Cloud Honeypots Planted by Researchers Compromised in Minutes

Researchers who deployed hundreds of honeypots packed with cloud service apps were shocked at how quickly they were compromised. Within 30 seconds, for example, 96 percent of 80 database instances around the world were compromised by just one threat actor.

Although misconfigured and exposed cloud storage buckets have been a well-known cybersecurity vulnerability for years, new research from Palo Alto Networks, a Microsoft technical partner, tackles less-publicized attacks against services running in public clouds, trying to gain a better understanding of them.

The research was conducted by the Unit 42 Threat Intelligence team at Palo Alto, which last summer created a global honeypot infrastructure of 320 nodes that were populated with multiple instances of remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database. Some 80 percent of the honeypots were compromised within 24 hours and all were compromised within a week.

"The speed of vulnerability management is usually measured in days or months," the company said in announcing the research last month. "The fact that attackers could find and compromise our honeypots in minutes was shocking. This research demonstrates the risk of insecurely exposed services."

The research measured mean time-to-first-compromise, mean time-between-compromise, number of attacker IPs observed in a honeypot, number of days an attacker IP was observed and many other metrics.

"An insecurely exposed service is one of the most commonly seen misconfigurations in cloud environments," Palo Alto said. "These services are discoverable on the internet and can pose a significant risk to cloud workloads in the same infrastructure. Notorious ransomware groups such as REvil and Mespinoza are known to exploit exposed services to gain initial access to victims' environments."

Researchers found many differences in the attacks, varying with the type of service, including how quickly they were compromised for the first time, with SSHD being compromised in a mean time of 184 minutes, while the mean time for the first Samba (SMB) service compromises was 2,485 minutes:

Mean Time-to-First-Compromise
[Click on image for larger view.] Mean Time-to-First-Compromise (source: Palo Alto Networks).

Palo Alto highlighted these findings:

  • SSH was the most attacked application. The number of attackers and compromising events was much higher than for the other three applications.
  • The most attacked SSH honeypot was compromised 169 times in a single day.
  • On average, each SSH honeypot was compromised 26 times daily.
  • One threat actor compromised 96 percent of our 80 Postgres honeypots globally within 30 seconds.
  • 85 percent of the attacker IPs were observed only on a single day. This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks. A list of malicious IPs created today will likely become outdated tomorrow.

While exposed storage buckets may have gotten more publicity, the company said that the exposed service problem was made worse by the agility of today's cloud infrastructure management, which can quicken the creation and replication of such misconfigurations.

To help organizations combat threat actors, Palo Alto suggested several strategies that leverage cloud-native approaches with various products, unsurprisingly including the company's own wares:

"The research highlights the risk and severity of such misconfigurations," Palo Alto concluded. "When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment."

About the Author

David Ramel is an editor and writer for Converge360.