{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/opencanary/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["opencanary","honeypot","httpproxy","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Security Onion Solutions"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting malicious attempts to use an OpenCanary node as an HTTP proxy. OpenCanary is a low-interaction honeypot designed to detect intruders on a network. An attacker attempting to use an OpenCanary node as an HTTP proxy is a strong indicator of reconnaissance or lateral movement, as they are attempting to route their traffic through the honeypot. This activity is logged by OpenCanary and can be detected with appropriate monitoring. The default configuration of OpenCanary includes an HTTPPROXY service that listens for proxy requests. Defenders should monitor OpenCanary logs for event ID 7001, which indicates an attempted HTTP proxy login.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a network (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker performs network reconnaissance to identify potential targets, including the OpenCanary node.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to configure their system or tools to use the OpenCanary node as an HTTP proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker sends HTTP requests through the configured proxy, attempting to reach other systems on the network.\u003c/li\u003e\n\u003cli\u003eOpenCanary logs the attempted proxy connection with event ID 7001.\u003c/li\u003e\n\u003cli\u003eThe defender detects the suspicious HTTP proxy attempt in the OpenCanary logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful HTTP proxy attempt indicates that an attacker is actively exploring the network and attempting to move laterally. This could lead to further compromise of sensitive systems and data exfiltration. While the OpenCanary node itself is a honeypot and not a production asset, the detection of proxy attempts signals a breach and ongoing malicious activity within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eOpenCanary HTTPPROXY Login Attempt\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized proxy attempts on OpenCanary nodes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the source and target of the attempted proxy connection.\u003c/li\u003e\n\u003cli\u003eReview OpenCanary configuration to ensure that the HTTPPROXY service is properly configured and secured.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential lateral movement by attackers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T18:22:34Z","date_published":"2024-10-26T18:22:34Z","id":"/briefs/2024-10-opencanary-httpproxy/","summary":"Detection of attempted HTTP proxy use on an OpenCanary node, indicating potential reconnaissance or lateral movement by an attacker attempting to proxy another page.","title":"OpenCanary HTTPPROXY Login Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-10-opencanary-httpproxy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["honeypot","ssh","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["Thinkst"],"content_html":"\u003cp\u003eThe OpenCanary SSH Connection Attempt alert signifies that an SSH service on a deployed OpenCanary node has received a connection attempt. OpenCanary is a low-interaction honeypot designed to detect reconnaissance and lateral movement activities within a network. This event, logged as logtype 4000 by default, suggests that an attacker is actively scanning for or attempting to exploit SSH services. This alert is crucial for defenders because OpenCanary nodes are deliberately placed to attract malicious activity, meaning any interaction is highly suspicious. The alert helps identify potential breaches early, allowing security teams to respond quickly. The configuration of services monitored by OpenCanary is detailed in the project\u0026rsquo;s documentation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Reconnaissance: The attacker conducts network scanning using tools like Nmap or Masscan to identify open ports and services, including SSH (port 22).\u003c/li\u003e\n\u003cli\u003eTarget Identification: The attacker identifies the OpenCanary node, mistaking it for a legitimate SSH server, due to its exposed SSH port.\u003c/li\u003e\n\u003cli\u003eConnection Attempt: The attacker attempts to establish an SSH connection to the OpenCanary node using a tool like \u003ccode\u003essh\u003c/code\u003e or a custom script.\u003c/li\u003e\n\u003cli\u003eAuthentication Probe: The attacker might attempt to authenticate using default credentials, common usernames and passwords, or brute-force techniques.\u003c/li\u003e\n\u003cli\u003eCredential Compromise (Simulated): The OpenCanary node logs the failed or successful (simulated) login attempt, triggering the alert. OpenCanary may simulate a successful login for further interaction logging.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Attempted): If the attacker believes they have successfully authenticated, they may attempt lateral movement to other systems within the network.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Attempted): The attacker could attempt to escalate privileges on the \u0026ldquo;compromised\u0026rdquo; system (OpenCanary) to gain further access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/System Damage (Prevented): Because it\u0026rsquo;s a honeypot, OpenCanary prevents actual data exfiltration or system damage but logs all attempted actions for analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn SSH connection attempt on an OpenCanary node, while not directly causing damage, indicates active reconnaissance or attempted unauthorized access within the network. The number of alerts generated can highlight the frequency of malicious scans targeting SSH services. Successful exploitation (simulated on the honeypot) could lead to lateral movement, privilege escalation, and data exfiltration if the attacker were to compromise a real system. This activity is valuable for understanding attacker behavior and improving overall security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect SSH connection attempts to OpenCanary nodes, focusing on \u003ccode\u003elogtype: 4000\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview OpenCanary logs in conjunction with other security logs (firewall, endpoint) to correlate the SSH attempts with other suspicious activities.\u003c/li\u003e\n\u003cli\u003eInvestigate the source IP addresses from which SSH connection attempts originate to identify potential threat actors.\u003c/li\u003e\n\u003cli\u003eConsult the OpenCanary documentation to ensure proper configuration of the SSH service and logging capabilities.\u003c/li\u003e\n\u003cli\u003eUse network segmentation to limit the potential impact of a successful breach, even if only simulated on the OpenCanary node.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-08T14:30:00Z","date_published":"2024-05-08T14:30:00Z","id":"/briefs/2024-05-opencanary-ssh-attempt/","summary":"An SSH connection attempt to an OpenCanary node indicates a potential adversary probing for vulnerable services or attempting unauthorized access within a network.","title":"OpenCanary SSH Connection Attempt","url":"https://feed.craftedsignal.io/briefs/2024-05-opencanary-ssh-attempt/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["honeypot","ssh","initial-access"],"_cs_type":"advisory","_cs_vendors":["thinkst"],"content_html":"\u003cp\u003eOpenCanary is a low-interaction honeypot designed to detect attackers on a network. This brief focuses on detecting SSH login attempts on OpenCanary nodes, which are designed to mimic real SSH servers but log any interaction. While the OpenCanary project itself has been around for several years, its integration with modern detection strategies makes it a valuable tool for defenders. An SSH login attempt against an OpenCanary instance signifies that an attacker is actively scanning or attempting to compromise systems within the network. This activity might be part of a broader campaign, including lateral movement, privilege escalation, or data exfiltration. The detection of such attempts allows for timely incident response and mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the network, possibly through phishing, exploiting a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker performs network scanning to identify potential targets, including the OpenCanary node masquerading as a legitimate SSH server.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an SSH connection to the OpenCanary node, attempting to authenticate using various usernames and passwords.\u003c/li\u003e\n\u003cli\u003eThe OpenCanary service logs the failed SSH login attempt, recording the source IP address and attempted credentials.\u003c/li\u003e\n\u003cli\u003eSecurity monitoring tools ingest the OpenCanary logs and trigger an alert based on the detected SSH login attempt.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert, analyzing the source IP address and other relevant information to determine the scope and severity of the potential breach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful SSH login attempt on a real server could lead to complete system compromise, data exfiltration, and disruption of services. While OpenCanary is designed to be a honeypot, detecting login attempts early allows for proactive measures to prevent attackers from reaching critical assets. Identifying the attacker\u0026rsquo;s source IP address and attempted usernames can provide valuable insights into their tactics and objectives, preventing damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;OpenCanary - SSH Login Attempt\u0026rdquo; to your SIEM to detect unauthorized SSH login attempts on OpenCanary nodes.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious source IP addresses from network access using firewall rules.\u003c/li\u003e\n\u003cli\u003eReview OpenCanary configuration to ensure it is deployed in strategically valuable network segments (references: OpenCanary documentation).\u003c/li\u003e\n\u003cli\u003eCorrelate OpenCanary alerts with other security events to identify potential broader attack campaigns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:30:00Z","date_published":"2024-05-02T14:30:00Z","id":"/briefs/2024-05-opencanary-ssh-login/","summary":"Detects instances where an SSH service on an OpenCanary node has had a login attempt, indicating potential reconnaissance, privilege escalation, or lateral movement.","title":"OpenCanary SSH Login Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-05-opencanary-ssh-login/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenCanary","version":"https://jsonfeed.org/version/1.1"}