
TORrenting

· 4 min read

When talking about cybersecurity, people often think about hacking systems or actively fighting hackers. However, one of the most important (and often considered boring) activities of a cybersecurity expert is to monitor and search for IOCs (Indicators of Compromise). These IOCs are then used to detect (and prevent) attacks against your infrastructure, services or users.

Usually you monitor everything that can be monitored (a bit like Big Brother): your devices, your services and the wild, wild Internet. Your local network is under your control, but monitoring the rest of the Internet is a much trickier task. One of the most challenging parts is monitoring the dark web, since it is usually only reachable through Tor. This blog post presents some general aspects of how a cybersecurity analyst can use Tor to analyze artifacts that can only be found on the dark web.

Intercepting Potentially Malicious Payloads With Web Honeypots

· One min read

It has been silent around here lately, but for good reason: we're starting the year (a bit late) with a presentation on web honeypots! Join us Monday, the 17th of March, for "Intercepting Potentially Malicious Payloads with Web Honeypots". The presentation will take you through all the steps you need to follow if you want to do this yourself: Docker containers, Elastic Stack, some good SysDevOps practices...

... But we know you are here for the threat intelligence, so don't worry, there will be some of that too, but only for your eyes.

Don't miss out! Register here and we'll send you an invite!

Ho, ho, ho! Seasonal (spam) greetings!

· 6 min read

The Christmas season brings, besides joy and lights, warm emails with a twist. Good Samaritans who want to share their joy and money with you will send you an email with an incredible offer that cannot be refused.

If you are enticed by their offer, you can send them your personal information in return (name, bank information and so on).

Can I help you, Mr. Bad Bot?

· 5 min read

Everybody knows the Internet is full of crawlers, bots, scanners and other opportunistic traffic. This is not breaking news, but sometimes you come across a scanner so aggressive that, for a second, it makes you think you are being actively targeted.

We first noticed this particularly aggressive scan on our support ticketing platform in September 2024: over 18 000 requests in the span of 20 minutes, all from 52.86.221.173.

[root@server tmp]# grep 52.86.221.173 osticket_syslog.txt | grep -c 2024-09-07   # requests from the scanner on that day
18546
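A single grep tells you how many requests an address made on a given day; what makes a scanner stand out is the rate. The following is an added example, not the blog's own tooling: a sliding-window detector that, for every client, tracks the most requests it made within any 60-second window and flags those above a threshold. The log line format ("timestamp ip method path"), the benign client 198.51.100.7 and the sample lines themselves are constructed for the example; only 52.86.221.173 comes from the post.

```python
# Added example: sliding-window request-rate detection over web-server log lines.
# Not the blog's code; the line format and the client 198.51.100.7 are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <client ip> <method> <path>"
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\S+)$")


def build_sample_log():
    """Constructed sample log: one client hammering the ticketing UI, one normal user."""
    start = datetime(2024, 9, 7, 10, 0, 0)
    lines = []
    # 52.86.221.173: one request per second for five minutes
    for i in range(300):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 52.86.221.173 GET /scp/login.php?i={i}")
    # 198.51.100.7 (assumed benign user): one request every five minutes
    for i in range(3):
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 GET /tickets.php")
    lines.append("garbage line that does not parse")  # exercises the skip path
    return lines


def parse_line(line):
    """Return (timestamp, ip, method, path) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def peak_rates(lines, window_seconds=60):
    """Map each client ip to the largest number of requests seen in any window."""
    parsed = [p for p in (parse_line(l) for l in lines) if p is not None]
    parsed.sort(key=lambda p: p[0])  # tolerate logs that are not strictly ordered
    windows = defaultdict(deque)      # per-ip timestamps inside the current window
    peak = defaultdict(int)
    for ts, ip, _method, _path in parsed:
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_scanners(lines, threshold=100, window_seconds=60):
    """Clients whose peak in-window request count reaches the threshold, sorted."""
    rates = peak_rates(lines, window_seconds)
    return sorted(ip for ip, n in rates.items() if n >= threshold)


if __name__ == "__main__":
    log = build_sample_log()
    for ip, n in sorted(peak_rates(log).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} peak {n} requests / 60 s")
    print("flagged:", flag_scanners(log, threshold=50))
```

The threshold is the part you tune per service: a ticketing portal used by humans rarely sees more than a handful of requests per second from one address, so a 60-second peak in the hundreds is a strong signal, while an API behind a NAT gateway may legitimately show far more.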

SSH botnets with a 9 to 5

· 5 min read

Every publicly exposed server will, at some point, be attacked by botnets. In this blog post we will concentrate on SSH botnets, i.e., the ones that try to log in over SSH to vulnerable endpoints (weak user:password combinations, SSH daemon misconfigurations and so on). Once logged in, they usually run various commands (e.g., download and execute malware).

As part of the SOCcare project, in which Politehnica Bucharest is one of the partners, we deployed a honeypot to detect and study the behavior of SSH botnets. During August we discovered some interesting patterns.
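The kind of pattern a honeypot makes visible is when and with what credentials the botnets knock. The following is an added example, not the SOCcare project's code: it parses login-attempt records in JSON-lines form, builds an hour-of-day histogram, lists the hours each source is active in, and ranks the credential pairs tried. The event shape is only loosely modelled on what SSH honeypots emit (the field names eventid, timestamp, src_ip, username and password are assumptions), and the two source addresses 198.51.100.10 and 203.0.113.5 and all records are constructed for the example. Timestamps are UTC; whether a source's activity really is "9 to 5" depends on a timezone you do not know, so the histogram is evidence for a hypothesis, not proof of one.

```python
# Added example: hour-of-day analysis of SSH login attempts recorded by a honeypot.
# Not the SOCcare project's code; the record format and both source IPs are constructed.
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_EVENTS = {"login.failed", "login.success"}  # assumed event ids


def build_sample_events():
    """Constructed JSON-lines records for one day, August 1st 2024, UTC."""
    base = datetime(2024, 8, 1, 0, 0, tzinfo=timezone.utc)
    creds = [("root", "123456"), ("admin", "admin"), ("root", "root")]
    lines = []
    # 198.51.100.10 (constructed): one attempt every 10 minutes, only 09:00-16:59 UTC
    for i, minute in enumerate(range(9 * 60, 17 * 60, 10)):
        user, pw = creds[i % len(creds)]
        lines.append(json.dumps({
            "eventid": "login.failed",
            "timestamp": (base + timedelta(minutes=minute)).isoformat(),
            "src_ip": "198.51.100.10", "username": user, "password": pw,
        }))
    # 203.0.113.5 (constructed): one attempt every hour, around the clock
    for hour in range(24):
        lines.append(json.dumps({
            "eventid": "login.failed",
            "timestamp": (base + timedelta(hours=hour)).isoformat(),
            "src_ip": "203.0.113.5", "username": "root", "password": "password",
        }))
    # a non-login record, to show that it is filtered out
    lines.append(json.dumps({"eventid": "session.closed", "timestamp": base.isoformat(),
                             "src_ip": "203.0.113.5"}))
    return lines


def parse_events(lines):
    """Keep only login attempts; return dicts with a parsed aware datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventid") not in LOGIN_EVENTS:
            continue
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        events.append(rec)
    return events


def hourly_histogram(events):
    """24 buckets: number of attempts that started in each UTC hour."""
    hist = [0] * 24
    for ev in events:
        hist[ev["ts"].hour] += 1
    return hist


def working_hours_share(hist, start=9, end=17):
    """Fraction of all attempts that fall inside [start, end) UTC."""
    total = sum(hist)
    return sum(hist[start:end]) / total if total else 0.0


def active_hours_by_source(events):
    """Sorted list of UTC hours in which each source was seen at least once."""
    hours = defaultdict(set)
    for ev in events:
        hours[ev["src_ip"]].add(ev["ts"].hour)
    return {ip: sorted(h) for ip, h in hours.items()}


def top_credentials(events, n=5):
    """Most frequently tried (username, password) pairs."""
    return Counter((ev["username"], ev["password"]) for ev in events).most_common(n)


if __name__ == "__main__":
    evs = parse_events(build_sample_events())
    hist = hourly_histogram(evs)
    for hour, count in enumerate(hist):
        print(f"{hour:02d}:00 {'#' * count}")
    print("share inside 09:00-17:00 UTC:", round(working_hours_share(hist), 3))
    print("active hours:", active_hours_by_source(evs))
    print("top credentials:", top_credentials(evs, 3))
```

On the constructed data the round-the-clock source contributes one attempt per hour and the office-hours source contributes six per hour between 09:00 and 17:00, so the histogram shows a plateau during the day with a low, flat baseline at night. On real honeypot data the split by source is what matters: a single address that only ever appears during one block of hours looks very different from a distributed botnet whose aggregate histogram is flat.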