'Honeypot' experiment exposes how hackers are doing their work

19 Apr 18

A new experiment has revealed hackers are no longer doing the hard work themselves - they just get their bots to do it.

Cybereason senior director of intelligence services Ross Rustici shared the findings from a ‘honeypot’ experiment where the company created a fake financial services company with weak cybersecurity to see how long it would take hackers to notice and how they would attack.

Rustici says the project was made up of three phases. First, the team released usernames and passwords for the Remote Desktop Protocol (RDP) for three servers in the network in dark markets and paste sites. These forums were once thriving with illicit activity and Cybereason’s aim was to determine just how suspicious cybercriminals have become of them.

The next phase was to create additional RDP services with weak passwords, to see how quickly bots would compromise them and what the bots did once they had access. Finally, Cybereason opened several other services to see which ports were scanned the most and whether the attackers' behaviour differed much depending on which service they broke in through.

“While there was a lot of rudimentary activity across all the services, one of the most interesting bots was observed less than two hours after weakening the RDP ports. This bot performed the groundwork for human attackers before they entered an environment, handling tasks such as exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines,” says Rustici.

“The bot also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the bot carried out these functions in approximately 15 seconds.”

Rustici says this is troubling: automated exploitation completed in a matter of seconds means most organisations will be overwhelmed by the speed at which such a bot can infiltrate their environment.

“The increasing automation of internal network reconnaissance and lateral movement is an even larger concern. These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes. Additionally, the versatility of the bot changes the threat significantly,” says Rustici.

“The security industry is used to seeing worms self-replicate and perform one or two tasks. Take NotPetya and OlympicDestroyer, two prominent nation-state attacks from 2017. They mainly had three functions: replicate, move, and destroy. By comparison, the bot that attacked the honeypot is designed to give full access to every machine it touches and spread throughout the entire network.”

Rustici says two days after the third bot had finished its work, a human attacker entered the environment.

“Cybereason researchers knew it was a human because the attacker logged in with a user account created by the bot. Also, a user interface application was opened, and remote access capabilities were accessed, functions not typically carried out by bots,” says Rustici.

“The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark Web.”
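Two of the signals described above (a bot creating a new user account within seconds of an RDP logon, and a human later logging in over RDP with that bot-created account) can be correlated directly from Windows Security log events. The following is an added example of that correlation, written for this page; it is not Cybereason's tooling or anything from the experiment. It assumes nothing beyond the standard Windows event IDs 4624 (successful logon, logon type 10 = RemoteInteractive/RDP) and 4720 (user account created); the events and account names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

RDP_LOGON = 10           # Windows logon type 10: RemoteInteractive (RDP)
EV_LOGON = 4624          # Security event: an account was successfully logged on
EV_USER_CREATED = 4720   # Security event: a user account was created


@dataclass(frozen=True)
class Event:
    """Minimal view of a Windows Security event (constructed, not a real log format)."""
    time: datetime
    event_id: int
    subject: str                      # account performing the action ("-" if not applicable)
    target: str                       # account logged on, or account being created
    logon_type: Optional[int] = None  # only meaningful for 4624
    source_ip: Optional[str] = None   # only meaningful for 4624


@dataclass(frozen=True)
class NewAccountLogon:
    account: str
    created_by: str
    created_at: datetime
    logon_at: datetime
    source_ip: Optional[str]


def rapid_account_creation(events, window=timedelta(seconds=60)) -> List[Tuple[str, str, float]]:
    """Flag RDP logons that are followed within `window` by a new account created by the
    same principal. Returns (logged-on account, new account, seconds between the two).
    A human rarely creates an account seconds after connecting; a bot routinely does."""
    ordered = sorted(events, key=lambda e: e.time)
    hits = []
    for i, e in enumerate(ordered):
        if e.event_id != EV_LOGON or e.logon_type != RDP_LOGON:
            continue
        for later in ordered[i + 1:]:
            if later.time - e.time > window:
                break  # events are time-ordered, nothing further can be inside the window
            if later.event_id == EV_USER_CREATED and later.subject == e.target:
                hits.append((e.target, later.target, (later.time - e.time).total_seconds()))
    return hits


def logons_with_created_accounts(events) -> List[NewAccountLogon]:
    """Report every logon whose account was created earlier in the same log, with who created
    it and when. A logon on an account no administrator remembers creating is the kind of
    follow-on access the experiment observed two days after the bot's visit."""
    ordered = sorted(events, key=lambda e: e.time)
    created = {}  # account name -> its 4720 event
    hits = []
    for e in ordered:
        if e.event_id == EV_USER_CREATED:
            created[e.target] = e
        elif e.event_id == EV_LOGON and e.target in created:
            c = created[e.target]
            hits.append(NewAccountLogon(e.target, c.subject, c.time, e.time, e.source_ip))
    return hits


# Constructed sample timeline (hypothetical accounts and addresses, not from the article):
# a weak service account is logged into over RDP, a new account appears four seconds later,
# a legitimate user logs in, and two days later someone logs in with the new account.
SAMPLE_EVENTS = [
    Event(datetime(2018, 4, 10, 9, 0, 0), EV_LOGON, "-", "svc_backup", RDP_LOGON, "203.0.113.7"),
    Event(datetime(2018, 4, 10, 9, 0, 4), EV_USER_CREATED, "svc_backup", "support01"),
    Event(datetime(2018, 4, 10, 10, 0, 0), EV_LOGON, "-", "alice", RDP_LOGON, "10.0.0.5"),
    Event(datetime(2018, 4, 12, 14, 30, 0), EV_LOGON, "-", "support01", RDP_LOGON, "198.51.100.22"),
]

if __name__ == "__main__":
    for who, new_acct, secs in rapid_account_creation(SAMPLE_EVENTS):
        print(f"bot-like: {who} created {new_acct} {secs:.0f}s after RDP logon")
    for h in logons_with_created_accounts(SAMPLE_EVENTS):
        print(f"logon on created account: {h.account} (created by {h.created_by} at "
              f"{h.created_at:%Y-%m-%d %H:%M}) at {h.logon_at:%Y-%m-%d %H:%M} from {h.source_ip}")
```

The first check catches the bot's speed itself (the article's fifteen-second account creation would fall well inside the default one-minute window); the second catches the later human, regardless of how long they wait, because the account's origin is remembered from the earlier 4720 event. Both checks are only as good as the retention of the Security log on the affected host, so forwarding these two event IDs to a central collector is what makes the second check useful in practice.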

There were many findings from the honeypot experiment, but Rustici says the most prominent is the commoditisation of using bots to perform low-level tasks.

“At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability,” says Rustici.

“For example, the bot that laid the groundwork for human adversaries attacked the honeypot just two hours after we added new data. This means that using bots to automatically exploit vulnerabilities is more prevalent than anticipated. The use of this technique proves that the operational profile of attackers is changing with less sophisticated attackers having access to tools that were once reserved for their more advanced counterparts.”
