Researchers Observe A Hacker Spend 100 Hours Compromising Honeypot Computers

Posted on August 9, 2023 at 5:02 PM

Two security researchers watched a hacker take control of a computer and run a malicious campaign from it. The researchers had built a large network of computers as a honeypot to lure threat actors.

Researchers deploy exposed Windows servers to trick hackers

The researchers behind this study exposed several Windows servers to the internet with Remote Desktop Protocol (RDP) enabled. RDP gave the hackers remote control of the compromised server as if they were ordinary users sitting at the machine: once in, they could type and click.

The honeypots also allowed the security researchers to record 190 million events and 100 hours of video footage of these hackers taking over the servers and conducting several malicious campaigns. The campaigns included installing malware to mine cryptocurrencies, click fraud, and brute-forcing passwords for other devices.

The setup also let the hackers use the honeypot as a starting point for further attacks while hiding their identities. According to the researchers, a single hacker who successfully logged into the honeypot could generate tens of events on their own.

Andréanne Bergeron said that the research was similar to having a surveillance camera for the RDP system. The two security researchers presented their findings during the Black Hat 2023 Conference in Las Vegas.

Hackers had different techniques and behavior

The researchers said that the hackers behind the campaign were classified into different categories.

A blog post published by the researchers said that the “Rangers” category of hackers evaluated the compromised system so that another profile of attackers could later carry out a follow-up attack.

The “Barbarians” category, on the other hand, used the compromised honeypot computers to run brute-forcing campaigns with known usernames and passwords. A third category, the “Wizards,” used the honeypot as a stepping stone to connect to other computers, hiding their activity and the origin of their attacks.

The researchers also said that security teams can collect threat intelligence from these hackers to gain deeper insight into the compromised systems. They noted another category of threat actors, the “Thieves,” who had clear objectives to monetize their access to the honeypots.

The “Thieves” monetize their hacking by installing cryptocurrency miner programs, by conducting click fraud that generates fake traffic to websites they control, and by selling access to the honeypot to other hackers to maximize their income.

The “Bards” category of hackers has limited or no skills. These hackers used the honeypots to run Google searches for malware. Some also connected to the honeypots from cell phones rather than desktops or laptops.

The two security researchers also said that in some cases, the hackers used the compromised computers to download content banned or censored in their country of origin.

In one of the instances, a threat actor was downloading banned content while sending it to himself through Telegram. As such, this hacker managed to circumvent the restrictions in their country.

Speaking to TechCrunch, one of the researchers said that the threat actor downloaded the prohibited content to the honeypot and later retrieved it through Telegram from an internet café. The hacker could then copy the data onto USB keys and sell the same content to others.

The researchers also said that observing how hackers interact with honeypots can help cybersecurity researchers who want to safeguard their systems. The same research can also benefit law enforcement and cybersecurity research teams.

The blog post by these security researchers also said that law enforcement could intercept the RDP environments used by hacker groups, gather intelligence from the recorded sessions, and use it to run investigations and identify the perpetrators behind a hacking campaign.

“Blue teams, for their part, can consume the [Indicators of Compromise] and roll out their own traps in order to further protect their organization, as this will give them extensive documentation of opportunistic attackers’ tradecraft,” the researchers said.

The use of honeypots might also cause a ripple effect. Hackers who suspect that the servers they have compromised could be honeypots are forced to change their strategies and to weigh whether the risk of being detected is worth it. The researchers said this suspicion might slow down hacking activity, which would eventually benefit everyone.

Publisher: KoDDoS Blog