Imagine having the ability to sit behind a hacker and closely observe as they gain control of a computer, experimenting with various actions. This is precisely what two security researchers accomplished through a network of honeypot computers designed to attract hackers.
The researchers intentionally exposed several Windows servers to the internet, configured with Remote Desktop Protocol (RDP), enabling hackers to remotely take over these servers as if they were regular users, giving them the ability to type, click, and manipulate the systems.
The honeypots allowed the researchers to gather a wealth of data, including 190 million recorded events and 100 hours of video footage showing hackers taking control of the servers. The hackers performed a range of activities, such as reconnaissance, installing cryptocurrency mining malware, conducting click fraud using Android emulators, attempting to brute-force passwords for other computers, concealing their identities by launching attacks from the honeypot, and even engaging in inappropriate content consumption. A single successful login by a hacker into the honeypot could generate numerous events.
Andréanne Bergeron, who holds a Ph.D. in criminology from the University of Montreal and works as a cybersecurity professional at GoSecure, collaborated with Olivier Bilodeau on this research. They presented their findings at the Black Hat cybersecurity conference in Las Vegas.
The researchers categorized the types of hackers based on Dungeons and Dragons character archetypes:
- Rangers: Hackers who cautiously explore the compromised systems, sometimes changing passwords, likely to evaluate the system for future attacks.
- Barbarians: These hackers use the compromised honeypot computers to try to brute-force their way into other systems using lists of known hacked usernames and passwords.
- Wizards: These hackers utilize the honeypot as a platform to connect to other computers, attempting to hide their trails and the origin of their attacks. Defensive teams can gather threat intelligence on these hackers.
- Thieves: Hackers with the intent to monetize their access to honeypots, often by installing crypto miners, conducting click fraud, or selling access to the honeypots to other hackers.
- Bards: Hackers with limited skills, who use honeypots to search for malware or even consume explicit content. They sometimes connect via cell phones and might use the compromised computers to download content that may be restricted in their country of origin.
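The archetypes above are defined by what an intruder does during an RDP session, which is exactly the kind of rule a blue team can run over its own honeypot or endpoint telemetry for triage. The following is an added example, not code from the researchers or GoSecure: it groups constructed session events by session and tags each session with the archetypes its behaviour matches. The event schema (`session`, `kind`, `detail`), the reconnaissance command list, the process and URL markers, the brute-force threshold, and the rule that a session counts as a Ranger only when it did nothing but reconnaissance are all assumptions made for the example and should be tuned to real telemetry.

```python
from collections import defaultdict

# Illustrative thresholds and markers (assumptions, not values from the talk).
BRUTE_FORCE_MIN_TARGETS = 5                     # distinct hosts hit with outbound logon attempts
RECON_COMMANDS = {"whoami", "systeminfo", "ipconfig", "tasklist", "net"}
MINER_MARKERS = ("miner", "xmr")                 # substrings in launched process paths
EMULATOR_MARKERS = ("emulator", "androidvm")     # Android emulators used for click fraud
EXPLICIT_MARKERS = ("adult", "xxx")              # substrings in requested URLs


def classify_session(events):
    """Return the set of archetypes one RDP session matches (empty = unclassified)."""
    tags = set()
    outbound_targets = set()
    for ev in events:
        kind, detail = ev["kind"], ev["detail"].lower()
        tokens = detail.split()
        if kind == "command" and tokens and tokens[0] in RECON_COMMANDS:
            tags.add("ranger")                   # looking around the box
        elif kind == "password_change":
            tags.add("ranger")                   # securing access for a later visit
        elif kind == "outbound_logon_attempt":
            outbound_targets.add(detail)         # counted below, many targets = spraying
        elif kind == "outbound_rdp_session":
            tags.add("wizard")                   # pivoting through the honeypot
        elif kind == "process_start":
            if any(m in detail for m in MINER_MARKERS + EMULATOR_MARKERS):
                tags.add("thief")                # monetising the access
        elif kind == "http_request":
            if any(m in detail for m in EXPLICIT_MARKERS):
                tags.add("bard")                 # low-skill content consumption
    if len(outbound_targets) >= BRUTE_FORCE_MIN_TARGETS:
        tags.add("barbarian")
    # Design choice: recon that precedes pivoting, brute forcing or monetising is just
    # the opening move of another archetype, so "ranger" only survives on its own.
    if tags - {"ranger"}:
        tags.discard("ranger")
    return tags


def classify_log(events):
    """Group a flat event list by session id and classify every session."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    return {sid: classify_session(evs) for sid, evs in by_session.items()}


# Constructed sample events, not data from the honeypots described in the article.
SAMPLE_EVENTS = [
    {"session": "s1", "kind": "command", "detail": "whoami"},
    {"session": "s1", "kind": "command", "detail": "systeminfo"},
    {"session": "s1", "kind": "password_change", "detail": "Administrator"},
    {"session": "s2", "kind": "command", "detail": "ipconfig /all"},
    *({"session": "s2", "kind": "outbound_logon_attempt", "detail": f"10.0.0.{n}"}
      for n in range(1, 9)),
    {"session": "s3", "kind": "outbound_rdp_session", "detail": "203.0.113.7"},
    {"session": "s4", "kind": "process_start", "detail": r"C:\Users\Public\xmr-miner.exe"},
    {"session": "s5", "kind": "http_request", "detail": "http://example-adult-site.test/video"},
    {"session": "s6", "kind": "command", "detail": "dir"},
]

if __name__ == "__main__":
    for sid, tags in sorted(classify_log(SAMPLE_EVENTS).items()):
        print(sid, sorted(tags) or ["unclassified"])
```

Sessions can legitimately carry more than one tag (a Thief who also pivots is both a Thief and a Wizard), and an empty set is a useful signal in itself: it marks sessions whose behaviour the current rules do not cover and which deserve a look at the recording.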
The researchers concluded that the ability to observe hackers interacting with such honeypots could prove invaluable not only to researchers but also to law enforcement and cybersecurity defense teams (blue teams). They suggested that law enforcement could intercept RDP environments used by ransomware groups for intelligence gathering in investigations, while blue teams could use the Indicators of Compromise (IoC) to enhance their own defenses.
Additionally, the researchers noted that if hackers become suspicious that the servers they compromise might be honeypots, they’ll likely need to alter their strategies, leading to a slowdown in their activities, which ultimately benefits everyone in terms of cybersecurity.