Heisenberg Robbing The Honey

Joshua Johnson
3 min read · Mar 6, 2022

Cyber Honey

The Introduction:

Project: To further my education and understand the world of cybersecurity, I deployed a HoneyPot to assess real-world attacks.

HoneyPot Technical Overview

· A HoneyPot is a pretend system that looks real to attract outsiders. The goal is to see what an attacker will do to the system. The honeypot deployed for this project is more vulnerable than others. The ultimate purpose is to gather information to understand the risks to your organization.

The honeypot specifics:

· AWS EC2 instance; Region: EU-West2 (London)

· Debian 10 Buster.

· T-Pot software bundle installed onto the image

Honeypot Duration and Analysis

· The honeypot was operational from Feb 24, 2022 to Feb 28, 2022.

· The chart below shows the number of attacks against each honeypot on the server.

· The analyst filtered attacks on the Cowrie honeypot. There were 2,556 attacks with most IP addresses coming from the United States and Europe.

Username and Password Analysis

A chart showing which type of account the attackers attempted to compromise the most

Interestingly, the attackers mostly attempted to infiltrate a user account. The assumption is that once they have access to a user account, they can move laterally or escalate their privileges.

This displays which usernames and passwords the attackers used.

  • The most common guesses were user, admin and root.
  • It is advised to change these common usernames in your environment if the OS and/or policies allow
  • The common passwords are seen all the time and are usually defaults for systems. These must be changed as well.

The Heisenberg

After much analysis and filtering, an interesting attempt was found. The attacker (IP 143.198.77.103) attempted to have the honeypot download a malicious file called Heisenbergbin.sh. Heisenberg is more than likely a play on the alternative name of Mr. White in the TV show Breaking Bad.

A check of the IP address and the hash of the file returned malicious verdicts on VirusTotal. The IP address resolved to the United States; however, the traffic could have been rerouted.

The Heisenberg threat’s ultimate goal was to take control of your machine. The steps the malware takes can be found here. Once an attacker has escalated privileges they can do anything on your machine.

The malware would:

  • attempt a brute-force login
  • download Heisenbergbin.sh into the tmp folder and grant it escalated privileges
  • download misc OS profiles to further escalate privileges
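The two analyses in this post, counting which usernames and passwords were tried and spotting the session that pulled down Heisenbergbin.sh, both come out of the Cowrie JSON log that T-Pot ships to its dashboard. The script below is an added example (not code from the post, T-Pot or Cowrie) that does that triage offline. The sample log lines are constructed: the field names follow Cowrie's JSON output as I know it (eventid, src_ip, session, username, password, url, outfile, shasum, and destfile for the path inside the emulated shell; treat the exact naming as an assumption), while the addresses, session ids and hash are placeholders.

```python
"""Triage Cowrie honeypot JSON logs: credential statistics and download events.

Added example for this write-up, not code from the post or from T-Pot/Cowrie.
Field names are modelled on Cowrie's JSON log (assumption); the addresses
(RFC 5737 ranges), session ids and hash below are constructed placeholders.
"""
import json
from collections import Counter

# Constructed sample: one Cowrie JSON event per line, plus one junk line.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","timestamp":"2022-02-25T01:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"123456","timestamp":"2022-02-25T01:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"admin","password":"admin","timestamp":"2022-02-25T01:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"a1","username":"user","password":"user","timestamp":"2022-02-25T01:00:03Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","session":"a1","url":"http://203.0.113.7/Heisenbergbin.sh","destfile":"/tmp/Heisenbergbin.sh","outfile":"dl/PLACEHOLDER_SHA256","shasum":"PLACEHOLDER_SHA256","timestamp":"2022-02-25T01:00:09Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"root","password":"password","timestamp":"2022-02-25T02:10:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"root","password":"123456","timestamp":"2022-02-25T02:10:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"user","password":"123456","timestamp":"2022-02-25T02:10:02Z"}
this line is not JSON and should be skipped
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_events(lines):
    """Parse one JSON object per line; silently skip lines that are not JSON."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: ignore rather than abort
    return events


def credential_stats(events, top=3):
    """Most-tried usernames and passwords across failed and successful logins."""
    usernames, passwords = Counter(), Counter()
    for ev in events:
        if ev.get("eventid") in LOGIN_EVENTS:
            usernames[ev.get("username", "")] += 1
            passwords[ev.get("password", "")] += 1
    return usernames.most_common(top), passwords.most_common(top)


def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed logins (the brute-force stage)."""
    failed = Counter(ev["src_ip"] for ev in events
                     if ev.get("eventid") == "cowrie.login.failed")
    return sorted(ip for ip, n in failed.items() if n >= threshold)


def download_events(events):
    """Summarise file downloads; flag drops into /tmp, as described in the post."""
    found = []
    for ev in events:
        if ev.get("eventid") != "cowrie.session.file_download":
            continue
        destfile = ev.get("destfile", "")
        found.append({
            "src_ip": ev.get("src_ip"),
            "session": ev.get("session"),
            "url": ev.get("url"),
            "destfile": destfile,
            "shasum": ev.get("shasum"),       # hash to look up on VirusTotal
            "dropped_in_tmp": destfile.startswith("/tmp/"),
        })
    return found


def triage(log_text):
    """Full report for a log text: counts, top credentials, sources, downloads."""
    events = parse_events(log_text.splitlines())
    users, pws = credential_stats(events)
    return {
        "events": len(events),
        "top_usernames": users,
        "top_passwords": pws,
        "brute_force_sources": brute_force_sources(events),
        "downloads": download_events(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On a real T-Pot box, point `triage` at the contents of Cowrie's `cowrie.json` instead of `SAMPLE_LOG`; the `shasum` of each download is the value to check against VirusTotal, and the `brute_force_sources` list is what the post's "most IP addresses" view summarises.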
