store. Stick to well-known and reputable apps with positive reviews.

Update Apps Regularly

  • Keep your QR code scanner app, as well as all other apps, up-to-date. Developers release updates to address security vulnerabilities and improve performance.

Verify the Source

  • Be cautious when scanning QR codes from unknown or untrusted sources. Avoid codes received through posters, advertisements, unsolicited messages, emails, or from unfamiliar websites.

Check URLs

  • Before scanning a QR code, manually check the destination URL or use a URL Preview Service to see the destination URL before visiting the website. If it seems suspicious or doesn't match the expected content, avoid scanning the code.

Security software

  • Consider using security software on your device to provide an additional layer of protection against malware.
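As an illustration of the "Check URLs" advice, here is an added Python example (not from the guest diary) that classifies a decoded QR payload by the action a scanner would take and returns short warning codes for the properties a cautious user, or a scanner app, should surface before acting on it. The sample payloads, the shortener list and the redirect-parameter names are constructed for the example and are deliberately short.

```python
"""Inspect a decoded QR payload before acting on it.

Added example, not from the original post. The checks illustrate the
"look at the destination first" advice: classify the payload, then flag
properties that deserve a closer look. Lists and samples are constructed.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed, deliberately short lists; a real deployment maintains its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URL_PARAM_NAMES = {"url", "redirect", "redirect_uri", "next", "goto", "return", "dest"}


def classify_payload(payload):
    """Map a decoded payload to the action a scanner app would take."""
    p = payload.strip().lower()
    if p.startswith(("http://", "https://")):
        return "url"
    if p.startswith("wifi:"):
        return "wifi"
    if p.startswith(("mecard:", "begin:vcard")):
        return "contact"
    if p.startswith("tel:"):
        return "tel"
    if p.startswith(("sms:", "smsto:")):
        return "sms"
    if p.startswith("mailto:"):
        return "mailto"
    return "text"


def inspect_url(url):
    """Return short warning codes for properties of a URL worth checking."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        warnings.append("scheme-not-https")
    if "@" in parts.netloc:                          # userinfo can disguise the real host
        warnings.append("userinfo-in-authority")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare-ip-host")              # no domain name to recognise
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")            # possible look-alike domain
    if host in SHORTENER_HOSTS:
        warnings.append("url-shortener")             # final destination is hidden
    try:
        if parts.port not in (None, 80, 443):
            warnings.append("nonstandard-port")
    except ValueError:
        warnings.append("invalid-port")
    for name, values in parse_qs(parts.query).items():
        if name.lower() in URL_PARAM_NAMES and any(
                v.lower().startswith(("http://", "https://")) for v in values):
            warnings.append("embedded-url-param")    # a second hop hidden in the query
            break
    return warnings


def inspect_wifi(payload):
    """Parse WIFI:T:<auth>;S:<ssid>;P:<password>;; and flag what joining implies."""
    fields = {}
    for item in payload[5:].split(";"):              # escaped ';' inside values is not handled
        if ":" in item:
            key, value = item.split(":", 1)
            fields[key.upper()] = value
    warnings = ["auto-join-wifi"]                    # scanning joins a network the user did not choose
    if fields.get("T", "").lower() in ("", "nopass"):
        warnings.append("open-wifi")
    return warnings


def inspect_payload(payload):
    """Return (kind, warnings) for a decoded QR payload."""
    kind = classify_payload(payload)
    if kind == "url":
        return kind, inspect_url(payload)
    if kind == "wifi":
        return kind, inspect_wifi(payload)
    return kind, []


if __name__ == "__main__":
    for sample in ("https://www.example.com/menu",
                   "http://192.0.2.10/pay?redirect=http://example.net",
                   "WIFI:T:nopass;S:FreeAirport;;"):
        print(sample, "->", inspect_payload(sample))
```

An empty warning list does not make a payload safe; it only means the cheap structural checks found nothing, which is exactly why the advice above also says to verify the physical source of the code.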


QR codes have become integral to our daily lives, but it's crucial to recognize that they come with hidden security risks. By taking the precautions outlined in this blog post, you can enjoy the convenience of QR codes while minimizing the dangers they may pose. In an era where QR codes are prevalent, staying informed and vigilant is key to protecting your digital safety.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns


The Russia-based actor is targeting organizations and individuals in the UK and other geographical areas of interest.


The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.

The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.

Industry has previously published details of Star Blizzard. This advisory draws on that body of information.

This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.

To download a PDF version of this advisory, see Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns.


Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.

Targets in the UK and US appear to have been most affected by Star Blizzard activity; however, activity has also been observed against targets in other NATO countries and in countries neighboring Russia.

During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.


The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.

Research and Preparation

Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts [T1589], [T1593].

Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [T1585.001] and have used supposed conference or event invitations as lures.

Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton mail in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector.

To appear authentic, the actor also creates malicious domains resembling legitimate organizations [T1583.001].

Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not exhaustive.

Preference for Personal Email Addresses

Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses. The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.

Building a Rapport

Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard now starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.

Delivery of Malicious Link

Once trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials.

The malicious link may be a URL in an email message, or the actor may embed a link in a document [T1566.001] on OneDrive, Google Drive, or other file-sharing platforms.

Star Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [T1539], [T1550.004].

Exploitation and Further Activity

Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.

Star Blizzard then uses the stolen credentials to log in to a target’s email account [T1078], where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002]. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence [T1114.003].

The actor has also used their access to a victim email account to access mailing-list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity [T1586.002].


Spear-phishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success.

Individuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.

In the UK you can report related suspicious activity to the NCSC.

Information on effective defense against spear-phishing is included in the Mitigations section below.


This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.







Tactic: Reconnaissance
Technique: Search Open Websites/Domains [T1593]
Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.

Tactic: Reconnaissance
Technique: Gather Victim Identity Information [T1589]
Star Blizzard uses online data sets and open-source resources to gather information about their targets.

Tactic: Resource Development
Technique: Establish Accounts: Social Media Accounts [T1585.001]
Star Blizzard has been observed establishing fraudulent profiles on professional networking sites to conduct reconnaissance.

Tactic: Resource Development
Technique: Establish Accounts: Email Accounts [T1585.002]
Star Blizzard registers consumer email accounts matching the names of individuals they are impersonating to conduct spear-phishing activity.

Tactic: Resource Development
Technique: Acquire Infrastructure: Domains [T1583.001]
Star Blizzard registers domains to host their phishing framework.

Tactic: Resource Development
Technique: Compromise Accounts: Email Accounts [T1586.002]
Star Blizzard has been observed using compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim.

Tactic: Initial Access
Technique: Valid Accounts [T1078]
Star Blizzard uses compromised credentials, captured from fake log-in pages, to log in to valid victim user accounts.

Tactic: Initial Access
Technique: Phishing: Spear-phishing Attachment [T1566.001]
Star Blizzard uses malicious links embedded in email attachments to direct victims to their credential-stealing sites.

Tactic: Initial Access
Technique: Phishing: Spear-phishing Link [T1566.002]
Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.

Tactic: Defense Evasion
Technique: Use Alternate Authentication Material: Web Session Cookie [T1550.004]
Star Blizzard bypasses multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.

Tactic: Credential Access
Technique: Steal Web Session Cookie [T1539]
Star Blizzard uses EvilGinx to steal the session cookies of victims directed to their fake log-in domains.

Tactic: Collection
Technique: Email Collection: Remote Email Collection [T1114.002]
Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.

Tactic: Collection
Technique: Email Collection: Email Forwarding Rule [T1114.003]
Star Blizzard abuses email-forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to the victim’s emails, even after compromised credentials are reset.


A number of mitigations will be useful in defending against the activity described in this advisory.

  • Use strong passwords. Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC guidance: Top Tips for Staying Secure Online.
  • Use multi-factor authentication (2-factor authentication/two-step authentication) to reduce the impact of password compromises. See NCSC guidance: Multi-factor Authentication for Online Services and Setting Up 2-Step Verification (2SV).
  • Protect your devices and networks by keeping them up to date: Use the latest supported versions, apply security updates promptly, use anti-virus and scan regularly to guard against known malware threats. See NCSC guidance: Device Security Guidance.
  • Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion. You may recognize the sender’s name, but has the email come from an address that you recognize? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC guidance: Phishing attacks: Defending Your Organization and Internet Crime Complaint Center (IC3) | Industry Alerts.
  • Enable your email providers’ automated email scanning features. These are turned on by default for consumer mail providers. See NCSC guidance: Telling Users to “Avoid Clicking Bad Links” Still Isn’t Working.
  • Disable mail-forwarding. Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.
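For the last point, an added Python example (not part of the advisory) of the kind of check a mail administrator can run over an export of inbox rules: it reports every rule whose forward or redirect target lies outside the organisation's own domains, including rules that are currently disabled. The records and the field names (forward_to, redirect_to, forward_as_attachment_to, enabled) are constructed stand-ins for whatever your mail platform's rule export provides; map the real export onto them before use.

```python
"""Audit inbox rules for forwarding or redirection to external addresses.

Added example, not part of the advisory. The rule records are constructed
and use assumed field names; a real export would be mapped onto this shape.
"""

INTERNAL_DOMAINS = {"example.org"}          # constructed: the organisation's own domain(s)

SAMPLE_RULES = [  # constructed audit export, one record per inbox rule
    {"mailbox": "alice@example.org", "name": "Archive newsletters",
     "forward_to": [], "redirect_to": [], "forward_as_attachment_to": [], "enabled": True},
    {"mailbox": "alice@example.org", "name": "Sync",
     "forward_to": ["collector@mail.example.net"], "redirect_to": [],
     "forward_as_attachment_to": [], "enabled": True},
    {"mailbox": "bob@example.org", "name": "Share with assistant",
     "forward_to": ["carol@hr.example.org"], "redirect_to": [],
     "forward_as_attachment_to": [], "enabled": True},
    {"mailbox": "bob@example.org", "name": "old",
     "forward_to": [], "redirect_to": ["drop@example.com"],
     "forward_as_attachment_to": [], "enabled": False},
]


def is_internal(address, internal_domains):
    """True if the address is in an internal domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwarding(rules, internal_domains):
    """Return one finding per rule that sends mail outside the organisation.

    Disabled rules are reported as well: they can be switched back on, and
    their existence is something the mailbox owner should be able to explain."""
    findings = []
    for rule in rules:
        targets = (rule.get("forward_to", [])
                   + rule.get("redirect_to", [])
                   + rule.get("forward_as_attachment_to", []))
        external = sorted({t.lower() for t in targets if not is_internal(t, internal_domains)})
        if external:
            findings.append({
                "mailbox": rule["mailbox"],
                "rule": rule.get("name", ""),
                "targets": external,
                "enabled": rule.get("enabled", True),
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(finding)
```

Run on a schedule and diff the output against the previous run: a rule that appears between two runs without a matching change request is the signal the mitigation above asks you to look for.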


This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.

Refer any FOIA queries to

All material is UK Crown Copyright©.

Whose packet is it anyway: a new RFC for attribution of internet probes, (Wed, Dec 6th)


While going through newly published RFCs last week, I noticed one which may turn out to be quite useful for security practitioners, even though it is just an “informational” document. It is the RFC 9511 – Attribution of Internet Probes[1].

There are many organizations and individuals around the globe who perform port scans of internet-connected systems belonging to third parties. Some of these are malicious actors; however, a significant number of well-meaning people and companies do so as well (e.g., for the purposes of research or troubleshooting), and unsolicited packets may therefore be considered the “background noise” of the internet.

Nevertheless, there are times when one might wish to attribute a specific “scan” (i.e., unsolicited packet or set of packets) to its originator, or at least discover whether the traffic originated from a potential threat actor or a researcher/research organization – for example, if one saw that a new public IP address started to periodically scan all ports of one’s infrastructure in the last week.

So far, security analysts and administrators have had to rely mostly on WHOIS[2], RDAP[3], reverse DNS lookups and third-party data (e.g., data from ISC/DShield[4]) in order to gain some idea of who might be behind a specific scan and whether it was malicious or not. However, authors of the aforementioned RFC came up with several ideas of how originators of “internet probes” might simplify their own identification.

In the document, they define a "Probe Description File", which an originator of a scan may place at the path “/.well-known/probing.txt” on a web server reachable at the IP address that originated the scan (and/or on a domain to which a reverse DNS lookup of that IP address points). The format of the file is based on the security.txt file defined in RFC 9116[5], and it should contain the fields Canonical, Contact, Expires, Preferred-Languages and Description, as the following example taken from the RFC shows.

# Canonical URI (if any)

# Contact address

# Validity
Expires: 2023-12-31T18:37:07z

# Languages
Preferred-Languages: en, es, fr

# Probes description
Description: This is a one-line string description of the probes.

It should be noted that IANA has already added the “/.well-known/probing.txt” URI suffix to its “Well-Known URIs” registry[6].

The RFC also mentions the option of providing identifying information “in-band”, i.e., by including a “Probe Description URI” (a URI pointing to a Probe Description File, an email address or a phone number) in the probe itself, in the data field or payload of a packet. In such cases, the URI must start at the first octet of the payload and must be null-terminated (and if the URI can’t be placed at the beginning of the payload, it must be preceded by an octet of 0x00). This means that if one wanted to include a Probe Description URI in packets sent by Nmap, for example, one could do so quite easily using the --data option[7].
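As an added example (not from the diary or from the RFC), the following Python parses a Probe Description File, checks that the five fields named above are present and that Expires has not passed, and extracts an in-band Probe Description URI from a probe payload using the placement rule just described. The probing.txt content is constructed; the set of URI schemes accepted (https, http, mailto, tel) and the 'Z'-suffixed timestamp form are assumptions of the example.

```python
"""Parse a Probe Description File and extract an in-band Probe Description URI.

Added example, not code from the diary or the RFC. The file content is
constructed; accepted schemes and the timestamp form are assumptions.
"""
from datetime import datetime, timezone

# Fields the diary lists for the file.
REQUIRED_FIELDS = ("Canonical", "Contact", "Expires", "Preferred-Languages", "Description")
# Assumed set of schemes accepted for a Probe Description URI.
URI_SCHEMES = (b"https://", b"http://", b"mailto:", b"tel:")

SAMPLE_PROBING_TXT = """\
# Canonical URI (if any)
Canonical: https://probes.example.net/.well-known/probing.txt

# Contact address
Contact: mailto:probes@example.net

# Validity
Expires: 2024-12-31T23:59:59Z

# Languages
Preferred-Languages: en, fr

# Probes description
Description: Constructed example: periodic TCP connect probes for research.
"""


def parse_probing_txt(text):
    """Return {field: [values]} from the security.txt-style 'Field: value' lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse the 'Z'-suffixed RFC 3339 form; numeric offsets are not handled here."""
    return datetime.strptime(value.rstrip("zZ"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_probing_txt(fields, now):
    """Return a list of problems; an empty list means complete and current."""
    problems = ["missing-" + name for name in REQUIRED_FIELDS if name not in fields]
    if "Expires" in fields:
        try:
            if parse_expires(fields["Expires"][0]) <= now:
                problems.append("expired")
        except ValueError:
            problems.append("bad-expires")
    if "Canonical" in fields and not fields["Canonical"][0].startswith("https://"):
        problems.append("canonical-not-https")
    return problems


def extract_inband_uri(payload):
    """Return the Probe Description URI carried in a probe payload, or None.

    The URI starts at the first octet and is null-terminated, or, if it
    cannot be first, it is preceded by a 0x00 octet (and still terminated)."""
    candidates = [payload]                           # position 1: first octet
    start = 0
    while True:                                      # every position after a 0x00
        nul = payload.find(b"\x00", start)
        if nul == -1:
            break
        candidates.append(payload[nul + 1:])
        start = nul + 1
    for chunk in candidates:
        if chunk.startswith(URI_SCHEMES):
            end = chunk.find(b"\x00")
            if end != -1:                            # must be null-terminated
                return chunk[:end].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    fields = parse_probing_txt(SAMPLE_PROBING_TXT)
    print(check_probing_txt(fields, parse_expires("2023-12-06T00:00:00Z")))
    print(extract_inband_uri(b"ABCD\x00mailto:probes@example.net\x00"))
```

As the diary notes, the information in such a file is self-declared, so treat a parsed result as a lead for attribution, not as proof of benign intent.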

To sum up, implementing the recommendations of this RFC might not be a bad idea for those who actively probe third-party systems as part of their research activities, and for security analysts and administrators, it is certainly good to know that this RFC exists, as it might potentially help them distinguish between a “benign” scan and a malicious one.

And while it should be stressed that threat actors might set up Probe Description Files on their servers as easily as anyone else, and blindly trusting information contained in such files is therefore unadvisable, RFC 9511 is still a useful document. As its authors themselves put it, the solution which they came up with “is not perfect, but it provides a way for probe attribution, which is better than no solution at all”[1].


Jan Kopriva
Nettles Consulting

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Cobalt Strike's "Runtime Configuration", (Tue, Dec 5th)


I published an update for 1768, my tool to extract the configuration from Cobalt Strike beacons. It tries to extract the beacon configuration from payloads and process memory dumps by looking for the embedded configuration: the TLV table that is XOR-encoded (with 0x2E in version 4).

Prior to this version (0.0.20), process memory dumps were just handled as raw files.

This new version also looks for the "runtime configuration": a C/C++ array on the heap, created by the beacon code when it parses the embedded configuration. This array holds a value (an integer or a pointer) for each configuration item. An example can be found in this blog post.

For example, the port number is configuration item 2 and is stored as an integer in the third position of the array (array[2]).

The public key is configuration item 7, a binary sequence (ASN.1 DER encoded). It is stored as a pointer (to the binary sequence) in the eighth position of the array (array[7]); the binary sequence itself is also on the heap. Since we are dealing with C/C++ pointers, there are 32-bit and 64-bit variants of this array, with 4-byte and 8-byte slots respectively.

Since address translations (virtual addresses in the dump to file offsets) need to take place, this requires the Python module minidump to be installed.
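The following Python is an added example, not code from 1768 or from Cobalt Strike, and models the two structures the text describes on a constructed sample: an XOR-encoded TLV table is decoded, and a simplified runtime array (one pointer-sized slot per item, integers inline, a pointer to a heap copy for binary items) is built and then read back for both pointer widths. The constructed 162-byte DER blob stands in for the public key; the real runtime layout and the minidump address translation are more involved than this model.

```python
import struct

XOR_KEY = 0x2E                  # Beacon 4.x embedded-config XOR key (3.x used 0x69)
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
ITEM_PORT, ITEM_PUBKEY = 2, 7   # the two configuration items discussed above


def xor_bytes(buf):
    return bytes(b ^ XOR_KEY for b in buf)


def encode_embedded_config(items):
    """Serialise (index, type, value) triples as the big-endian TLV table
    and XOR-encode it. Only used here to build the constructed test blob."""
    raw = b"".join(struct.pack(">HHH", idx, typ, len(val)) + val for idx, typ, val in items)
    return xor_bytes(raw + b"\x00" * 6)   # an all-zero entry terminates the table


def decode_embedded_config(blob):
    """Return {item: value} from an XOR-encoded TLV table; shorts and ints
    become Python ints, data items stay bytes."""
    raw, cfg, off = xor_bytes(blob), {}, 0
    while off + 6 <= len(raw):
        idx, typ, ln = struct.unpack_from(">HHH", raw, off)
        off += 6
        if idx == 0:
            break
        val, off = raw[off:off + ln], off + ln
        if typ == TYPE_SHORT:
            cfg[idx] = struct.unpack(">H", val)[0]
        elif typ == TYPE_INT:
            cfg[idx] = struct.unpack(">I", val)[0]
        else:
            cfg[idx] = val
    return cfg


def der_length(buf, off=0):
    """Total size (tag + length + content) of the DER element at buf[off:].
    The runtime array stores only a pointer to the key, so the DER header
    is what tells us how many bytes to copy out of the heap."""
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def build_runtime_config(cfg, bits, heap_base, slots=64):
    """Simplified model of the runtime configuration: one pointer-sized slot
    per item, ints stored inline, binary items copied to a heap region with
    the slot holding their address. Returns (array bytes, heap bytes)."""
    fmt = "<I" if bits == 32 else "<Q"
    array, heap = [0] * slots, b""
    for idx, val in cfg.items():
        if isinstance(val, int):
            array[idx] = val
        else:
            array[idx] = heap_base + len(heap)
            heap += val
    return b"".join(struct.pack(fmt, v) for v in array), heap


def read_runtime_config(array_bytes, heap, heap_base, bits):
    """Recover (port, public key) from a runtime array. The pointer width is
    the only thing that differs between the 32-bit and 64-bit cases, and the
    pointer -> dump-offset step is the address translation the diary mentions."""
    fmt = "<I" if bits == 32 else "<Q"
    width = struct.calcsize(fmt)
    slots = [struct.unpack_from(fmt, array_bytes, i)[0]
             for i in range(0, len(array_bytes), width)]
    port = slots[ITEM_PORT]                # array[2]: integer stored inline
    ptr = slots[ITEM_PUBKEY]               # array[7]: pointer into the heap
    off = ptr - heap_base                  # address translation
    return port, heap[off:off + der_length(heap, off)]


# Constructed sample: a 162-byte DER SEQUENCE (30 81 9F ...) standing in for the key
CONSTRUCTED_PUBKEY = b"\x30\x81\x9f" + bytes(range(0x9f))
CONSTRUCTED_BLOB = encode_embedded_config([
    (ITEM_PORT, TYPE_SHORT, struct.pack(">H", 443)),
    (ITEM_PUBKEY, TYPE_DATA, CONSTRUCTED_PUBKEY),
])

if __name__ == "__main__":
    cfg = decode_embedded_config(CONSTRUCTED_BLOB)
    for bits, base in ((32, 0x00A10000), (64, 0x1F4C0A10000)):
        array, heap = build_runtime_config(cfg, bits, base)
        port, key = read_runtime_config(array, heap, base, bits)
        print(f"{bits}-bit: port={port} pubkey={key[:4].hex()}... ({len(key)} bytes)")
```

The point of the two pointer widths is that the same array parsed with the wrong width puts every value in the wrong slot, which is why the tool has to report whether a runtime configuration is 32-bit or 64-bit before interpreting it.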

If it is not installed and a runtime configuration is found, a warning is displayed.

When the module is installed, 1768 can extract and parse the runtime configuration (if it is present in clear).

This is an example of a process memory dump that contains a runtime configuration but no embedded configuration (or at least none with an encoding that 1768 recognizes).

The output starts with "Runtime config" and tells you whether it is 32-bit or 64-bit.

Process memory dumps can contain both an embedded and a runtime configuration, in which case the tool dumps both.

Didier Stevens
Senior handler
Microsoft MVP


Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers



The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.

This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.

A PDF version of this report and a downloadable copy of the IOCs (XML, 23.83 KB; JSON, 23.29 KB) accompany the advisory.


Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.


Adobe ColdFusion is a commercial application server used for rapid web-application development. ColdFusion supports proprietary markup languages for building web applications and integrates external components like databases and other third-party libraries. ColdFusion uses a proprietary language, ColdFusion Markup Language (CFML), for development, but the application server itself is built in Java.

In June 2023, through the exploitation of CVE-2023-26360, threat actors established an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted on the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency's pre-production environment. Both servers were running outdated software versions vulnerable to various CVEs. The threat actors ran various commands on the compromised web servers; the exploited vulnerability allowed them to drop malware using HTTP POST requests to the directory path associated with ColdFusion.

Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident. Note: It is unknown if the same or different threat actors were behind each incident.

Incident 1

As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. Threat actors successfully connected from malicious IP address 158.101.73[.]241. Disclaimer: CISA recommends organizations investigate or vet this IP address prior to taking action, such as blocking. This IP resolves to a public cloud service provider and possibly hosts a large volume of legitimate traffic.

The agency’s correlation of Internet Information Services (IIS) logs against open source[1] information indicates that the identified uniform resource identifier (URI) /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc was used to exploit CVE-2023-26360. The agency removed the asset from the network within 24 hours of the MDE alert.
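As an added example (not part of the advisory), the following Python applies the indicators above to IIS W3C-format logs: the exploitation URI, POSTs to config.cfm, the file names the advisory lists, and the two source IPs. The log excerpt is constructed, including the user agents and timestamps; only the URI, file names and IPs come from the advisory.

```python
from urllib.parse import unquote

# Indicators taken from the advisory text; the IPs should be vetted before blocking
ADVISORY_IPS = {"158.101.73.241", "125.227.50.97"}
EXPLOIT_PATH = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc"
ADVISORY_FILES = {"config.jsp", "d.jsp", "d.txt", "conf.txt", "hiddenfield.jsp",
                  "connection.jsp", "blank.jsp", "tat.cfm", "system.cfm"}

# Constructed W3C-format IIS log; the field list is the usual default minus a few columns
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-06-26 03:14:07 10.0.0.5 POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc - 443 158.101.73.241 python-requests/2.31.0 200
2023-06-26 03:15:02 10.0.0.5 POST /config.cfm - 443 158.101.73.241 Mozilla/5.0 200
2023-06-26 03:16:40 10.0.0.5 GET /config.jsp - 443 158.101.73.241 Mozilla/5.0 200
2023-06-26 03:17:10 10.0.0.5 GET /index.cfm - 443 203.0.113.9 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                rec = dict(zip(fields, values))
                rec["_line"] = n
                yield rec


def classify(rec):
    """Return the reasons a record is interesting (empty list if none)."""
    stem = unquote(rec.get("cs-uri-stem", "")).lower()   # decode %-encoding first
    name = stem.rsplit("/", 1)[-1]
    reasons = []
    if EXPLOIT_PATH in stem:
        reasons.append("request to the CVE-2023-26360 exploitation path (iedit.cfc)")
    if rec.get("cs-method") == "POST" and name == "config.cfm":
        reasons.append("POST to config.cfm")
    if name in ADVISORY_FILES:
        reasons.append(f"request for a file named in the advisory: {name}")
    if rec.get("c-ip") in ADVISORY_IPS:
        reasons.append("source IP listed in the advisory (vet before blocking)")
    return reasons


def find_suspicious(text):
    """(line number, client IP, reasons) for every record that matches."""
    hits = []
    for rec in parse_iis_log(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["_line"], rec["c-ip"], reasons))
    return hits
```

The IP match is deliberately reported as a separate reason rather than a verdict, in line with the advisory's note that the address sits on a public cloud provider and may carry legitimate traffic.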

Threat actors started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful. Following additional enumeration efforts to obtain information about the web server and its operating system [T1082], the threat actors checked for the presence of ColdFusion version 2018 [T1518]—previous checks were also conducted against version 2016.

Threat actors were observed traversing the filesystem [T1083] and uploading various artifacts to the web server [T1105]; they also deleted the file tat.cfm [T1070.004]. Note: This file was deleted prior to the victim locating it on the host for analysis. Its characteristics and functionality are unknown. In addition:

  • Certutil[2] was run against conf.txt [T1140], decoding it into a web shell (config.jsp) [T1505.003],[T1036.008]. Conf.txt was subsequently deleted, likely to evade detection.
    Note: Threat actors were only observed interacting with the config.jsp web shell from this point on.
  • HTTP POST requests [T1071.001] were made to config.cfm, an expected configuration file in a standard installation of ColdFusion [T1036.005]. Code review of config.cfm found inserted malicious code, intended to execute on ColdFusion 9 or earlier, that attempts to extract usernames, passwords, and data source uniform resource locators (URLs). According to analysis, this code insertion could support future malicious activity by the threat actors (e.g., use of the compromised valid credentials). This file also contained code used by the threat actors to upload additional files; however, the agency was unable to identify their origin.
  • Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell [T1564.001]. Analysis of this phase found no indication of successful execution.
  • A small subset of events generated from various ColdFusion application logs identified that tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors.

Threat actors created various files (see Table 1 below) in the C:\IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:\IBM directory as a staging folder to support threat actors' malicious operations.

Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Two artifacts are legitimate Microsoft files; threat actors were observed using these files following initial compromise for intended malicious purposes.

Table 1: Threat Actor Tools (file names and SHA-1 hashes are listed in the original advisory)

  • (file name not reproduced): VirusTotal[3] flags this file as malicious. It was located in D:\$RECYCLE.BIN.
  • msedge.dll: The dynamic-link library (DLL) file msedge.dll attempted to execute via edge.exe but received an error. Note: This file is part of the official Microsoft Edge browser and is a cookie exporter.
  • fscan.exe: Analysis confirmed at least three subnets were scanned using fscan.exe, which was launched from the C:\IBM directory [T1046].
  • RCDLL.dll: RCDLL.dll attempted to execute via RC.exe but received an error. Note: This file is part of the official Windows operating system and is called Microsoft Resource Compiler.

Note: The malicious code found on the system during this incident contained code that, when executed, would attempt to decrypt passwords for ColdFusion data sources. The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older. The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.

Incident 2

As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 via malicious IP address 125.227.50[.]97 through exploitation of CVE-2023-26360. Threat actors further enumerated domain trusts to identify lateral movement opportunities [T1482] by using nltest commands. The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance by using commands such as localgroup, net user, net user /domain, and ID. Host and network reconnaissance efforts were further conducted to discover network configuration, time logs, and query user information.

Threat actors were observed dropping the file d.txt, decoded as d.jsp, via a POST command, in addition to eight further malicious artifacts (including hiddenfield.jsp, hiddenfield_jsp.class, Connection.jsp, Connection_jsp.class, and d_jsp.class). According to open source information, d.jsp is a remote access trojan (RAT) that utilizes a JavaScript loader [T1059.007] to infect the device and requires communication with the actor-controlled server to perform actions.[4] The agency's analysis identified the trojan as a modified version of publicly available web shell code.[5] After establishing persistence, threat actors periodically tested network connectivity by pinging Google's domain name system (DNS) [T1016.001]. The threat actors conducted additional reconnaissance by searching for the .jsp files that were uploaded.

Threat actors attempted to exfiltrate Registry hive files, blank.jsp, and cf-bootstrap.jar. Windows event logs show the actors were not successful because the malicious activity was detected and quarantined. An additional file was created on the system; however, there were no indications of any attempt to exfiltrate it. Analysis identified that these files resulted from save-and-compress operations on the HKEY_LOCAL_MACHINE (HKLM) Registry key, as well as saving security account manager (SAM) [T1003.002] information to .zip files. The SAM hive may allow malicious actors to obtain usernames and recover passwords offline; however, no artifacts were available to confirm that the threat actors successfully exfiltrated it.

Windows event logs show that a malicious file (1.dat) was detected and quarantined. Analysis determined this file was a local security authority subsystem service (LSASS) dump [T1003.001] containing user accounts, including multiple disabled ones, and their Windows NT LAN Manager (NTLM) password hashes. The accounts were found on multiple servers across the victim's network and were not successfully used for lateral movement.

As reconnaissance continued, the threat actors shifted to using tools already present on the victim server. Esentutl.exe[6] was used to attempt the Registry dump. Attempts to download data from the threat actors' command and control (C2) server were also observed but were blocked and logged by the victim server. Threat actors further attempted to access SYSVOL, which delivers policy and logon scripts to domain members, on an agency domain controller [T1484.001]. The attempt was unsuccessful. Had it succeeded, the threat actors may have been able to change policies across compromised servers.[7]

Note: During this incident, analysis strongly suggests that the threat actors viewed the contents of a ColdFusion configuration file via the web shell interface. That file contains the seed value and encryption method used to encrypt data source passwords, and the seed values can also be used to decrypt them. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in that file. ColdFusion 9 and later use a file containing seed values that are unique to a single server.
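Both incidents lean on built-in Windows tools, which is where process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line logging) helps. The Python below is an added example, not part of the advisory: a small rule set that tags command lines with the ATT&CK techniques cited above, plus the generic web-shell tell of the ColdFusion service process spawning a shell. The events are constructed to resemble the tradecraft described, so the paths and arguments are illustrative, not copied from the incident.

```python
import re

# Process-creation hunting rules for the tradecraft described in both incidents.
# Each rule: (ATT&CK label, regex applied to the full command line)
RULES = [
    ("T1140 certutil decode/download", re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|urlcache)\b", re.I)),
    ("T1003.002 hive copy via esentutl", re.compile(r"\besentutl(\.exe)?\b.*\s/y\b.*\\config\\(sam|system|security)\b", re.I)),
    ("T1564.001 hide file with attrib", re.compile(r"\battrib(\.exe)?\b.*\s\+[hs]\b", re.I)),
    ("T1482 domain trust discovery", re.compile(r"\bnltest(\.exe)?\b.*/(domain_trusts|dclist|trusted_domains)", re.I)),
    ("T1087.002 domain account discovery", re.compile(r"\bnet1?(\.exe)?\s+(user|group)\b.*\s/domain\b", re.I)),
    ("T1087.001 local account discovery", re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I)),
    ("T1046 network scan with fscan", re.compile(r"\bfscan(\.exe)?\b", re.I)),
    ("T1016.001 connectivity check to public DNS", re.compile(r"\bping(\.exe)?\b.*\b8\.8\.8\.8\b", re.I)),
]
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(parent_image, image, command_line):
    """Labels for one process-creation event (Sysmon EID 1 / Security 4688 style)."""
    hits = [label for label, rx in RULES if rx.search(command_line)]
    # Generic web-shell tell: the ColdFusion service process spawning a shell
    if basename(parent_image) == "coldfusion.exe" and basename(image) in SHELLS:
        hits.insert(0, "T1505.003 web-server process spawned a shell")
    return hits


def hunt(events):
    """(event index, labels) for every event that matches at least one rule."""
    out = []
    for i, (parent, image, cmdline) in enumerate(events):
        hits = classify_process(parent, image, cmdline)
        if hits:
            out.append((i, hits))
    return out


# Constructed events (parent image, image, command line) modelled on the advisory;
# paths and arguments are illustrative, not copied from the incident.
CONSTRUCTED_EVENTS = [
    (r"C:\ColdFusion2021\cfusion\bin\coldfusion.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c certutil -decode C:\IBM\conf.txt C:\IBM\config.jsp"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\attrib.exe", r"attrib +h C:\IBM\config.jsp"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\IBM\sam.hive"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nltest.exe", r"nltest /domain_trusts"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", r"net user /domain"),
    (r"C:\Windows\System32\cmd.exe", r"C:\IBM\fscan.exe", r"C:\IBM\fscan.exe -h 10.0.0.0/24"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE", r"ping 8.8.8.8"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\admin\notes.txt"),
]
```

None of these command lines is malicious on its own; the value is in the parent process and the sequence (decode, hide, dump, enumerate, scan) within a short window from a web-server process, which is the correlation a SIEM rule should express.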


See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2: Initial Access

Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Threat actors exploited two public-facing web servers running outdated versions of Adobe ColdFusion.

Table 3: Execution

Technique Title | ID | Use
Command and Scripting Interpreter: JavaScript | T1059.007 | In correlation with open source information, analysis determined d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.

Table 4: Persistence

Technique Title | ID | Use
Server Software Component: Web Shell | T1505.003 | Threat actors uploaded various web shells to enable remote code execution and to execute commands on compromised web servers.

Table 5: Privilege Escalation

Technique Title | ID | Use
Domain Policy Modification: Group Policy Modification | T1484.001 | Threat actors attempted to edit SYSVOL on an agency domain controller to change policies.

Table 6: Defense Evasion

Technique Title | ID | Use
Masquerading: Match Legitimate Name or Location | T1036.005 | Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm, an expected configuration file in a standard installation of ColdFusion.
Masquerading: Masquerade File Type | T1036.008 | Threat actors used the .txt file extension to disguise malware files.
Indicator Removal: File Deletion | T1070.004 | Threat actors deleted files following upload to remove malicious indicators.
Deobfuscate/Decode Files or Information | T1140 | Threat actors used certutil to decode web shells hidden inside .txt files.
Hide Artifacts: Hidden Files and Directories | T1564.001 | Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell.

Table 7: Credential Access

Technique Title | ID | Use
OS Credential Dumping: LSASS Memory | T1003.001 | Threat actors attempted to harvest user account credentials through LSASS memory dumping.
OS Credential Dumping: Security Account Manager | T1003.002 | Threat actors saved and compressed SAM information to .zip files.

Table 8: Discovery

Technique Title | ID | Use
System Network Configuration Discovery: Internet Connection Discovery | T1016.001 | Threat actors periodically tested network connectivity by pinging Google's DNS.
Network Service Discovery | T1046 | Threat actors scanned at least three subnets to gather network information using fscan.exe, to include administrative data for future exfiltration.
System Information Discovery | T1082 | Threat actors collected information about the web server and its operating system.
File and Directory Discovery | T1083 | Threat actors traversed and were able to search through folders on the victim's web server filesystem. Additional reconnaissance efforts were conducted via searching for the .jsp files that were uploaded.
Account Discovery: Local Account | T1087.001 | Threat actors collected information about local user accounts.
Account Discovery: Domain Account | T1087.002 | Threat actors collected information about domain users, including identification of domain admin accounts.
Domain Trust Discovery | T1482 | Threat actors enumerated domain trusts to identify lateral movement opportunities.
Software Discovery | T1518 | Following initial access and enumeration, threat actors checked for the presence of ColdFusion version 2018 on the victim web server.

Table 9: Command and Control

Technique Title | ID | Use
Application Layer Protocol: Web Protocols | T1071.001 | Threat actors used HTTP POST requests to config.cfm, an expected configuration file in a standard installation of ColdFusion.
Ingress Tool Transfer | T1105 | Threat actors were able to upload malicious artifacts to the victim web server.


CISA recommends organizations implement the mitigations below to improve your organization’s cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of threat actor techniques and strengthening the security posture for their customers. For more information on secure by design, see CISA’s Secure by Design webpage.

Manage Vulnerabilities and Configurations

  • Upgrade all versions affected by this vulnerability. Keep all software up to date and prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog [1.E].
  • Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans.
  • Prioritize secure-by-default configurations, such as eliminating default passwords and other default credentials and implementing single sign-on (SSO) technology via modern open standards.

Segment Networks

  • Employ proper network segmentation, such as a demilitarized zone (DMZ) [2.F]. The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or local area network (LAN) remains secure. Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.
  • Use a firewall or web-application firewall (WAF) and enable logging [2.G, 2.T] to prevent/detect potential exploitation attempts. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
  • Implement network segmentation to separate network segments based on role and functionality [2.E]. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
  • Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection systems (IDS) based on known-bad signatures are quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.

Application Control

  • Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity.
  • Application control should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code. See NSA’s Enforce Signed Software Execution Policies.

Manage Accounts, Permissions, and Workstations

  • Require phishing-resistant multifactor authentication (MFA) [2.H] for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
  • Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
  • Restrict file and directory permissions. Use file system access controls to protect folders such as C:\Windows\System32.
  • Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.[8]


In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 2-9).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.



[1] Packet Storm Security: Adobe ColdFusion Unauthenticated Remote Code Execution
[2] MITRE: certutil
[3] VirusTotal: File – a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
[4] Bleeping Computer: Stealthy New JavaScript Malware Infects Windows PCs with RATs
[5] GitHub: Tas9er/ByPassGodzilla
[6] MITRE: esentutl
[7] Microsoft: Active Directory – SYSVOL
[8] Microsoft: Restrict NTLM – Incoming NTLM Traffic


The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.


December 5, 2023: Initial version.

Zarya Hacktivists: More than just Sharepoint., (Mon, Dec 4th)


Last week, I wrote about a system associated with pro-Russian hacktivist scanning for vulnerable Sharepoint servers [1]. Thanks to @DonPasci on X for pointing me to an article by Radware about the same group using Mirai [2][3]. This group has been active for a while, using various low-hanging fruit exploits to hunt for defacement targets.

The group calls itself "Zarya." The Cyrillic alphabet does not contain the letter "z." After Russian troops used the "Z" symbol to mark their vehicles in their push on Kyiv early in 2022, the character became a popular symbol of support for the war in Russia. It is often used to replace the Cyrillic letter that is pronounced like the English "Z." The name of the hacktivist group is therefore likely meant to be read as the Russian word for "dawn."

But let's return to the IP address we identified last week. It has not been idle since then: we have observed several different exploits against our honeypots.

Many of them are just simple reconnaissance: requests for "/" to retrieve index pages, likely used to identify possible targets.
There are also some directory traversal attempts, such as "/../../../../etc/passwd". I have no idea if they will work against reasonably up-to-date systems.

Some of the directory traversal attempts go after more specific vulnerabilities: /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/config/nodogsplash . "nodogsplash" is a captive portal for OpenWrt-based routers. I can't find a specific directory traversal vulnerability documented for this package. If you have nodogsplash installed, see if this works and let me know.

There are several additional exploit attempts like this, hunting for configuration files. For example /ajax-api/2.0/mlflow-artifacts/artifacts. Straight from the MLflow web page, "MLflow provides a unified platform to navigate the intricate maze of model development, deployment, and management." MLflow has also been probed recently by other sources, and that software may deserve some additional investigation.

And there is simple access to admin APIs, for example this ColdFusion URL: ///CFIDE/adminapi/accessmanager.cfc . This URL has also been probed recently by other sources.
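Probes like these are easy to miss if detection matches on the raw request string, because %2e, double encoding and repeated slashes all collapse to the same path after normalization. The Python below is an added example (not from the diary or the ISC honeypots) that normalizes the request paths quoted above, records when ".." climbs above the web root, and tags the targets mentioned in the diary; the double-encoded variant and the query string are constructed additions.

```python
from urllib.parse import unquote

# Request paths quoted in the diary plus two constructed variants (double encoding, query string)
CONSTRUCTED_REQUESTS = [
    "/",
    "/../../../../etc/passwd",
    "/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/config/nodogsplash",
    "/ajax-api/2.0/mlflow-artifacts/artifacts",
    "///CFIDE/adminapi/accessmanager.cfc",
    "/%252e%252e/%252e%252e/etc/passwd?x=1",
]
PROBE_SIGNATURES = [
    ("Unix password file", "/etc/passwd"),
    ("nodogsplash captive-portal config", "/etc/config/nodogsplash"),
    ("MLflow artifact API", "/ajax-api/2.0/mlflow-artifacts/"),
    ("ColdFusion admin API", "/cfide/adminapi/"),
]


def normalize_path(raw):
    """Percent-decode (twice, for double encoding), drop the query string,
    collapse '.', '..' and repeated slashes. Returns (path, escaped_root)."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True        # '..' with nothing left to pop climbs above the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments), escaped


def classify_request(raw):
    """Normalized path plus the tags that apply to one request."""
    path, escaped = normalize_path(raw)
    tags = []
    if path == "/":
        tags.append("index fetch (reconnaissance)")
    if escaped:
        tags.append("path traversal above web root")
    low = path.lower()
    tags += [label for label, prefix in PROBE_SIGNATURES if low.startswith(prefix)]
    return path, tags


def summarize(requests):
    """{raw request: (normalized path, tags)} for a batch of honeypot requests."""
    return {raw: classify_request(raw) for raw in requests}
```

Two decoding rounds are a deliberate limit: a server decodes once, so anything still encoded after the second pass is not going to reach a file system either, and unbounded decoding only gives an attacker a way to make the detector disagree with the server.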

None of the other IPs probing the same vulnerabilities display the defacement page. The similarity of the exploit scans may suggest some coordination; however, the user agent strings suggest that different tools are used for the scans.

Shodan currently shows only two IP addresses with the defacement banner. The second IP shows similar "random" attacks, searching for configuration files and other simple exploits.

Geolocation of the IPs is a bit tricky. Both IPs reverse-resolve to Aeza, a low-cost hosting provider. The mailing address listed on the provider's homepage is a small townhouse in Sheffield, across the street from Sheffield Soccer Stadium. Aeza maintains data centers in several European locations but has a significant presence in Russia. Aeza uses Whois to point to a file with additional geolocation details for its address space [4]. According to this file, one of the IPs is in Vienna, Austria, and the other is in Helsinki, Finland. Traceroute results are inconclusive: the last responding hop for both hosts appears to be in England.

[Image: Google Maps view of the address listed for the provider]

I notified the ISP last week. The ISP has not responded, and the sites are still actively scanning. However, it is not unusual for ISPs and hosting providers to ignore abuse reports.

Zarya isn't exactly the type of threat you should be afraid of, but it is sad how these groups can still be effective due to organizations exposing unpatched or badly configured systems to the internet. Most of the attacks sent by Zarya will not succeed even if they hit a vulnerable system. For some added protection, you may consider blocking some of the Aeza network's traffic after ensuring that this network hosts no critical resources you need. Aeza uses ASN 210644.



Johannes B. Ullrich, Ph.D., Dean of Research


Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today, (Thu, Nov 30th)


Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting CVE-2023-1389. I found this while looking at new URL strings hitting our honeypot network, and so far on 29 Nov 23 there have been about 300 detections for this vulnerability pulling a shell script from an attacker-controlled IP: a quick little shell script that does little more than figure out the architecture of the victim device and then attempt to download an architecture-specific variant of Mirai.

Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary], (Mon, Nov 27th)


[This is a Guest Diary by Alex Rodriguez, an ISC intern as part of the BACS program]

Honeypots can be an effective means of discovering the variety of ways hackers target vulnerable systems on the Internet.  The first thing you may ask yourself is, “What is a honeypot?”  In short, it is a magnificent tool that can be attached to your home router and is designed to lure potential hackers into attacking it by pretending to be a vulnerable system.  As part of my internship with the SANS Internet Storm Center, I have had the pleasure of setting up a honeypot and monitoring activity to assist me in identifying some of the trends hackers use to target vulnerable systems.

Monitoring activity on a honeypot usually entailed reviewing logs, which in my case meant combing through JSON-formatted SSH and web logs looking for activity that piqued my interest. According to my SSH logs, the honeypot captured 26171 IP addresses, 48548 source ports, 13201 usernames, and 43794 passwords between July 30, 2023, and October 30, 2023. Listed below are the top 10 IPs, ports, usernames, and passwords captured during the four-month period:

Although port 1024 is within the registered (user) port range, Trojan activity has been associated with port 1024, as indicated by the SANS Internet Storm Center:

What is interesting about this login data is that the ratio between successful and failed logins is heavily skewed toward failures, despite the large number of username and password combinations that were tried. A move away from simple or default passwords would increase this disparity even more.

Commands Captured by Honeypot

During the same period, 27096 commands were captured on the honeypot. Listed below are the Top 10 commands seen during the period: 

Top 10 Commands

The most interesting commands listed above are the first two, as they are normally used together to maintain access once a system is compromised. The first command removes any file attribute (such as the immutable flag) that would prevent the .ssh directory from being overwritten. The second command then replaces .ssh and adds the attacker's own SSH public key to .ssh/authorized_keys to maintain access:

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

This command has been directly associated with the Outlaw Hacker Group by TrendMicro since 2018. Additional information concerning its usage and its association with a crypto-mining botnet can be found at this site [1].
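Two of the tasks described above, tallying the top source IPs, usernames and passwords from the JSON SSH logs and spotting a command that appends a public key to .ssh/authorized_keys, can be scripted as follows. This is an added example, not code from the diary; it assumes Cowrie-style event fields (eventid, src_ip, username, password, input), which the diary does not name, and runs over a constructed log sample with a placeholder key.

```python
import json
import re
from collections import Counter

# Constructed Cowrie-style JSON SSH events (not from the diary's honeypot).
# The field names eventid/src_ip/username/password/input are an assumption.
SAMPLE_LOG = r'''
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"password"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"1234"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"admin","password":"123456"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","input":"cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAEXAMPLEPLACEHOLDERKEY x\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"cat /proc/cpuinfo"}
not valid json
'''

def parse_events(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # log noise; worth counting separately in production
    return events

def top_n(events, field, n=10, prefix="cowrie.login."):
    """Top-N values of a field over login events (IPs, usernames, passwords)."""
    c = Counter(e[field] for e in events
                if e.get("eventid", "").startswith(prefix) and field in e)
    return c.most_common(n)

def login_outcome(events):
    """(successful, failed) login counts, the ratio discussed in the diary."""
    ok = sum(e.get("eventid") == "cowrie.login.success" for e in events)
    return ok, sum(e.get("eventid") == "cowrie.login.failed" for e in events)

# A public key written into authorized_keys: the persistence step shown above.
KEY_RE = re.compile(r"(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+)\s+[A-Za-z0-9+/=]+")

def flag_persistence(events):
    """Return (src_ip, command) for shell input that plants an SSH key."""
    return [(e.get("src_ip"), e["input"]) for e in events
            if e.get("eventid") == "cowrie.command.input"
            and "authorized_keys" in e.get("input", "") and KEY_RE.search(e["input"])]
```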

Uploaded Honeypot Files

Uploaded honeypot files are the files threat actors drop onto a honeypot after gaining access. They can contain malware, exploits, backdoors or other malicious content, and analyzing them gives insight into the attacker's methods and intentions. During the four-month period, 8 binaries, a Bash shell script, and an empty file with the following SHA256 hash values were uploaded to the honeypot:

According to VirusTotal, 9 of the hashes listed above are flagged as indicators of compromise, covering various Trojan and miner families as well as the Bash shell script. The remaining file, which carries no threat label, is an empty file of zero bytes. Even so, two dynamic-analysis sandbox detections have categorized it as stealer malware [3]. Interestingly, the VirusTotal community itself appears divided on whether this file is a threat; not enough is known about it yet.

On the other hand, the XorDDoS Trojan listed above is well known and was first discovered by the white hat malware research group MalwareMustDie [4]. The Trojan uses an XOR encryption key to encrypt all the data related to its execution. It is interesting because it has rootkit capabilities: it infects Linux devices, turns them into zombies, and then lets attackers control them remotely to carry out malicious tasks, including DDoS attacks.

In conclusion, honeypots provide a wealth of information useful to cybersecurity professionals, as they help identify both old and newly emerging threats being used against systems on the Internet. While exploits will forever haunt systems exposed to the Internet, simple configuration adjustments, continual patching, and password complexity best practices could help thwart successful attacks.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.