PCAP Analysis of MySQL Data Extortion Attacks in HoneyShare

Exposed databases are a common target for Data Extortion attacks, yet many of these attacks rely on bluffs rather than actual data theft.

Using MySQL honeypots in HoneyShare, a set of extortion attacks was detected. In this post we analyse the PCAPs to find what the attacks actually do, we extract a bitcoin address, and other key data points.

Analyzing Dropped Samples In HoneyShare's SSH Honeypots

HoneyShare runs SSH honeypots. Occasionally an attacker gains access to them and attempts to hijack the server.

In this blog post we analyze these attacks, specifically by looking at the dropped malware samples, and some HoneyShare data around this.

SSHD Hijacking

Analyzing a Hostname Blacklisted by HoneyShare

HoneyShare maintains a blacklist of hostnames and IPs. Let's take am example of a hostname and analyse it.

mail.telegrkwb.com

Fetching Data

Using HoneyShare API Python library, we can get some basic information out of the hostname.

from pprint import pp
from honeyshare import...


      
        
          
            Dissecting Redis Attacks with HoneyShare
It's surprising how much we can learn just by looking at what an attacker sends to an exposed Redis instance. Using only data from HoneyShare's honeypots we can:

List commands sent by attackers
Gather malicious URLs used for malware dropping
Collect malware samples

To start with this we must fetch some data.
Fetching...