A small snapshot of data being collected in #EternalPot

A week ago I started building #EternalPot, a honeypot for the Equation Group SMB exploits leaked by the Shadow Brokers last month.

Some background here. Long story short: these were (and are) cutting-edge, default-install, unauthenticated remote Windows exploits that will be exploited for the next decade.

I predicted this would happen back in April:

The EternalPot data has shown advanced attacks, multiple coin miners, remote access trojans and lateral movement attempts into corporate networks — all via the Windows SMBv1 service.

The Shadow Brokers’ dump contains, technically, the best exploits I’ve seen in my almost two decades of InfoSec. I spoke to the LA Times about them here.

One of the exploits — EternalBlue — was used by the WannaCry ransomware spreader, which made headlines around the world because it largely infected corporate systems.

As I said to the Washington Post in August 2016, this is what happens when you have security agencies hoarding exploits insecurely — poorer security for all. Note that I’ve got no problem with global security services developing and using exploits — it’s their remit and often responsibility — but I do think work needs to be done around, er, Data Loss Prevention in Equation Group. It’s got kinda embarrassing, peeps.

Anyway, back on topic — I decided to share some of the lessons I have learnt from trapping SMB things in the wild.

The name of the Equation Group SMB implant used to deliver WannaCry, and the name of my website.

Designing a new kind of honeypot

Be cynical of everything, but open to new ideas

One of the first things I needed to do was architect a system that applied to the real-world situation.

There has been a lot of vendor and press coverage of WannaCry which has been inaccurate. Despite what has been said, WannaCry was not spread via phishing or email — in fact, it was an SMB worm. Seeing a constant stream of misinformation from InfoSec vendors about this has been depressing — it continues to this day, long after the major players and initial victims walked back the email line.

Here is Symantec’s endpoint data for SMB EternalBlue exploit attempts on their users with the Symantec firewall/network IDS protection enabled:

Figure 2. Number of exploit attempts blocked by Symantec of Windows vulnerability used by WannaCry per day

As you can see, that’s a lot of exploit attempts — made more interesting by the fact that the data comes from corporate PCs sitting inside internal corporate networks.

The graph above with Symantec’s data per hour

As you can see, pre-WannaCry (left diagram) these SMB attacks were almost non-existent. It’s an SMB worm, like the ones from the prior decade.

Another angle to the press coverage was Windows XP being impacted — in fact, an entire weekend of UK mainstream media and political commentary ran on this. While SMBv1 has serious issues on Windows XP and 2003 (and on later OSes!) and should be patched and firewalled (aka disabled), the reality was that the WannaCry spreader didn’t work on Windows XP SP3.
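The "patched and firewalled (aka disabled)" advice above, as an added example that is not code from the original post or from EternalPot: a PowerShell script for Windows 7 SP1 / Server 2008 R2 and later that turns off the SMBv1 server and client, blocks inbound TCP/445, and checks whether the March 2017 MS17-010 packages are present. The registry value, service names and KB IDs are the ones Microsoft documents (KB2696547 and MS17-010); the firewall rule name and the choice to block 445 on every profile are assumptions for illustration, and the script deliberately uses netsh and the registry rather than the newer Set-SmbServerConfiguration cmdlet so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post). Run from an elevated prompt;
# the LanmanServer change takes effect after a reboot.

$ErrorActionPreference = 'Stop'
$srvParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Manual admin check instead of '#Requires -RunAsAdministrator' (PS 4.0+ only).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

function Get-Smb1ServerState {
    # SMB1 DWORD under LanmanServer\Parameters: 0 = disabled; 1 or absent = enabled.
    $v = (Get-ItemProperty -Path $srvParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return 'enabled (default, value absent)' }
    if ($v -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Disable-Smb1 {
    # Server side (what Set-SmbServerConfiguration -EnableSMB1Protocol $false
    # writes on Windows 8 / Server 2012 and later).
    Set-ItemProperty -Path $srvParams -Name SMB1 -Type DWord -Value 0 -Force
    # Client side: stop this host initiating SMB1 sessions (per KB2696547).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb445 {
    # Assumption: this host does not need to serve files. Hosts that do need a
    # narrower rule (remoteip= their admin or file-server subnet) instead.
    $name = 'Block inbound SMB 445 (EternalBlue surface)'   # assumed rule name
    netsh advfirewall firewall delete rule name="$name" | Out-Null
    netsh advfirewall firewall add rule name="$name" dir=in action=block `
        protocol=TCP localport=445 profile=any | Out-Null
}

function Test-Ms17010March2017 {
    # MS17-010 packages for Windows 7 SP1 / Server 2008 R2: KB4012212 (security
    # only) and KB4012215 (monthly rollup). Later rollups supersede these IDs, so
    # a miss means "verify against the current rollup", not "unpatched".
    $kbs = 'KB4012212', 'KB4012215'
    $hits = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
    return [bool]$hits
}

function Test-Tcp445Listening {
    # Disabling SMB1 does NOT close the port: SMB2/3 still listen on 445, which is
    # why the firewall rule matters even after the registry change.
    $lines = netstat -ano -p TCP | Select-String ':445\s+\S+\s+LISTENING'
    return [bool]$lines
}

Write-Host "SMB1 server before: $(Get-Smb1ServerState)"
Disable-Smb1
Block-InboundSmb445
Write-Host "SMB1 server after:  $(Get-Smb1ServerState) (reboot required)"
Write-Host "MS17-010 March 2017 KB present: $(Test-Ms17010March2017)"
Write-Host "TCP/445 still listening:        $(Test-Tcp445Listening)"
```

The order matters on a worm-exposed network: add the firewall rule first if you cannot reboot immediately, since the SMB1 registry change does nothing until LanmanServer restarts, and EternalBlue only needs the port reachable.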

Here’s Kaspersky’s graph of infected operating systems:

Infected systems. XP unlisted as too small. 10 x64 caused by shared file detections.

So, I knew I needed SMB honeypots that would look like Windows 7. It needed to be low budget, and probably a mix of quite radical and radically basic (Oxymoron? Not today, Wordsworth).