Too Many Honeypots

The world of security and hacking is a vast and complex one, with new threats and vulnerabilities emerging every day. In this latest installment of Security Now!, we're taking a deep dive into the world of Confluence servers, a popular tool for team collaboration and content management. Our host, Leo Laporte, delves into the fascinating world of honeypots, or decoy servers designed to attract and detect malicious activity.

Leo begins by explaining how some security researchers conducted a study on publicly exposed Confluence servers. They used Shodan, a search engine that indexes which services are listening on which ports, and searched for a specific HTTP response header that indicates the presence of a Confluence server. Initially, they found an astonishing 177,000 hosts that matched their criteria, but upon further investigation, many of these turned out to be honeypots, decoy servers designed to look like real Confluence instances. By adding another term to their search criteria, they were able to filter out the honeypots and narrow down the list to 4,187 potentially vulnerable hosts.

One interesting observation made by the researchers was that many of the honeypots returned identical values in their JSESSIONID Set-Cookie response header. This suggested that the session IDs were not being generated dynamically; the hosts were part of a pre-defined set of fake Confluence instances designed to simulate real-world behavior. The researchers also noticed that some of these honeypots took shortcuts in their simulation, such as in how they randomized the JSESSIONID value. By applying this filter, they were able to eliminate many more decoys and arrive at a much more accurate count.
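The filter sequence described above, as an added example that is not VulnCheck's code or anything from the show: it applies each stage to a handful of constructed HTTP responses (documentation-range addresses, made-up session IDs) and reports how many hosts survive each step, including the shared-JSESSIONID tell and the "claims to be more than one product" tell.

```python
"""Narrow a scan result set to probable real Confluence hosts, stage by stage."""
import re
from collections import Counter

JSESSIONID_RE = re.compile(r"JSESSIONID=([^;\s]+)")
# Product names a genuine Confluence page would not carry; the honeypot
# described above also claimed to be a QNAP TS-128A.
FOREIGN_FINGERPRINTS = ("QNAP",)
# Snippet from the Confluence login page used as the third filter term.
LOGIN = "<html><meta name='confluence-base-url' content='/'>login</html>"

def rec(host, body, sid=None, xcrt="0"):
    """Build a constructed (host, headers, body) record; sid=None omits the cookie."""
    headers = {"X-Confluence-Request-Time": xcrt}
    if sid:
        headers["Set-Cookie"] = f"JSESSIONID={sid}; Path=/"
    return (host, headers, body)

# Constructed sample scan results: documentation-range hosts, made-up IDs.
SAMPLE = [
    rec("198.51.100.10", LOGIN, "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D"),  # real
    rec("198.51.100.11", LOGIN, "9F8E7D6C5B4A39281706F5E4D3C2B1A0"),  # real
    rec("198.51.100.12", "<html>QNAP TS-128A</html>"),  # mash-up, no cookie
    rec("198.51.100.13", "<html>ok</html>", "AAAABBBBCCCCDDDDEEEEFFFF00001111"),  # no login page
    rec("198.51.100.14", LOGIN, "DEADBEEFDEADBEEFDEADBEEFDEADBEEF"),  # fixed template
    rec("198.51.100.15", LOGIN, "DEADBEEFDEADBEEFDEADBEEFDEADBEEF"),  # same fixed template
    rec("198.51.100.16", LOGIN + "QNAP", "0123456789ABCDEF0123456789ABCDEF"),  # also a "NAS"
    ("198.51.100.17", {"Server": "nginx"}, "<html>welcome</html>"),  # never matched
]

def header(headers, name):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def session_id(headers):
    """JSESSIONID value from Set-Cookie, or None when the cookie is absent."""
    match = JSESSIONID_RE.search(header(headers, "Set-Cookie") or "")
    return match.group(1) if match else None

def filter_stages(records):
    """Map each filter stage, in the order applied above, to the records that survive it."""
    s1 = [r for r in records if header(r[1], "X-Confluence-Request-Time") is not None]
    s2 = [r for r in s1 if session_id(r[1])]
    s3 = [r for r in s2 if "confluence-base-url" in r[2]]
    # A JSESSIONID reused verbatim by different hosts was never generated per
    # session, so every holder of a shared value is counted as a honeypot; a
    # second product fingerprint in the body disqualifies a host as well.
    holders = Counter(session_id(r[1]) for r in s3)
    s4 = [r for r in s3 if holders[session_id(r[1])] == 1
          and not any(tag in r[2] for tag in FOREIGN_FINGERPRINTS)]
    return {"x-confluence-request-time header": s1, "set-cookie jsessionid": s2,
            "confluence-base-url in body": s3, "unique jsessionid, one product": s4}

def stage_counts(records):
    """Host count left after each stage."""
    return {stage: len(hits) for stage, hits in filter_stages(records).items()}

def probable_real_hosts(records):
    """Hosts left after the last stage: probably authentic Confluence servers."""
    return sorted(r[0] for r in list(filter_stages(records).values())[-1])

if __name__ == "__main__":
    for stage, count in stage_counts(SAMPLE).items():
        print(f"{count:3d} hosts remain after: {stage}")
    print("probable real:", probable_real_hosts(SAMPLE))
```

Against the constructed sample the count drops 7, 6, 5, 2, mirroring in miniature the 241,000 to 4,187 narrowing the post describes.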

The findings of this study are both surprising and thought-provoking. With 4,187 potentially vulnerable Confluence servers out there, it's clear that hackers have been exploiting this vulnerability with alarming frequency. However, it's also worth noting that these honeypots are not just harmless decoys - they can be a powerful tool for security researchers and defenders alike.

The researchers point out that understanding the scale of an issue is crucial when assessing the impact of a vulnerability. In this case, the filtered count of 4,187 exposed Confluence servers, roughly 4,200, was far lower than the raw search results suggested. This highlights the importance of precision in security assessments and the need for researchers to do their due diligence when identifying potential vulnerabilities.

The study also raises questions about the expanding popularity of honeypots. While these decoy servers can be a valuable tool for security research, they can also make it more difficult for defenders to understand real-world attack surfaces. With so many honeypots out there, it's becoming increasingly challenging to distinguish between legitimate and fake servers.

Leo notes that the sheer scale of this problem is staggering, with an estimated 236,000 Confluence honeypots on the internet, a number that's more than 50 times the number of real Confluence servers. This highlights the challenges facing security professionals in the digital age, where it's becoming increasingly difficult to distinguish between legitimate and malicious activity.

The study also touches on the issue of vulnerability scanning, which is often used to identify potential vulnerabilities in servers and other systems. However, with so many honeypots out there, these scanners are not always effective at filtering out decoy results. The researchers note that future internet vulnerability scanners will need to do a better job of filtering out honeypots, as the problem has become increasingly complex.

Finally, Leo notes that while hackers may be attracted to vulnerabilities like this one, it's also worth noting that many bad guys are simply not sophisticated enough to detect these honeypots. They might look at things like the F5 favicon or the presence or absence of a favicon, and if they don't notice these red flags, their attacks can go undetected.

In conclusion, this study highlights the complexities and challenges of modern cybersecurity. With so many honeypots out there, it's becoming increasingly difficult to distinguish between legitimate and malicious activity. However, by applying critical thinking and a nuanced understanding of vulnerability assessments, security professionals can stay one step ahead of the hackers.

"WEBVTTKind: captionsLanguage: enthis is Twi I got a kick out of the blog post headline posted at the vul vuln vul check website it read there are too many damned honeypots exclamation point so here's what the vul guys explained they wrote determining the number of Internet facing hosts affect Ed by a new vulnerability is a key factor in determining if it will become a widespread or emergent threat if there are are a lot of hosts affected there's a pretty good possibility things are about to pop off as they put it but if only a few hosts are available for exploitation that's much less likely but actually counting those hosts turns out has become quite a bit more challenging they said for example take cve 2023 22527 so that's last year um this affected the atlassian Confluence servers they said at the time of writing Confluence has appeared on cis's Kev you know Kev the commonly exploited vulnerabilities list nine yes nine times they they wrote that's a level of exploitation that should encourage everyone to get their Confluence servers off the internet but let's look for ourselves there are a number of generic Confluence showan queries floating around but x- Confluence hyphen request hyphen time so X Confluence request time might be the most wellknown this simply checks for an http respon response header being uh you know being returned in other words okay so breaking from them for a second the as we know the showan internet search scanner um is constantly scanning the net uh and aggregating the presence of of hosts on the internet oh who's listening to what port on what IP and in the same way that Google index es the internet so that it's easy to find a site by by Search terms showan indexes the internet so that you're able to find vulnerable or or at least present Services by IP and type of service so it's a you know it's a search engine for stuff that's listening on ports so the the showan can make an HTTP query to confluences service port and if the reply 
coming back from that Port contains the reply header X Confluence request time that strongly suggests that there's a running Confluence server answering queries at that IP and Port so the vul che guys then show a showdown screen capture showing get this 241,000 2 two 24172 occurrences of that reply header being returned from queries across the internet then they point out one particular thing they say 241,000 you know it's a little more than that that hosts they said is a great Target base for an emergent threat but on closer examination there's something off about the listed hosts for example this one and they select one has the Confluence X Confluence request time header but it also has an F5 fave icon you know as in the wellknown security firm F5 systems uhhuh and they say it also claims to be a qap TS 128a yes you know uh Nas device they say this is a Honeypot yeah you know because it's it's arranging to look like a bunch of things in order to attract flies I got to tell you this is something that our sponsor would never have have done they have so much so accurate and they don't put their little logo in it and they don't impersonate more than one device so this is not a canary obviously this is some other right well and I was thinking about this too canaries are not meant to be publicly exposed they're they're they're for your land in order to to detect intrusion that's what you want you don't yeah exactly yeah yeah there was no reason you would stick it out there you know just to to take incoming from the internet we know we know there's bad guys out out there we don't have to test for that yeah what we want is to find out if any of them get inside MH so uh uh the the the vul guys say whoever created this honey wat this honey pot was somewhat clever they mashed together the popular Showdown queries for Confluence F5 devices and qap systems to create what they described as an Abomination that would show that would show up in all three queries to avoid throwing 
exploits all over the Internet and thus getting quickly caught some attackers use Shodan or similar to curate their target lists this Honeypot is optimized for this use case oh interesting which is neat but it blocks our view of what is real right can we filter them out of our search they say at this point it's probably useful to look at what a real Confluence server HTTP response look like the server has a number of you of other useful headers to key off of but we'll try to filter by adding in set cookie colon J session ID equals that update brings the host count down okay so now they're saying so they modify their Showdown query so that they want it to have both that that very popular xonfluence request time header and to be setting a cookie named J session ID equals so so they're they're doing an and on those two requirements and they write that update brings the host countdown from from 241,000 two to just 37,9 164 so just shy of 38 um and they call that probably actual Confluence servers publicly exposed to the internet but is that number real they say it still seems high because most of those do not respond with an actual Confluence landing page a simple way to capitalize on that is to also search for a snippet from the Confluence login page in our search criteria so they add a another term to The Showdown query looking for the rep for The Returned HTML to contain the phrase Confluence base URL and they say ah now we're down to 20, 584 a little over half as many as before they added that additional term and they write this knocks off 177,000 hosts and th things are looking more confluency but there seems to be a whole bunch of entries without fave icons let's drill down into that one and see so they do that looking for the presence or lack of any fave icon for the site and at one point it occurs to them to examine the value being returned in the Confluence J session ID cookie settings reply header and what do you know a great many of those across the internet 
have identical values meaning they're not being generated dynamically they're part of some fixed Confluence simulating Honeypot and this and the simulation took some shortcuts that is the simulation of the Honeypot took some shortcuts for example randomizing the J session ID which gives it away when it's examined closely Enough by applying this spoofed J session ID filter the number now drops to 4,187 probably authentic publicly exposed Confluence servers so again they write and conclude they said a quick investigation suggests that this could be the complete set of real Confluence hosts or just very very good honeypots they say that's a reduction from around 240,000 hosts all the way down to just 4,200 that means there are approximately 236,000 Confluence honeypots on the Internet or more than 50 times the actual number of Confluence users of real Confluence servers I'm thinking that's in well it's interesting you why do people want to do public honey pots I don't get that right just you know just probably to see to see anyway they they say a vulnerability that only impacts 4,000 hosts is much less concerning than a vulnerability that impacts 240,000 hosts understanding the scale of an issue and therefore being precise about the number of potentially impacted hosts is important too those who copy overinflated statistics or haven't done their due diligence are making vulnerabilities appear more impactful than they truly are uh 3 million toothbrushes anyone anyway while we focused on Confluence they said this particular problem has been repeated across many different targets honeypots are a net good for the security Community but their expanding popularity does make understanding real world attack surfaces much more difficult for Defenders not just attackers and and Leo know you I I I really think you rais a good point you know we're talking a quarter of a million that's a lot of them bogus right Confluence servers what you know you're right that's I don't know that 
that there are that many bad Russians it's just not as much fun to be a hacker as it used to be I just I so anyway this will be a very good rule of thumb for us to keep in mind moving forward academically it's interesting that the explosion and honey pot use and population is this large I mean it's like what who are all these people you know that's sort of astonishing but this means that the tendency to immediately rely upon and believe the results of a simple you know not very critical so showan search for a given open port assumes you know assuming that that means there's a truly vulnerable service running there needs to be significantly tempered and it also suggests that future internet vulnerability scanners will themselves need to do a better job of filtering out the honey pots well since the problem has obviously become you know nothing less than massive and it might be worse even than that because these were not well configured honey pots I mean any hacker worth his salt would have immediately noticed the foret or whether or the F5 icon and and the fact that it was both a qap uh and I mean that's a little bit you know the whole thing doesn't ring true and I would think most bad guys except for script kitties would be sensitive to that and watching out for that they probably many many many more that they can't see cuz they're well configured they look just like a real Confluence server yep y hey it's Leo leaport I hope you've enjoyed this little snippet from security Now if you want the whole show you can get it our website twit.tv slsn of course you can subscribe to security Now on your favorite podcast or just click one of the links belowthis is Twi I got a kick out of the blog post headline posted at the vul vuln vul check website it read there are too many damned honeypots exclamation point so here's what the vul guys explained they wrote determining the number of Internet facing hosts affect Ed by a new vulnerability is a key factor in determining if it 
will become a widespread or emergent threat if there are are a lot of hosts affected there's a pretty good possibility things are about to pop off as they put it but if only a few hosts are available for exploitation that's much less likely but actually counting those hosts turns out has become quite a bit more challenging they said for example take cve 2023 22527 so that's last year um this affected the atlassian Confluence servers they said at the time of writing Confluence has appeared on cis's Kev you know Kev the commonly exploited vulnerabilities list nine yes nine times they they wrote that's a level of exploitation that should encourage everyone to get their Confluence servers off the internet but let's look for ourselves there are a number of generic Confluence showan queries floating around but x- Confluence hyphen request hyphen time so X Confluence request time might be the most wellknown this simply checks for an http respon response header being uh you know being returned in other words okay so breaking from them for a second the as we know the showan internet search scanner um is constantly scanning the net uh and aggregating the presence of of hosts on the internet oh who's listening to what port on what IP and in the same way that Google index es the internet so that it's easy to find a site by by Search terms showan indexes the internet so that you're able to find vulnerable or or at least present Services by IP and type of service so it's a you know it's a search engine for stuff that's listening on ports so the the showan can make an HTTP query to confluences service port and if the reply coming back from that Port contains the reply header X Confluence request time that strongly suggests that there's a running Confluence server answering queries at that IP and Port so the vul che guys then show a showdown screen capture showing get this 241,000 2 two 24172 occurrences of that reply header being returned from queries across the internet then 
they point out one particular thing they say 241,000 you know it's a little more than that that hosts they said is a great Target base for an emergent threat but on closer examination there's something off about the listed hosts for example this one and they select one has the Confluence X Confluence request time header but it also has an F5 fave icon you know as in the wellknown security firm F5 systems uhhuh and they say it also claims to be a qap TS 128a yes you know uh Nas device they say this is a Honeypot yeah you know because it's it's arranging to look like a bunch of things in order to attract flies I got to tell you this is something that our sponsor would never have have done they have so much so accurate and they don't put their little logo in it and they don't impersonate more than one device so this is not a canary obviously this is some other right well and I was thinking about this too canaries are not meant to be publicly exposed they're they're they're for your land in order to to detect intrusion that's what you want you don't yeah exactly yeah yeah there was no reason you would stick it out there you know just to to take incoming from the internet we know we know there's bad guys out out there we don't have to test for that yeah what we want is to find out if any of them get inside MH so uh uh the the the vul guys say whoever created this honey wat this honey pot was somewhat clever they mashed together the popular Showdown queries for Confluence F5 devices and qap systems to create what they described as an Abomination that would show that would show up in all three queries to avoid throwing exploits all over the Internet and thus getting quickly caught some attackers use Shodan or similar to curate their target lists this Honeypot is optimized for this use case oh interesting which is neat but it blocks our view of what is real right can we filter them out of our search they say at this point it's probably useful to look at what a real 
Confluence server HTTP response look like the server has a number of you of other useful headers to key off of but we'll try to filter by adding in set cookie colon J session ID equals that update brings the host count down okay so now they're saying so they modify their Showdown query so that they want it to have both that that very popular xonfluence request time header and to be setting a cookie named J session ID equals so so they're they're doing an and on those two requirements and they write that update brings the host countdown from from 241,000 two to just 37,9 164 so just shy of 38 um and they call that probably actual Confluence servers publicly exposed to the internet but is that number real they say it still seems high because most of those do not respond with an actual Confluence landing page a simple way to capitalize on that is to also search for a snippet from the Confluence login page in our search criteria so they add a another term to The Showdown query looking for the rep for The Returned HTML to contain the phrase Confluence base URL and they say ah now we're down to 20, 584 a little over half as many as before they added that additional term and they write this knocks off 177,000 hosts and th things are looking more confluency but there seems to be a whole bunch of entries without fave icons let's drill down into that one and see so they do that looking for the presence or lack of any fave icon for the site and at one point it occurs to them to examine the value being returned in the Confluence J session ID cookie settings reply header and what do you know a great many of those across the internet have identical values meaning they're not being generated dynamically they're part of some fixed Confluence simulating Honeypot and this and the simulation took some shortcuts that is the simulation of the Honeypot took some shortcuts for example randomizing the J session ID which gives it away when it's examined closely Enough by applying this 
spoofed J session ID filter the number now drops to 4,187 probably authentic publicly exposed Confluence servers so again they write and conclude they said a quick investigation suggests that this could be the complete set of real Confluence hosts or just very very good honeypots they say that's a reduction from around 240,000 hosts all the way down to just 4,200 that means there are approximately 236,000 Confluence honeypots on the Internet or more than 50 times the actual number of Confluence users of real Confluence servers I'm thinking that's in well it's interesting you why do people want to do public honey pots I don't get that right just you know just probably to see to see anyway they they say a vulnerability that only impacts 4,000 hosts is much less concerning than a vulnerability that impacts 240,000 hosts understanding the scale of an issue and therefore being precise about the number of potentially impacted hosts is important too those who copy overinflated statistics or haven't done their due diligence are making vulnerabilities appear more impactful than they truly are uh 3 million toothbrushes anyone anyway while we focused on Confluence they said this particular problem has been repeated across many different targets honeypots are a net good for the security Community but their expanding popularity does make understanding real world attack surfaces much more difficult for Defenders not just attackers and and Leo know you I I I really think you rais a good point you know we're talking a quarter of a million that's a lot of them bogus right Confluence servers what you know you're right that's I don't know that that there are that many bad Russians it's just not as much fun to be a hacker as it used to be I just I so anyway this will be a very good rule of thumb for us to keep in mind moving forward academically it's interesting that the explosion and honey pot use and population is this large I mean it's like what who are all these people you know 
that's sort of astonishing but this means that the tendency to immediately rely upon and believe the results of a simple you know not very critical so showan search for a given open port assumes you know assuming that that means there's a truly vulnerable service running there needs to be significantly tempered and it also suggests that future internet vulnerability scanners will themselves need to do a better job of filtering out the honey pots well since the problem has obviously become you know nothing less than massive and it might be worse even than that because these were not well configured honey pots I mean any hacker worth his salt would have immediately noticed the foret or whether or the F5 icon and and the fact that it was both a qap uh and I mean that's a little bit you know the whole thing doesn't ring true and I would think most bad guys except for script kitties would be sensitive to that and watching out for that they probably many many many more that they can't see cuz they're well configured they look just like a real Confluence server yep y hey it's Leo leaport I hope you've enjoyed this little snippet from security Now if you want the whole show you can get it our website twit.tv slsn of course you can subscribe to security Now on your favorite podcast or just click one of the links below\n"