Hello and welcome to the Friday, April 26, 2024 edition of the Sansonet Storms

Sunners Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Quick a reminder day from Jesse that even on a honeypot, the fireball configuration matters. It's less a matter of blocking or allowing certain ports,

but redirecting traffic to appropriate listeners.

The honeypot we are using is taking a page here from Cowry,

where you are using IP tables in order to redirect traffic to individual ports that we have,

things like Cowrie and our web honeypot listening on.

That way, if the firewall rules are not configured correctly,

you may miss quite a bit of traffic, and that's what Jesse observed in his Asia cloud-based honeypot.

Black X is a little bit older bot net originally coming out in 2020, in March 2020.

Sofos wrote about it, and it had a couple interesting properties one was that it's one of

those bots that actually propagates over USB sticks so if you connect the USB stick to an

infected system it copies itself and then could potentially be launched on a new system as the USB stick

is being moved.

Now, as of late last year, this botnet was really sort of considered somewhat dead

because it only communicated with one specific IP address as a command control server.

Well, it turns out that Sequoia has taken over that IP address.

It was hosted with Green Cloud, so they pretty much just set up an account with them and had

themselves assign this IP address.

And since September last year, they're using it as a sinkhole to basically learn more about

this particular botnet.

Sadly, it always happens that there are still thousands, if not hundreds of thousands of systems

...