'Honeypot' experiment exposes how hackers are doing their work

19 Apr 2018

A new experiment has revealed hackers are no longer doing the hard work themselves - they just get their bots to do it.

Cybereason senior director of intelligence services Ross Rustici shared the findings from a ‘honeypot’ experiment where the company created a fake financial services company with weak cybersecurity to see how long it would take hackers to notice and how they would attack.

Rustici says the project was made up of three phases. First, the team released Remote Desktop Protocol (RDP) usernames and passwords for three servers on the network on dark markets and paste sites. These forums were once thriving with illicit activity, and Cybereason’s aim was to determine just how suspicious cybercriminals have become of them.

The next phase was to create additional RDP services protected only by weak passwords, to see just how quickly bots would compromise them and what the bots would do once they had access. Finally, Cybereason opened several other services to see which ports were scanned the most and whether attacker behaviour differed much once they broke in.

“While there was a lot of rudimentary activity across all the services, one of the most interesting bots was observed less than two hours after weakening the RDP ports. This bot performed the groundwork for human attackers before they entered an environment, handling tasks such as exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines,” says Rustici.

“The bot also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the bot carried out these functions in approximately 15 seconds.”

Rustici says this is troubling: automated exploitation in a matter of seconds will overwhelm most organisations, which cannot respond at the speed at which a bot can infiltrate their environment.

“The increasing automation of internal network reconnaissance and lateral movement is an even larger concern. These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes. Additionally, the versatility of the bot changes the threat significantly,” says Rustici.

“The security industry is used to seeing worms self-replicate and perform one or two tasks. Take NotPetya and OlympicDestroyer, two prominent nation-state attacks from 2017. They mainly had three functions: replicate, move, and destroy. By comparison, the bot that attacked the honeypot is designed to give full access to every machine it touches and spread throughout the entire network.”

Rustici says two days after the third bot had finished its work, a human attacker entered the environment.

“Cybereason researchers knew it was a human because the attacker logged in with a user account created by the bot. Also, a user interface application was opened, and remote access capabilities were accessed, functions not typically carried out by bots,” says Rustici.

“The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark Web.”
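The two-stage pattern described above, a bot minting new accounts seconds after an RDP logon and a human later logging in with one of those accounts, is something a defender can look for in Windows Security logs. The following is an added detection example, not code from Cybereason or the honeypot project; the log lines are constructed and deliberately simplified (pipe-separated fields instead of real event XML), the 60-second window is an assumed threshold, and it correlates event 4624 (logon, type 10 = RemoteInteractive/RDP) with event 4720 (user account created).

```python
"""Flag accounts created right after an RDP logon, then flag any later
logon that uses such an account (the bot-then-human sequence)."""
from datetime import datetime, timedelta

# Constructed sample events, simplified to
# "timestamp|event_id|subject_user|target_user|logon_type". Not real data.
SAMPLE_EVENTS = """\
2018-03-01T10:00:00|4624|-|svc_backup|10
2018-03-01T10:00:09|4720|svc_backup|support01|-
2018-03-01T10:00:11|4720|svc_backup|admin_tmp|-
2018-03-01T14:30:00|4624|-|jsmith|2
2018-03-01T15:00:00|4720|jsmith|intern_new|-
2018-03-03T09:12:45|4624|-|support01|10
"""

RDP_LOGON = "10"  # 4624 LogonType 10 = RemoteInteractive (RDP)


def parse(lines):
    """Turn the simplified log text into (timestamp, id, subject, target, type)."""
    out = []
    for line in lines.strip().splitlines():
        ts, eid, subject, target, ltype = line.split("|")
        out.append((datetime.fromisoformat(ts), eid, subject, target, ltype))
    return out


def detect(lines, window=timedelta(seconds=60)):
    """Return (timestamp, alert_name, account) tuples in log order.

    window: assumed threshold; the honeypot bot finished its work in ~15 s,
    so a one-minute gap between RDP logon and account creation is generous.
    """
    alerts, last_rdp, suspect = [], {}, set()
    for ts, eid, subject, target, ltype in parse(lines):
        if eid == "4624" and target in suspect:
            # Someone (the follow-on human, in the article) used a bot-made account.
            alerts.append((ts, "logon_with_attacker_created_account", target))
        if eid == "4624" and ltype == RDP_LOGON:
            last_rdp[target] = ts  # remember when this user came in over RDP
        elif eid == "4720":
            seen = last_rdp.get(subject)
            if seen is not None and ts - seen <= window:
                suspect.add(target)  # account minted seconds after an RDP logon
                alerts.append((ts, "account_created_after_rdp_logon", target))
    return alerts


if __name__ == "__main__":
    for ts, name, account in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()}  {name}  {account}")
```

The normal helpdesk account created by jsmith hours after an interactive (type 2) logon produces no alert, which is the point of keying on the RDP logon and the short window rather than on account creation alone.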

There were many findings from the honeypot experiment, but Rustici says the most prominent is the commoditisation of using bots to perform low-level tasks.

“At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability,” says Rustici.

“For example, the bot that laid the groundwork for human adversaries attacked the honeypot just two hours after we added new data. This means that using bots to automatically exploit vulnerabilities is more prevalent than anticipated. The use of this technique proves that the operational profile of attackers is changing with less sophisticated attackers having access to tools that were once reserved for their more advanced counterparts.”
