LogSentinel Honeypot: Malicious Actors Don’t Wait

There’s an unwritten rule that every machine that becomes visible on the internet is under attack in under 5 seconds.

We recently deployed our LogSentinel SIEM honeypot with one of our customers and that rule proved correct – immediately malicious requests from all over the world started pouring in, on almost all the protocols that we support – SSH, RDP, SMB, HTTP, and they haven’t stopped since.

Some of the malicious IPs are not yet on any public threat intel feed, so honeypots are a good way to get early warnings (or late warnings, if they are already trying to abuse other parts of your infrastructure that you are not monitoring properly). Since we collect the IPs, they can be used to automatically block those IPs at the firewall.

The LogSentinel SIEM Honeypot collects structured information from the communication with the malicious actors, so here are some more interesting observations:

  • Almost all SSH requests are using “SSH-2.0-libssh-0.5.2”, “SSH-2.0-libssh2_1.8.2” and “SSH-2.0-AsyncSSH_2.1.0”, though interestingly, some are using “SSH-2.0-Go”
  • Most SSH requests attempt to log in as root, trying various standard passwords, as well as database-related passwords (apparently looking for exposed database servers) – “oracle”, “postgres”, “mysql”, “hadoop”. An attempted username is also “usuario” (which is “user” in Spanish)
  • An oddly specific password that can be found in many honeypot reports is “J5cmmu=Kyf0-br8CsW”. It would be interesting to know where that originally came from – we’ve seen it on some blogposts with authors wondering “where did that come from”
  • There are still attempts to exploit potential unpatched Netgear devices, as described here
  • HTTPS is preferred compared to HTTP, which is odd – one would expect that the unpatched and more vulnerable would not have gone the extra mile to set up TLS.

The LogSentinel SIEM Honeypot (a part of our open-source collector) is a nice addition to our threat detection capabilities and has a flexible configuration, supporting multiple protocols and ports, the option to block the target IP after certain attempts as well as extracting structured information like URLs, headers and attempted credentials and passing them on to the SIEM for further analysis.

Malicious actors are automated and don’t sleep – if you leave anything open in the wild, it will be brute-forced and exploited in any way possible. A honeypot just reminds us of this reality and that we should take the necessary measures to monitor and protect our environments.

If you’re interested to see how you can leverage LogSentinel SIEM’s honeypot to prevent malicious attacks, book a demo today:


Like this article? Share it with your network!