SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
'Honeypot' experiment exposes how hackers are doing their work
Thu, 19th Apr 2018
FYI, this story is more than a year old

A new experiment has revealed hackers are no longer doing the hard work themselves - they just get their bots to do it.

Cybereason senior director of intelligence services Ross Rustici shared the findings from a ‘honeypot' experiment where the company created a fake financial services company with weak cybersecurity to see how long it would take hackers to notice and how they would attack.

Rustici says the project was made up of three phases. First, the team released usernames and passwords for the Remote Desktop Protocol (RDP) for three servers in the network in dark markets and paste sites. These forums were once thriving with illicit activity and Cybereason's aim was to determine just how suspicious cybercriminals have become of them.

The next phase was to create additional RDP services that had weak passwords to see just how quickly bots would compromise the service and their actions once they had access. Finally, Cybereason opened several other services to see which ports were scanned the most and if there was a large difference in functionality once they broke in.

“While there was a lot of rudimentary activity across all the services, one of the most interesting bots was observed less than two hours after weakening the RDP ports. This bot performed the groundwork for human attackers before they entered an environment, handling tasks exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines,” says Rustici.

“The bot also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the bot carried out these functions in approximately 15 seconds.”

Rustici says this is troubling as automatic exploitation in a matter of seconds will overwhelm most organisations by the speed at which the bot can infiltrate their environment.

“The increasing automation of internal network reconnaissance and lateral movement is an even larger concern. These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes. Additionally, the versatility of the bot changes the threat significantly,” says Rustici.

“The security industry is used to seeing worms self-replicate and perform one or two tasks. Take NotPetya and OlympicDestroyer, two prominent nation-state attacks from 2017. They mainly had three functions: replicate, move, and destroy. By comparison, the bot that attacked the honeypot is designed to give full access to every machine it touches and spread throughout the entire network.”

Rustici says two days after the third bot had finished its work, a human attacker entered the environment.

“Cybereason researchers knew it was a human because the attacker logged in with a user account created by the bot. Also, a user interface application was opened, and remote access capabilities were accessed, functions not typically carried out by bots,” says Rustici.

“The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark Web.”

There were many findings from the honeypot experiment, but Rustici says the most prominent is the commoditisation of using bots to perform low-level tasks.

“At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability,” says Rustici.

“For example, the bot that laid the groundwork for human adversaries attacked the honeypot just two hours after we added new data. This means that using bots to automatically exploit vulnerabilities is more prevalent than anticipated. The use of this technique proves that the operational profile of attackers is changing with less sophisticated attackers having access to tools that were once reserved for their more advanced counterparts.”