Imagine having a front-row seat to observe hackers infiltrate computers, manipulate systems, and execute their cyber exploits. This unique vantage point was achieved by two security researchers who harnessed the power of a vast network of honeypot computers designed to attract hackers.
Creating a Virtual Playground for Hackers
In their groundbreaking study, these researchers strategically positioned several vulnerable Windows servers on the internet, equipped with Remote Desktop Protocol (RDP) access. This setup allowed hackers to gain remote control over these servers, essentially granting them unrestricted navigation and manipulation capabilities.
Amassing a Wealth of Insights
The deployment of these honeypots yielded astonishing results. A staggering 190 million events were recorded, accompanied by over 100 hours of video footage. Hackers’ actions ranged from initial reconnaissance to executing a variety of malicious activities. These activities encompassed installing cryptocurrency mining malware, engaging in click fraud through Android emulators, brute-forcing passwords on other systems, masking their identities by launching subsequent attacks from the honeypot, and even engaging in inappropriate activities like viewing explicit content. Notably, a single successful hacker login could generate numerous events.
Surveillance Beyond Expectations
Andréanne Bergeron, a cybersecurity expert with a Ph.D. in criminology from the University of Montreal, emphasized the comprehensive nature of the data collected, likening it to a surveillance system dedicated to RDP activity. Bergeron, alongside her colleague Olivier Bilodeau, works with cybersecurity firm GoSecure and presented their findings at the Black Hat cybersecurity conference in Las Vegas.
Classifying Hackers Based on Behavior
Bergeron and Bilodeau introduced a fascinating classification system for hackers, drawing parallels with Dungeons and Dragons character archetypes.
1. Rangers: Stealthy Observers
The “Rangers,” as dubbed by the researchers, were careful and methodical. They explored the compromised computers in detail, occasionally altering passwords, before withdrawing. This cautious behavior hinted at an intention to assess the system for future, potentially more extensive, attacks.
2. Barbarians: Brute Force Tacticians
The “Barbarians” used the compromised honeypot systems to launch brute-force attacks against other systems. Armed with lists of leaked usernames and passwords, these hackers used tools such as Masscan to scan internet-facing ports for potential targets.
3. Wizards: Trail Concealers
“Wizards” employed the honeypot as a springboard to access additional computers. Their primary objective was to obscure their tracks and the true origin of their attacks. This behavior allows defending teams to gather intelligence on these hackers and gain deeper insight into the infrastructure they have already compromised.
4. Thieves: Monetization Masters
The “Thieves” had clear motives: exploiting their access to the honeypots for monetary gain. This was done by installing cryptocurrency miners, engaging in click fraud, or even selling access to the honeypot itself to fellow hackers.
5. Bards: Novice Intruders
The “Bards” exhibited minimal hacking skills. These individuals utilized the honeypots to conduct Google searches for malware and even indulged in activities like watching explicit content. Some even accessed honeypots using mobile phones, potentially to evade monitoring in their home countries.
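As an added example that is not part of the article or of GoSecure's own tooling, the script below triages recorded RDP honeypot sessions into the five archetypes described above using simple behavioral rules; the session-log format, the process names and the rule ordering are all assumptions, and the sample log is constructed.

```python
"""Heuristic triage of recorded RDP honeypot sessions into the five archetypes.
Constructed example, not GoSecure's code; log format and rules are assumptions."""
import re
from collections import defaultdict

# Constructed sample log, one event per line: "<session> <event_type> <detail>"
SAMPLE_LOG = """\
s1 proc cmd.exe whoami
s1 proc cmd.exe systeminfo
s1 proc cmd.exe net user Administrator NewPassw0rd
s1 disconnect -
s2 proc masscan.exe -p3389 203.0.113.0/24
s2 netconn tcp 203.0.113.5:3389
s3 proc mstsc.exe /v:198.51.100.7
s3 netconn tcp 198.51.100.7:3389
s4 proc xmrig.exe -o pool.invalid:3333
s5 proc chrome.exe https://www.google.com/search?q=malware+download
"""

# (archetype, event type, regex on detail); first match wins, ordered by impact.
RULES = [
    ("barbarian", "proc", r"\b(masscan|nmap|hydra|ncrack)\b"),      # scan/brute-force tooling
    ("wizard",    "proc", r"\bmstsc\.exe\b"),                        # pivoting via RDP client
    ("thief",     "proc", r"\b(xmrig|minerd|nox|bluestacks)\b"),     # miners, Android emulators
    ("bard",      "proc", r"\b(chrome|firefox|msedge)\.exe\b"),      # casual browsing
]
RECON = re.compile(r"\b(whoami|systeminfo|ipconfig|net (user|view)|tasklist|query user)\b")

def parse_log(text):
    """Group 'session type detail' lines by session id, preserving order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            sid, etype, detail = line.split(" ", 2)
            sessions[sid].append((etype, detail))
    return sessions

def classify_session(events):
    """Return the archetype for one session, or 'unknown' when no rule applies."""
    for name, etype, pattern in RULES:
        if any(e == etype and re.search(pattern, d, re.I) for e, d in events):
            return name
    procs = [d for e, d in events if e == "proc"]
    outbound = [d for e, d in events if e == "netconn"]
    if any(d.endswith(":3389") for d in outbound):
        return "wizard"   # outbound RDP from the honeypot with no known client binary
    if procs and not outbound and all(RECON.search(d) for d in procs):
        return "ranger"   # only looked around (maybe changed a password) and left
    return "unknown"

def triage(text):
    """Map every session in the log to an archetype."""
    return {sid: classify_session(ev) for sid, ev in parse_log(text).items()}
```

Each session's verdict can be attached to the IoCs extracted from that session so a blue team knows which class of attacker they are dealing with.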
Valuable Insights for Security Ecosystem
Bergeron and Bilodeau highlighted the significance of their research not only for fellow researchers but also for law enforcement and cybersecurity defense teams, commonly referred to as blue teams.
Enhancing Law Enforcement and Cybersecurity Defenses
Looking ahead, the researchers proposed that law enforcement agencies could lawfully intercept RDP environments exploited by ransomware groups, since the intelligence gathered from recorded sessions could significantly aid investigations. Blue teams could likewise use these insights to improve their threat mitigation. By ingesting the Indicators of Compromise (IoCs) collected from the honeypots, they could proactively deploy their own traps and harden their organizations against opportunistic attacks.
Forcing a Tactical Shift
Furthermore, the researchers predicted that hackers, upon suspecting that the servers they target might be honeypots, would be compelled to alter their tactics. The potential risks of exposure would trigger a reassessment of their actions, potentially slowing down their activities. Ultimately, this shift in hacker behavior would be advantageous for the entire cybersecurity landscape.
The experiment conducted by Andréanne Bergeron and Olivier Bilodeau unveiled a new dimension in understanding hackers’ behavior. Their innovative approach, involving honeypots, provided unprecedented access to observe hackers across different profiles. This research not only enriches the knowledge of cybersecurity experts but also offers valuable insights for law enforcement and defensive teams. As the digital battlefield continues to evolve, such observations could play a pivotal role in shaping more robust cybersecurity strategies.