Cybercriminals are constantly looking for new and more sophisticated tools to attack user systems, especially those of professionals and businesses. In many cases, with the aim of stealing money or extorting a ransom, they install components that record the user's behaviour, the credentials entered and the screens shown as they appear. What if the scenario were reversed? That is what two researchers did: using a carefully configured honeypot, they spied on the attackers' activity and captured their data and secrets.
What is a honeypot and what is it for?
A honeypot is a technique that consists of setting up a system or environment that looks vulnerable and is therefore attractive to attackers. Exposed to the Internet, the honeypot is a kind of bait: it presents, for example, a few open communication ports behind which sits an apparently vulnerable server. In simpler cases, the machine is merely protected with a weak password.
The main objective is to attract attackers and monitor their malicious activity in order to study, understand and gather information on the tactics, techniques and procedures they use. A honeypot can be implemented as an isolated computer system or as part of a network, and it can vary in complexity: a simple trap, or a more sophisticated system designed to mimic real servers, services and networks.
Obviously, honeypots must be set up with particular care: the malicious activity that remote parties carry out on the system must not have any effect on the operator's network or on the other systems in its infrastructure. In practice this means isolating the bait from production hosts and restricting its outbound traffic, so that a compromised honeypot cannot be used as a pivot or turned against third parties.
Over 100 hours of video footage show what hackers do to a vulnerable system connected to the Internet
At Black Hat USA 2023, researchers Olivier Bilodeau and Andréanne Bergeron of GoSecure presented the results of their work.
Remote Desktop Protocol (RDP) is a critical attack vector used every day by a large number of attackers. Exploiting exposed Remote Desktop services, whether through vulnerable implementations or simply weak credentials, is one of cybercriminals' favourite "sports".
With the express intent of studying attacks on RDP, Bilodeau and Bergeron developed PyRDP, an open-source RDP interception tool that sits between the client and the server and records transferred files, keystrokes, mouse activity, clipboard content and what is shown on the screen from one moment to the next. PyRDP is available on GitHub, and anyone can review and improve it.
The researchers then built a honeypot by deploying several Windows RDP servers exposed to the Internet. The systems ran for three years, accumulating more than 150 million events in that time, including 100 hours of video footage, 570 files collected from threat actors and more than 20,000 RDP sessions.
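A honeypot sensor does not need the full capabilities of PyRDP to learn something from the very first packet an attacker sends. The following script is an added example written for this article, not code from GoSecure or from PyRDP. It builds and decodes the X.224 Connection Request that opens every RDP session (a TPKT header, the X.224 CR TPDU, the optional "Cookie: mstshash=" routing cookie that most clients fill with the login name being tried, and the RDP Negotiation Request whose flags say whether the client asks for TLS or CredSSP/NLA), and turns it into a log record of the kind the researchers accumulated by the million. The sample packet is constructed inline, the function and field names are the example's own, and the listener only runs if you uncomment it and pick a port you are allowed to bind.

```python
"""Decode the first packet of an RDP session the way a honeypot sensor would.

Every RDP connection opens with a client X.224 Connection Request wrapped in a
TPKT header (MS-RDPBCGR 2.2.1.1).  Before any authentication it already leaks the
routing cookie "Cookie: mstshash=<user>" (usually the login name) and the
requestedProtocols flags (legacy RDP security, TLS, or CredSSP/NLA).
Example code written for this article; not part of PyRDP.
"""
import asyncio
import struct

# requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security only
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (Network Level Authentication)
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008
_PROTOCOL_BITS = [(PROTOCOL_SSL, "TLS"), (PROTOCOL_HYBRID, "CredSSP"),
                  (PROTOCOL_RDSTLS, "RDSTLS"), (PROTOCOL_HYBRID_EX, "CredSSP-EX")]


def build_connection_request(cookie_user=None, requested_protocols=None):
    """Assemble a client Connection Request; used here only to make constructed samples."""
    variable = b""
    if cookie_user is not None:
        variable += b"Cookie: mstshash=" + cookie_user.encode("ascii") + b"\r\n"
    if requested_protocols is not None:
        # TYPE_RDP_NEG_REQ (0x01), flags, length (always 8), requestedProtocols; little-endian
        variable += struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: LI counts the bytes after it; code 0xE0; DST-REF; SRC-REF; class option
    x224 = struct.pack(">BBHHB", 6 + len(variable), 0xE0, 0, 0, 0) + variable
    # TPKT: version 3, reserved, total length including this 4-byte header; big-endian
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def protocol_names(flags):
    """Human-readable names for a requestedProtocols value."""
    if flags == PROTOCOL_RDP:
        return ["RDP"]
    names = [name for bit, name in _PROTOCOL_BITS if flags & bit]
    unknown = flags & ~sum(bit for bit, _ in _PROTOCOL_BITS)
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def parse_connection_request(data):
    """Return the fields of a client Connection Request, or raise ValueError."""
    if len(data) < 11:
        raise ValueError("shorter than TPKT + X.224 CR fixed part")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("bad TPKT header")
    li, code = data[4], data[5]
    if code != 0xE0 or 5 + li != len(data):
        raise ValueError("not a well-formed X.224 Connection Request")
    variable = data[11:]           # everything after LI, code, DST-REF, SRC-REF, class
    cookie_user = None
    prefix = b"Cookie: mstshash="
    if variable.startswith(prefix):
        end = variable.find(b"\r\n")
        if end < 0:
            raise ValueError("routing cookie without CR LF terminator")
        cookie_user = variable[len(prefix):end].decode("ascii", "replace")
        variable = variable[end + 2:]
    requested = None
    if variable[:1] == b"\x01":    # RDP Negotiation Request present
        if len(variable) < 8:
            raise ValueError("truncated RDP Negotiation Request")
        _type, _flags, length, requested = struct.unpack("<BBHI", variable[:8])
        if length != 8:
            raise ValueError("RDP Negotiation Request with bad length")
        variable = variable[8:]
    return {
        "cookie_user": cookie_user,
        "requested_protocols": requested,
        "protocol_names": protocol_names(requested) if requested is not None else [],
        "nla_requested": bool(requested and requested & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)),
        "trailing_bytes": len(variable),
    }


def connection_event(peer, data):
    """Turn the first packet from a peer into the kind of record a sensor logs."""
    event = {"peer": peer, "bytes": len(data)}
    try:
        event.update(parse_connection_request(data))
        event["kind"] = "rdp_connection_request"
    except ValueError as exc:
        event["kind"] = "not_rdp"
        event["reason"] = str(exc)
    return event


async def _handle(reader, writer):
    peer = writer.get_extra_info("peername")
    data = await reader.read(1024)   # the Connection Request is the first thing a client sends
    print(connection_event(peer[0] if peer else "?", data))
    writer.close()


async def serve(host="0.0.0.0", port=3389):
    """Accept connections like a bare RDP listener, log the opening packet, then hang up."""
    server = await asyncio.start_server(_handle, host, port)
    async with server:
        await server.serve_forever()


# Constructed sample: a client trying user "admin" and asking for TLS + CredSSP (NLA).
SAMPLE_REQUEST = (bytes.fromhex("0300002b" "26e00000000000")
                  + b"Cookie: mstshash=admin\r\n"
                  + bytes.fromhex("0100080003000000"))

if __name__ == "__main__":
    print(connection_event("203.0.113.7", SAMPLE_REQUEST))
    # asyncio.run(serve(port=3389))  # uncomment to listen; port 3389 needs privileges
```

Even this single packet separates scanners that never send a cookie from brute-force tools that cycle through user names, and clients that refuse NLA from those that request it; a real deployment would continue the handshake (or hand the connection to PyRDP) and record the rest of the session.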
To describe the attackers' behaviour, the researchers enjoyed drawing analogies with characters from the famous fantasy role-playing game Dungeons & Dragons. The presentation at Black Hat thus drew up a precise profile of the various shady figures the honeypot had to deal with.
The honeypot reveals a truly diverse hacker community
Over the three-year project, Bilodeau and Bergeron were able to note down (and have now disclosed) the instruments that make up the cybercriminals' "toolbox": dControl, xDedic RDP Patch, NLBrute, Masscan, SilverBullet, various mechanisms for disabling security software, and previously undocumented host-fingerprinting tools. They also showed some particularly telling video recordings of the attackers at work.
The pair said that some of the attackers who found their way into the honeypot proved to have very advanced skills, while others seemed improvised and completely inexperienced. Some behaved strangely: one person logged into the machine, changed the desktop background and logged out; another wrote "lol" before covering their tracks and leaving, probably having worked out right away what was going on behind the scenes.
Opening image credit: iStock.com/da-kuk