Researchers Watched 100 Hours of Hackers Hacking Honeypot Computers

An anonymous reader quotes a report from TechCrunch: Imagine being able to sit behind a hacker and observe them take control of a computer and play around with it. That's pretty much what two security researchers did thanks to a large network of computers set up as a honeypot for hackers. The researchers deployed several Windows servers deliberately exposed on the internet, set up with Remote Desktop Protocol, or RDP, meaning that hackers could remotely control the compromised servers as if they were regular users, being able to type and click around. Thanks to these honeypots, the researchers were able to record 190 million events and 100 hours of video footage of hackers taking control of the servers and performing a series of actions on them, including reconnaissance, installing malware that mines cryptocurrencies, using Android emulators to conduct click fraud, brute-forcing passwords for other computers, hiding the hackers' identities by using the honeypot as a starting point for another attack, and even watching porn. The researchers said a hacker successfully logging into its honeypot can generate "tens of events" alone.

The "Rangers," according to the two, carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. "Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later," the researchers wrote in a blog post published on Wednesday to accompany their talk. The "Barbarians" use the compromised honeypot computers to try and bruteforce into other computers using known lists of hacked usernames and passwords, sometimes using tools such as Masscan, a legitimate tool that allows users to port-scan the whole internet, according to the researchers. The "Wizards" use the honeypot as a platform to connect to other computers in an attempt to hide their trails and the actual origin of their attacks. According to what Bergeron and Bilodeau wrote in their blog post, defensive teams can gather threat intelligence on these hackers, and "reach deeper into compromised infrastructure."

According to Bergeron and Bilodeau, the "Thieves" have the clear goal of monetizing their access to these honeypots. They may do that by installing crypto miners, programs to perform click fraud or generate fake traffic to websites they control, and selling access to the honeypot itself to other hackers. Finally, the "Bards" are hackers with very little or almost no skills. These hackers used the honeypots to use Google to search for malware, and even watch porn. These hackers sometimes used cell phones instead of desktop or laptop computers to connect to the honeypots. Bergeron and Bilodeau said they believe this type of hacker sometimes uses the compromised computers to download porn, something that may be banned or censored in their country of origin. In one case, a hacker "was downloading the porn and sending it to himself via Telegram. So basically circumventing a country-level ban on porn," Bilodeau told TechCrunch. "What I think [the hacker] does with this then is download it in an internet cafe, using Telegram, and then he can put it on USB keys, and he can sell it." These types of honeypots could be useful for law enforcement or cybersecurity defensive teams. "Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence in recorded sessions for use in investigations," the researchers wrote in the blog post. "Blue teams for their part can consume the [Indicators of Compromise] and roll out their own traps in order to further protect their organization, as this will give them extensive documentation of opportunistic attackers' tradecraft."

Moreover, if hackers start to suspect that the servers they compromise may be honeypots, they will have to change strategies and decide whether the risks of being caught are worth it, "leading to a slow down which will ultimately benefit everyone," according to the researchers.

lol porn

[braden87]

Porn over RDP at 1 frame every 4 seconds *chefs kiss*

Re:

[eneville]

Real teams wouldn't waste time on porn. Machines going through descent firewalls/MITM proxies would sound alerts that the owners have broken staff rule books, wasting an asset for the attacker.

Re:

[Anonymice]

You'd need to try to access a lot of porn before getting much attention from a SOC. Non-malicious blocks are just background noise.

Like "regular" programmers

[Tony Isaac]

What's amazing is that these "hackers" had no idea they were being watched.

We have this image of hackers being brilliant computer masterminds, doing what they do at blazing speed. I suppose a lot of that comes from Hollywood. The reality is much more humdrum. It's mostly just sleazy guys trying to rip off people, who have learned just enough to download some hacker toolkit or Googled steps to exploit RDP or some other weak system.

Re:

[migos]

We call these script kiddies. The real hackers only infiltrate stuff that normal people can't, and sometimes they only do it just to prove that they can and they leave the servers alone.

Re:Like "regular" programmers

[shoor]

One thing I didn't see in the summary was how much effort was made to disguise the honeypots to look like legitimate or desirable targets.

I would think that you'd have a range of honeypots. Some might look like the ancient, wheezing computer used by a backwoods church, whose superannuated operator barely knows how to maintain a mailing list. On the other end, have one with seemingly valuable stuff, financials on a big company or government agency maybe, and it would have reasonable security because you'd expect that. Then there would other computers in between the extremes.

Re:

[bkmoore]

....We have this image of hackers being brilliant computer masterminds, doing what they do at blazing speed. I suppose a lot of that comes from Hollywood.....

Hollywood hackers type randomly on the keyboard noisily and at high speed while the computer is running some snazzy 3d screensaver, then after enough random keystrokes, the screensaver stops and you get a giant 3d font indicating ACCESS GRANTED. All it takes is random keystrokes to disable even the most secure systems, but those keystrokes have to come from either a nerdy hacker-like character with a funny accent and thick glasses, or a pretty woman who has no clue. Either work just as well.

Re:

[Tony Isaac]

Or in the case of one NCIS episode, two nerdy people typing on the SAME keyboard at the same time!

https://www.youtube.com/watch?... [youtube.com]

Re:

[phantomfive]

We have this image of hackers being brilliant computer masterminds, doing what they do at blazing speed.

Some of them are. Some of the winners of DEFCON CTF have been absolutely amazing, finding zero-days in binaries like they were candy. These kinds of hackers are rare.

The rest of us are script kiddies.

Honeypot

[OrangAsm]

I put a honeypot in the server room at work, and left a backdoor open. The next day a bunch of bears were hanging out in there.

Re:

[zephvark]

Oh, pooh. Does sound like fun though. As does watching honeypots. Heck, back when, all we wanted to do was see if your system had ROGUE or HACK on it. Maybe one of the Trek games?

Re:

[echo123]

Oh bother, would anyone happen to know about some FOSS honeypot software that can be found on the internet? Something ever so simple to install and gather metrics from, perhaps?

Re:

[SpzToid]

Obligatory XKCD [xkcd.com], ...because do you really want to do something like that that? Ewww.

Freshmeat

[jd]

...used to be the Go To place for such questions, but the site has long been frozen, and has now been taken down. Bstds.

https://www.honeyd.org/ [honeyd.org]
https://github.com/paralax/awe... [github.com]

Re:Honeypot

[DarkOx]

be careful - I have some clients that set honeypots up. The next thing that happened was people started publishing on reddit how they'd hacked into systems belonging to $CLIENT

They absolutely not gotten into ANYTHING besides the honey DMZ. Which was there to be A a distraction and B very positively identify bad actors addresses so that the firewalls on the real target systems could shun them. They did not want block just anyone who happened to scan or programmatically cralw the site. Their attitude was - we are probably the cheapest option out their so if the price and catalog aggregator guys want to index us, let'em and we are mostly commodity stuff so if someone wants to use our order API without visiting the site also let'em. - 'worst that can happen is we get more sales'.

but when someone starts trying to brute force IKE, or is feeding a serious of what are obviously SQL reserved words to ever input on a site - well now we KNOW they are up to no good. Also you want some targets to be exploitable at least with some level of difficulty because if someone is actually intentionally targeting you, its A) evidence, B) you get a chance to perhaps identify their C&C methods etc before they compromise something real.. Actual gathering of threat intelligence about the people specifically targeting YOU as opposed to general intelligence you could buy. They were actively doing stuff with it like ok we spotted this DNS based C&C we will add that to SEIM watching the real stuff and if anything does something similar - instant incident.

but ... it still became a black eye in the public, until it was all explained.. at which point .. it destroyed the value of the whole operation because all the threat actors knew what was honeypot current and obviously anticipate new honeypot stuff in the future.

Re:

[NotEmmanuelGoldstein]

... destroyed the value of the whole operation ...

The smart answer might be to keep the script kiddies talking, emphasizing they didn't touch anything valuable and will be easy to catch. The slow process of doxxing them is the goal.

As for bad PR, it's important to remind concerned people, the world is full of arseholes, these arseholes haven't issued ransom demands or leaked intel or proven that corporate security has been cracked, and we need them to confess their stupidity, not tell everyone we've got ultra-top-secret security.

Re:

[DarkOx]

yeah that does not work in practice.

You have arseholes threatening to report you to the state for violating disclosure laws, when you have nothing to disclose.

your account management staff is spending a ton of time explaining to your clients "no we were not hacked, seriously it was just a honeypot, not our real systems people were 'expected' to hack those things." They are doing that because your clients also subscribe to threat intel services that picked up the noise in reddit and not surprisingly those "e

Re:

[jonadab]

Heh. Tell them that Taiwan is a country and see how mad they get.

AI training set!

[martin-boundary]

Next week: researchers start watching 100 hours of hackers hacking, grow bored after 5 minutes, build an AI to watch the full 100 hours for them. AI reports back, nothing interesting to see there, would you like to play a nice game of chess instead?

D&D character analysis of types

[oxnyx]

Interesting choice of categories. I feel like Bards should get extra points somehow for cracking from a cellphone to watch choppy material. Likely then screen recording it and trying to sell it. It's like sex drive is a normal adult human - drive. (When made with consenting adults) Also good to know that Wizards are the ones this author is scared of. No Fighter tho glad to see they are else were ðYoe. I would love to hear about the Clerics but likely they are targeting big "evil" companies and repa

Re:

[TWX]

I was surprised that there weren't any categories for remote code exploit through compromised through basic OS services that have full rights to the boxes, all performed without ever touching the GUI.

It's all well and good to analyze the behaviors of those gaining unauthorized access to the GUI, that is obviously a form of attack vector and use. But that's only a subset of exploits, while the ability to run remote commands or programs without invoking something as obvious as that would be a much more effec

Re:

[SoftwareArtist]

Someone has a really low opinion of bards. "Very little or almost no skills"? Bards everywhere are offended.

Could puppeteer blackhats into serving the state.

[Eunomion]

I assume they already do this: Emulate a targeted system, seduce a hacker to play with it who just thinks it's another mark, then select for their most effective tactics against the real target.

Might even subtly alter the incentive dynamics, so that desired information presents to them as having financial rewards. You want to know what's in a file, so you show it to them as having bank information when it's actually cartel logistics or some military document. The bank info could be a real account that

Oh this would be so fun

[nucrash]

Maybe I am the odd one here, but setting up honey pots and watching techniques of those to plow through them seems like the ultimate fun to do.

I need to setup an internal honeypot and see if I can get others to hit it for the sake of watching.

Re:

[TWX]

For a short time I had a commercial DSL service with a /28 subnet. I had port-forwarded unsolicited incoming connections to an old Quadra 660AV running MkLinux. This was good fun because the box was snail-snot slow and no binaries that someone gaining access had would run on it due to the different architecture, and the memory and disk were so small that it wouldn't make for a good application server or file store. And the box was so old I had to use a "gator box" as an Ethernet to Appletalk (serial) net

Sounds like Berfed rides Again

[Superdad]

Umm, wasn't this done 30+ years ago .... in 'An Evening with Berfed', 1991 IIRC.
Berfed was the hacker(s)'s commonest typo.

Nothing new under the Sun.
Yawn.

SD

Hire a verified hacker

[Anastasia90]

Hire a verified hacker for quality service (TECHSPYHACKERPRO @ GM AIL C OM ). They offer service like ( phone hack, Upgrade grade, GPS track, face book recovery, delete criminal record, whatsApp recovery, retrieve lost wallet and many more...