
Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute
2020-06-25 15:52

Web traffic to the servers of the notorious Dutch-German Cyberbunker hosting biz was filled with all kinds of badness, including apparent botnet command-and-control and denial-of-service traffic, says SANS Institute.

Cyberbunker, aka CB3ROB, was raided last September by 600 German police gunmen who forced entry to the outfit's Traben-Trarbach HQ. Following the raid, infosec biz SANS was able to set up a honeypot on former Cyberbunker IPs to analyse traffic passing through them - and the results shed light on just what kind of dubious traffic was passing through the servers.

Sold-off assets included three IPv4 subnets: 185.103.72.0/22; 185.35.136.0/22; and 91.209.12.0/24. Those were sold to Legaco Networks, which agreed to let SANS' Internet Storm Center erect a honeypot behind them for one week in April 2020.

Karim Lalji, SANS' community instructor in the Penetration Testing curriculum, recounted in a paper about his findings: "Close to 2,000 unique computer names and over 7,000 unique source IPs that follow a similar request pattern are present in the traffic sample collected." He added that if single computer names were isolated within this traffic, "The intervals between requests were exactly 1min and 30sec - indicating automation and potential C2."
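The check Lalji describes, isolating a single computer name and looking at the spacing of its requests, is a standard beaconing test: group requests by the identifier the client sends, compute the gaps between consecutive requests, and flag identifiers whose gaps are nearly constant. The script below is an added example, not code from the SANS paper or the Internet Storm Center; the log lines, the field layout (timestamp, source IP, computer name) and the thresholds (at least four requests, jitter under 5% of the mean gap) are all constructed assumptions.

```python
"""Beaconing check over constructed honeypot request logs.

Groups requests by the client-supplied computer name, computes the gap
between consecutive requests for each name, and flags names whose gaps
are nearly constant (low jitter) -- the pattern the article describes
(requests exactly 1 min 30 s apart). The log lines below are constructed
for illustration and are not from the SANS capture.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, one request per line: "timestamp src_ip computer_name".
# WIN-ALPHA checks in every 90 s; DESKTOP-BETA is irregular; LAPTOP-GAMMA
# has too few requests to establish a period.
SAMPLE_LOG = """\
2020-04-10T00:00:00 203.0.113.5 WIN-ALPHA
2020-04-10T00:01:30 203.0.113.5 WIN-ALPHA
2020-04-10T00:03:00 203.0.113.5 WIN-ALPHA
2020-04-10T00:04:30 203.0.113.5 WIN-ALPHA
2020-04-10T00:06:00 203.0.113.5 WIN-ALPHA
2020-04-10T00:00:12 198.51.100.7 DESKTOP-BETA
2020-04-10T00:02:41 198.51.100.7 DESKTOP-BETA
2020-04-10T00:09:03 198.51.100.7 DESKTOP-BETA
2020-04-10T00:21:59 198.51.100.7 DESKTOP-BETA
2020-04-10T00:00:05 192.0.2.9 LAPTOP-GAMMA
2020-04-10T00:00:30 192.0.2.9 LAPTOP-GAMMA
"""


def parse_log(text):
    """Return {computer_name: [datetime, ...]} with each list sorted by time."""
    by_name = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src_ip, name = line.split()
        by_name[name].append(datetime.fromisoformat(ts))
    for name in by_name:
        by_name[name].sort()
    return dict(by_name)


def intervals_seconds(times):
    """Gaps in seconds between consecutive timestamps."""
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def find_beacons(by_name, min_requests=4, max_jitter_ratio=0.05):
    """Return {computer_name: period_seconds} for names with near-constant gaps.

    A name needs at least `min_requests` requests so a period can be
    established, and the standard deviation of its gaps must be within
    `max_jitter_ratio` of the mean gap. Both thresholds are assumptions
    chosen for this example, not values from the paper.
    """
    beacons = {}
    for name, times in by_name.items():
        if len(times) < min_requests:
            continue
        gaps = intervals_seconds(times)
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter_ratio:
            beacons[name] = period
    return beacons


if __name__ == "__main__":
    for name, period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: requests every {period:.0f} s, likely automated check-in")
```

The same grouping works on source IP instead of computer name; the article notes both fields were present, and grouping on the client-supplied name is what separates many hosts behind one NAT address. A tight period is a lead, not proof: legitimate software updaters and monitoring agents also poll on fixed schedules, so a flagged name still needs the request content examined before calling it command-and-control.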

Lalji added: "Several of these events can be attributed to internet-wide scans that are not specific to the IP address space under examination." Email traffic was also excluded as prosecutors were potentially interested in it.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/06/25/sans_cyberbunker_traffic_analysis/