Security researchers detected 4.6 million data breach attempts via password entry in a one-month period in 2022. These incidents were observed by dedicated security traps (honeypots), which detect and respond to unauthorized access attempts. While honeypots mimic flaws in corporate environments, they must be isolated from the production network and continuously monitored.
Before an attack, threat actors monitor targeted networks as part of the reconnaissance phase to select the most effective and discreet entry points. Attackers often automate a significant portion of this monitoring period, which allows defensive teams to track their activities using specialized machines called honeypots. These machines are deliberately exposed to the internet to attract and detect probes and breaches.
Defensive teams can gather a wealth of data from honeypots, revealing both previously observed and unknown threats. Honeypots are also capable of proactive identification and defense against potential attacks. With these tools, defensive teams can assess threats and intercept and prevent malicious actions before they cause harm, rather than simply reacting to data breaches after the fact. Security researchers used honeypots to collect 4.6 million attempted data breaches via password entry. While these recently disclosed results were related to a one-month period (October 2022), the numbers suggest tens of millions of similar attacks by attackers over the year.
Read the report: Reshaping the Threat Landscape in 2023: Cybersixgill Announces Top Trends in Cybersecurity
A honeypot attracts and traps malicious actors by simulating a vulnerable system. Upon successful engagement, the honeypot captures and records the perpetrator's actions for subsequent analysis. A basic honeypot may consist of a Microsoft server virtual machine (VM) with an open Remote Desktop Protocol (RDP) connection exposed to the Internet. As threat actors attempt to exploit the exposed RDP, security teams observe and document attackers’ attempts to gain access via usernames. Various software products enhance honeypots’ capabilities, simulating a variety of possible entry points. For instance, PyRDP provides security teams with a man-in-the-middle approach to observe and manipulate in real-time malicious actors' attempts to infiltrate a system.
To illustrate the immense potential of honeypots for collecting valuable data, consider the 2019-2020 results generated by a detection and response organization, which found over 179,000 unique usernames attempted from at least 122 countries. The organization analyzed the honeypot data from a Google Cloud Platform VM exposing RDP. The data revealed a substantial surge in attacks, with an 85% uptick from 2019 to 2020, indicating threat actors’ increasingly sophisticated information-gathering techniques ahead of ransomware and infrastructure attacks.
Honeypots have also been used to assess the speed with which threat actors descend on exposed connections on the Internet. For example, a Windows 7 virtual machine (VM) with an open RDP connection exposed to the Internet for nine days accumulated over 2,800 access attempts, of which 46 were successful. While some threat actors tested for access, others immediately installed ransomware.
While the aforementioned examples used RDP connections, honeypots can test other access methods. Any remote system exposing the Secure Shell (SSH) protocol can be used as a honeypot to assess intrusion attempts. By studying active threats exposed by honeypots, organizations can take proactive measures to stay ahead of adversaries. While implementing security technologies such as VPNs or a zero-trust approach can help fortify external connections, determined threat actors may still find ways to bypass them.
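The figures cited above (attempts, successes, unique usernames, source countries) come from aggregating a honeypot's login events. The following is an added example, not code from the original post or from any honeypot product: it parses a constructed JSON-lines log (the field names are an assumption), summarizes it, and flags sources whose attempt rate indicates automated brute forcing.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample honeypot login events (JSON lines); field names are an assumption.
SAMPLE_LOG = """\
{"ts": "2022-10-01T10:00:00", "src_ip": "203.0.113.5", "country": "XX", "user": "administrator", "result": "failed"}
{"ts": "2022-10-01T10:00:01", "src_ip": "203.0.113.5", "country": "XX", "user": "admin", "result": "failed"}
{"ts": "2022-10-01T10:00:02", "src_ip": "203.0.113.5", "country": "XX", "user": "root", "result": "failed"}
{"ts": "2022-10-01T10:00:03", "src_ip": "203.0.113.5", "country": "XX", "user": "test", "result": "failed"}
{"ts": "2022-10-01T10:00:04", "src_ip": "203.0.113.5", "country": "XX", "user": "admin", "result": "success"}
{"ts": "2022-10-01T11:30:00", "src_ip": "198.51.100.7", "country": "YY", "user": "admin", "result": "failed"}
{"ts": "2022-10-01T12:45:00", "src_ip": "198.51.100.7", "country": "YY", "user": "guest", "result": "failed"}
not json at all
"""

def parse_events(text):
    """Parse JSON-lines events; a corrupt line is skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return events

def summarize(events):
    """The figures the post cites: attempts, successes, unique usernames, countries."""
    return {
        "attempts": len(events),
        "successes": sum(ev["result"] == "success" for ev in events),
        "unique_usernames": len({ev["user"] for ev in events}),
        "countries": len({ev["country"] for ev in events}),
    }

def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs that made at least `threshold` attempts inside any `window`."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        # Sliding window: some run of `threshold` consecutive attempts spans <= window.
        if any(times[j] - times[j - threshold + 1] <= window
               for j in range(threshold - 1, len(times))):
            flagged.add(src)
    return flagged
```

The successful login in the sample is the event worth alerting on: on an isolated honeypot, any success means a credential guess worked and the session should be watched.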
Security professionals are not the only ones versed in using honeypots, with cybercriminals aware that these traps await them. As such, threat actors frequently double-check the authenticity of compromised corporate access advertised underground. To illustrate the phenomenon, the chatter in the following post includes members of a popular Russian-language cybercrime forum discussing VPN access to the networks of a major European courier company.
Specifically, a threat actor (Member 1) with an average reputation advertised the VPN access for $10,000. Another member (Member 2) questioned whether the targeted network is a honeypot instead of a real corporate environment. Member 1 then guaranteed the item was not a honeypot, claiming to have successfully accessed the company’s environment using the VPN connection. Member 2 responded that the targeted networks may look legitimate but may actually be a honeypot within a virtual environment. Member 1 claimed to have accessed the courier company’s packages and surveillance cameras.
Figure 1: Cybercrime forum members debate whether VPN access is a honeypot.
Cybersixgill also collected a post on another Russian-language cybercriminal forum on which a member with an average reputation advertised a tool written in the Go (GoLang) programming language for brute force attacks on the SSH service. According to the forum member, the tool prevents logging onto honeypots and supports custom threading, meaning the user can set the number of threads for brute-force attacks. With such a tool, cybercriminals could launch brute force attacks and avoid honeypots set up by security teams.
Another forum member vouched for the tool, saying it works properly and that the seller provided good support for setup and installation. The seller priced the tool at $25 and directed interested parties to make contact on Telegram.
Figure 2: A forum member advertises an anti-honeypot brute force tool on Exploit.in
Honeypots are a key tool for proactively identifying and defending against potential attacks. By simulating vulnerable systems and capturing the actions of malicious actors, organizations can gain valuable insights into cyber adversaries’ methods and techniques. The data gathered from honeypots can also reveal patterns and trends in attacks, allowing security teams to stay in front of the evolving threat landscape. However, honeypots are only part of the picture. They must be used with other security technologies and best practices, such as multi-factor authentication on all login portals and long and complex passwords to secure corporate accounts.
Organizations must also isolate honeypots from the production network and should never use honeypots as production environments. In addition, honeypots must be continuously monitored to maximize their efficiency, especially in light of attackers’ increasing use of automation and other sophisticated methods. Indeed, organizations must remain vigilant and take a proactive approach to threat detection and response to protect their systems and data.
Cybersixgill automatically aggregates data leaks and alerts customers in real time.