Abstract: |
Cyber-attacks targeting Linux have become an increasingly prevalent threat. While extensive research has been conducted on attacks affecting Android and Windows, Linux, which powers critical infrastructures, cloud environments, and enterprise servers, has received comparatively less attention. Given the growing number of attacks targeting Linux, this research had three primary objectives: (1) deploy a custom Cowrie honeypot to capture data on current attack trends, including the Tactics, Techniques, and Procedures (TTPs) used by threat actors; (2) analyse the data collected from the honeypot to identify patterns, attack vectors, and malware samples used against Linux, in order to define actionable threat intelligence; and (3) define effective security strategies to defend against emerging Linux-based threats. By focusing on real-world attack data, this research provides valuable insights into the evolving landscape of Linux-targeted malware, addressing a crucial gap in cybersecurity research.
Cowrie is an interactive Secure Shell (SSH) and Telnet honeypot designed to emulate a Linux system and capture unauthorized access attempts. This research presents the dataset derived from a Cowrie deployment on the East Coast of the USA, focusing on adversary behaviours, attack patterns, and deployed payloads. The dataset spans from July 2022 to October 2024, highlighting the evolution of threat behaviour over time. The analysis covers 1,069,391 recorded connections, demonstrating substantial interest from both attackers and automated tools. Most connections targeted SSH, yet less than 1% of those connections attempted login. In contrast, 58% of Telnet connections proceeded to a login attempt. This indicates that SSH connections were used for reconnaissance and scanning, while Telnet was targeted more aggressively because it is more vulnerable. The honeypot recorded 142,741 unique IP addresses, suggesting widespread, distributed activity driven by large-scale botnets and scanning campaigns, with China having the highest number of geolocated IP addresses. Further, the honeypot logged over 23.4 million seconds of attacker activity, with an average session length of 21.92 seconds. Most interactions were brief, characteristic of automated bot activity; however, some lasted for over 10 minutes, indicating a level of manual operation.
The honeypot recorded 1,319 file downloads and 220 echo-based file transfers. After deduplication, 330 and 9 unique hashes were identified respectively, with a total of 5 binaries not found on popular threat intelligence platforms, indicating novel malware samples. Further, the analysis uncovered multiple consecutive sessions from the same source IP attempting variations of file delivery methods, including the use of Web Get (wget), Trivial File Transfer Protocol (TFTP), and manual echo-based binary reconstruction. These attempts show an adaptation in attack techniques, as different architectures were targeted in successive sessions.
This research shows that attackers are leveraging automation in their exploitation attempts but are also testing new payload deployment strategies against various architectures. Understanding these TTPs enhances our ability to develop more robust threat intelligence and defensive countermeasures against emerging threats. |
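As an added example (not part of the original research or the Cowrie project), the following Python pass over Cowrie-style JSON log lines computes the per-protocol login-attempt rate, the average session length and the number of deduplicated download hashes described in the abstract, and flags echo-based binary reconstruction commands so they can be counted alongside wget/TFTP downloads. The log lines are constructed, and the Cowrie field names used (eventid, protocol, session, duration, input, shasum) are assumed from Cowrie's JSON output format.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the shape of Cowrie's JSON log output; the eventid,
# protocol, session, duration, input and shasum field names are assumed from Cowrie.
SAMPLE_LOG = r"""
{"eventid":"cowrie.session.connect","protocol":"ssh","src_ip":"203.0.113.5","session":"a1"}
{"eventid":"cowrie.session.closed","duration":0.8,"session":"a1"}
{"eventid":"cowrie.session.connect","protocol":"telnet","src_ip":"198.51.100.9","session":"b2"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","session":"b2"}
{"eventid":"cowrie.command.input","input":"echo -ne '\\x7f\\x45\\x4c\\x46\\x01\\x01' > /tmp/.x; chmod +x /tmp/.x","session":"b2"}
{"eventid":"cowrie.session.closed","duration":43.1,"session":"b2"}
{"eventid":"cowrie.session.connect","protocol":"ssh","src_ip":"203.0.113.5","session":"c3"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","session":"c3"}
{"eventid":"cowrie.session.file_download","url":"http://example.invalid/x86","shasum":"PLACEHOLDER_SHA256","session":"c3"}
{"eventid":"cowrie.session.closed","duration":21.0,"session":"c3"}
"""

# An echo-based transfer: echo -e/-ne with a run of \xNN escapes redirected into a file.
ECHO_BINARY_RE = re.compile(r"echo\s+-[ne]+\s.*?(?:\\x[0-9a-fA-F]{2}){2,}.*?>{1,2}\s*\S+")


def analyse(log_text):
    connects, logins = Counter(), Counter()   # protocol -> connections / sessions with a login attempt
    proto_of, seen_login = {}, set()          # session id -> protocol; sessions already counted
    durations, echo_transfers, downloads = [], [], set()
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        sid, eid = ev["session"], ev["eventid"]
        if eid == "cowrie.session.connect":
            proto_of[sid] = ev["protocol"]
            connects[ev["protocol"]] += 1
        elif eid in ("cowrie.login.success", "cowrie.login.failed") and sid not in seen_login:
            seen_login.add(sid)                # count a session once, however many attempts it makes
            logins[proto_of[sid]] += 1
        elif eid == "cowrie.command.input" and ECHO_BINARY_RE.search(ev["input"]):
            echo_transfers.append((sid, ev["input"]))
        elif eid == "cowrie.session.file_download":
            downloads.add(ev["shasum"])       # deduplicate downloads by hash
        elif eid == "cowrie.session.closed":
            durations.append(ev["duration"])
    return {
        "connections": dict(connects),
        "login_rate": {p: logins[p] / connects[p] for p in connects},
        "avg_session_s": sum(durations) / len(durations) if durations else 0.0,
        "echo_transfers": echo_transfers,
        "unique_downloads": len(downloads),
    }
```

On a real Cowrie `cowrie.json` the same function gives the SSH-versus-Telnet login ratio and the echo-transfer count the abstract reports, one line per event.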