Several weeks ago, the cybersecurity community was buzzing about a supposed botnet abusing vulnerable smart toothbrushes in order to launch DDOS attacks on a Swiss company. While the news captured attention with sensational headlines, the lack of technical details and the improbable nature of the attack – particularly given the large-scale infection of Bluetooth Low Energy (BLE) devices not directly connected to the internet – ultimately revealed it to be fake.
However, this kind of scenario, where a malware infects a very large number of vulnerable smart devices and forms a botnet, is not new. In 2016, the Mirai malware gained notoriety for its devastating impact on IoT devices. Mirai operated by scanning the internet for vulnerable IoT devices, including routers and cameras, that were still using default usernames and passwords. Once identified, Mirai infected these devices, turning them into bots that could be remotely controlled by the malware's operators.
The consequences of Mirai were severe and widespread. The massive botnet created by Mirai was utilized to launch powerful Distributed Denial of Service (DDoS) attacks against various targets, including prominent internet infrastructure providers like OVH (french cloud computing provider) with attack peaks at more than 1TB/s ! These attacks disrupted services, caused significant downtime, and incurred substantial financial losses for affected organizations.
The widespread impact of Mirai served as a wake-up call for both consumers and manufacturers, highlighting the urgent need for improved security practices in the design, deployment, and management of IoT devices.
Since 2016, many things have changed, technology is evolving at lightning speed, presenting both new opportunities and new challenges. Furthermore, the release of Mirai's source code into the public domain shortly after its initial wave of attacks opened the doors for a proliferation of modified versions. Malicious actors used the availability of the source code to create customized variants of the malware, such as using the Tor network to conceal command and control (C2) servers, expanding the scope beyond traditional DDoS attacks to include ransomware (cryptolockers) and cryptocurrency mining (cryptominers).
What are the latest goals and tactics of cybercriminals? How can we study these new digital threats and malwares, in order to better enhance the security of our IoT devices ? The answer lies in one word : Honeypot.
At Red Alert Labs, our IoT security evaluator Paul L, led by Natael, has been investigating the new IoT malwares and threats. Today, this article is the first in our series chronicling this comprehensive investigation. Our step-by-step tutorial provides a practical guide to help you set up an (IoT) honeypot and monitor the latest emerging threats.
I. Understanding Honeypots
A honeypot, far from being a glass recipient holding this sweet substance, is a very clever cybersecurity concept. The principle is to set up a server, a network service, or an IoT device and make it vulnerable. This way hackers are tricked into thinking it’s a real machine and proceed to attack it. We can distinguish two types of honeypots, the ones aiming to make attackers lose their time and resources, and the ones aiming to gather information about the hackers TTP’s (Tactics, Techniques & Procedures). This second type of honeypot is used in a specific cybersecurity field called CTI, short for Cyber Threat Intelligence.
Gathering data such as attack logs, malware samples and metadata, then analyzing and reverse-engineering those logs and samples gives us a better understanding of the way hackers break into our systems and IoT objects. This type of information is crucial as it allows us to enhance the security of our system by implementing countermeasures and patches directly into the designing step of the product or software : Security By Design.
Today, join us as we guide you through the installation of T-POTCE. T-pot stands as an all- in-one, open source, and multi-architecture (amd64, arm64) honeypot platform. It supports over 20 honeypots and offers an array of visualization options utilizing the Elastic Stack. T-pot includes animated live attack maps and incorporates numerous security tools which makes it very user-friendly.
II. Setting up TPOT
What you’ll need to get started with TPOT ? Several options are available for you to install this honeypot, either a VM on a server of your own, either a dedicated server or our favorite solution, a VPS. As cloud hosting offers ease of setup / deletion / resizing and scaling. No matter what option you will choose, your VM / VPS / Server will need to meet these requirements :
● At least 8-16 GB RAM
● At least 128 GB free disk space
● A working (outgoing non-filtered) internet connection
Then, the next step is to install Debian on your server and write down the version of Debian (mantic, focal etc..) as it may come in handy troubleshooting the installation process.
Once that is done, you need to select an authentication method to administrate your server via SSH. We highly recommend you use SSH Keys to authenticate to your server instead of a simple password. Especially since we are using it as a Honeypot, it would beat it all if a malicious actor would be able to have full control of our server..
To achieve this you first need to generate a pair of SSH keys. On a linux terminal the following command will generate a pair of keys for you, just copy paste the public key to digitalocean’s website and it will automatically add it to your server :
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
This command generates a 2048-bit RSA key pair and saves it in the default location ~/.ssh/id_rsa. You can customize the options according to your preferences.
From there you are asked to create a passphrase in order to access the key everytime you want to login somewhere with your public key. Make sure you remember this passphrase or you might lose control of your VPS. A good practice would be to add it to a password manager like keepass to make sure you won’t forget it.
Once that is done you can power on your VPS, connect to it via SSH and run the following commands :
sudo apt update && sudo apt upgrade -y
Make sure the VPS is up-to-date and you have the latest repositories.
sudo apt install git
If it’s not already installed, make sure the git utility is installed as we are going to need it to clone into the Tpot project.
Clone into the tpotce repository to download all the necessary files and software, it may take a while, let it run.
chmod +x tpotce/iso/installer/install.sh
Make sure you can execute the installation script
sudo tpotce/iso/installer/install.sh --type=user
Execute the script with this argument and it will automatically set up everything for you.
If you encounter some errors during the installation process you can refer to the official documentation where they go over plenty of errors.
Once the script finishes to execute here is the output you should get a list of all the different services and their respective listening ports : pressing y will enable all of them.
You now are granted with this menu where you are asked to choose the edition of tpot you want to use, we will choose the standard edition :
And finally you need to configure a username and a password to login the web administration page : https://IP_OF_YOUR_VPS:64297/
Give it a few minutes to install and you should be able to login to the web administration page of your honeypot!
III. TPOT Interface Overview
Upon login, you are granted with a very user friendly web interface and a menu with the different services :
A few minutes after the first installation, you should receive some attacks and as your ip starts to be indexed in mass scanning services such as shodan, the attacks grow exponentially !
In less than 24 hours our honeypot received more than 30K malicious requests!
When using Tpot, the two main interesting services for us will be the attack map and the kibana dashboards. The logs generated from the different honeypots are sent to an ELK (Elasticsearch, Logstash, Kibana) stack. ELK provides a robust platform for log aggregation, parsing, and visualization.
ELK's Elasticsearch enables powerful searching and analysis capabilities, which greatly facilitates the identification of patterns, trends, or specific events within the honeypot data.
Kibana offers customizable dashboards and visualizations, aiding in the interpretation of honeypot data
Attack Map overview :
The attack map allows a real-time visualization of all malicious requests made to the honeypot. Requests are characterized by a protocol / port (mainly -> FTP / SSH / TELNET / SMB / MQTT /SIP / HTTP / RDP) and an IP address (--> helps analyze the requests : is it a botnet ? a targeted attack ? what country is the attack coming from ?). The attack map also informs on which honeypot is being targeted -> to go in depth into the logs and type of attack. Finally a timestamp is present on each request allowing for better log correlation.
Kibana dashboards overview :
Using T-POT for IoT Security
From the T-Pot landing page simply click on Kibana to access a wealth of dashboards and visualizations specifically tailored for T-Pot-supported honeypots. In the context of IoT security, our primary focus will be on three key honeypots:
- Cowrie: Cowrie supports SSH and Telnet. Remote administration of IoT objects is primarily done via these protocols and most of the time with poor/default credentials. Malwares such as Mirai target these specific protocols, thus it’s particularly interesting to monitor.
2. Dionaea: This honeypot supports protocols like HTTP and MQTT, both widely used in IoT > poorly implemented most of the time (no / bad credentials and no SSL / TLS).
3. Conpot: Specializing in industrial IoT, Conpot monitors modbus protocol attacks.
Kibana dashboards provide detailed insights into logs, which allows searching through entries using filters based on date, protocol, and country. Additionally, the dashboards offer statistics on various aspects of attacks, including payloads, attempted credentials, and uploaded binaries. As well as visual graphs and relevant stats.
With this honeypot, we have established a powerful tool capable of gathering a wealth of information on real-life threats and the latest malware samples targeting IoT devices. By monitoring and analyzing the data collected from the honeypot, we are able to stay updated on emerging threats and evolving attack techniques.
In the upcoming articles, we will dive deeper into the results of our investigation. We will provide detailed analyses of the collected logs and malware samples, both from a static and dynamic perspective, shedding light on the infection process, and the goals of the attackers. Additionally, we will explore effective countermeasures to enhance the security of your IoT devices.