Some adversaries never get bored of the same, old techniques. This month, we caught in our honeypot a self-spreading Linux malware targeting Raspberry Pi devices.

The script we investigated is a bash-based IRC bot that self-propagates by abusing weak or default SSH passwords. Once enrolled in the botnet, the infected victim awaits for base64 encoded commands signed with the adversary RSA key, effectively enabling authenticated remote command execution over IRC. What makes this incident interesting is not the complexity of the attack - quite the opposite. It highlights how low‑effort techniques still succeed in the wild, especially poorly configured IoT systems.

Honeypots like Cowrie are a great source of knowledge about attack vectors and new IOCs, but analyzing them can become a cumbersome task - especially because their number can get quite big. That’s where Dissect comes into play. By leveraging its API, you can streamline forensic analysis and automate snapshot processing. This opens up the road to fully automated IOC extraction pipelines that are able to analyze honeypot data and publish threat intelligence to be further processed by IDS tools.

This post is a short guide on how to configure Dissect API to work with Cowrie's snapshots.

Once again, we found ourselves investigating a compromised WordPress server. In this blog post, you'll see how we investigated the attack and what useful information we have uncovered.

This time, the attack was discovered after a manual inspection on the hosting facility, where we observed several connections initiated by the hosting server to external IPs. This is not something we expected to see, so we did some further inspection. First, we extracted the executable files that started the processes and we upload their hashes on Virustotal. Most of them are flagged as malicious, and we could see some connected IP addresses, but nothing more (a report for one of the files is here).

This time, we've been requested to take a look into a compromised WordPress server. In this blog post, you'll see how we approached the post-incident forensics and what interesting artifacts we've uncovered.

For this incident, we were provided with a disk snapshot of a compromised Wordpress server stored as a qcow2 image. Extracting forensic data from a snapshot is a great task for using Dissect because it allows us to analyze targets without mounting or booting them. Dissect is actually a collection of modular tools that can be combined or extended to retrieve common information from the targets (users, cron jobs, services, history, filesystem entries).

Join us Monday, the 26th of May, for "From Honeypot to Discovery: Forensic Analysis with Dissect". The presentation will show you how we use Dissect, an open-source tool, to investigate the content of a potentially infected qcow2 disk image. Then, we'll talk about how we integrate and automate the analysis of the qcow2 snapshot images generated by our cowrie-based SSH honeypot.

Don't miss out, we have juicy threat intelligence stuff as well (but only for your eyes)! Register here and we'll send you an invite!

When talking about cybersecurity, people often think about hacking systems or actively fighting hackers. However, one of the most important (and often considered to be boring) activities of a cybersecurity expert is to monitor (and search) for IOCs (Indicators of Compromise). These IOCs are, then, used to detect (and prevent) attacks against your infrastructure, services or users.

Usually, you monitor everything that can be monitored (kinda like a Big Brother): from your devices, services to the wild, wild Internet. While your local network is accessible, monitoring the rest of the Internet might be a really tricky task. One of the most challenging tasks is to monitor the dark web since it is usually only accessible via TOR. This blog post presents some general aspects of how a cybersecurity analyst can use TOR to analyze artifacts that can only be found on the dark web.

It has been silent around here as of late, but for good reason: we're starting the year (a bit late) with a presentation on web honeypots! Join us Monday, the 17th of March, for "Intercepting Potentially Malicious Payloads with Web Honeypots". The presentation will take you through all the steps you need to follow if you want to do this yourself: Docker containers, Elastic Stack, some good SysDevOps practices...

... But we know you are here for the threat intelligence, so don't worry, there will be some of that too, but only for your eyes.

Don't miss out! Register here and we'll send you an invite!

The Christmas season brings, besides joy and lights, warm emails with a twist. Good samaritans who want to share their joy and money with you will send you an email with an incredible offer that cannot be refused.

If you are enticed by their offer, you can send them your personal information in return (name, bank information and so on).

Everybody knows the Internet is full of crawlers, bots, scanners and other opportunistic traffic. This is not breaking news, but sometimes you come across a scanner so aggressive it makes you think you are actively targeted for a second.

We first noticed this particularly aggressive scan on our support ticketing platform during September 2024, with over 18 000 requests in the span of 20 minutes from 52.86.221.173.

[root@server tmp]# cat osticket_syslog.txt | grep 52.86.221.173 | grep 2024-09-07 | less | wc -l
18546

Every publicly exposed server will be, at some point, attacked by botnets. In this blog post, we will concentrate on the SSH botnets, i.e., the ones that try to connect via SSH to vulnerable endpoints (due to weak user:password combinations, SSH daemon misconfigurations and so on). After connecting to an endpoint, they usually run various commands (e.g., download and execute malware).

As part of the SOCcare project where Politehnica Bucharest is one of the partners, we deployed a honeypot to detect and study the SSH botnets’ behavior. During the month of August, we discovered some interesting patterns.