Organizations can use so called Threat Intelligence feeds to purchase lists of IP addresses of potential malicious actors. Commercial parties like FireEye offer them at steep prices, but you could also look at freely available ones through for instance MISP.
These lists consist of millions of IP addresses where at one point in time it was assumed that an adversary was using time. However, often within 72 hours already, this IP address is no longer relevant because the criminal went on to use another IP address.
Due to the large amount of IP addresses it certainly feels like using a ‘hail cannon’ while at conferences such as BlackHat it is already proven that these feeds have less than 3% of usable information.
A better way to collect rogue IP addresses is to use Honeypots. Software that emulates a certain application and vulnerability, which then logs the IP address and the way he or she is trying to abuse the CVE.
By placing these Honeypots in strategic places in your network, you’ll achieve two things:
- Adversaries are trying to hack your honeypot instead of your production server. The honeypot won’t break, just log.
- The collected IP addresses and other information is relevant to your organization. You’ve proven that they are active and targeting your organization.
Wortell Enterprise Security just released a Honeypot for CVE-2020–0618, emulating a SQL Reporting Services server, and logging the source IP addresses and the payload being used.
MDSec, an UK cybersecurity company, uncovered on Valentine Day 2020 that they had found a vulnerability in SQL Reporting Services.
Because that had disclosed the information to Microsoft ahead of time, Microsoft was able to fix the vulnerability and release it as part of patch tuesday of February 2020.
The only robust way to fix this vulnerability is to patch. The malicious requests containing a payload for unauthed RCE look a lot like regular HTTP requests, therefore a Web Application Firewall (WAF) and/or other network-based solution will likely not provide the right level of security.
After the malicious actors succesfully have abused the vulnerability, they can pretty much run any command on the server. For instance, open up a ‘reverse shell’, getting them access to the network from the outside.
Looking at the MITRE ATT&CK framework, this could be classified as T1190 and the Initial Access tactic.
Wortell Enterprise Security shared the code and instructions for their honeypot on Github.
PRO TIP: Wortell is sharing other great projects on its Github repo, such as the powershell module for Azure Sentinel: https://github.com/wortell/AZSentinel
The CVE-2020–0618 honeypot can be found here: https://github.com/wortell/cve-2020-0618
Linux or Docker
The honeypot is written in Go. The easiest way to run it is on a Linux-based OS (like a VM in Microsoft Azure, or on a Raspberry Pi). There is also a Dockerfile in the repository to build your own Docker image, and the Docker container can also be found on DockerHub.
On the Github page you’ll find instructions to generate a self-signed certificate. After that, the Honeypot will listen on ports 80 and 443.
If you visit the IP address of the Honeypot with a regular browser you’ll get a (fake) SQL Reporting Services page. If you try to target the IP address with the known vulnerability, the Honeypot will log your IP address, payload and other relevant information.
If the malicious actor wants to abuse the vulnerability, they will need to create a specific HTTP request with the payload embedded. Here’s an example:
* Host: target
* Content-Type: application/x-www-form-urlencoded
* Content-Length: X
The payload is base64 encoded and needs a specific contents. With the help of programs such as ysoserial.exe this contents can be created.
The base64 encoded payload will be written to the clipboard:
Simulating an attack
With help of a website such as https://reqbin.com you could tailor the HTTP request and send it to your Honeypot:
In the folder ‘logs’ you’ll find the honeypot logs. There is an allrequests.log that shows all traffic. And there is a cve.log where only the (potential) attacks are shown that are trying to abuse the vulnerability:
Here’s an example of a log entry from an attempt to use the CVE. You can clearly see the IP address and which payload is being used:
If we want to understand what the contents of this payload is, we’ll need to decode it. Here’s decoding the base64 string using Cyberchef:
We find that they’re trying to use a PowerShell command, which is again base64 encoded. If we also decoded this string, we find the real commands:
Conclusion: somebody is trying to establish a reverse shell.
Microsoft Defender ATP
It’s good to know that these Base64 encoded commands and programs such as ysoserial.exe will be detected and blocked by Microsoft Defender ATP.
Is an adversary already present in your network and are they trying to abuse the vulnerability for ‘lateral movement’ then these signals will be shown in the Microsoft Defender ATP console:
— Maarten Goet, MVP & RD
Honeypot for CVE-2020–0618 aka SQL Reporting Services vulnerability was originally published in Wortell on Medium, where people are continuing the conversation by highlighting and responding to this story.