SSH & Telnet logs of HoneyCloud
Source: ieee-dataport.org (indexed 2025-03-22)
Download link:
https://ieee-dataport.org/documents/ssh-telnet-logs-honeycloud
Description:
With the wide adoption, Linux-based IoT devices have emerged as one primary target of today’s cyber attacks. While traditional malware-based attacks (e.g., Mirai) can quickly spread across these devices, they are well-understood threats with defense techniques such as malware fingerprinting coupled with community-based fingerprint sharing. Recently, fileless attacks—attacks that do not rely on malware files—have been increasingly occurring on Linux-based IoT devices. Such attacks pose significant threats to the security and privacy of IoT systems; however, little has been known in terms of their characteristics and attack vectors, which hinders research and development efforts to defend against them. In this study, we present our endeavor in understanding fileless attacks on Linux-based IoT devices in the wild. Over a span of 12 months, we deployed four hardware IoT honeypots and 108 specially designed software IoT honeypots, which successfully attracted a wide variety of real-world IoT attacks. We present our measurement study on these attacks, with a focus on fileless attacks, including the prevalence, exploits, environments, and impacts. Our study further leads to multi-fold insights towards actionable defense strategies which can be adopted by IoT vendors and end users.
Provider:
IEEE Dataport



