Harmful actors are continually scouring the Internet for vulnerable services that may be used to gain access to internal networks or carry out other malicious acts.
Researchers sometimes develop publicly available honeypots to track what software and services are targeted by threat actors. Honeypots are servers that are set up to look like they’re running other software in order to monitor threat actors’ methods.
Researchers from Palo Alto Networks’ Unit 42 put up 320 honeypots in a recent study and discovered that 80 percent of them were hacked within the first 24 hours.
From July to August 2021, honeypots with the remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and Postgres database services were deployed and maintained alive.
Honeypots were placed all over the world, including examples in North America, Asia, and Europe.
What Is the Attackers' M.O.?
How long it took to reach the first compromise depended on the type of service exposed.
The average time for the first compromise on SSH honeypots, which were the most targeted, was three hours, while the average time between two successive attacks was roughly two hours.
Unit 42 also observed one notable case in which a single threat actor compromised 96 percent of the experiment's 80 Postgres honeypots in approximately 30 seconds.
This is alarming because it might take days, if not longer, to install new security patches as they become available, but threat actors only require a few hours to exploit unprotected services.
Finally, when it comes to whether or not geography matters, the APAC area attracted the greatest attention from hackers. The vast majority (85%) of attacker IPs were observed on a single day, which means that actors rarely (15%) reuse the same IP on subsequent attacks.
Between July 2021 and August 2021, Unit 42 researchers deployed 320 honeypots across North America (NA), Asia Pacific (APAC), and Europe (EU). The research analyzed the time, frequency and origins of the attacks observed in our honeypot infrastructure.
Four types of applications, SSH, Samba, Postgres and RDP, were evenly deployed across the honeypot infrastructure. We intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest, administrator:password. These accounts grant limited access to the application in a sandboxed environment. A honeypot will be reset and redeployed when a compromising event is detected, i.e., when a threat actor successfully authenticates via one of the credentials and gains access to the application.
To analyze the effectiveness of blocking network scanning traffic, we blocked a list of known scanner IPs on a subset of honeypots. The firewall policies were updated once a day based on the observed network scanning traffic. Depending on the applications and days, each firewall policy might block 600-3,000 known scanner IP addresses.
The logs from all the honeypots were aggregated on an Elasticsearch cluster. A controller server continuously monitored the logs and checked the health of each honeypot. If a compromising event was detected or a virtual machine became unresponsive, the controller redeployed the virtual machine and application. Figure 1 illustrates the architecture of the honeypot infrastructure.
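The controller loop described above (watch the aggregated auth logs, treat a successful login with a planted credential as a compromising event, redeploy any honeypot that was compromised or stopped answering) can be sketched in a few functions. The code below is an added example written for this article, not Unit 42's controller or schema; the log records, deployment times and heartbeat timestamps are constructed, and the field names are assumptions.

```python
"""Controller logic for a honeypot fleet: spot compromising events in the
aggregated auth logs and decide which honeypots to reset and redeploy."""
from datetime import datetime, timedelta

# Weak credentials deliberately configured on the honeypots (from the text).
WEAK_CREDS = {("admin", "admin"), ("guest", "guest"), ("administrator", "password")}

# Constructed sample records as a honeypot might ship them to Elasticsearch.
# Field names are an assumption for this example, not Unit 42's schema.
RECORDS = [
    {"ts": "2021-07-10T00:12:00", "honeypot": "ssh-na-01", "src_ip": "203.0.113.5",
     "user": "root", "password": "toor", "result": "fail"},
    {"ts": "2021-07-10T02:40:00", "honeypot": "ssh-na-01", "src_ip": "203.0.113.5",
     "user": "admin", "password": "admin", "result": "success"},
    {"ts": "2021-07-10T00:00:30", "honeypot": "pg-eu-03", "src_ip": "198.51.100.7",
     "user": "guest", "password": "guest", "result": "success"},
    {"ts": "2021-07-10T01:00:00", "honeypot": "rdp-apac-02", "src_ip": "192.0.2.9",
     "user": "administrator", "password": "letmein", "result": "fail"},
]

# Constructed deployment times and the last heartbeat received from each VM.
DEPLOYED = {
    "ssh-na-01": "2021-07-10T00:00:00",
    "pg-eu-03": "2021-07-10T00:00:00",
    "rdp-apac-02": "2021-07-10T00:00:00",
    "smb-na-05": "2021-07-10T00:00:00",
}
LAST_HEARTBEAT = {
    "ssh-na-01": "2021-07-10T03:00:00",
    "pg-eu-03": "2021-07-10T03:00:00",
    "rdp-apac-02": "2021-07-10T03:00:00",
    "smb-na-05": "2021-07-10T00:05:00",   # went silent shortly after deploy
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def compromise_events(records, weak_creds=WEAK_CREDS):
    """A compromising event is a successful login with one of the planted
    credentials. A 'success' with any other credential should be impossible
    on a honeypot and is returned separately for the operator to investigate."""
    compromised, anomalies = [], []
    for r in records:
        if r["result"] != "success":
            continue
        if (r["user"], r["password"]) in weak_creds:
            compromised.append(r)
        else:
            anomalies.append(r)
    return compromised, anomalies


def time_to_first_compromise(events, deployed=DEPLOYED):
    """Per honeypot, delay between deployment and the earliest compromise."""
    first = {}
    for e in events:
        t, hp = parse_ts(e["ts"]), e["honeypot"]
        if hp not in first or t < first[hp]:
            first[hp] = t
    return {hp: t - parse_ts(deployed[hp]) for hp, t in first.items()}


def unresponsive(now, last_seen=LAST_HEARTBEAT, max_silence=timedelta(minutes=30)):
    """Honeypots whose VM has not sent a heartbeat within max_silence."""
    now = parse_ts(now)
    return {hp for hp, ts in last_seen.items() if now - parse_ts(ts) > max_silence}


def redeploy_plan(now, records=RECORDS):
    """Honeypots the controller should reset: compromised or unresponsive."""
    compromised, _ = compromise_events(records)
    targets = {e["honeypot"] for e in compromised} | unresponsive(now)
    return sorted(targets)


if __name__ == "__main__":
    events, anomalies = compromise_events(RECORDS)
    for hp, delay in time_to_first_compromise(events).items():
        print(f"{hp}: first compromise after {delay}")
    print("redeploy:", redeploy_plan("2021-07-10T03:05:00"))
```

Separating "compromised" from "anomalous success" matters in practice: a login that succeeds with a credential you never planted means the honeypot itself is misconfigured or has been tampered with, which is a different response than a routine reset.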
As BleepingComputer reported in detail, this constant change of source IPs leaves a 'layer 3' firewall that blocks individual addresses largely ineffective against the majority of threat actors. A better chance of mitigating the attacks lies in blocking dangerous IPs using data drawn from network scanning projects, which can identify hundreds of thousands of malicious IPs daily.
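The two findings above (most attacker IPs appear on a single day, and a daily-refreshed blocklist built from a honeypot's own observations therefore misses most traffic) can be measured directly from session logs. The following is an added example, not code from this article or from Unit 42; the attack sessions and the "external feed" are constructed, using documentation-range addresses, with a reuse pattern chosen to resemble the report's 85/15 split.

```python
"""Measure how much a layer 3 blocklist rebuilt once a day can stop, given
how rarely attackers reuse a source IP on later days."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed attack sessions as (day, source IP). Only one address ever
# comes back on a later day, mimicking the low reuse the report describes.
SESSIONS = [
    (date(2021, 7, 10), "203.0.113.5"),
    (date(2021, 7, 10), "203.0.113.6"),
    (date(2021, 7, 10), "198.51.100.7"),
    (date(2021, 7, 10), "192.0.2.9"),
    (date(2021, 7, 11), "203.0.113.5"),    # repeat visitor
    (date(2021, 7, 11), "198.51.100.20"),
    (date(2021, 7, 11), "198.51.100.21"),
    (date(2021, 7, 12), "192.0.2.30"),
    (date(2021, 7, 12), "192.0.2.31"),
    (date(2021, 7, 12), "203.0.113.5"),    # repeat visitor again
]

# Constructed stand-in for a feed from a scanning project that has already
# seen some of these addresses elsewhere before they reach our honeypots.
FEED = {"203.0.113.5", "203.0.113.6", "198.51.100.20", "192.0.2.30"}


def days_seen(sessions):
    """Map each source IP to the set of days on which it was observed."""
    seen = defaultdict(set)
    for day, ip in sessions:
        seen[ip].add(day)
    return seen


def single_day_fraction(sessions):
    """Share of attacker IPs that show up on exactly one day."""
    seen = days_seen(sessions)
    return sum(1 for d in seen.values() if len(d) == 1) / len(seen)


def own_history_blocklist(sessions, window_days=1):
    """Policy refreshed once a day from the honeypots' own logs: on day D,
    block every IP observed during the previous window_days days."""
    by_day = defaultdict(set)
    for day, ip in sessions:
        by_day[day].add(ip)

    def policy(day):
        blocked = set()
        for k in range(1, window_days + 1):
            blocked |= by_day[day - timedelta(days=k)]
        return blocked
    return policy


def feed_blocklist(feed):
    """Policy that blocks whatever the external feed lists, every day."""
    return lambda day: feed


def blocked_fraction(sessions, policy):
    """Fraction of sessions whose source IP the policy would have blocked."""
    blocked = sum(1 for day, ip in sessions if ip in policy(day))
    return blocked / len(sessions)


if __name__ == "__main__":
    print(f"IPs seen on one day only: {single_day_fraction(SESSIONS):.0%}")
    for w in (1, 7):
        frac = blocked_fraction(SESSIONS, own_history_blocklist(SESSIONS, w))
        print(f"own history, {w}-day window: {frac:.0%} of sessions blocked")
    print(f"external feed: {blocked_fraction(SESSIONS, feed_blocklist(FEED)):.0%}")
```

Widening the window over your own history does not help here: a blocklist derived only from what your sensors already saw can, at best, stop the repeat visitors, and the report says those are the minority. A source that has seen an address scanning elsewhere is what lets you block first-contact traffic.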
How Can Heimdal™ Help?
Heimdal™ Threat Prevention – Network provides unique threat hunting and ultimate visibility over an entire network, therefore offering A to Z protection, regardless of device or operating system.
Staying secure is easier with the correct knowledge and a trustworthy portfolio of solutions. As always, Heimdal™ Security is available to assist you with the latter. You can always contact us or book a demo if you have any questions regarding which of our company’s products are most suited for your needs.