I was posting on the Fediverse about the fact that a hacker pwned my Kippo honeypot and managed to bypass Kippo’s ability to save their malware.
Someone responded with “it’s not a bad idea for an attacker to use honeypots if they’re able to hack it, or are content with limited access”, which is actually a good point. Is anyone deliberately using honeypots for evil? Probably.
My thoughts on that are:
It is a two-fanged issue. Either:
- Attacker wants to avoid honeypots, or
- Attacker wants to hack honeypots.
Point 1 is a defender problem: the honeypot needs to not be obvious. For example, the default Kippo root login is 123456. Smart attackers know this and won’t use a server with those creds. Cowrie, on the other hand, will accept anything BUT root/123456, so that’s better. But that is also easily defeated, because an attacker can just try two passwords for root and, if they both work, move on.
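To see how that defender-side tell shows up in a credential policy, here is an added example (not Cowrie’s own code) that re-implements Cowrie’s userdb.txt matching in simplified form and audits a policy for how many different root passwords it accepts. The two userdb contents and the probe passwords are constructed for the demo; the deny-list-then-wildcard layout of the first one mirrors the root/123456 behaviour described above.

```python
import re

# Constructed userdb.txt contents (demo data, not a real deployment's file).
# Cowrie format: user:uid:password. The password field is an exact string,
# "*" (any password), "/regex/" or "/regex/i", and a leading "!" means deny.
# Rules are checked top to bottom; the first rule matching user+password decides.
WILDCARD_STYLE_USERDB = """
# Deny the well-known default, then accept anything else for root.
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
"""

# A less obvious policy: root has exactly one valid password, no wildcard.
TIGHT_USERDB = """
root:x:P4ssw0rd-for-this-box
admin:x:admin
"""

def _matcher(rule: str):
    """Build a predicate for one user or password field (simplified, assumption)."""
    if rule == "*":
        return lambda value: True
    m = re.fullmatch(r"/(.+)/(i?)", rule)
    if m:
        pattern = re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)
        return lambda value: pattern.search(value) is not None
    return lambda value: value == rule

def parse_userdb(text: str):
    """Return [(user_pred, password_pred, allow)] in file order; skips comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) < 3:
            continue
        user, password = parts[0], parts[2]
        allow = not password.startswith("!")
        rules.append((_matcher(user), _matcher(password.lstrip("!")), allow))
    return rules

def checklogin(rules, user: str, password: str) -> bool:
    """First matching rule wins; no match means deny."""
    for user_ok, pw_ok, allow in rules:
        if user_ok(user) and pw_ok(password):
            return allow
    return False

def audit_policy(text: str, user: str, probes=("letmein", "hunter2", "123456")) -> dict:
    """Count accepted probe passwords; more than one is the tell described in the post."""
    rules = parse_userdb(text)
    accepted = [p for p in probes if checklogin(rules, user, p)]
    return {"accepted": accepted, "looks_like_honeypot": len(accepted) > 1}
```

Running `audit_policy` against your own userdb before deploying shows whether root accepts several unrelated passwords, which is what gives the wildcard policy away.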
Point 2 is an attacker problem, because fake shells are geared to log their stuff, copy their malware, etc. So it would probably have to be a very particular hacker that wanted to a) use easily available honeypots and b) not have their malware captured.