Honeypot project reveals attackers are turning to automation
Most businesses are seeking to automate the more tedious aspects of their operations, and new research from security analytics company Cybereason shows that attackers are no exception.
The company set up a honeypot system masquerading as a financial services company and introduced security flaws in several stages.
First, usernames and passwords for Remote Desktop Services were leaked on hacker forums; second, additional RDP services with weak passwords were created; and finally other devices were opened up to see which ports got scanned.
The most interesting result came after the RDP services were weakened. This attracted the attention of a bot that performed the groundwork for human attackers, scanning the network and dumping credentials from the machines it compromised. The bot also created new user accounts, so that the attackers would keep their access even if the users of the compromised machines changed their passwords.
The bot carried out these functions in roughly 15 seconds of total activity, though to evade detection it did not do everything at once, spacing its actions over three days. Two days after the bot activity ceased, a human attacker logged in through one of the new user accounts and copied around 3 GB of data from the system.
"The user knew exactly what he was looking for, exactly where he was going," says Ross Rustici, director of intelligence services at Cybereason. "He had a shopping list and was going directly to the files he wanted to exfiltrate. The bot itself also had a lateral movement technique that would have allowed it to spread to the entire network. This isn't necessarily completely new, there are other people scripting things, but the way in which it was implemented makes defending against this type of attack very difficult. It can strike faster than a lot of defensive teams could even recognize the initial breach, so they're playing catch-up; the house is on fire before they have a chance to respond to the first spark."
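The two behaviours described above leave a recognisable trail in Windows Security logs: a burst of account creation, privilege assignment and process launches at script speed, and then, days later, an RDP logon by an account that was created during that burst. The Python below is an added example, not code from Cybereason's research or from the original article. The events are constructed sample records with invented hosts, accounts and addresses, and the thresholds (five audited actions within 15 seconds; an RDP logon by an account created in the previous seven days) are assumptions to be tuned for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (invented hosts, accounts and
# addresses; not data from the research). Event IDs: 4720 = user account
# created, 4624 = successful logon, 4688 = process created, 4672 = special
# privileges assigned. logon_type 10 = RemoteInteractive (RDP). "subject" is
# the account performing the action, "target" the account acted on.
SAMPLE_EVENTS = [
    # Day 1: RDP logon with a leaked credential, then a burst of scripted actions
    {"time": "2024-03-01T02:14:03", "event_id": 4624, "host": "FIN-WS-03",
     "subject": "-", "target": "rdpadmin", "logon_type": 10, "src_ip": "198.51.100.7"},
    {"time": "2024-03-01T02:14:05", "event_id": 4688, "host": "FIN-WS-03",
     "subject": "rdpadmin", "target": "", "logon_type": None, "src_ip": ""},
    {"time": "2024-03-01T02:14:06", "event_id": 4688, "host": "FIN-WS-03",
     "subject": "rdpadmin", "target": "", "logon_type": None, "src_ip": ""},
    {"time": "2024-03-01T02:14:09", "event_id": 4720, "host": "FIN-WS-03",
     "subject": "rdpadmin", "target": "svc_backup2", "logon_type": None, "src_ip": ""},
    {"time": "2024-03-01T02:14:11", "event_id": 4672, "host": "FIN-WS-03",
     "subject": "rdpadmin", "target": "", "logon_type": None, "src_ip": ""},
    {"time": "2024-03-01T02:14:14", "event_id": 4688, "host": "FIN-WS-03",
     "subject": "rdpadmin", "target": "", "logon_type": None, "src_ip": ""},
    # Day 2: the bot repeats a smaller step on a second host (spacing its work)
    {"time": "2024-03-02T03:40:10", "event_id": 4624, "host": "FIN-WS-07",
     "subject": "-", "target": "rdpadmin", "logon_type": 3, "src_ip": "10.20.0.13"},
    {"time": "2024-03-02T03:40:12", "event_id": 4720, "host": "FIN-WS-07",
     "subject": "rdpadmin", "target": "svc_backup2", "logon_type": None, "src_ip": ""},
    # Benign: helpdesk creates a user in business hours; that user logs on at the console
    {"time": "2024-03-02T10:05:00", "event_id": 4720, "host": "DC01",
     "subject": "helpdesk1", "target": "newhire", "logon_type": None, "src_ip": ""},
    {"time": "2024-03-02T10:30:00", "event_id": 4624, "host": "DC01",
     "subject": "-", "target": "newhire", "logon_type": 2, "src_ip": "-"},
    # Day 5: a human operator uses the bot-created account over RDP
    {"time": "2024-03-05T23:12:41", "event_id": 4624, "host": "FIN-WS-03",
     "subject": "-", "target": "svc_backup2", "logon_type": 10, "src_ip": "203.0.113.45"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _actor(event):
    # 4624 carries the logged-on account in "target"; other events in "subject".
    return event["target"] if event["subject"] in ("-", "") else event["subject"]


def machine_speed_bursts(events, window=timedelta(seconds=15), min_events=5):
    """Flag (host, account) pairs that produce min_events or more audited
    actions inside a sliding window. Five logon/account/process events in
    15 s is script speed; an operator at a keyboard is far slower. Returns
    one alert per pair, describing the densest window found."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["host"], _actor(e))].append(_ts(e))
    alerts = []
    for (host, actor), times in by_actor.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= min_events:
            alerts.append({"host": host, "actor": actor, "count": best,
                           "window_start": best_start.isoformat()})
    return alerts


def new_account_rdp_logons(events, max_age=timedelta(days=7)):
    """Pair each account creation (4720) with every RDP logon (4624, type 10)
    by that account within max_age. This is the persistence path in the
    story: the bot makes the account, a human uses it days later."""
    created = {}   # account -> (creation time, creator, host); earliest wins
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4720:
            created.setdefault(e["target"], (_ts(e), e["subject"], e["host"]))
        elif (e["event_id"] == 4624 and e["logon_type"] == 10
              and e["target"] in created):
            t0, creator, created_on = created[e["target"]]
            age = _ts(e) - t0
            if timedelta(0) <= age <= max_age:
                alerts.append({"account": e["target"], "created_by": creator,
                               "created_on": created_on, "logon_host": e["host"],
                               "src_ip": e["src_ip"],
                               "age_hours": round(age.total_seconds() / 3600)})
    return alerts


if __name__ == "__main__":
    for a in machine_speed_bursts(SAMPLE_EVENTS):
        print("BURST  ", a)
    for a in new_account_rdp_logons(SAMPLE_EVENTS):
        print("NEWACCT", a)
```

On the sample, the first rule fires only for rdpadmin on FIN-WS-03 (six events in eleven seconds) and stays quiet for the helpdesk account; the second rule fires once, for svc_backup2 logging on over RDP from an outside address about 117 hours after the bot created it. The three-day spacing the bot used to avoid notice does not help it here, because the correlation is keyed on the account rather than on session timing, which is the point of watching new-account creation as a persistence signal rather than as a one-off event.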
You can find out more about the research findings on the Cybereason blog.