
A little loud too. I'm ready if you guys are good to go. Awesome. All right, so I guess over there, my name is Andrew. My talk is called Ballin' on a Budget: Tracking Chinese Threat Actors on the Cheap. So, a little bit about myself: my name is Andrew Morris, I am a security engineer for a company called iSEC Partners. I literally just moved back to South Carolina; they're based in New York, but I just came back and I'm working remote now, so I'm glad to be back in South Carolina. iSEC Partners actually doesn't do much of this stuff, or I don't, rather; I'm a pentester there, so I usually do network and app stuff, all that fun stuff. This is my Twitter information, this is my email; if you guys want to yell at me about how much my talk sucks or anything like that, that is fine with me. Oh, also, before I even get started: I had literally one hour of sleep last night, because some crazy thing happened, so if it starts getting real loopy up here, that is completely my fault and I apologize in advance. One way or another, this is about to be hilarious, so let's get started.

So today, basically, I'm going to tell you how I tracked a group of threat actors with no money, and I'm going to show you how you can do it too. So basically this is kind of the little synopsis that we're going to follow.

So what is threat intel, what is threat intelligence? Basically, threat intelligence is gathering intelligence on your adversaries, or bad guys in general, and predicting and preventing attacks before they happen, or after they've happened, whatever. Threat: bad guys. Intelligence: trying to predict the future. Hopefully that makes sense. So tons of companies do some kind of threat intelligence stuff. I mean, we had Jason mention Mandiant earlier; there's a ton of companies that do that. They released the APT1 report, and CrowdStrike does that kind of stuff. There's a ton of companies that do it and have been doing it for a long time, but those are some of the big ones that market heavily. We can do it too. It's not that hard, as it turns out. It's hard to do it like crazy, like how they do it, but we can actually do it; it's not too terribly hard to break into as an individual security researcher and start tracking bad guys and all that fun stuff. So let's talk about it.

So how do you threat intelligence? Basically what we're going to be talking about is: setting up a network of sensors, or honeypots; monitoring them for attacks; aggregating said data; locating, securing and analyzing artifacts that are left behind by bad guys; locating key adversary infrastructure, stuff like command and control, and DNS servers and web servers that they're using to propagate malware, whatever; and then profiting.

How actual companies do it, by the way, people who aren't just random security dudes doing presentations: most organizations have antivirus software that they install on their clients' machines, and they drop managed little honeypots in the networks and stuff like that, and then the sensors look for indicators of compromise, IOCs, if you've ever heard that before. That can be anything from the MD5 of a file that's known to be evil, or connecting to an evil domain that is only ever going to be connected to by malware, or registry keys, or user agents, or anything like that. There's a ton of different flavors that indicators of compromise can come in. And a lot of the time they'll say, one isolated event is just, oh, whatever, it's a one-off thing, these things happen; and then more than one of the same indicator across the enterprise is, okay, we've got an APT, or we've got somebody that's moving around our infrastructure or whatever. And then they collect the malware artifacts of the targeted attackers, and then they reverse it and write up big reports and make money and all that fun stuff.

This is how we are going to be Ballers on Budgets, because I'm assuming that you are trying to do the same thing that I did for the duration of this talk, which is do really cool stuff without spending a lot of money. We're going to be setting up our own honeypots, we're going to be monitoring attacks, we're going to have a management interface and we're going to be doing log review. We're going to locate a group of attackers, we're going to scrape their web servers, and we're going to try to collect as much malware as we can. We're going to try to figure out who they are, we're going to try to analyze their capabilities, secure their artifacts, correlate the data that we find, and we're going to try to track their other targets. That's where it gets kind of exciting: we're going to try to see who else, other than us, they're targeting, and see what we can do there. And then we're going to talk about some defenses, if you do run a network or an enterprise or anything like that; we're going to talk about some firewall rules and indicators and write-ups and all that good stuff.

So, what we cannot do. We are Ballers on Budgets; we're not big fancy companies that do incident response, so we don't have access to a lot of really cool data. I'm assuming that, for what we're talking about today, you don't do incident response, and your entire attack surface is whatever it is that you're given; it's whatever you set up. You don't have an organization that you're trying to protect; people are not calling you in and giving you access to super cool malware that, like, China Elite Unit One wrote. And we're going to be focusing on mass attacks on the entire internet, not so much targeted attacks, and we're going to basically just be tracking kind of dumb groups that have crappy operational security, which we'll dig into a little bit. Specifically, what we're going to talk about today is groups that spread malware via crappy SSH passwords: they just guess them, and that's it, and then install malware.

So just real quick, a quick malware primer, for people who have lives. Most malware uses the conventional C2 model, the command and control model, and most malware is used to perform distributed denial of service attacks, or at least most unsophisticated malware is. So the conventional command and control model is basically: you've got a bunch of computers that get infected with some kind of malware; they all join one centralized thing, or have some medium that they can connect to one thing or communicate with one thing, maybe it's an IRC server, maybe it's a web server or whatever; and then the actual actor behind that, as you can see over here, the bot master (I don't know where I found this, by the way; it's like one of the worst diagrams I've ever seen in my life, but what are you going to do), the guy behind the malware, is going to log into that so he can centrally manage all of the evil compromised computers. And that's just kind of a dumbed-down, pretty blanket way of describing the conventional C2 model.

The groups that we're looking at scan the entire internet for SSH servers. Once they have found SSH servers, they run automated scripts that run brute force attacks on these, and they look for common credentials and easily guessable credentials; we'll dig into the actual specifics of what they're looking at in a little bit. When they get a successful login, it's basically an automated script that's logging into the server, running something like `uname -a`, which is going to give you information on the system, or any kind of command that's going to give it information on what kind of system it is that they've just compromised. And then, based on the output of that, based on what type of system it is that the script has logged into, it's going to pull down a certain type of malware. For example, if it's, okay, this machine is a 64-bit Linux system, then it's going to say, okay, and it's going to pull down some 64-bit Linux malware and it's going to run it, like that.

So the next thing we're going to talk about is actually setting up our infrastructure. We're going to talk about honeypots. So, by show of hands, can you raise your hand if you know what a honeypot is? Awesome. I was giving this talk at another point, and I asked
that question, and literally nobody raised their hand, and I was like, this talk is going to suck really bad for all of you. So I'm glad that we've got a good show of hands for that. What is a honeypot, just in case you were one of the two people that didn't raise your hand just now: a honeypot is an intentionally vulnerable server or application that serves literally no business purpose. Its only purpose is to attract the attention of bad guys so that you can gain information about them.

So we're Ballers on Budgets. We want to set up some machines on the internet that are vulnerable; we don't want to spend money, or at least we want to spend as little money as humanly possible. So we're going to look for some cheap hosting options: some cheap virtual private servers, some cloud instances, or whatever. I've got a couple of recommendations here, things that I've used. One of them is a company called CloudAtCost, if you have heard of them. They have this deal where you can get a server where you pay $35 one time, ever, and you get that server forever. I don't know how that's scalable, but apparently it works out for them, and I'm basically just buying as much as I can until they realize what a horrible business mistake they've made. So what are you going to do. The cons are that they do have kind of crappy uptime, and they are slow and kind of unreliable, the VPSes themselves. There's also another price model where you can pay $1 a month, which might be cool if you're just kind of dipping your toes in the old Ballin' on a Budget plan. And then another thing that you can look at is Amazon Web Services, or AWS. They actually have a couple of micro-tier instances that anyone can get free, so you can get really, really simple, very, very weak but effective VPSes, or servers that sit on the internet, and you don't have to pay anything.

So just a quick note about operational security when you're configuring your infrastructure here: do not reuse any of your own passwords on the servers that you're using. Don't put any data on the machine. Don't put anything personally identifiable on these machines. These machines are going to be targeted by the kinds of people that you don't want to piss off, so try to be as shady as possible when you're setting these up. Assume that your honeypots will be compromised literally at any moment. Put no data on them, don't use them for a mail server, don't use them for anything else. Don't install a honeypot on your own machine, God help us all.

So then, step two: management. How do you manage it? You've got one, or maybe you've got five honeypots on the internet, or maybe you've got a hundred. There's a company called ThreatStream; they're one of those threat intel companies that I was talking about earlier. My cup has a hole in it. What are you gonna do, it's just one of those days. ThreatStream is a threat intel company, and they have an open source product that they have released called the Modern Honey Network. They've changed the name of it like a hundred times, but whatever. You can get it on GitHub; I've got it at the end of the presentation. It looks like this. Basically, you log in, you tell all of your honeypots to communicate with one centralized kind of repository, and they feed all of their logs in. And oh God, you're the man, thank you so much. I wish that happened in real life, when you're like, I have a problem, and someone's like, yo, I got you, man. So basically it's like a dashboard, and it aggregates all your data together and it tells you, here are your top attackers, here's the top stuff that we're seeing. And it's cool because it's free, and we're not trying to spend money right now. It's also got a sweet little honey map feature where, when you're getting attacks, it actually puts these cool little dots, so you can feel like a total badass looking at the map light up and feeling like you're super cool. So it's a really neat project, and it's awesome that it's free.

So the actual honeypot that we're going to be using is called Kippo. Raise your hand if you've ever heard of Kippo before. Awesome, got a good show of hands there. So Kippo is written by some random dude in Python, and it's basically an SSH honeypot. If you were just a random dude and you found a Kippo instance and logged into it over SSH, you would have no idea, right off the bat, that it's not a real SSH server. I mean, you can run commands, you can do all this stuff, but nothing's actually happening; it's just pretending, and it's logging everything you do. So it records attacker sessions. You can configure it to accept however many passwords or however many usernames you want; you can configure it to accept any username or password, but that might kind of tip off attackers a little bit. And it hooks wget, so when they try to pull down malware or whatever, it actually snags that sample onto your file system. That feature is kind of shady; it doesn't always work well.

So a couple notes about Kippo, though, just so you know. There are some tricks that you can use (as I'm a pentester, I always think about this kind of crap) to identify Kippo instances from the outside, when you're scanning it: there are patterns that the actual sequence numbers, when it's responding to you, will follow, so before you even log in you can identify that something is a Kippo instance. Fortunately, the attackers that we're talking about right now are not sophisticated at all, and they don't do any of this; hopefully none of them ever see this presentation. Internal tricks: once you've logged in to a Kippo, there are a couple of little weird logic bugs, like if you type ping 999999999999, an IP address that blatantly cannot exist, it's like, oh yeah, I'm pinging that address, yeah, that's good to go. So that's another thing; there's a couple little things like that. Also, no one's ever really done a security review of the code itself, so there are probably vulnerabilities there.

But yeah, so we've set up our infrastructure, we've set up our Kippo instance, we've set up the Modern Honey Network, we've got our honeypots feeding all of the data into our centralized management system, and we're still Ballin' on Budgets; we've spent at this point probably like
$6. So once the attacks begin, we've got some Ballin' on a Budget style data analytics, which consist of some Bash one-liners that I wrote to give you some pretty cool data. That's not showing up too terribly well; it kind of backfired, I tried to look like Neo and use green text. I'm going to remember that for next time. But basically what we're seeing here is: if you run that command on the logs, it's going to return to you the top 25 passwords that attackers are using against your infrastructure. This was the data that I pulled; this is actually real data, by the way. So the number one password that's used is just a dash, the number two password is just an underscore, and then after that you're going to see things like 123456 and 789, password, admin, stuff like that. This is the top 25 attacker IP addresses.

So this kind of stuff is really useful. Oh, actually, before I even go on, the reason that the passwords are useful is because the reason that they're using these passwords is because they are effective. So if you have a password policy or anything like that, make sure you're auditing things against stuff like this, so people cannot use these things. Alternatively, if you are a pentester, use these lists, because they're tried and true when you're trying to break into other people's stuff, because somebody else has spent a lot more time than you have gathering this data. Same thing with the IP addresses: these are IP addresses that are either compromised or belong to bad guys. There are entire blocks of IP space that you're just going to get so many attacks from. And again, it's really useful in a lot of different ways: if you're a defense kind of guy, just block these IP addresses, or look at them, or do research on them, try to figure out who they are, stuff like that.

I actually also wrote this thing called tracker (it's a great name, I know) that basically, whenever a bad guy successfully guesses one of the passwords to your honeypot, it actually sends you a text on your phone using Google Voice. It's on my GitHub; it's kind of broken right now, but if you actually care, send me a text or shoot me an email and I'll fix it.

So, quick recap of what we've learned so far: we've learned what threat intelligence is, kind of, and we've learned how to set up and operate our infrastructure. So the next thing that we're going to look at is actually locating a specific group.
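The top-25 password and attacker-IP counts above came from Bash one-liners over the Kippo logs. Here is the same analysis as an added Python example (not code from the talk, from tracker, or from Kippo itself): it parses login attempts out of log lines constructed for this example in the shape Kippo writes them (an assumption about the format: `login attempt [user/password] failed|succeeded` with the peer IP in the bracketed transport name, using documentation-range IPs and made-up passwords), then builds the password-policy audit, the successful-login trigger that tracker keys on, and the IP blocklist the talk suggests.

```python
import re
from collections import Counter

# Constructed sample in the shape of Kippo's auth log lines (assumption about the
# format; the IPs are documentation ranges and the passwords are made up).
SAMPLE_LOG = """\
2014-11-03 02:14:07+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/-] failed
2014-11-03 02:14:08+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/_] failed
2014-11-03 02:14:09+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/123456] failed
2014-11-03 02:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/password] succeeded
2014-11-03 02:15:31+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.22] login attempt [admin/-] failed
2014-11-03 02:15:32+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.22] login attempt [admin/admin] failed
2014-11-03 02:15:33+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.22] login attempt [root/-] failed
2014-11-03 03:40:12+0000 [SSHService ssh-userauth on HoneyPotTransport,14,203.0.113.7] login attempt [root/_] failed
2014-11-03 03:40:13+0000 [SSHService ssh-userauth on HoneyPotTransport,14,203.0.113.7] login attempt [root/123456] failed
2014-11-03 04:01:55+0000 [SSHService ssh-userauth on HoneyPotTransport,15,192.0.2.99] login attempt [root/toor] failed
2014-11-03 04:01:56+0000 [SSHService ssh-userauth on HoneyPotTransport,15,192.0.2.99] login attempt [root/-] failed
"""

# One login attempt: timestamp, peer IP taken from the transport name, then
# "[user/password] failed|succeeded". Anything else (commands, connects) is ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,"
    r"(?P<ip>[\d.]+)\] login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"(?P<result>failed|succeeded)$"
)


def parse_attempts(log_text):
    """Yield one dict per login attempt found in the log text."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def top_passwords(log_text, n=25):
    """The talk's first one-liner: most-guessed passwords with their counts."""
    return Counter(a["password"] for a in parse_attempts(log_text)).most_common(n)


def top_attacker_ips(log_text, n=25):
    """The talk's second one-liner: noisiest source IPs with their counts."""
    return Counter(a["ip"] for a in parse_attempts(log_text)).most_common(n)


def successful_logins(log_text):
    """What tracker keys on: every guess that actually got in."""
    return [(a["ts"], a["ip"], a["user"], a["password"])
            for a in parse_attempts(log_text) if a["result"] == "succeeded"]


def audit_password(candidate, log_text, top_n=25):
    """Policy check from the talk: refuse any password attackers are already guessing."""
    banned = {pw for pw, _ in top_passwords(log_text, top_n)}
    return candidate not in banned


def blocklist(log_text, min_attempts=3):
    """Source IPs worth blocking: at least min_attempts guesses, sorted for stable rules."""
    counts = Counter(a["ip"] for a in parse_attempts(log_text))
    return sorted(ip for ip, c in counts.items() if c >= min_attempts)


def iptables_rules(log_text, min_attempts=3):
    """Render the blocklist as iptables DROP rules for the INPUT chain."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in blocklist(log_text, min_attempts)]


if __name__ == "__main__":
    print("top passwords:", top_passwords(SAMPLE_LOG))
    print("top attacker IPs:", top_attacker_ips(SAMPLE_LOG))
    print("successful logins:", successful_logins(SAMPLE_LOG))
    print("policy allows 'password'?", audit_password("password", SAMPLE_LOG))
    print("\n".join(iptables_rules(SAMPLE_LOG)))
```

Point it at a real Kippo log by reading the file into `log_text`; the two `most_common` calls reproduce the one-liner output, and feeding `top_passwords` into a password-change hook is the audit the talk recommends. Source IPs that only failed a handful of times are left off the blocklist deliberately, so the threshold is the knob to tune against your own noise floor.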
Right, so successful logins with Kippo look something like this. You play them back and you're gonna... oh God, you guys can't see that. It's basically, somebody logs in, they try to pull down some malware or whatever. Actually, I think I have a quick demo I can do here; hopefully this works. Can you guys see that? Okay, great. So this is actually a recording of an attacker literally running attacks against my machine, and if you look really, really closely, you'll see that they're all pretty much failing, because it's trying to do some janky Bash commands where the syntax is terrible, or either that or my box just doesn't like it. But anyway, this is what the form of the attacks usually looks like, and this is real time: this is exactly what bad guys are typing into your stuff as they're typing it into your stuff. I know you probably can't see it too terribly well, but what's happening here is, it's running a command to stop your firewall, to wget a piece of malware from some random server, to chmod it with executable permissions, and then to execute that malware. So if we were an actual server, we would have just gotten owned, but we're not; we're just a Kippo instance, because we have too much time on our hands.

So when you actually go back and you look at the URLs for where these different scanners, where these different actors, are getting their malware from, you are always going to, like 99.9% of the time, see these things called HFS, or HTTP File Servers. It's basically just a web server that just serves files, it's crazy. And the cool thing about it is there's a directory index, so you can list the contents of all of the files. Not only that, you can see the sizes, you can see the date of when it was uploaded, and you can see how many times it has been downloaded, which is awesome when you're trying to track how big a campaign is, or when they updated their malware last, or anything like that. But it's also cool because, if you've got a bad guy that's running multiple malware campaigns, or has a lot of different malware samples, he's Ballin' on a Budget too, so he doesn't want to get a bunch of different web servers; he's going to put everything on one web server. You can snag all of those malware samples and you can do analysis on all of them. The reason it's pretty cool is sometimes you'll actually get Windows malware through these attacks, and so it's really, really awesome to see the way that the attackers operate like this.

Another note, just real quick: the particular web server that bad guys use, again, is HTTP File Server, HFS. This thing has so many vulnerabilities. Not saying I have ever done it, nor would I ever, but if you wanted to gain a lot of information on these bad guys, and you also wanted to violate the Computer Fraud and Abuse Act, you could moonwalk into these servers and get a lot of other information. I would advise against that. Like I said, there's a bunch of Windows malware on these things too, in addition to Linux ELF binaries.

So when you start to see binaries, when you start to catch malware, you can do some quick internet recon to figure out if anyone else has seen that malware before: just Google the MD5, or submit it to different places. I love it when I get no results on this, because I'm like, yes, I'm the first person to find this, it's awesome. Nobody cares, but I think it's awesome. But let's say, what if you suck at reverse engineering, and you have your malware samples, but you're not a reverse engineer, and you want to find out what the capability of this malware is, why do I suck at this so bad? It's actually all good, because there are websites like malwr.com.
It was written by, or it's run by, the same guys that wrote Cuckoo. It's got great reports. There's like over 200,000 malware, or maybe like two million malware samples on there, I have no idea. Private options enabled: so if you have a piece of malware that you don't want the rest of the world to have, you can check a little box and say, don't share this, versus with VirusTotal, where they're like, nope, I'm gonna give it to everybody. But it only does behavioral analysis with Windows binaries. This is what a malware report looks like; you can go over to static analysis, and network analysis, and dropped files, all that cool stuff. It's great. VirusTotal is a cool snapshot of AV reports; it has some behavioral analysis, but it doesn't really do behavioral analysis on ELF binaries or anything like that.

So this is kind of the fun stuff. I'm going to talk about a particular group that I'm tracking, and I've been tracking for like the last, I don't know, three months or something. I call them Chang, which, I work with this Chinese guy and I was like, what does this word mean, and he told me it actually means gang. It is, or was, a former gang in China. I named them that because some of the malware passes that as a string when it's checking in to the server. So I was getting hit a lot by a particular group, and when I say that it's a particular group, the reason that I know this is because it was coming from the same handful of IP blocks. They were just guessing a massive amount of passwords across a lot of my different servers. Some of the malware samples that I was getting a lot of the time had a lot of similarities, where it's basically the same malware, but it just had a couple of different bytes changed, so the MD5 was different. So I snagged a bunch of their malware samples. One of those malware samples... I actually kind of sucked at reverse engineering Linux malware, so I was like, I'm not going to do that, but I got some of their Windows malware, which is cool because I'm a little bit better at that.

I was giving this talk at one point and I had some people... I know that Jason made some great points about, let's not blame everything on China, and he's right. I am completely blaming this on China just because, I mean, there's literally, like, "we wrote this for China". And it's not necessarily the government; you see a lot, a lot, a lot, a lot, a lot of malware propagate there, and literally people writing notes like, wrote this for CN, here's my email address. All right, dude.

So reversing the actual malware itself is kind of a talk in and of itself that I'm not going to make you guys all suffer through. I also kind of suck at reversing, so don't listen to anything I say about it; I'm not a reputable source. But through a lot of trial and tribulation I did reverse a handful of these samples, and wrote up some IDA .idb data files on it with a bunch of different comments and stuff like that. But the good thing is, sometimes you don't have to reverse anything; you can just submit it.

A quick analysis of what the particular malware sample did that I secured: it dropped a couple of other binaries, it added itself to startup, the usual crap. But the functions in it were named stuff like SYN flood and UDP flood, so it was like, okay, this thing's probably going to be used for distributed denial of service attacks. So when I was actually executing the malware, doing some dynamic analysis, all I was seeing passed between the malware client and the server, the C2 itself, was just IP addresses. Just IP addresses. There were no instructions, nothing like that; a ton of IP addresses, random IP addresses. Figuring out, okay, why are you passing all these IP addresses? So I ran some geo lookups. I wrote this tool called geo, you can find it on my GitHub, which basically just returns to you the rough geographical coordinates of a particular IP address on the command line. And they were all in China, or around China, and I'm like, what is going on, what are all these IP addresses? I also threw them up on a map, so that's, yeah, pretty, pretty Chinese.

After a lot of research, I realized that these IP addresses were all DNS servers and backbone routers and stuff like that. And so I'm still like, okay, what is this? So as it turned out, I reversed them a little bit more and I talked to some folks: these IP addresses that it was passing were the malware targets; they were the denial of service targets. So the malware is connecting out to the C2 or whatever, and the C2 is saying, here's a bunch of IP addresses, and then the malware is spraying traffic at those IP addresses. And you can safely assume that the malware C2 is probably sending the same instructions out to everyone, because they want everyone to perform these denial of service attacks on whomever their targets are.

So I did the only reasonable thing I could think of and spent the next month or so writing my own malware emulator client that would let me log all of the IP addresses and track who they were targeting in real time. I spent hours staring at Wireshark, and I had to try not to kill myself, but I succeeded: I wrote this thing. This is what the code looks like; it's got a bunch of binary blocks. You can download it from my GitHub. This is what the code actually does: it connects to the C2 and it tells me, in real time, who the actors behind this are targeting, as they're sending out the instructions to all their malware. So in real time we can actually track who it is that they're trying to perform denial of service attacks on, as they're sending the instructions out to the different compromised machines. So we've gone from setting up honeypots, to identifying bad guys, to tracking who the bad guys are targeting while they're targeting them.

I think I have a quick demo. Let's check literally right now and see who they are targeting; hopefully they have targets, sometimes they just don't have any targets. I'm gonna blow this up as much as I possibly can. All right, let's see if they have any targets right now. So that's the first response you get, and this is probably going to take, I'm running on a hotspot right now, this is probably going to take maybe 30 seconds. But if they are targeting anybody, what's going to happen is we're eventually going to get a response back, and we're going to see the IP address, or the IP addresses, of the people that, literally this very second, they're targeting with denial of service attacks. And oh, we got a response, and, come on, there we go, got an IP address right there. This is an IP address of who the bad guys are targeting literally this very second. So if we wanted to, we could find the contact information for who owns that IP address; we can send them an email and be like, hey, what up guys, you're about to get hit with a denial of service attack. Or we can learn more about the group by learning, well, who would perform denial of service attacks on, a random internet service provider, maybe a university, or maybe a company, or anything like that. It looks like we're getting more. Well,
whatever you get the you get the gist of it so so basically oh God so summary of the group themselves they are based in China um they're not necessarily a Chinese government you know that's just where they live um they're not Advanced at all all they do is they guess credentials um and then they download malware they they package up their malware a lot of the times with like Auto exploit kits like for stuff that's like really old like MSO 8067 which is a really common like the bread and butter of bugs of like compromising other machines um and they just guess passwords and their goals are basically build bot Nets and DS people they don't
send spam they don't do stuff like that they just perform denial of service attacks to do some kind of censorship or maybe they're just a gang of people who are you know whatever or maybe they even sell their botn Nets to people so that they can dos people but the thing that I did learn is that they are actually somewhat smart about their targeting um they target things like DNS servers and uh like backbone routers and stuff like that because you know if if your goal is to take down a website uh it's going to make more sense to just go after the DNS server so people can't resolve DNS to get to your website instead of trying to
just like spam the crap out of you know an Apachi server until it goes down or at least that's one thing so another quick recap we have captured malware we have analyzed it to identify what their capabilities are and we have reversed the little custom binary protocol between them to figure out who the targets are in real time so some of my kind of closing notes the end result of this is we are able to track the group's Targets in real time we have malware artifacts and we have C2 IP addresses to block from our networks we know who the c2s are we know where the attacks are coming from we know a lot of different things so we've
gathered a lot of information from these guys and what another one of the cool things I mean there there's a list I think I actually go into it from here I'll go on the majority of this intelligence is gathered just from one piece of malware from one campaign uh there are a lot of these campaigns happening literally right now all the time you just need to find them so set up some honeypots you know do uh do you know read through this and take anything that's useful to you set up honeypots start looking at bad guys as they're executing attacks on my to-do list um I want to track more of these C2s I've actually started doing that
since I wrote this slide um I want to build an NSE script like an Nmap scanning script so that because there's a custom signature that I've identified for the C2s and I want to be able to see um where the other C2s are and like maybe if there are other groups using the same piece of software um it was actually interesting the guy who helped me um uh reverse some of the malware is this guy uh he runs they it's a it's a group of people um that run a group called MalwareMustDie and uh really really smart group of people and I was talking to the guy and I was like yeah
you know I'm trying to do all this stuff and he was like he was like yeah let me help you blah blah blah and I was like oh this is so cool of you like can I donate some money like you're really really helping me out can I like just donate like for like hosting and he goes no we don't do it for malware we do it we don't do it for money we do it because we hate malware Jesus all right man that's that's awesome I wish I loved anything as much as you hate malware um the other thing is that I would like to I would like to fuzz the custom service that is written actually kind of
going back to Mr. MalwareMustDie um they recently don't know how um acquired a copy of the same software that belongs that was being used by the same group that I've been tracking and they like posted a picture of it but they haven't released it yet and the reason it's so or the reason that I knew this is because the default port number is this like really random uh really high port number and when I was looking at the screenshot I was like oh holy crap that's the same screenshot of the group that I'm tracking so I've been like blowing this guy's Twitter up trying to get him to send me the file but he's not
doing it um some other stuff that I want to do is I want to figure out how to identify other um compromised clients uh conventionally there are a lot of different ways to do this uh like if if it's like uh if you're if you've got malware that's using like an IRC server or something like that sometimes you can literally just log into the IRC server and see like all of the host names and IP addresses of other compromised clients I'd like to let people know hey your box got popped um I would like to build up an automated notification system so that as these target IP addresses are are leaked out of the um
out of the C2 or they as the instructions are sent out there's like an automatic whois lookup of that IP address and then an email gets sent out to like the contact email address and says like hey guys you know batten down the hatches because you guys are about to get hit with a DoS attack I also would like these people to not know who I am um because that would not be fun and I would also like to build uh a map of their targets that updates itself in real time because like that would just be like super cool why wouldn't I want to do that um so kind of some things that I'm hoping uh that I've
been trying to convince you a little bit is that threat intelligence is not that hard to do kind of as an individual or something that you want to get into it's easy to ball on a budget um it's not it's not rocket science necessarily get out there and track some targets install honeypots uh start looking for bad guys uh warning your personal hygiene and your interpersonal relationships with other people will suffer tremendously because you will get obsessed um and you'll stop bathing and you'll just start spending all time all day on your computer which I mean who am I kidding I was doing that anyway um and don't forget any information that you get share your information with other
people give back uh you know there there are companies that charge a lot of information for this kind of stuff and uh you know and do really really cool stuff right now we're just ballers on budgets give your information to everybody um share the attacker IP addresses that you find share the malware samples stuff like that um you know and give back to other people uh just to give some credit to people we've got of course Mr. MalwareMustDie um CartoDB is the um the database the thing that I used to render that map earlier malware.trace
awesome slide uh do you guys have any questions anyone yes in the
back sure no totally understood so the question was uh during the course of my research did I identify any low-cost visualization software there is a package called like Kippo it's called like Kippo visualizer Kippo visualization um it's a separate thing that I think someone else wrote but it basically gives you graphs of like you know this is a pie chart of this one IP address is doing this here are the top passwords that we're seeing be used that somebody did already do I'm sorry what oh yeah Kippo-Graph thank you Kippo-Graph is what it's called um but yeah that's I haven't used it but it it looks it looks cool uh any other question yes in the
back what's your what what's my GitHub link wow crap how did I forget to put that here um it's my first name dash my last name Andrew dash Morris somewhere it's somewhere on here if you want my slides I'll send them out to everybody um anybody else have any other questions yes
interesting so the question is have I seen a change recently because uh attackers traditionally were using wget and they switched over to secure FTP I have not um I see a lot of wget and a lot of curl yeah but I haven't seen I mean the guys that I'm looking at they're real dumb and the other thing that I've noticed is if you use different hosting providers like if you use AWS for some of your honeypots and you use CloudAtCost for some of your other ones what you want to do is you want to find like the shadiest VPS as you can possibly find like buy a prepaid credit card to pay with them because
those are the ones that no one's paying any attention to them like AWS at least aggregates security statistics on all their stuff but like if you get you know Grandma's VPS in Russia or whatever uh they don't do anything and so you will actually attract more attacks if you use like a shadier VPS um like a a shadier hosting provider uh there is a there is a different demographic of people that go after AWS stuff or the AWS attack space than there are people that go after like CloudAtCost stuff which I can't really explain that but it's something that I have observed uh does anybody have any other questions no okay awesome my name's
Andrew uh this is my Twitter that's my uh that's my email address and that's me really drunk holding on to a dog thank you very much [Applause]