One Article Review

Home - The article:
Source RiskIQ
Identifier 8610693
Publication date 2024-11-13 22:39:54 (viewed: 2024-11-13 23:08:22)
Title Lessons from a Honeypot with US Citizens Data
Text

## Snapshot

The Trustwave SpiderLabs team set up a honeypot operation to analyze cyberattacks targeting the US election system. Although no information that could have affected the election process was discovered at any point during the research, the honeypot did capture a variety of attack types, including brute force, directory enumeration, and SQL injection attempts, targeting both web applications and databases.

## Description

The honeypot identified high activity levels in web protocols and recorded the most exploited CVEs, including [CVE-2017-9841](https://security.microsoft.com/intel-explorer/cves/CVE-2017-9841/), [CVE-2019-17558](https://security.microsoft.com/intel-explorer/cves/CVE-2019-17558/), [CVE-2022-41040](https://security.microsoft.com/intel-explorer/cves/CVE-2022-41040/), and [CVE-2014-2120](https://security.microsoft.com/intel-explorer/cves/CVE-2014-2120/). These vulnerabilities were targeted using botnets such as Mirai and Hajime, as well as exploit frameworks such as Metasploit or [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc). Attackers used tools such as Zgrab2, Masscan, and Odin.io for reconnaissance, with the dark web serving as a hub where cybercriminals collaborate and share knowledge. The honeypot's analysis of web traffic revealed extensive use of the FFUF tool to discover hidden files and directories. SQL injection attacks were also observed, with time-based SQLi used to probe database structures. The honeypot recorded brute-force attempts against the MySQL server, particularly targeting the "root" username, and identified two unknown threat actor groups through the analysis of JA3 fingerprints, which are unique SSL/TLS client signatures.
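As an added illustration (not code from the Trustwave research or from this summary), the following Python shows how a JA3 fingerprint is derived from TLS ClientHello fields and how honeypot sessions can be grouped by that hash so that different source IPs driven by the same client tooling cluster together, with a simple check for the time-based SQLi probes the summary mentions. The session records, IPs, URIs and ClientHello values are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

# GREASE values (RFC 8701) are dropped before hashing, as JA3 specifies,
# so randomised GREASE entries do not split one client into many hashes.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def ja3_fingerprint(version, ciphers, extensions, curves, point_formats):
    """JA3: MD5 of 'version,ciphers,extensions,curves,point_formats', each
    list joined with '-' as decimal values, all taken from the ClientHello."""
    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    raw = ",".join([str(version), fmt(ciphers), fmt(extensions),
                    fmt(curves), fmt(point_formats)])
    return hashlib.md5(raw.encode()).hexdigest()

# Time-based SQLi probes rely on database delay functions; matching them in
# request URIs is a cheap first-pass detector for honeypot web logs.
TIME_BASED_SQLI = re.compile(
    r"(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.IGNORECASE)

def is_time_based_sqli(request_uri):
    return TIME_BASED_SQLI.search(request_uri) is not None

def cluster_sessions(sessions):
    """Group sessions by JA3 hash: {ja3: {"ips": sorted IPs, "sqli": count}}."""
    groups = defaultdict(lambda: {"ips": set(), "sqli": 0})
    for s in sessions:
        fp = ja3_fingerprint(*s["hello"])
        groups[fp]["ips"].add(s["src"])
        if is_time_based_sqli(s["uri"]):
            groups[fp]["sqli"] += 1
    return {fp: {"ips": sorted(g["ips"]), "sqli": g["sqli"]}
            for fp, g in groups.items()}

# Constructed sample sessions (hypothetical IPs and ClientHello values).
# The first two come from one scanner build: GREASE differs, the JA3 must not.
SESSIONS = [
    {"src": "198.51.100.7", "uri": "/index.php?id=1' AND SLEEP(5)-- -",
     "hello": (771, [0x0a0a, 4865, 4866, 49195], [0, 10, 11, 13], [29, 23], [0])},
    {"src": "203.0.113.12", "uri": "/login.php?user=x' OR BENCHMARK(5000000,MD5(1))#",
     "hello": (771, [0x2a2a, 4865, 4866, 49195], [0, 10, 11, 13], [29, 23], [0])},
    {"src": "192.0.2.55", "uri": "/.git/config",
     "hello": (771, [49195, 49196, 47], [0, 11, 10], [23, 24], [0])},
]

CLUSTERS = cluster_sessions(SESSIONS)
```

Two sessions from different IPs collapse into one JA3 cluster with two time-based SQLi probes, while the third session forms its own cluster; in practice the hashes would be compared against known scanner and malware fingerprints.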
The research underscores the importance of continuous monitoring and response mechanisms to address the ongoing threat landscape, highlighting the persistent threat to election infrastructure and the need for proactive security measures to ensure the integrity of democratic processes.

## References

- [Lessons from a Honeypot with US Citizens Data](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lessons-from-a-honeypot-with-us-citizens-data/). Trustwave (accessed 2024-11-13)
- [CVE-2017-9841](https://security.microsoft.com/intel-explorer/cves/CVE-2017-9841/). Microsoft (accessed 2024-11-13)
- [CVE-2019-17558](https://security.microsoft.com/intel-explorer/cves/CVE-2019-17558/). Microsoft (accessed 2024-11-13)
- [CVE-2022-41040](https://security.microsoft.com/intel-explorer/cves/CVE-2022-41040/). Microsoft (accessed 2024-11-13)
- [CVE-2014-2120](https://security.microsoft.com/intel-explorer/cves/CVE-2014-2120/). Microsoft (accessed 2024-11-13)
- [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc). Microsoft (accessed 2024-11-13)

## Copyright

**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Notes ★★★
Sent Yes
Tags Tool Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.