Researchers at Palo Alto Networks' Unit 42 set up a network of 320 honeypots on the Internet and measured how long it took for the services on them to be attacked and compromised. Researchers use such systems as bait for cyber criminals, for example to analyze their methods. The result is not unexpected, but still alarming: after just one day, 80 percent of the honeypots had been compromised.
The honeynet nodes offered the Remote Desktop Protocol (RDP), Secure Shell (SSH), Samba and PostgreSQL databases in equal shares. For the credentials, the security researchers deliberately used weak username-password combinations such as administrator:password. The test ran for 30 days between July and August 2021, with the individual honeypots located in the North American, Asia-Pacific and European regions. After a break-in was detected, or if a machine stopped responding, it was reset to its initial state.
The first successful attack on SSH took around 3 hours, on PostgreSQL 8.5 hours, on RDP 11 hours and on Samba 41 hours. This correlates with the frequency of attacks, the Unit 42 researchers write in their article on the test. The averages hide the real danger: according to the report, the first systems were found and compromised within minutes.
Vulnerable services as a contested resource
There is also a kind of struggle over the compromisable machines. After similarly short intervals, the next attacker turned up and penetrated the honeypots again. According to the Palo Alto researchers, attackers usually tried to remove the leftovers of previous intruders, such as backdoors and malware; in this context they cite crypto-mining gangs, which use the hijacked machines to mine cryptocurrencies such as Bitcoin.
The IT security experts also list the average number of attacker IPs a honeypot saw in the 30 days. Most IPs attacked SSH, namely 179, followed by 50 attacker IPs on RDP, 11 on Samba and 7 on PostgreSQL. Around 85 percent of the observed addresses were active for only one day, so attackers frequently change their source. Firewall filter rules based on lists of known attacking IP addresses are therefore not very effective.
In addition, fewer than a fifth of the IPs were active on several nodes of the honeynet. One attacker, however, stood out from the crowd: within 30 seconds, it took over 96 percent of the 80 PostgreSQL honeypots set up around the world.
Be on your toes
Some recommendations can be derived from the results of this test. Turnaround times of days or weeks for fixing vulnerabilities are too long. This can also be seen in practice, for example with the Exchange updates that many administrators still have not installed, although they have been available since spring this year at the latest and close gaps that attackers are using to break into systems, or with the regular intrusions into networks via VPN software that has not been updated.
Administrators now have to install available security updates very quickly, implement available workarounds where necessary, or reduce the attack surface of services, for example by (partially) shutting them down. It is also advisable to introduce monitoring and to check its results regularly. Exposed services are often active in networks where they are not needed at all; here it helps to simply switch them off. Last but not least, the results also show that good, complex passwords should be used.
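As an added example (not code from the Unit 42 report or from this article), the following Python script runs two checks over a few constructed auth.log-style SSH lines: it measures what share of attacking IPs were active on only one day, which is why static IP blocklists help so little, and it flags brute-force sources as well as password logins that succeed after a burst of failures, the kind of monitoring signal the recommendations above call for. The sample log lines, the five-attempt threshold and the function names are assumptions made for this example.

```python
"""Toy SSH auth-log analysis illustrating the honeypot findings.

Added example, not code from the Unit 42 report or the article. The log
lines below are constructed; the threshold of five failures is an assumed
value, not one taken from the report.
"""
import re
from collections import Counter, defaultdict

# Matches OpenSSH "Failed password" and "Accepted password" lines.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (three days, documentation IP ranges only).
SAMPLE_LOG = """\
Jul 12 03:14:07 hp sshd[1001]: Failed password for root from 198.51.100.7 port 4444 ssh2
Jul 12 03:14:09 hp sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 4445 ssh2
Jul 12 03:14:11 hp sshd[1003]: Failed password for invalid user administrator from 198.51.100.7 port 4446 ssh2
Jul 12 03:14:12 hp sshd[1004]: Failed password for invalid user test from 198.51.100.7 port 4447 ssh2
Jul 12 03:14:14 hp sshd[1005]: Failed password for root from 198.51.100.7 port 4448 ssh2
Jul 12 03:14:16 hp sshd[1006]: Failed password for root from 198.51.100.7 port 4449 ssh2
Jul 12 09:00:01 hp sshd[1010]: Failed password for root from 203.0.113.5 port 5000 ssh2
Jul 12 22:41:33 hp sshd[1020]: Accepted password for root from 198.51.100.7 port 4450 ssh2
Jul 13 01:02:03 hp sshd[1100]: Failed password for invalid user oracle from 192.0.2.44 port 6000 ssh2
Jul 13 01:02:05 hp sshd[1101]: Failed password for invalid user postgres from 192.0.2.44 port 6001 ssh2
Jul 13 11:11:11 hp sshd[1102]: Failed password for root from 203.0.113.5 port 5001 ssh2
Jul 14 04:04:04 hp sshd[1200]: Failed password for root from 203.0.113.9 port 7000 ssh2
"""


def parse_log(text):
    """Return (date, outcome, user, ip) tuples in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date = f"{m['month']} {int(m['day']):02d}"
            events.append((date, m["outcome"], m["user"], m["ip"]))
    return events


def active_days(events):
    """Map each attacking IP to the set of days on which it produced failures."""
    days = defaultdict(set)
    for date, outcome, _user, ip in events:
        if outcome == "Failed":
            days[ip].add(date)
    return days


def single_day_share(events):
    """Fraction of attacking IPs that were active on only one day (the report saw ~85%)."""
    days = active_days(events)
    if not days:
        return 0.0
    return sum(1 for d in days.values() if len(d) == 1) / len(days)


def brute_force_sources(events, threshold=5):
    """(ip, date, failures) for every IP/day pair with at least `threshold` failures."""
    per_day = Counter((ip, date) for date, outcome, _u, ip in events if outcome == "Failed")
    return sorted((ip, date, n) for (ip, date), n in per_day.items() if n >= threshold)


def suspicious_logins(events, threshold=5):
    """Successful password logins from an IP that had already failed >= `threshold` times.

    This is the signal that a weak-credential service was just taken over.
    """
    failures = Counter()
    hits = []
    for date, outcome, user, ip in events:
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((date, ip, user))
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(f"attacking IPs active on a single day: {single_day_share(ev):.0%}")
    print("brute-force sources:", brute_force_sources(ev))
    print("logins after brute force:", suspicious_logins(ev))
```

On the constructed log, three of the four attacking addresses show up on one day only, so a blocklist built from yesterday's attackers would have missed most of today's; the login that succeeds from 198.51.100.7 after six failures is the event worth alerting on, and it would be prevented outright by disabling password authentication where key-based login is possible.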
(UPDATE 11/25/2021 07:05 a.m.)