Researchers from Palo Alto Networks deployed a honeypot infrastructure of 320 nodes to analyze how threat actors target exposed services in public clouds.
The company set up the honeypots between July 2021 and August 2021 to analyze the time, frequency and origins of the attacks targeting them.
The instances included systems exposing remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database. The experts discovered that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week.
Below are some findings shared by the experts:
“Four types of applications, SSH, Samba, Postgres and RDP, were evenly deployed across the honeypot infrastructure. We intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest, administrator:password. These accounts grant limited access to the application in a sandboxed environment. A honeypot will be reset and redeployed when a compromising event is detected, i.e., when a threat actor successfully authenticates via one of the credentials and gains access to the application.” reads the post published by Palo Alto Networks. “To analyze the effectiveness of blocking network scanning traffic, we blocked a list of known scanner IPs on a subset of honeypots.”
The researchers updated the firewall policies once a day based on the observed network scanning traffic, to prevent reconnaissance and attacks conducted with scanners. Each firewall policy might block 600-3,000 known scanner IP addresses.
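The daily policy refresh described above can be reproduced in miniature. The following is an added example, not code from Palo Alto Networks or the report: it reads a constructed, simplified connection log (one line per connection attempt: ISO timestamp, source IP, destination port), treats any source that probed at least three distinct ports on the honeypot within the day as a scanner (an assumed threshold), and renders one drop rule per scanner in a generic, assumed rule syntax. Malformed lines are skipped rather than trusted.

```python
"""Daily scanner blocklist from honeypot connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log lines (not real traffic from the study).
SAMPLE_LOG = """\
2021-07-12T00:01:03Z 198.51.100.7 22
2021-07-12T00:01:04Z 198.51.100.7 445
2021-07-12T00:01:05Z 198.51.100.7 3389
2021-07-12T00:01:06Z 198.51.100.7 5432
2021-07-12T02:14:41Z 203.0.113.9 22
2021-07-12T02:14:42Z 203.0.113.9 22
2021-07-12T05:30:00Z 192.0.2.50 3389
2021-07-12T05:30:01Z 192.0.2.50 445
2021-07-12T05:30:02Z 192.0.2.50 22
2021-07-13T01:00:00Z 203.0.113.9 5432
malformed line here
"""

MIN_DISTINCT_PORTS = 3  # assumed threshold; tune to your own traffic


def parse_line(line):
    """Return (day, src_ip, port) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(parts[1])
        port = int(parts[2])
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return ts.date().isoformat(), str(ip), port


def scanner_ips(log_text, day, min_ports=MIN_DISTINCT_PORTS):
    """Sorted IPs that touched at least `min_ports` distinct ports on `day`."""
    ports_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != day:
            continue
        _, ip, port = rec
        ports_by_ip[ip].add(port)
    return sorted(ip for ip, ports in ports_by_ip.items()
                  if len(ports) >= min_ports)


def firewall_policy(ips):
    """Render one drop rule per scanner in a generic (assumed) rule syntax."""
    return [f"deny from {ip}/32" for ip in ips]


if __name__ == "__main__":
    ips = scanner_ips(SAMPLE_LOG, "2021-07-12")
    print(f"{len(ips)} scanner IPs for 2021-07-12")
    for rule in firewall_policy(ips):
        print(rule)
```

On the constructed log, the source that repeatedly tried only port 22 is not listed, while the two sources that swept several ports are; a real deployment would feed the rendered rules to the cloud firewall and regenerate them daily, as the researchers did.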
Every time one of the virtual machines composing the honeypot infrastructure became unresponsive, the controller redeployed the virtual machine and application.
The experts analyzed the time-to-first-compromise (the time from deployment until the first successful compromise) for the different services. The time-to-first-compromise for Samba installs was 2485 minutes, 667 minutes for RDP, 511 for Postgres, and 184 minutes for SSHD.
Palo Alto’s study also focuses on the mean time-between-compromise, that is, the average time between two consecutive compromising events of a targeted application.
“A vulnerable service on the internet is usually compromised multiple times by multiple different attackers. To compete for the victim’s resources, attackers commonly attempt to remove malware or backdoors left by other cybercriminal groups (e.g., Rocke, TeamTNT).” continues the report. “Mean time-between-compromise resembles an attacker’s time on a compromised system before the next attacker shows up. Similar to time-to-first-compromise, the mean time-between-compromise of an application is also inversely proportional to the number of attackers targeting the application.”
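The two metrics defined above can be computed directly from a honeypot event log. The following is an added example, not code from Palo Alto Networks or the report: it consumes a constructed log with one line per event (ISO timestamp, honeypot id, service, and either "deployed" or "compromised", all assumed field names), derives time-to-first-compromise as the minutes from first deployment to first compromise averaged over the honeypots of a service, and mean time-between-compromise as the average gap between consecutive compromises of the same honeypot. Services never compromised, or compromised only once, return None rather than a misleading number.

```python
"""Time-to-first-compromise and mean time-between-compromise (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample event log (not data from the report). Each honeypot
# runs one service; "deployed" is logged on every (re)deployment and
# "compromised" when a weak-credential login succeeds.
SAMPLE_EVENTS = """\
2021-07-12T00:00:00Z hp-01 ssh deployed
2021-07-12T03:10:00Z hp-01 ssh compromised
2021-07-12T03:10:00Z hp-01 ssh deployed
2021-07-12T04:00:00Z hp-01 ssh compromised
2021-07-12T00:00:00Z hp-02 ssh deployed
2021-07-12T02:00:00Z hp-02 ssh compromised
2021-07-12T00:00:00Z hp-03 samba deployed
2021-07-13T16:00:00Z hp-03 samba compromised
2021-07-12T00:00:00Z hp-04 rdp deployed
"""


def parse_events(text):
    """Return {service: {honeypot_id: [(timestamp, event), ...]}}, time-sorted."""
    by_service = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("deployed", "compromised"):
            continue  # skip malformed lines instead of trusting them
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        by_service[parts[2]][parts[1]].append((ts, parts[3]))
    for honeypots in by_service.values():
        for events in honeypots.values():
            events.sort(key=lambda e: e[0])  # stable: ties keep log order
    return by_service


def _minutes(delta):
    return delta.total_seconds() / 60


def time_to_first_compromise(by_service, service):
    """Mean minutes from first deployment to first compromise per honeypot.

    Honeypots never compromised contribute no sample; None if there are none.
    """
    samples = []
    for events in by_service.get(service, {}).values():
        deployed = next((t for t, e in events if e == "deployed"), None)
        first_hit = next((t for t, e in events if e == "compromised"), None)
        if deployed is not None and first_hit is not None:
            samples.append(_minutes(first_hit - deployed))
    return mean(samples) if samples else None


def mean_time_between_compromise(by_service, service):
    """Mean minutes between consecutive compromises of the same honeypot.

    None when no honeypot running the service was compromised twice.
    """
    gaps = []
    for events in by_service.get(service, {}).values():
        hits = [t for t, e in events if e == "compromised"]
        gaps.extend(_minutes(b - a) for a, b in zip(hits, hits[1:]))
    return mean(gaps) if gaps else None


if __name__ == "__main__":
    data = parse_events(SAMPLE_EVENTS)
    for svc in sorted(data):
        print(svc,
              "ttfc_min =", time_to_first_compromise(data, svc),
              "mtbc_min =", mean_time_between_compromise(data, svc))
```

Because the controller redeploys a honeypot after each compromise, consecutive "compromised" events on one honeypot id are exactly the pairs whose gaps the mean time-between-compromise averages; the time-to-first-compromise uses only the first deployment and the first compromise of each honeypot.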
Researchers also analyzed the geographic distribution of the attacks: systems deployed in the APAC region were the most targeted by threat actors.
“The problem of insecurely exposed services is not new to public cloud, but the agility of cloud infrastructure management makes the creation and replication of such misconfigurations faster. The research highlights the risk and severity of such misconfigurations. When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment.” concludes the report.
Below is the list of recommendations to protect cloud services published by Palo Alto Networks:
(SecurityAffairs – hacking, honeypot)