Two sentences summarizing the article: The piece analyzes how user agent strings observed on a DShield honeypot can reveal outdated software, spoofed devices, and scanning activity, including potential Log4j/JNDI exploitation attempts. It also demonstrates automating UA translation with WhatIsMyBrowser API and Python, highlights common vs. rare user agents, and notes indicators of vulnerability scans and customized attacks. #Log4j #JNDI #QualysGuard #DShield #Roku #Masscan

Keypoints

  • Large dataset: 7,540,306 user agent strings collected over ~5 months with 1,181 unique strings.
  • Most common UA is Firefox 22 on Windows 7, indicating an old/outdated device or a falsified UA string.
  • Automation workflow: logs exported with jq, translated via WhatIsMyBrowser API, and processed with a Python script, yielding basic_results.csv and results.json.
  • Top 10 UA examples include browser/OS combos and scanning tools like masscan and zgrab, suggesting a mix of legitimate and automated activity.
  • Notable evidence of Log4j-style activity: UA data hints at JNDI-based attacks attempting to fetch payloads from remote hosts.
  • Least common UAs reveal very old or rare environments and several “No results found” entries that may indicate customized attacks or uncataloged agents.
  • Understanding UA distributions helps identify devices/applications on networks and potential security gaps.

MITRE Techniques

  • [T1036] Masquerading – Falsified or outdated user agent strings can masquerade as legitimate software, as noted when the article discusses Windows 7 with Firefox 22 and calls out the possibility of a falsified UA string. ‘The most popular user agent seen is for Windows 7 using Firefox 22. Windows 7 support ended in January of 2020 and Firefox 22 was released in 2013. This could either be a very old and outdated device, that also may be compromised, or it is a falsified user agent string.’
  • [T1595] Active Scanning – Attacker-like behavior is inferred from using various agent strings to access web resources to determine vulnerabilities and bypass security controls. ‘Using different agent strings to access web resources can be particularly helpful to determine vulnerabilities and work around security controls.’
  • [T1203] Exploitation for Client Execution – The notes about a Log4j attack using JNDI payloads (e.g., ‘ldap://10.10.11.42:33141/QUALYSTEST’) indicate attempts to load and execute code via a remote payload. ‘This looks like a Log4j attack, attempting to download a payload from 193.111.248 on port 2213.’

Indicators of Compromise

  • [IP Address] – Observed source IPs associated with certain user agents; example: 80.243.171.172
  • [IP Address] – JNDI-related payload hosts mentioned in examples; example: 10.10.11.42 (multiple QUALYSTEST payloads show up in jndi URIs)
  • [Domain] – Domains seen in “No results found” entries indicating potential malicious targets: aff.rip, affgate.top, discordservers.su
  • [File] – Artifacts created during analysis: basic_results.csv and results.json
  • [IP/Domain] – Payload delivery host referenced by JNDI strings: 193.111.248.104:2213 (noted in the log as 193.111.248[.]104:2213)

Read more: https://isc.sans.edu/diary/rss/30536