{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/opencanary/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["opencanary","honeypot","httpproxy","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Thinkst Applied Research"],"content_html":"\u003cp\u003eThis threat brief covers the detection of attempts to use an OpenCanary node as an HTTP proxy. OpenCanary is a low-interaction honeypot designed to detect intruders on a network; it advertises no real service, so nothing legitimate is ever configured to route traffic through it. A client attempting to use the node as an HTTP proxy is therefore a strong indicator of reconnaissance or lateral movement: the attacker has discovered what looks like an internal proxy and is trying to reach other systems through it. OpenCanary ships an HTTPPROXY module for exactly this purpose. It is disabled in the default configuration and is switched on with \u003ccode\u003ehttpproxy.enabled\u003c/code\u003e (listening on port 8080 unless \u003ccode\u003ehttpproxy.port\u003c/code\u003e is changed); once running, it emulates an authenticating web proxy and records every credential submitted to it. 
Defenders should monitor OpenCanary logs for logtype 7001 (\u003ccode\u003eLOG_HTTPPROXY_LOGIN_ATTEMPT\u003c/code\u003e), which records an attempted HTTP proxy login together with the submitted username and password.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a network (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker performs network reconnaissance to identify potential targets and finds the OpenCanary node, which presents itself as an internal HTTP proxy.\u003c/li\u003e\n\u003cli\u003eAttacker configures their tools to use the OpenCanary node as an HTTP proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker sends HTTP requests through the proxy, attempting to reach other systems on the network; the honeypot answers with a proxy authentication challenge and the client supplies credentials.\u003c/li\u003e\n\u003cli\u003eOpenCanary logs the login attempt as logtype 7001, including the source address and the credentials offered.\u003c/li\u003e\n\u003cli\u003eThe defender detects the HTTP proxy attempt in the OpenCanary logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe honeypot never forwards any request, so the attacker gains nothing from the node itself; the value of the event is what it reveals. An attempt to proxy through the node shows that an attacker is actively exploring the network and trying to move laterally, and the credentials they offered may be valid for real proxies or accounts elsewhere. Left unaddressed, this could lead to further compromise of sensitive systems and data exfiltration. 
While the OpenCanary node itself is a honeypot and not a production asset, the detection of proxy attempts signals a breach and ongoing malicious activity within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eOpenCanary HTTPPROXY Login Attempt\u003c/code\u003e to your SIEM, matching on logtype 7001, and tune it for your environment: authorized vulnerability scanners will also touch the honeypot, so exclude them in the rule or with OpenCanary\u0026rsquo;s \u003ccode\u003eip.ignorelist\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert the rule generates: identify the source host, who was logged on to it at the time, and the credentials submitted; if those credentials belong to a real account, treat it as compromised and rotate it.\u003c/li\u003e\n\u003cli\u003eReview the OpenCanary configuration to confirm that the HTTPPROXY module is enabled on the node, reachable from the segments you want to watch, and that its log output is forwarded to the SIEM.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential lateral movement by attackers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T18:22:34Z","date_published":"2024-10-26T18:22:34Z","id":"/briefs/2024-10-opencanary-httpproxy/","summary":"Detection of attempted HTTP proxy use on an OpenCanary node, indicating potential reconnaissance or lateral movement by an attacker trying to route traffic through the honeypot.","title":"OpenCanary HTTPPROXY Login Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-10-opencanary-httpproxy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["honeypot","telnet","reconnaissance","intrusion","opencanary"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenCanary is a low-interaction honeypot designed to detect attackers on a network. This detection focuses on Telnet login attempts. Telnet is rarely used legitimately in modern networks, and the honeypot advertises its Telnet service to nobody, so a login attempt against it is a strong indicator of malicious activity. When an attacker attempts to log in to the Telnet service on an OpenCanary node, it triggers this alert. 
This provides early warning of potential intrusion attempts, reconnaissance activity, or lateral movement by attackers who have already gained a foothold. The detection is based on OpenCanary\u0026rsquo;s logging, which records each login attempt as logtype 6001 (\u003ccode\u003eLOG_TELNET_LOGIN_ATTEMPT\u003c/code\u003e) with the submitted username and password in \u003ccode\u003elogdata\u003c/code\u003e. This event signifies someone interacting with the Telnet honeypot, which should not happen in a well-secured and properly configured environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker scans the network for open ports and identifies a Telnet service.\u003c/li\u003e\n\u003cli\u003eAttacker connects to the Telnet service on the OpenCanary node.\u003c/li\u003e\n\u003cli\u003eAttacker enters a username and password in an attempt to authenticate.\u003c/li\u003e\n\u003cli\u003eOpenCanary logs the Telnet login attempt as logtype 6001, including the source address and the credentials tried.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers on the OpenCanary log event.\u003c/li\u003e\n\u003cli\u003eSecurity team investigates the alert to determine the source and intent of the Telnet login attempt.\u003c/li\u003e\n\u003cli\u003eIf the attempt is malicious, the security team blocks the attacker and prevents further access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA login to the honeypot grants the attacker no real access, so the impact lies in what the attempt implies: an attacker is inside the network probing for Telnet services, and the credentials tried against the honeypot are very likely also being tried against real systems. Where a real Telnet login succeeds it can be used as a stepping stone for further exploitation and lateral movement, and the compromise of even a single system can lead to data breaches, ransomware deployment, and significant disruption of services. 
OpenCanary serves as an early warning system, allowing defenders to identify and respond to such attempts before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOpenCanary - Telnet Login Attempt\u003c/code\u003e to your SIEM, matching on logtype 6001, to detect login attempts against the honeypot; exclude authorized vulnerability scanners in the rule or with \u003ccode\u003eip.ignorelist\u003c/code\u003e so that their sweeps do not page anyone.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eOpenCanary - Telnet Login Attempt\u003c/code\u003e rule to determine the source and intent of the connection, and check whether the username and password tried belong to a real account that now needs rotating.\u003c/li\u003e\n\u003cli\u003eReview the OpenCanary configuration to ensure the Telnet module is enabled (\u003ccode\u003etelnet.enabled\u003c/code\u003e is off in the default configuration), that the node sits on the network segments you want to watch, and that its logs reach the SIEM.\u003c/li\u003e\n\u003cli\u003eDisable Telnet on all legitimate systems on the network to reduce the attack surface; once it is gone, the honeypot is the only Telnet listener an attacker can find, and any Telnet traffic on the network is itself suspicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T14:30:00Z","date_published":"2024-10-26T14:30:00Z","id":"/briefs/2024-10-opencanary-telnet-login/","summary":"The OpenCanary Telnet Login Attempt detection identifies unauthorized login attempts to a Telnet service monitored by an OpenCanary node, indicating potential reconnaissance or intrusion attempts targeting the network.","title":"OpenCanary Telnet Login Attempt","url":"https://feed.craftedsignal.io/briefs/2024-10-opencanary-telnet-login/"}],"language":"en","title":"CraftedSignal Threat Feed — Opencanary","version":"https://jsonfeed.org/version/1.1"}
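The detection both briefs describe, as an added example that is not part of the CraftedSignal feed, its Sigma rules, or OpenCanary itself: a Python triage script that reads OpenCanary's newline-delimited JSON log, raises an alert for every logtype 6001 (Telnet) and 7001 (HTTP proxy) login attempt, suppresses sources in an authorized-scanner allowlist, and groups the survivors per attacking host so that one host hitting both services stands out. The logtype codes, the rule titles, and the USERNAME/PASSWORD keys in logdata are taken from OpenCanary and the briefs above; the sample log lines, hosts, credentials, the scanner CIDR and the payloads of the 3000 and 1000 filler events are constructed for this example.

```python
"""Triage OpenCanary JSON events for honeypot login attempts (logtypes 6001 and 7001).

Example code written for this page; not CraftedSignal's rule or OpenCanary code.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Log type codes as defined in opencanary/logger.py.
LOG_TELNET_LOGIN_ATTEMPT = 6001
LOG_HTTPPROXY_LOGIN_ATTEMPT = 7001

# Watched logtype -> title of the Sigma rule the brief tells you to deploy.
RULES = {
    LOG_TELNET_LOGIN_ATTEMPT: "OpenCanary - Telnet Login Attempt",
    LOG_HTTPPROXY_LOGIN_ATTEMPT: "OpenCanary HTTPPROXY Login Attempt",
}

# Constructed sample: six events in the shape OpenCanary's JSON logger writes
# (hosts, credentials and times invented), plus one truncated line.
SAMPLE_LOG = r"""
{"dst_host": "10.10.20.50", "dst_port": 23, "local_time": "2024-10-26 14:29:58.102", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "10.10.20.77", "src_port": 50211}
{"dst_host": "10.10.20.50", "dst_port": 23, "local_time": "2024-10-26 14:29:59.410", "logdata": {"USERNAME": "admin", "PASSWORD": "admin1"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "10.10.20.77", "src_port": 50212}
{"dst_host": "10.10.20.50", "dst_port": 8080, "local_time": "2024-10-26 18:22:34.007", "logdata": {"USERNAME": "svc_backup", "PASSWORD": "Winter2024!"}, "logtype": 7001, "node_id": "opencanary-1", "src_host": "10.10.20.77", "src_port": 50240}
{"dst_host": "10.10.20.50", "dst_port": 23, "local_time": "2024-10-26 02:00:03.555", "logdata": {"USERNAME": "root", "PASSWORD": ""}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "10.10.9.9", "src_port": 41000}
{"dst_host": "10.10.20.50", "dst_port": 80, "local_time": "2024-10-26 18:21:10.000", "logdata": {"PATH": "/index.html"}, "logtype": 3000, "node_id": "opencanary-1", "src_host": "10.10.20.77", "src_port": 50239}
{"dst_host": "10.10.20.50", "dst_port": -1, "local_time": "2024-10-26 00:00:01.000", "logdata": {"msg": "Canary running"}, "logtype": 1000, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "10.10.20.50", "dst_port": 23, "logtype": 6001, "src_host": "10.10.20.
"""


def parse_events(text):
    """Parse newline-delimited JSON; return (events, count_of_unparsable_lines).

    Forwarders sometimes ship a truncated last line. A detection pipeline must
    not die on it, so malformed lines are counted rather than raised.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict) and "logtype" in obj:
            events.append(obj)
        else:
            bad += 1
    return events, bad


def detect_login_attempts(events, authorized_scanners=()):
    """One alert per 6001/7001 event whose source is outside the scanner allowlist.

    authorized_scanners holds CIDR strings (assumed tuning data) for hosts that
    are expected to touch every listener, such as vulnerability scanners.
    OpenCanary's ip.ignorelist can drop them at the node; suppressing here
    instead keeps the raw event for audit while silencing the alert.
    """
    allow = [ip_network(cidr) for cidr in authorized_scanners]
    alerts = []
    for ev in events:
        rule = RULES.get(ev.get("logtype"))
        if rule is None:
            continue  # boot messages, HTTP GETs, port scans: not login attempts
        src = ev.get("src_host", "")
        try:
            if any(ip_address(src) in net for net in allow):
                continue
        except ValueError:
            pass  # unparsable source address: never silently drop the alert
        data = ev.get("logdata") or {}
        alerts.append({
            "rule": rule,
            "node_id": ev.get("node_id"),
            "time": ev.get("local_time"),
            "src_host": src,
            "dst_port": ev.get("dst_port"),
            "username": data.get("USERNAME"),
            "password": data.get("PASSWORD"),  # needed to check for a real account
        })
    return alerts


def triage_by_source(alerts):
    """Group alerts per attacking host: honeypot ports hit and usernames tried.

    A single host hitting both Telnet and the proxy is the lateral-movement
    pattern both briefs describe, so it is worth surfacing over single events.
    """
    by_src = defaultdict(lambda: {"count": 0, "services": set(), "usernames": set()})
    for a in alerts:
        entry = by_src[a["src_host"]]
        entry["count"] += 1
        entry["services"].add(a["dst_port"])
        entry["usernames"].add(a["username"])
    return {src: {"count": e["count"], "services": sorted(e["services"]),
                  "usernames": sorted(e["usernames"])} for src, e in by_src.items()}


if __name__ == "__main__":
    events, bad = parse_events(SAMPLE_LOG)
    alerts = detect_login_attempts(events, authorized_scanners=["10.10.9.0/24"])
    print(f"{len(events)} events parsed, {bad} malformed, {len(alerts)} alerts")
    for a in alerts:
        print(f"{a['time']} {a['rule']}: {a['src_host']} -> :{a['dst_port']} user={a['username']!r}")
    for src, info in triage_by_source(alerts).items():
        print(f"{src}: {info['count']} attempts, ports {info['services']}, usernames {info['usernames']}")
```

Run as-is, the script reports six parsed events, one malformed line and three alerts, all from 10.10.20.77, which tried two Telnet accounts and then offered a service-account credential to the fake proxy; the fourth login attempt, from the scanner range, is suppressed. Keeping the password in the alert is deliberate: the recommendation to rotate any real account whose credentials show up at the honeypot cannot be followed if the SIEM has already masked the field.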