Remember “War driving” and setting up “Honeypots?” What has been used in the past to gauge cyber vulnerabilities are being used again. The Honeypot is one of the oldest tricks used for luring hackers into the system. The Honeynet is a group of computer systems that together creates a trap for hackers. It is more powerful for catching the hackers as the chances for the possible information loss are lessened because the entire system is put together to track down hackers.
Recently, cybersecurity researchers set up a tempting cloud honeypot to examine how cyber attackers work. Insecure cloud-computing services can be a huge risk for organizations, because they are now a regular targets for cyber criminals. Researchers have demonstrated how vulnerable or misconfigured cloud services can be, after they have deployed hundreds of honeypots. These were designed to look like insecure infrastructure, some of which lasted just minutes before being compromised by hackers.
Cybersecurity researchers at Palo Alto Networks set up a honeypot comprised of 320 nodes around the world, made up of multiple misconfigured instances of common cloud services, including remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres databases. The honeypot also included accounts configured to have default or weak passwords, exactly the sort of things that cyber criminals are looking for when trying to breach networks. It did not take long before cyber criminals discovered the honeypot and looked to exploit it. Some of the sites were compromised in minutes while 80% of the 320 honeypots were compromised within 24 hours. All of them had been compromised within a week.
The most attacked application was secure shell, which is a network communication protocol that enables two machines to communicate. Each SSH honeypot was compromised 26 times a day on average. The most attacked honeypot was compromised a total of 169 times in just a single day. One attacker compromised 96% of the 80 Postgres honeypots within a single 90-second period.
"The speed of vulnerability management is usually measured in days or months. The fact that attackers could find and compromise our honeypots in minutes was shocking. This research demonstrates the risk of insecurely exposed services," said Jay Chen, principal cloud security researcher at Palo Alto Networks. Exposed or poorly configured cloud services like those deployed in the honeypot make tempting targets for cyber criminals of all kinds.
Several notorious ransomware operations are known to exploit exposed cloud services to gain initial access to the victim's network in order to eventually encrypt as much as possible and demand a multi-million dollar ransom in exchange for the decryption key.
Nation state-backed hacking groups are also known to target vulnerabilities in cloud services as stealthy means of entering networks in order to conduct espionage, steal data, or deploy malware without detection. Unfortunately, the research demonstrates, it does not very take long for cyber criminals to find exposed internet-facing systems. "When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment," said Chen.
When it comes to securing accounts used to access cloud services, organizations should avoid using default passwords and users should be provided with multi-factor authentication to create an extra barrier to prevent leaked credentials being exploited. It is critical for organizations to apply security patches when they are available in order to prevent cyber criminals from taking advantage of known exploits and it is a strategy that applies to cloud applications, too.
"The outcome [of the research] reiterates the importance of mitigating and patching security issues quickly. When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes," said Chen.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://www.redskyalliance.org/
https://www.wapacklabs.com/
https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Comments