Cloud Honeypots Planted by Researchers Compromised in Minutes

Researchers who deployed hundreds of honeypots packed with cloud service apps were shocked at how quickly they were compromised. Within 30 seconds, for example, 96 percent of 80 database instances around the world were compromised by just one threat actor.

Although misconfigured and exposed cloud storage buckets have been a well-known cybersecurity vulnerability for years, new research from Palo Alto Networks, a Microsoft technical partner, looks at the less-publicized problem of attacks against services running in public clouds, aiming to understand them better.

The research was conducted by the Unit 42 Threat Intelligence team at Palo Alto, which last summer created a global honeypot infrastructure of 320 nodes that were populated with multiple instances of remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database. Some 80 percent of the honeypots were compromised within 24 hours and all were compromised within a week.

"The speed of vulnerability management is usually measured in days or months," the company said in announcing the research last month. "The fact that attackers could find and compromise our honeypots in minutes was shocking. This research demonstrates the risk of insecurely exposed services."

The research measured mean time-to-first-compromise, mean time-between-compromise, number of attacker IPs observed in a honeypot, number of days an attacker IP was observed and many other metrics.

"An insecurely exposed service is one of the most commonly seen misconfigurations in cloud environments," Palo Alto said. "These services are discoverable on the internet and can pose a significant risk to cloud workloads in the same infrastructure. Notorious ransomware groups such as REvil and Mespinoza are known to exploit exposed services to gain initial access to victims' environments."

Researchers found that the attacks varied considerably with the type of service, including how quickly each service was compromised for the first time: the mean time-to-first-compromise for SSHD was 184 minutes, while for the Samba (SMB) service it was 2,485 minutes:

[Figure: Mean Time-to-First-Compromise (source: Palo Alto Networks).]

Palo Alto highlighted these findings:

  • SSH was the most attacked application. The number of attackers and compromising events was much higher than for the other three applications.
  • The most attacked SSH honeypot was compromised 169 times in a single day.
  • On average, each SSH honeypot was compromised 26 times daily.
  • One threat actor compromised 96 percent of our 80 Postgres honeypots globally within 30 seconds.
  • 85 percent of the attacker IPs were observed only on a single day. This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks. A list of malicious IPs created today will likely become outdated tomorrow.
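The metrics the research measured (time-to-first-compromise, time-between-compromise, attacker IPs per honeypot, days an attacker IP was observed) and the single-day-IP observation behind the blocklist finding above can be computed from an ordinary honeypot connection log. The following is an added example, not Unit 42's code or data: the honeypot names, deployment times, attacker IPs (drawn from RFC 5737 documentation ranges) and timestamps are all constructed for illustration, and the event format is an assumption.

```python
"""Honeypot exposure metrics computed from a constructed event log.

Added example, not Unit 42's code or data. Honeypot names, IPs and
timestamps below are constructed; the event tuple layout is an assumption.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed deployment times per honeypot (ISO 8601, UTC assumed).
DEPLOYED = {
    "hp-ssh-01": "2021-07-01T00:00:00",
    "hp-ssh-02": "2021-07-01T00:00:00",
    "hp-pg-01": "2021-07-01T00:00:00",
}

# Constructed events: (timestamp, honeypot, service, attacker_ip, event).
# "probe" is a connection or authentication attempt, "compromise" a successful login.
EVENTS = [
    ("2021-07-01T00:00:25", "hp-pg-01", "postgres", "198.51.100.7", "compromise"),
    ("2021-07-01T01:12:00", "hp-ssh-01", "ssh", "203.0.113.5", "probe"),
    ("2021-07-01T03:04:00", "hp-ssh-01", "ssh", "203.0.113.5", "compromise"),
    ("2021-07-01T09:30:00", "hp-ssh-01", "ssh", "203.0.113.9", "compromise"),
    ("2021-07-01T21:30:00", "hp-ssh-01", "ssh", "198.51.100.22", "compromise"),
    ("2021-07-02T02:00:00", "hp-ssh-02", "ssh", "203.0.113.5", "compromise"),
    ("2021-07-02T14:00:00", "hp-ssh-02", "ssh", "192.0.2.44", "compromise"),
    ("2021-07-03T05:00:00", "hp-ssh-02", "ssh", "192.0.2.45", "probe"),
]


def _minutes(delta):
    return delta.total_seconds() / 60


def compromises_by_honeypot(events=EVENTS):
    """Sorted compromise timestamps per honeypot; probes are excluded."""
    out = defaultdict(list)
    for ts, hp, _svc, _ip, ev in events:
        if ev == "compromise":
            out[hp].append(datetime.fromisoformat(ts))
    return {hp: sorted(times) for hp, times in out.items()}


def time_to_first_compromise(events=EVENTS, deployed=DEPLOYED):
    """Minutes from deployment to first compromise; never-compromised honeypots are omitted."""
    return {
        hp: _minutes(times[0] - datetime.fromisoformat(deployed[hp]))
        for hp, times in compromises_by_honeypot(events).items()
    }


def mean_time_between_compromise(events=EVENTS):
    """Mean gap in minutes between consecutive compromises, for honeypots hit at least twice."""
    result = {}
    for hp, times in compromises_by_honeypot(events).items():
        if len(times) >= 2:
            result[hp] = mean(_minutes(b - a) for a, b in zip(times, times[1:]))
    return result


def attacker_ips_per_honeypot(events=EVENTS):
    """Number of distinct source IPs (probes and compromises) seen by each honeypot."""
    ips = defaultdict(set)
    for _ts, hp, _svc, ip, _ev in events:
        ips[hp].add(ip)
    return {hp: len(s) for hp, s in ips.items()}


def days_observed_per_ip(events=EVENTS):
    """Set of calendar days on which each attacker IP appeared anywhere in the fleet."""
    days = defaultdict(set)
    for ts, _hp, _svc, ip, _ev in events:
        days[ip].add(datetime.fromisoformat(ts).date())
    return days


def single_day_ip_fraction(events=EVENTS):
    """Share of attacker IPs seen on exactly one day (the article reports 85 percent)."""
    days = days_observed_per_ip(events)
    return sum(1 for d in days.values() if len(d) == 1) / len(days)


def blocklist_reuse_rate(day, events=EVENTS):
    """Fraction of IPs seen on `day` that reappear on any later day.

    This is what a Layer 3 blocklist built from one day's honeypot data would
    still catch afterwards; a low value means the list goes stale quickly.
    """
    day = date.fromisoformat(day)
    days = days_observed_per_ip(events)
    seen_today = [ip for ip, d in days.items() if day in d]
    if not seen_today:
        return 0.0
    reused = sum(1 for ip in seen_today if any(d > day for d in days[ip]))
    return reused / len(seen_today)


if __name__ == "__main__":
    print("time-to-first-compromise (min):", time_to_first_compromise())
    print("mean time-between-compromise (min):", mean_time_between_compromise())
    print("attacker IPs per honeypot:", attacker_ips_per_honeypot())
    print("single-day IP fraction:", round(single_day_ip_fraction(), 3))
    print("reuse of IPs seen on 2021-07-01:", blocklist_reuse_rate("2021-07-01"))
```

On the constructed data, only one of the four IPs seen on the first day returns later, which is the effect the finding describes: a blocklist assembled from one day's observations covers little of the next day's traffic, so exposure control (not reachable from the internet in the first place) does more than IP filtering.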

While exposed storage buckets may have gotten more publicity, the company said that the exposed service problem was made worse by the agility of today's cloud infrastructure management, which can quicken the creation and replication of such misconfigurations.

To help organizations combat threat actors, Palo Alto suggested several strategies that leverage cloud-native approaches with various products, unsurprisingly including the company's own wares.

"The research highlights the risk and severity of such misconfigurations," Palo Alto concluded. "When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment."

About the Author

David Ramel is an editor and writer for Converge360.
