
Well, that was really anticlimactic. Come on. No. So, thanks for coming. This is not the last talk of the day, but I've been kind of stressing about this all day because it's a lot of research that I've been doing, and usually I stand up and just rant, whereas this is a lot of content that I've been researching for the last 18 months. So, the title is "[ __ ] around, get found out." That's our phrase of service, but what most people know it as is HoneyPOC. There are a few Easter eggs throughout the talk, so if you can read the text at the top, you can just have a little bit of a try.

For those of you who don't know me, most people in the room do, but as this is being recorded, my name is Andy Gill. I'm known as ZephrFish on most platforms. I'm the UK lead and principal consultant at Lares Consulting. This is our logo. I'm mainly focused on red and purple teaming, with more of a kind of offensive nature of things. I'm also an insomniac, so most of my productivity happens between like 11:00 at night to 6:00, 7:00, 8:00, 9:00 in the morning, and then I need to get up at half nine. So, it's not ideal. Outside of security, I do quite a lot of photography. I love taking pictures of Scotland. It's probably one of the most beautiful countries in the world. I really enjoy driving when my car works. It's kind of a bit broken at the moment. I also do karate. I'm a first-dan black belt in karate. So, not only am I a keyboard ninja, I also break your legs. So, not just yet. Anyway, I'm also co-host of a podcast called We Geek Together, which is very not safe for work. It's myself and one of my good friends, Dave. We speak to people in the industry about how they got into industry, what they're doing right now, and what their path was. And we're on about 24, 25 episodes. So, the last episode we had was Cybergibbons, which was very not safe for work, but it's very worth a shot. And if you want to follow my photography, it's ZephrSnaps on Twitter.

So, anyway, into the actual talk. The original project was started in July last year. So, round about, I think it was like the 18th or 19th of July 2020, there was a vulnerability, and there's always vulnerabilities that come out, but there was a vulnerability called SIGRed, which was being hyped up because it was a Windows vulnerability. It affected DNS and could trigger remote code execution. And I was having a discussion with some of my colleagues at the time about how long it would be until a proof of
concept came out, because often people hype these things up and then a proof of concept is never released. So, I was like, ah, I'll make a POC. What's the worst that could happen? So, I mean, I didn't know what the vulnerability was, but I made a bash script that would make a curl request to Rick Astley's video. And it pulled in the video and Rick Rolled people. And it was designed purely for a bit of fun, to kind of play a trick on people and highlight that you should read things before you run them. And that started getting a lot of traction really quickly.

So, it was round about 8:00 at night that this happened. And I think the announcement was like West Coast American time, so it was round about lunchtime West Coast America. And by about half past eight, so half an hour in, it was getting about 100 hits a second. So, it was getting a lot of hits. People just running things going, oh, this is fine. And one of my good friends, maybe not, it's John Carroll, recommended that I go and look at Thinkst Canary. Thinkst Canary have this service called Canarytokens, where you can generate a URL or a binary or lots of other different kind of mediums, and when the request is sent to that URL, it will trigger an email and be like, this is the source IP, this is the geographic location of that IP, and this is a little bit of information about what was run. So, I baked that in, and I built a Windows binary and a bash script and uploaded those. And a lot of people ran it.

So, this is, everyone loves a nice graph. This is essentially the information from the first POC. There was a lot of interest from the States, and that was mostly because the vulnerability came out round about lunchtime in the States, so people were online checking things out. And second in command there is China. A lot of interest came from actors, script kiddies, general "researchers". I put researchers in massive inverted commas because we'll get onto later on as to why that's total nonsense. And they were interested in it. So, this was around 2,000 to 3,000 IPs. It wasn't a lot, but it was quite a lot. And the kind of lasting impact of that was that there was a lot of distrust in raw proofs of concept that had been uploaded. And as a result, most of my colleagues don't trust anything that I put in Slack. I'm like, oh, check this out. They're like, no, Andy, not clicking on that. Last time I clicked on that, I got Rick Rolled. I'm like, well, you see, it's just one of these things that happens. And what it also did is it built a lot of mistrust and misinformation in threat intelligence feeds. And I say threat intelligence feeds because a lot of people were taking what was my HoneyPOC and just chucking it to anyone, going, oh, look at this legitimate POC that's come out, it's really cool. Not checking what the code did, and as a result, lots of people clicked on it. And the kind of lasting impact of that is it makes folks a little bit safer, because people were more aware of what they were clicking on and what they were running. Well, you say that. They were meant to be. So, it prevented, kind of scared some script
kiddies, or as Alex said earlier, script people, which is a bit more collective, running proofs of concept, downloading them, etc. What it also did in the first instance, and we're going to talk about the more broad aspect of it a bit later on, is it kind of identified foreign threat actors. And I mean, doing red teaming, I don't really get involved too much in the threat intelligence side of things, but I do deal with the digestion of bits and pieces. And it found genuine... There was, I think, on the original HoneyPOC, like two or three genuine insider threats where people had downloaded the SIGRed fake POC and pointed it at an internal host. And as a result, I'd gotten source IP addresses from inside of companies which I never thought I'd be inside, which is pretty terrifying, actually.

So, roll forward. This was in July last year. Roll forward to round about April this year, and two vulnerabilities came out, not related to each other. And I was just chatting to one of my friends and he was like, you should go and make one for these. So, I made a second fake proof of concept honeypot for Pulse Secure. There was a remote code execution affecting that. And also the Microsoft Exchange bugs. So, there were like tons of Exchange bugs that came out in April. And I decided, you know what? I'm going to create another fake POC, but it's only going to be a binary this time. And that got me blocked by quite a lot of people on Twitter. So, this tweet here is me subtweeting a threat intelligence feed called vFeed.io. They blocked me on Twitter. Don't really care. Their name's in this multiple times. And they're like, oh, check out this legitimate POC, blah blah blah. It's new, blah blah blah. And Kevin Beaumont kind of weighed in and went, right, why don't we automate this? This will be a lot of fun. So, basically, anyone who's watching this, blame Kevin Beaumont. It's not my fault, right? Sorry, Kevin. That's when HoneyAutoPOC was born.

So, what is AutoPOC? AutoPOC is disinformation as a service. What it does essentially, now, if you can't read that at the back, essentially what it does is it polls for the latest CVEs from a URL, the URL being like MITRE. So, MITRE release CVEs for vulnerabilities affecting lots of different systems. And it collects the CVE IDs, so like CVE-2021-... It will then create a Git repository for that, so just a shell repository, blah blah blah. And then it builds the POC from templates, which I'll talk about in the next slide. And then once it's done that, it kind of
starts the disinformation campaign. So, what a disinformation campaign does is it posts the GitHub link to Pastebin, Ghostbin, Twitter, and a couple of other sites. And the reason I picked those sites in particular is because what I was noticing from the first POC was the source traffic for a lot of threat intelligence companies was going to those specific sites. So, I picked those to try and flood feeds. Once that was all built, it would then send me an email alert to honeypoc.io, which is the main inbox specifically for this. And then fun would ensue.

So, templating for maximum reach. When I started building this, bit of a side topic, but Aiden, one of my good friends, was teaching me Russian. Don't know any Russian. I only know suka. It's a swear word. So, yeah, you can count that as a swear. You can look it up. I'm not going to translate it. But we got talking about Python and Go. And he's like, why don't you just automate this and make templates? So, we were up till like three or four in the morning making templates for what AutoPOC became. And essentially what the templates do is they are find-and-replace documents. So, there's a Go template, there's a Unix template, and there's a readme template. Now, what the Go binary does, or the template, is it pulls the CVE ID, it pulls a canary token ID. So, scroll back a bit. I spoke to Thinkst Canary. I was like, you guys have got an open source solution, I want to use it automated at mass scale. And they went, no, that doesn't work. And I was like, okay, cool. What can I do to make this better? And they went, how about we give you paid access to our dashboard and things, and you can generate as many POCs as you want. And spoiler alert, they didn't think I was going to generate over 5,000. They were like, oh, maybe a couple hundred. Shouldn't be too bad. But the numbers are later on, but I generated quite a lot.

So, what we do is I generate a unique URL. I would then pack it into the binary, build the binary, and do a lot of information collection. The Unix template, so this would build an EXE and the EXE would go onto the Git repository. So, you can't really check the source of that, but it's a raw binary on GitHub. You shouldn't be running raw binaries off GitHub. It wasn't like it was a release. The source code wasn't released. It was just up there. The second template was the Unix one, just a bash script, which essentially made a curl request with the dash capital A flag. That capital A means you can set the user agent. Now, what the user agent was set to was the host name, so the host parameter. So, it would send that to the URL and I'd get the information about host names. Then finally was the readme, which is kind of where the disinformation aspect of things was. In the readme, it had the CVE ID, the title, the description about what the CVE actually was. So, for people who were trawling GitHub and Pastebin and things, it was pulling all the information together and putting it into one place. What it also had, because everyone in threat intelligence and blue team, they love to check hashes and things, it would on the
fly do a SHA-256 hash of the binary, because obviously it's a legitimate binary. Like, they're going to check it, it'll be fine. And it would drop it in, and as a result, that was showing up in a lot of threat intelligence feeds. So, that's how templates work.

Who was it actually designed for? So, originally, the original POC was a bit of a joke, a bit of a troll to [ __ ] with people and do a bit of pieces LPS world, right? And it was designed to poison threat intelligence feeds, because most people, if you're in... Hands up, who does threat intelligence? There's like three people. Keep your hand up if you don't use Excel. Yeah, so basically, threat intelligence is Excel. And I just wanted to get into threat intelligence, get into the feeds. What I also wanted to do, because I was doing a lot of research from a red team perspective as to how threat actors pick up vulnerabilities, and I wanted to try and poison threat actors' stuff, which, spoiler alert, not a good idea, because they've got a lot of money and they like calling people and things. But anyway, I'm not going to name any people in this talk, because I've been told not to name people. I'll just name the threat intelligence feeds, because I value my life. Anyway, it was also verifying the lack of verification, where people would pull things through and just publish them. This is a prime example of a Chinese account that would pull from GitHub. They pointed out that this account was fake, and we'll talk about the accounts in a second. And it was designed to kind of tease script kiddies. This was one of the nicer Chinese messages I got. I got a lot of very threatening messages from fake people in Chinese, which was interesting.

Where was it actually located? So, I talked about GitHub a little bit. The process was uploaded to GitHub, and I created multiple GitHub accounts just to try and disperse and spread out the nonsense. Let's just say [ __ ], but spread out the nonsense. Said [ __ ] anyway. So, hey, it's one of these things. It was just distributed chaos, essentially. And then once that was done, it was to Pastebin and then Twitter. But one of the things I learned from the original HoneyPOC was I became the man who cried POC. So, every time I put something out, it was like, "Oh, it's a honeypot." So, I decided to create fake Twitter accounts to push this out, because everybody loves a bit of misinformation. Got me a lot of hate from some government agencies, but we won't get into that.

The actual timeline of events, so we sort of touched on this already. HoneyPOC started in July last year. Right about April, these two CVEs were made up, and then a bit of fun. And then the auto campaign ran for about six to eight months. And we're all here to see the kind of beautiful data and the kind of output things. So, in total, there were just about 5,000 canaries and CVEs generated. And that was across multiple GitHub accounts, and there's a table later on that kind of breaks it down. But that was pulling... So, AutoPOC went through a lot of different stages.
It started off where I was just polling for specific CVEs around Microsoft that had a CVSS score of like 10. And there weren't that many of them, so then I started to pull it back to eight to 10. And I mean, everyone loves CVSS, so I was like, "You know what? [ __ ] it. All of the CVSS just for Windows." And then what I found was I was getting quite a lot of data, but I wanted to go one step further. So, I went one step further and I went, "Right, okay, I'm going to just go for everything." So, I went for all CVEs between CVSS five and CVSS 10, so in actual real terms, a medium to a critical. And built proofs of concept for that.

And out of all the data, there were 6,641 unique IP addresses. So, that's 6,641 people. And that number is also minus... So, that number doesn't include sandboxes. If you include sandboxes, it's round about 70 or 80,000 IPs that are unique. But what I was finding with a lot of sandbox software is that they generate an IP on the fly, use it for analysis once, and then bin it. So, as a result, you would get a lot of false positives, because it was one IP and multiple instances were coming from multiple IPs. Kind of good, because you can't put them on a deny list, etc. And the project ran for six months. This is the kind of data I got. So, again, another nice lookage. As you can see again, the States are at the top. What I found... So, just a kind of disclaimer, this is a graph of all of the source IP addresses. I haven't mapped out the targets, because there were a lot of them, and if I was to put that up here, you'd be able to identify some of the companies, and obviously that's not great. I've got a blog post that'll be coming out soon. I think it comes out in like 20 minutes, so you can go and read about it afterwards. It doesn't list the target IPs either, but I might still do a blog post about it, because it's quite interesting. But anyway, what we found... This has also been de-duped from sandbox information, but it's not been de-duped from like VPN and Tor. So, there's quite a lot of information coming from hosting where people were spinning up VPSs, so like EC2 instances, whatever Azure uses, whatever GCP uses, and just chucking it into a kind of a pot of chaos and pointing things at things. Technical. So good. And that was really popular. Up top left here, we've got top people using GCP, then people using AWS, then China. And then I don't know what that ASN is, but I found it multiple times listed. And then China again, because everybody loves China. And then the cities, we've got kind of random. I'm not 100% certain how IPinfo, which is what this dashboard is from, pulls their geographic locations, because it might not be accurate, but it's a kind of rough idea. And then there's a bit of information there. This will all be in the blog post, so don't worry about photographing and stuff, it's not a problem. So, by generating the proofs of concept, I kind of bit off a little
bit more than I could chew. So, what I was talking about earlier on was when I was building AutoPOC, it was kind of incrementally getting a bit more, sketchy would be the best word for it. So, initially, the binary was built to just call out to a URL, and that was it. It would take the source IP and get the geographic information of the host. But then from speaking to people, I was like, "Right, okay, I'll get the host name." And then I'll get the username, and then I'll get the fully qualified domain name, and then I'll get the environment path, and I'll get the environment variables, and then I'll get a little bit more information. So, it was slowly becoming malware without it being malware. And I had a discussion with someone about this. They went, "Technically, it's not malware, because you're not... It's the intent." I'm like, "Okay, yeah, cool. I'll go with that. That's fine." So, yeah.

On the left-hand side here is some of the ridiculous information I got from people running these binaries. I got Git tokens for some intelligence agencies, foreign intelligence agencies. Not the UK. I know the NCSC might be in the room. I'm not a criminal, guys. I've got ethics somewhere. I found a lot of internal domain names as well. And I'll talk about this later on, because this is how I found insider threats. As a result of that, I also found internal username formats. Now, when we do red teams and blue teams and all that sort of stuff, one of the things we do in reconnaissance is we try and find out what the username format is, so we can phish people, social engineer them, and target them. And what I found was a lot of companies will either use the first letter of their company name, so if we're using BSides, it would be B, and then they'll use a random six-character number. So, B123456 might be a username. And in my head, I was like, "Well, that doesn't match up to the email format, because the email format's usually first.last or last.first, etc." And it was really interesting to see what different companies did, because I could map the internal domain name to the internal username and start to work out quite quickly.

So, all this data I was collecting, I got, I think it was two 28 GB JSON files, right? So, a JSON file is usually, they're all 100 kilobits. Talking gigabytes of data. But quite a lot of data, quite scary. What I also found was because I was capturing stuff in headers, I was also getting information about internal tooling. So, I found from my HoneyPOC data that there was actually internal honeypot data, because it was appending a header being like, "This is honeypot X that is doing Y." And I was identifying internal tooling as a result. There was also a lot of other mental, interesting stuff. I'm not going to talk about that too much, because I've written a 6,000-word blog post about it, and you can go and read about it.

On the kind of left-hand side, if you're right, my left is the... Anyway, these are the kind of host names I found from VirusTotal. So, anyone who uploads a document or a binary or whatever to VirusTotal, if you ever upload Cobalt Strike and you see beacons from these host names, it's probably coming from VirusTotal. The reason I know this is
because there were a couple of indicators of compromise on VirusTotal. The first one is a random host name, which is going to be win followed by like a bunch of characters. The second one is just a single username, and the third one is usually host names. There's a fourth IOC if it's been uploaded to the kind of premium VirusTotal. What I managed to differentiate between VirusTotal was VirusTotal Enterprise has a different user agent to standard VirusTotal. But this isn't a talk about profiling VirusTotal. This is just information I observed.

So, talking about OS execution, most of the information I was gathering was around Windows endpoints. So, as you can see, quite a large proportion was on Windows. The kind of other split there is quite interesting. So, the middle one there is kind of anyone who ran the Unix space, so the Mac and Linux and Unix hosts. There was about 23%. The unknown OS is quite interesting. What I was finding was sandboxes and blue teams and things were taking my binaries, ripping them apart, and dropping the URLs into random things. So, as a result, I was getting really interesting user agents, which weren't mapped to any host name. Like, for example, I'm pretty sure it's a troll, but I found Red Star OS from North Korea, which was running these things. I'm like, "Pretty sure that can't even run Go, let alone like whatever," but so it was pretty interesting. This is all based off of like the path variables and bits and pieces.

So, I had a map of the original honeypot. This is the kind of geographic information from AutoPOC. So, this is from all the POCs collectively. There were a total of 97 countries, 660 cities spread across six continents. This is the map there. So, quite quickly you can see that Europe's a bit of a hotspot, America's a bit of a hotspot, and over in China's a bit of a hotspot. There was a little bit throughout Russia. You can't see it, but there was one in the Arctic Circle. I'm not 100% sure who's running proofs of concept in Antarctica, but who knows? It was pretty interesting. So, seeing it visually, I decided to make a bar graph because everyone loves a bar graph. As we can see here, China number one, followed by United States, Germany, Japan, India, Hong Kong, Netherlands, Kraft off, South Korea. There were in total, from the IP space I could see, round about 15 to 20 hosts coming out of what looked like North Korea, but North Korea don't have their proper IP space from what I could see, so it's pretty interesting. People correct me on that, but it's what I found.

The interesting ASNs and sources, so the kind of IP blocks. There was a lot of China, a lot of China backbone, be it targeting Chinese companies or American companies or whatever. I wasn't 100% sure if these were threat actors, researchers, or a bit of everything. There was a commercial bank in there in Thailand, and I tried to get in contact with them, and they didn't contact me back, but hey. This is what I was talking about earlier on. The user agent there is for Red Star OS, which is North Korea's operating system, and they use that for their... they just use it. And then, surprise surprise, Russia. There is the Federal Guard Service of
the Russian Federation in there, which is the KGB. Well, that's scary.

Some more graphs. So, the kind of distribution of execution, this is purely based on the Windows hosts. I've broken it up into kind of four main categories. The first one is threat intelligence, because you're not very intelligent if you're running binaries, you know. Sorry for the threat intelligence researchers in the room. This is companies trawling through GitHub or sharing things that they'd found on the dark net or Pastebin or whatever. And these were based on IP, based on hostname, based on bits and pieces. The only advice I'm going to give you in this talk, I mean I'll give you a lot of advice, but it is: if you're doing threat intelligence or malware research, don't run it on your host machine. Don't run it on your corporate domain against your corporate hosts. And if you're going to do that, don't give it outbound internet access, because that's just asking for a bad time. So, when I launched HoneyPOC, what happened was there were multiple malicious POCs that were released, not by myself, but by actual threat actors. And there were some fake proofs of concept for certain vulnerabilities released that had Cobalt Strike packed in them. People would download them, run them anyway. I'm like, guys, come on. We've been through this.

So, anyway, the other split here was kind of opportunistic hackers. So, the script folks, they run random CVEs, they point them at things, and they hope they're vulnerable. And what I found from that was, which was pretty interesting, is because they were downloading these and pointing them at hosts, there were a lot of bug bounties in there. And they were pointing them at hosts that were actually vulnerable. So, I was going away, and I suppose this is the bit of grey ethics, I was going away and getting the actual exploits for these things and pointing them at bug bounty programs and making a little bit of cash on the side as a result of that. So, click [ __ ], get hit, basically.

The other split here is the insider threat. So, there was a very small percentage of genuine insider threat where people were either perceived idiots downloading things and running them, or actually malicious, downloading things and running them and pointing them at hosts. And then there was other uncategorized traffic. And it's uncategorized because I'm not really sure where to put it, because I'm not sure if it was sandbox traffic, or if it was genuine researchers or security companies or people trawling, because don't feed the trolls, just troll them back.

The other kind of information I got, so we talked a little bit about IP addresses earlier on. There were 357 unique ASNs. This whole campaign was spread across eight, technically nine accounts, but eight of them had content on them. The ninth account was honey@honeypot, which mysteriously got immediately blacklisted by GitHub. GitHub were just like, flag that [ __ ], and it got kicked off GitHub, which was really weird. I'm not sure if somebody flagged it, or if it was just immediately picked up by like AI or whatever. The number down there is the unique executions on Windows hosts. So, there were 19,461 unique executions on Windows hosts from 6,000-odd IP addresses. So, that's quite a lot of people downloading stuff and running it. This table here didn't come out so well,
but this is on the blog post. This is the distribution across GitHub accounts. So, at the time that this was taken, the kind of top ones had different POCs. Now, this doesn't add up to the 5,000 because they were split across multiple CVEs, and multiple CVE links were generated. So, in the first instance, what I was doing was generating one canary token per campaign. So, like CVE-2020-1234 would have one URL. But what I was doing later on was actually like, I want to work out which ones are Unix hosts, I want to work out what's Windows. So, I was generating a URL per binary or per template. So, as a result, there were two for the readme, because there was a "click through this link to find out about the CVE", which had a canary redirect. There was "download this", which will rickroll you, but it will also take you to the canary token. Then there was the binary that had two callouts. The first callout was just purely on execution, which was to check that it was running, a bit like malware, I suppose. And the second one was to gather information about the hostname, username, fully qualified domain name, DNS name, path variables, and environment variables. So, a lot of data.

What I didn't talk about in the framework is this data wasn't just being sent out. What I was doing with the data, and I found bypasses for DLP solutions as a result of this, is it would take all the data and chunk it into a block of text. It would reverse the text, hex encode it, and then base32 encode it. Not encrypted, just encoded, and then chuck it through whatever proxies. And as a result, it was getting through things. And having spoken to a couple of companies about this, that was, and still is for some things, a valid bypass for data loss prevention. So, if anyone's malicious in the audience and at home, you can get stuff out of networks by using base32 and hex. And if there's defenders in the audience, look for base32. People use base64 much more often than they use base32, but base32 is still a valid encoding mechanism. So, pretty interesting.

One of the things that got requested quite a lot when I was polling this on Twitter was the kind of CVE spread. So, what were the most interesting CVEs? Those at the back of the category see, I mean, the brown on browns are a really bad choice, I apologize. The top three up there are HoneyPOC one, two, and three. So, 2020-1350 is HoneyPOC one. This is after I start... This is from April, round the initial executions, and this is from one repository that I uploaded them to. So, I uploaded them all to one place just to see how many hits they got. In terms of CVEs, hopefully, I mean, if there's people in the audience who have got like Rain Man characteristics where they can see a CVE and know what OS it affects... To give the people that aren't like that in the audience a bit of an insight, all of these, bar about three of them, affect what I classify as third-party applications, so not first-party operating system applications. Most of them affect things like Confluence,
Jira, uh VPN solutions. Um there's things like Elastic Search are affected in there. I mean, there's there's there are CVEs for everything. Um the 2020-1350 affects Windows, and there's a few other ones that affect Windows in there. Um the the kind of interesting stuff. So, the insider threat aspect of stuff. There were a few. Um so, but when I was making these slides, um I was chatting to a lot of people about a lot of things. And one of the things that people were like, "Oh, you should name all the companies, just name and shame." And I was going to do that, but then I was like, it's probably not a good idea because there's some interesting
companies in here, and because of that, just yeah. My my sanity prevailed. So, from the from the kind of companies that I contacted, there were two airlines, one bank, two threat intelligence companies, and one games video games vendor, which ran the POCs against legitimate hosts internally. And the reason I was able to identify them was based on the IP address and the target that they were pointing at. So, what the binaries would do is they would collect the basically collect the target IP or target hostname that you're pointing at, and it would append that to a header, which was X-Target-IP. All of the detection response information is in the blog, so I've written YARAs. There's a YARA at the end
of this. How to detect it, all the different bits and pieces, so don't worry, it's not just here's [ __ ] whatever. Um there's also a ton of other random in lots of different industries, which we'll talk about later on, lots of different industries, which we'll talk about later on. Um who didn't reply to any of them. So, these are the only people that replied to me, who were like, yep, we acknowledge that this was run inside our environment. Thanks for letting us know. Um one of the one of the companies in here actually triggered an incident response. Um so, what I'd actually identified, well, I think it was like a Monday afternoon, I'd got a ping back to
my host, and I was like, oh, that's pretty interesting. So, I happen to know somebody who worked at the company. I was like, yo, this has happened. Pretty sure this shouldn't be happening. Do you want to maybe look into this? And they got back in touch with me and went, "That's pretty bad. Yeah, you've just spotted what is a legitimate insider threat. We've been breached." And I'm like, oh, cool. That's cool. That's your problem though. I'll let you deal with that. So, it's pretty fun. There was a lot of hate. There were a lot of fails in this. So, this is where I'm naming and shaming people, right? So, there
were three feeds in this that named me as a legitimate POC. McAfee, take from that what you will. Vuln Mon and Vfeed.io. Vfeed.io blocked me on Twitter cuz they got a little bit upset that they were being told that when they tweet stuff out that says this is a legitimate POC, it's come out, blah blah blah, it's not legitimate. They weren't checking things. It was just automatic. And even after being told by myself, Kevin Beaumont, a bunch of other people, this is fake by the way, don't waste it in your feed, they ignored me and just blocked me anyway. Because threat intelligence, what's that? Down the bottom here, I've kind of censored the people's accounts out
cuz I don't want people to look them up. I mean, you can find the tweets if you want, but they were internal intelligence teams who'd reported the CVEs as legitimate. They're like, "Oh, look at this, a POC has come out, blah blah blah." So, that was a bit of fun. The feeds kind of continued. This is a screenshot of McAfee listing the original HoneyPOC. Tim's talk, which is in track two at the moment, replying to be like, "You know, this is fake by the way. It's not legitimate." I believe this guy is actually at BSides. I do apologize for naming and shaming in the talk. This down here,
this tweet's been deleted, but essentially what happened was somebody took the original HoneyPOC, round about, I want to say, January this year, and chucked it on netsec. So, on /r/netsec on Reddit. And there's a lot of bots that automatically pull Reddit, and as a result they push them out to Twitter. A lot of like big companies, between here an example, person who I don't work with anymore, and the tweet's been deleted so you can't find it. They're like, "Oh, yeah, this is legitimate." So, this got like a hundred retweets really quickly cuz this person had loads of followers. I was like, "Oh, this is going to get quite fun."
A lot of people ran it. So, talking about the kind of insider threat stuff, I thought naming the companies, cuz I value my life. There were a lot of ICS, industrial control systems, companies, cuz one of, or I think there were two or three, CVEs that I put out POCs for affected industrial control systems. So, as a result, people who work for those companies would run them. So, there were a lot of water filtration plants in the Middle East that ran this, just no bother. We've all heard of Stuxnet, that went down really well. Wasn't me by the way, just to clarify. There was a couple of foreign
intelligence. I've scored out intelligence there. It was espionage, basically, going on. There was, what I could see, threat actors targeting other countries. There was a games company there. There were a lot of security companies. Now, I say security companies because there's a lot of companies both in the UK and the US that have their own IP ranges that say, "This belongs to this company." I'm like, "All right, yeah, cool." Look up the company and it's like, "They're a consultancy. I'm pretty sure they shouldn't be running this." And it turned out they were running them on client engagements from their VPNs. Not going to name them, but there were some UK consultancies in there. So, take from that what you will. There
were also several financial companies. Now, I say financial companies because there were two banks. There were large portfolio management companies and a couple of other fintech companies who were running things. Now, that could have been people trying it in a lab, but I was still getting pinged back, so it was pretty interesting. Some people got upset, as you can imagine. Vfeed blocked me. Someone tweeted this out at the start of October. And I've scored the name out, but they were really happy about all the POCs that I was flooding to Twitter. And what I did there was I
wrote a script to essentially change the get URL each time. So, as a result, then somebody on one of the POCs opened an issue, like, "Can you please take this down? I can't patch it." Which is quite nice, but they also come in [ __ ] so I decided to name and shame them. I haven't scored out the names, so you can go and look them up on GitHub and give them [ __ ]. The upset continued. So, some of my friends got a little bit upset as well. When I initially released the POC, one of my mates was like, "What have you done now?" Like, "You've..." I was
like, "I've got a great idea." I've got a mate who's like, "Oh, what have you done?" I was like, "Oh, okay." Then they became war crimes. Just to clarify, these two screenshots on the left are different conversations with different people. Morgan, she was really upset at me and removed me from the group chat. She was like, "Right, that's it. Andy's not in here. [ __ ] this." And I got added in later on, like 20 minutes later I got added back in. I got put on the naughty step. This here, I have actually had to step off the end of it cuz I actually named the company involved. But,
this was a threat intelligence company working with a government agency in the States being like, "Oh, we saw this legitimate POC. Why have you not told us about it?" It was like, "Cuz it's fake." They're like, "No, no, no, you should definitely go and check it out." And then he was really upset with me, and I haven't saved the tweet cuz he deleted the tweet, but it was pretty interesting. So, that's the upset. Detection and identification. So, there are arguments on Twitter all of the time about lots of different things. There's an argument going on at the moment about if using zero days in red teams is ethical. Not going to comment on that today. But,
one of the things I wanted to do in this talk was talk a lot about detection and identification because, while showing you all the data is really interesting, actually detecting it in your environment retrospectively and retroactively, basically after the fact, that, words are hard, all right? I wrote a YARA rule. So, I'm not a blue teamer by trade. My colleague Anton, who works in our product team at Lares, helped me write this YARA rule. What this YARA rule does is it detects the URLs that were used in the POCs. Now, it's worth caveating this. If you use Thinkst Canary, take out line two because canarytokens.org is legitimate, or it
can be legitimate. So, that might flag up false positives, but it's just a bit of help. That URL will be displayed at the end. Talk about it in a minute. These are all the domains and patterns and things that were used throughout the campaigns. So, these are all the... but minus the HoneyPOC accounts, didn't have anything hosted on it. These are all the GitHub accounts. They'll be in the blog post so you can read about the backdoors that were used in the campaign. So, the kind of... Is this going to... Ooh. Ooh, [ __ ]. Like, hold on. Ready? There we go. So, Google Project Zero. That's pretty cool. I didn't realize it
did that. Technology's hard, folks. So, I used Google Project Zero because Google like to release POCs and kind of, like, pointing them at companies. So, I thought that'd be a really good idea. I got a takedown notice from Google Project Zero being like, "Take those accounts down." Which is pretty cool. I got a couple of letters from people being like, "You do not do this." So, as a result, I stopped doing it. The example of the pastebin here. So, this link here, I'm not sure if it's live anymore. Obviously, don't click on links that Andy sends you. We've learned this from this talk, hopefully. That's an example of what the
disinformation campaign looks like on Pastebin and Ghostbin and other sites. I've written a separate YARA rule for detection of that, but templated. So, you can look through your DNS logs, you can look through your HTTP logs and things like that, and identify, possibly retroactively, if there have been instances of HoneyPOC in your estate that you might not know about. And equally, I might not have contacted you because I might not be able to identify you from the IP address, which I suppose is good from a netsec perspective, but also, yeah. It's a war. And then at the bottom down here, we've got the two domains that were used. So, the first one's a little bit
self-explanatory: honeypoc.io. The actual subdomain was cve.honeypoc.io, but there are other ones that were used in earlier campaigns. The second one's a bit of fun. So, this is a bit of an off-topic side track, but a couple of mates and I were on a call one night, and they were like, "I'm never clicking a link from Andy cuz it's always like givemeapassword.ninja or something." I was like, "That's a domain that's available. I'm going to buy that and use that for HoneyPOC." So, as a result, I did. And one of the things that, I mean, so kind of this I should have said at the
start. This talk isn't sponsored by anyone. I'm just here myself speaking the things, but Thinkst Canary gave me a lot of information, so they didn't sponsor it directly, but they gave me access to things. What you can do with their platform is you can have any subdomain. So, I was looking through all the things that we use in red teams, and I found that under the radar, cuz people go and read the docs for things developers do. So, as a result, I set the subdomain to docs.givemeapassword.ninja. Now, docs.givemeapassword.ninja isn't that kind of subtle, is it? So, yeah. It's one of these things. The last thing, the impact of this campaign. So,
I got a lot of accounts flagged on GitHub. The eight that are listed there are the eight that were actually successful. In actual fact, there were about 210 GitHub accounts that I created, cuz I managed to script it using Selenium to create them automatically. The kind of insider threats that were caught or thwarted: there were six companies, two of which were FTSE 500 companies. So, pretty high-profile companies. And they were running these things blindly. Almost dropped that. That'd be really bad. What it also did is it raised general awareness of these techniques and malicious campaigns. And it caught malicious threat actors inside of networks, too, which was pretty
interesting. When I was putting the talk together, I asked a lot of people in various intel sharing groups. And one of the things that came up was, we'd like to know what the time to execute was. Keep thinking I'm clicking this, but it's the screen moving about. The average time to execute was about an hour from release to someone executing it. I say payload here, but it was a fake POC on an endpoint. The large amount of interest was mostly from Russia and China. And they tend to be the two kind of threat actors, but what I found was some accounts were automatically indexing GitHub. And as soon as
something that mentioned a CVE was released, they would download it, run it, and point it at domains. But they were pointing at domains blindly. Like, I found things that were really strange, like myperfectgroceries.cn. I don't know why, but that's an example. It was really interesting. So, what I also found off the back of this, which isn't in the slide deck, but I found accidentally front companies of threat actors. So, companies that have been set up to act as a legitimate front. So, Joe's Ramen, for example, was actually the [ __ ] Chinese National Guard. I don't know, that's an example, but that kind of stuff. It was pretty
interesting. And I was like, "Oh, this is a bit strange." So, that's when I kind of took my foot off the accelerator for a while. Just going to stop there and hope for the best. So, that was the last thing I did. Now, before I finish this off, there's a couple of people I need to thank. The first one is Stix. So, Stix took my code that was one big Python script and made it into a modular and extensible framework. So, I'm not going to release the framework, because releasing it is actually probably pretty dangerous, cuz what the framework enables you to do is point it at a Canary Token
IP, or any IP, and it will generate URLs, it will generate CVEs, and it will post them to GitHub accounts automatically. What I did was I took Stix's code and made it a little bit more automated, in that it would create a GitHub account, it would post an individual CVE to that GitHub account, and then it would also post some other stuff to that to keep it like in line. As you can imagine, pretty [ __ ] dangerous. Aiden taught me a lot about templating. As I said earlier on, we were chatting about Russian and then we got very deep into building stuff in Python. Thanks, Canary. They gave me
access originally to canarytokens.org, which is free. You should go and check it out. But then they gave me access to their paid console. And their paid console is fantastic. And this isn't me corporate shilling or whatever, but it's genuinely the best thing I've come across in terms of honeypot software in networks. Like, I do a lot of red team engagements. And there are certain vendors where you can spot their honeypots in networks based on the kind of profile and fingerprint inside the network. However, what I found with Thinkst Canary is it's very difficult to detect because it looks like a Windows 10 machine. Or in some instances where companies don't
really care, they say make it an XP machine. You're like, that's an XP machine in a Windows 10 estate, which you do see now and again, but it's pretty difficult to detect. Kevin Beaumont I want to thank as well. He couldn't make it down cuz he forgot I was speaking this weekend, but he's kind of the one to blame for the reason it got automated, cuz he was like, "Oh, this is a good idea." And then he started chatting to me about things and I was like, "That's pretty cool." And then ipinfo.io. So, all the pretty dashboards and stuff that I had up, they actually started
building this in, I think it was like April, when I got in contact with them. I was like, "I'm using your service for mapping IP addresses. This is what I've built. It'd be cool if you could do this en masse." And I was like, "That's a good idea." So, they built an IP mapping tool and a summarization tool. So, the dashboard with all the graphs and things is their summarization tool. And the map with all the dots and things is their mapping tool. Now, that's free. You can go and use that. If you go to ipinfo.io, you can chuck in up to half a million IP addresses and it will map them out for you or it will
summarize them. It will find the ASNs, it will find the geographic locations based on the longitude, latitude, and all that sort of stuff. And it's pretty interesting in general. Finally, Morgan to thank. She talked me out of a lot of things. I didn't get disappeared by foreign intelligence services cuz I didn't name them, cuz that was something suggested. And then before I kind of finish off, if you want to give that a quick scan, that'd be great. Just double-checking the time. As of right now, three minutes ago, that blog post is live. So, if you go to blog.zsec.uk, there's a tweet that's gone out right
now as well. Didn't tweet while I was there, so I scheduled it, or at least I hope I scheduled it for the right time. That's got all the data from things. So, you can go follow me on Twitter. The other blog posts are under the honeypot tag. I've left intentionally a couple of minutes for questions, cuz I imagine there'll be a few. So, thanks for coming along. Thanks for watching at home, and hopefully you enjoyed it. Has anyone got any questions? Thanks, Andy.
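The retroactive log sweep the talk describes (checking DNS and HTTP logs for the campaign domains, with the canarytokens.org false-positive caveat, and reading the X-Target-IP header to see which internal host a fake POC was aimed at), written out as an added Python example; it is not the talk's YARA rule or the blog's code, and the log format, client and target addresses and every log line are constructed samples.

```python
"""Retroactive sweep of DNS / HTTP proxy logs for HoneyPOC indicators.

Added example, not code from the talk or its blog post. The indicator
domains and the X-Target-IP header are the ones named in the talk; the log
format, the client/target addresses and every log line are constructed.
"""
import re

# Callback domains named in the talk (subdomains such as
# docs.givemeapassword.ninja or cve.honeypoc.io are matched as well).
CAMPAIGN_DOMAINS = ("honeypoc.io", "givemeapassword.ninja")

# canarytokens.org is also used by legitimate Thinkst Canary deployments,
# so per the talk's caveat it is only an indicator when the defender opts in.
OPTIONAL_DOMAINS = ("canarytokens.org",)

# The fake POC binaries reported the host they were pointed at in this
# header; on a proxy log it shows what the person running the POC targeted.
TARGET_HEADER_RE = re.compile(r"x-target-ip[=:]\s*([0-9a-f.:]+)", re.IGNORECASE)
CLIENT_RE = re.compile(r"client=(\S+)")  # constructed log field


def build_domain_pattern(include_canarytokens=False):
    """Compile one regex matching a campaign domain or any subdomain of it."""
    domains = CAMPAIGN_DOMAINS + (OPTIONAL_DOMAINS if include_canarytokens else ())
    alternatives = "|".join(re.escape(d) for d in domains)
    # Label boundaries on both sides stop look-alikes such as nothoneypoc.io
    # from matching; optional leading labels still catch cve.honeypoc.io.
    return re.compile(
        r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*(" + alternatives + r")(?![A-Za-z0-9-])",
        re.IGNORECASE,
    )


def scan_log_lines(lines, include_canarytokens=False):
    """Return one hit dict per log line that references campaign infrastructure."""
    pattern = build_domain_pattern(include_canarytokens)
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = pattern.search(line)
        if not match:
            continue
        client = CLIENT_RE.search(line)
        target = TARGET_HEADER_RE.search(line)
        hits.append({
            "line_no": line_no,
            "indicator": match.group(1).lower(),
            "client": client.group(1) if client else None,
            "target": target.group(1) if target else None,  # host the POC was aimed at
        })
    return hits


def affected_clients(hits):
    """Sorted internal hosts that resolved or contacted campaign infrastructure."""
    return sorted({h["client"] for h in hits if h["client"]})


# Constructed sample lines in a made-up "dns" / "proxy" format.
SAMPLE_LOGS = [
    "2021-10-03T14:02:11Z dns client=10.0.4.23 query=A cve.honeypoc.io",
    "2021-10-03T14:02:12Z proxy client=10.0.4.23 GET https://cve.honeypoc.io/ X-Target-IP: 10.0.9.5",
    "2021-10-03T14:05:40Z dns client=10.0.7.8 query=A docs.givemeapassword.ninja",
    "2021-10-03T14:06:01Z dns client=10.0.7.9 query=A nothoneypoc.io",
    "2021-10-03T14:09:15Z dns client=10.0.2.2 query=A abc123.canarytokens.org",
    "2021-10-03T14:10:00Z proxy client=10.0.2.2 GET https://www.example.com/ status=200",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(hit)
    print("hosts to triage:", affected_clients(scan_log_lines(SAMPLE_LOGS)))
```

Run it twice, once with `include_canarytokens=True`, if your estate does not use Thinkst Canary; otherwise the default keeps canarytokens.org out of the hit list, as the talk advises.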