
'Honeypot' experiment exposes how hackers are doing their work

19 Apr 2018

A new honeypot experiment suggests attackers are no longer doing the initial hard work themselves; they leave it to bots.

Cybereason senior director of intelligence services Ross Rustici shared the findings from a honeypot experiment in which the company stood up a fake financial services company with deliberately weak security to see how long it would take attackers to notice it and how they would go about attacking it.

Rustici says the project was made up of three phases. First, the team leaked Remote Desktop Protocol (RDP) usernames and passwords for three of the network's servers on dark-web markets and paste sites. These forums were once thriving with illicit activity, and Cybereason's aim was to determine just how suspicious cybercriminals have become of them.

The next phase was to expose additional RDP services protected only by weak passwords, to measure how quickly bots would compromise them and what they did once they had access. Finally, Cybereason opened several other services to see which ports were scanned most often and whether attacker behaviour differed much once they broke in.

“While there was a lot of rudimentary activity across all the services, one of the most interesting bots was observed less than two hours after weakening the RDP ports. This bot performed the groundwork for human attackers before they entered an environment, handling tasks such as exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines,” says Rustici.

“The bot also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the bot carried out these functions in approximately 15 seconds.”

Rustici says this is troubling: automated exploitation that completes in a matter of seconds will overwhelm most organisations, which cannot detect and respond at the speed at which the bot infiltrates their environment.

“The increasing automation of internal network reconnaissance and lateral movement is an even larger concern. These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes. Additionally, the versatility of the bot changes the threat significantly,” says Rustici.

“The security industry is used to seeing worms self-replicate and perform one or two tasks. Take NotPetya and OlympicDestroyer, two prominent nation-state attacks from 2017. They mainly had three functions: replicate, move, and destroy. By comparison, the bot that attacked the honeypot is designed to give full access to every machine it touches and spread throughout the entire network.”

Rustici says two days after the third bot had finished its work, a human attacker entered the environment.

“Cybereason researchers knew it was a human because the attacker logged in with a user account created by the bot. Also, a user interface application was opened, and remote access capabilities were accessed, functions not typically carried out by bots,” says Rustici.

“The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark Web.”
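The sequence described above has a detectable shape: a burst of failed RDP logons from one source, a successful RDP logon, a new local account created seconds later by that freshly logged-on user, and, much later, an interactive logon with the new account, often from a different address. The following is an added example, not Cybereason's tooling or anything from the honeypot, showing how a defender could correlate Windows Security events to surface that pattern. The event records are constructed for the example and assume the standard fields of events 4625 (failed logon), 4624 (successful logon, logon type 10 = RemoteInteractive/RDP) and 4720 (user account created); the thresholds and time windows are assumptions to tune for your own environment.

```python
"""Correlate Windows Security events for the bot-then-human RDP intrusion pattern.

Added example; the events below are constructed, not real honeypot data.
Event layout assumed: (ISO timestamp, EventID, dict of Security-log fields).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed field names follow the Windows Security log).
SAMPLE_EVENTS = [
    # Six failed RDP logons (4625, LogonType 10) from one source inside 40 seconds.
    ("2018-03-01T02:10:00", 4625, {"TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": "10"}),
    ("2018-03-01T02:10:07", 4625, {"TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": "10"}),
    ("2018-03-01T02:10:14", 4625, {"TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": "10"}),
    ("2018-03-01T02:10:21", 4625, {"TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": "10"}),
    ("2018-03-01T02:10:28", 4625, {"TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": "10"}),
    ("2018-03-01T02:10:35", 4625, {"TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": "10"}),
    # The weak password falls: successful RDP logon from the same source.
    ("2018-03-01T02:10:40", 4624, {"TargetUserName": "administrator", "IpAddress": "203.0.113.7", "LogonType": "10"}),
    # Twelve seconds later the compromised account creates a new user (bot persistence).
    ("2018-03-01T02:10:52", 4720, {"TargetUserName": "svc_backup", "SubjectUserName": "administrator"}),
    # Benign noise: helpdesk creates an account at the console, user later logs on over RDP.
    ("2018-03-01T09:00:00", 4720, {"TargetUserName": "jsmith", "SubjectUserName": "helpdesk"}),
    ("2018-03-01T09:30:00", 4624, {"TargetUserName": "jsmith", "IpAddress": "10.0.0.5", "LogonType": "10"}),
    # Two days later the human arrives with the bot-created account, from a new address.
    ("2018-03-03T04:22:11", 4624, {"TargetUserName": "svc_backup", "IpAddress": "198.51.100.23", "LogonType": "10"}),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Return source IPs with at least `threshold` failed RDP logons inside a sliding `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 4625/type-10 events
    flagged = set()
    for ts, eid, f in sorted(events, key=lambda e: parse_ts(e[0])):
        if eid != 4625 or f.get("LogonType") != "10":
            continue
        t, ip = parse_ts(ts), f["IpAddress"]
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def bot_created_account_logons(events, creator_delay=timedelta(minutes=5)):
    """Flag RDP logons by accounts that were created within `creator_delay` of the
    creator's own RDP logon (the bot's 'create a backdoor user' step)."""
    last_rdp_logon = {}  # user -> (time, ip) of that user's latest successful RDP logon
    created = {}         # suspicious new account -> (created_at, creator, creator_ip)
    alerts = []
    for ts, eid, f in sorted(events, key=lambda e: parse_ts(e[0])):
        t, user = parse_ts(ts), f.get("TargetUserName")
        if eid == 4624 and f.get("LogonType") == "10":
            if user in created:
                c_at, creator, creator_ip = created[user]
                alerts.append({
                    "account": user,
                    "created_by": creator,
                    "created_at": c_at.isoformat(),
                    "creator_ip": creator_ip,
                    "logon_at": t.isoformat(),
                    "logon_ip": f.get("IpAddress"),
                    "new_source": f.get("IpAddress") != creator_ip,
                })
            last_rdp_logon[user] = (t, f.get("IpAddress"))
        elif eid == 4720:
            creator = f.get("SubjectUserName")
            if creator in last_rdp_logon:
                c_t, c_ip = last_rdp_logon[creator]
                if t - c_t <= creator_delay:
                    created[user] = (t, creator, c_ip)
    return alerts


if __name__ == "__main__":
    print("RDP brute-force sources:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    for a in bot_created_account_logons(SAMPLE_EVENTS):
        print("bot-created account used interactively:", a)
```

The second function is the one that catches the human: it only remembers accounts whose creation followed the creator's RDP logon within a few minutes, so a helpdesk operator creating a user at the console is not flagged, while a logon by `svc_backup` two days later is, and `new_source` records that it came from a different address than the original compromise. Both checks run on events you already collect; the point is to correlate them rather than alert on any single one.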

There were many findings from the honeypot experiment, but Rustici says the most prominent is the commoditisation of bots that perform the low-level tasks of an intrusion.

“At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability,” says Rustici.

“For example, the bot that laid the groundwork for human adversaries attacked the honeypot just two hours after we added new data. This means that using bots to automatically exploit vulnerabilities is more prevalent than anticipated. The use of this technique proves that the operational profile of attackers is changing with less sophisticated attackers having access to tools that were once reserved for their more advanced counterparts.”
