RDP Honeypot Targeted 3.5 Million Times in Brute-force Attacks

Cyber Security Threat Summary:
Researchers using a Remote Desktop Protocol honeypot found that exposed connections are so attractive to attackers that they were targeted around 37,000 times a day from various IP addresses. The attacks are completely automated, but once the right access credentials are found via brute-forcing, attackers manually begin looking for important or sensitive files.

“An experiment using high-interaction honeypots with an RDP connection accessible from the public web shows how relentless attackers are and that they operate within a daily schedule very much like working office hours. Over three months, the researchers at GoSecure, a threat hunting and response company with headquarters in the U.S. and Canada, recorded close to 3.5 million login attempts to their RDP honeypot system. Andreanne Bergeron, a cybersecurity researcher at GoSecure, explained at the NorthSec cybersecurity conference in Montreal, Canada, that the honeypots are linked to a research program that aims to understand attacker strategies that could be translated into prevention advice” (Bleeping Computer, 2023).

The honeypot used by the researchers has been functioning on and off for more than three years, but the bulk of the data represents only three months between July 1st and September 30th, 2022. During this window, the honeypot was attacked 3.5 million times from more than 1,500 IP addresses. For the entire year, the researchers saw 13 million login attempts.

Security Officer Comments:
To entice attacks, the researchers named the system as if it were part of a bank’s network. Most attacks were automated brute-force attempts using multiple dictionaries; the most common username was “Administrator”, along with variations in length (shortened forms), language, and letter case. In a smaller subset of attacks, roughly 60,000 cases, the attackers performed reconnaissance to find a valid username before attempting access. The researchers explained that three unusual usernames among the top 12 attempted were related to the honeypot system itself (the names of the RDP certificate, the host, and the hosting provider). The presence of these names in the top 12 tried login names indicates that at least some of the attackers did not blindly test credential pairs but gathered information about the victim first.

The researchers explained that the honeypot collected hashes of the passwords and that they were able to recover the weaker ones. The results showed that the most common strategy was to use a variation of the RDP certificate name, followed by variants of the word ‘password’ and a simple string of up to ten digits. One interesting observation when correlating these statistics with the attacking IP addresses is that the RDP certificate name was used exclusively in login attempts from IPs in China (98%) and Russia (2%). The researchers did note that the IP addresses do not necessarily mean the attackers are located in those two countries; they could be using infrastructure in those two regions. Another observation is that a sizeable share of attackers (15%) combined thousands of passwords with just five usernames.

The activity seemed to form daily patterns, with the attackers taking various breaks. Many activity chunks span over four hours and up to eight, although some sessions were as long as 13 hours. This suggests human intervention, at least for launching the attacks, and appears to follow a schedule of some sort. Adding weight to this observation is the fact that the brute force activity stopped during weekend days, possibly suggesting that the attackers are treating the hacking activity like a regular job. In one example, the researchers noticed an eight-hour gap between attacks and inferred that it could indicate an attacker working in shifts.
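The observations above (bursts of failures from one source, many usernames per IP, host-specific names used as logins, and activity clustered into working hours) can be turned into a simple detection over authentication logs. The following is an added example written for this summary, not GoSecure's code; the log lines, the host-specific names and the thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of RDP authentication events (not real honeypot data):
# "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2022-07-04T08:01:12 203.0.113.7 Administrator FAIL
2022-07-04T08:01:13 203.0.113.7 administrator FAIL
2022-07-04T08:01:14 203.0.113.7 Admin FAIL
2022-07-04T08:01:15 203.0.113.7 bank-rdp-01 FAIL
2022-07-04T08:01:16 203.0.113.7 admin FAIL
2022-07-04T08:01:17 203.0.113.7 admin SUCCESS
2022-07-04T09:30:00 198.51.100.9 alice FAIL
2022-07-04T13:15:00 198.51.100.9 alice SUCCESS
"""

# Hypothetical names identifying this host (hostname, RDP certificate name);
# an attacker trying them as usernames has gathered information about the target first.
HOST_SPECIFIC_NAMES = {"bank-rdp-01", "bank-rdp-cert"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def profile_sources(events, fail_threshold=5, user_threshold=3):
    """Per source IP: failures, distinct usernames, active hours, whether a
    success followed a burst of failures, and whether a host-specific name was tried."""
    raw = defaultdict(lambda: {"fails": 0, "users": set(), "hours": set(), "pwned": False})
    for ts, ip, user, result in events:
        s = raw[ip]
        s["hours"].add(ts.hour)
        if result == "FAIL":
            s["fails"] += 1
            s["users"].add(user)
        elif s["fails"] >= fail_threshold:   # success right after a brute-force burst
            s["pwned"] = True
    report = {}
    for ip, s in raw.items():
        report[ip] = {
            "fails": s["fails"],
            "distinct_users": len(s["users"]),
            "active_hours": sorted(s["hours"]),
            "brute_force": s["fails"] >= fail_threshold or len(s["users"]) >= user_threshold,
            "targeted_recon": bool(s["users"] & HOST_SPECIFIC_NAMES),
            "compromised": s["pwned"],
        }
    return report
```

Aggregating `active_hours` per source over several days is what exposes the office-hours and weekend pattern described above; a source flagged `compromised` is the one whose later manual activity on the host deserves immediate review.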

Suggested Correction(s):
While the large volume of attacks was due to the researchers configuring the honeypot with an “admin/admin” credential pair, this experiment highlights the importance of changing the default passwords for any device exposed to the Internet. The actual honeypot used in the experiment contained no data, so only around 25% of attackers took the time to explore the machine for important files. The next step of the research would be to fill the server with fake corporate files and monitor the attackers’ movements and actions.

Changing default passwords is an important step to preventing brute-force and password attacks. Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including credential stuffing and password spraying, with analysis by Microsoft suggesting that it would have stopped 99.9% of account compromises. As such, it should be implemented wherever possible; however, depending on the audience of the application, it may not be practical or feasible to enforce the use of MFA.

In order to balance security and usability, multi-factor authentication can be combined with other techniques that require the second factor only in specific circumstances where there is reason to suspect that the login attempt may not be legitimate, such as a login from:

  • A new browser/device or IP address.
  • An unusual country or location.
  • Specific countries that are considered untrusted.
  • An IP address that appears on known block lists.
  • An IP address that has tried to log in to multiple accounts.
  • A login attempt that appears to be scripted rather than manual.


Additionally, for enterprise applications, known trusted IP ranges could be added to an allow list so that MFA is not required when users connect from these ranges.
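The risk-based MFA rules listed above, including the enterprise allow list, can be expressed as a single policy decision per login attempt. This is an added illustration for this summary, not code from the article or from any vendor; the policy values, the user profile, the per-IP account counts and the `scripted` flag (assumed to come from a separate bot-detection signal) are all constructed.

```python
import ipaddress

# Constructed policy for one application (hypothetical values, not from the article).
POLICY = {
    "trusted_ranges": ["10.20.0.0/16"],            # enterprise allow list: MFA skipped
    "untrusted_countries": {"XX"},                 # placeholder country code
    "blocklist": {"203.0.113.7"},                  # IPs from a known block list
    "multi_account_threshold": 3,                  # distinct accounts tried from one IP
}

# Accounts each source IP has recently tried to log in to (constructed).
ACCOUNTS_TRIED_BY_IP = {"198.51.100.9": {"alice", "bob", "carol"}}

# Per-user profile built from previous successful logins (constructed).
PROFILE = {"known_devices": {"dev-42"}, "known_ips": {"192.0.2.10"}, "usual_countries": {"CA"}}

def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def mfa_decision(login, profile, policy, accounts_tried_by_ip):
    """Return (require_second_factor, reasons) for a login attempt.
    `login` has keys: ip, device_id, country, scripted (bot-detection signal, assumed)."""
    if in_ranges(login["ip"], policy["trusted_ranges"]):
        return False, ["trusted enterprise range"]
    reasons = []
    if login["device_id"] not in profile["known_devices"] or login["ip"] not in profile["known_ips"]:
        reasons.append("new device or IP address")
    if login["country"] not in profile["usual_countries"]:
        reasons.append("unusual country")
    if login["country"] in policy["untrusted_countries"]:
        reasons.append("untrusted country")
    if login["ip"] in policy["blocklist"]:
        reasons.append("IP on block list")
    if len(accounts_tried_by_ip.get(login["ip"], ())) >= policy["multi_account_threshold"]:
        reasons.append("IP tried multiple accounts")
    if login["scripted"]:
        reasons.append("scripted login attempt")
    return bool(reasons), reasons
```

Returning the list of reasons alongside the decision lets the application log why a second factor was demanded, which is useful both for tuning thresholds and for investigating the brute-force sources that triggered them.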

Link(s):
https://www.bleepingcomputer.com/news/security/rdp-honeypot-targeted-35-million-times-in-brute-force-attacks/