Research Brief: How Hackers Attack Misconfigured Cloud, Internet Services
How important are proper cloud security posture management (CSPM), patch management and vulnerability management services from MSSPs?
The simple answer is this: Hackers can typically exploit misconfigurations and vulnerabilities to attack services within minutes, according to a honeypot-oriented test by Palo Alto Networks’ Unit 42 researchers.
Keeping in mind that notorious ransomware groups such as REvil and Mespinoza are known to exploit exposed services to gain initial access to victims’ environments, Unit 42 researchers stationed 320 honeypots worldwide. Those honeypots involved intentionally misconfigured services within an infrastructure, including remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database.
The result? 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week, Unit 42 principal researcher Jay Chen wrote in a blog post.
Related: See more Research Briefs here
Other significant findings:
- SSH was the most attacked application. The number of attackers and compromising events was much higher than for the other three applications.
- The most attacked SSH honeypot was compromised 169 times in a single day.
- On average, each SSH honeypot was compromised 26 times daily.
- One threat actor compromised 96% of 80 Postgres honeypots globally within 30 seconds.
- 85% of the attacker IPs were observed only on a single day.
“This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks,” Chen said. “A list of malicious IPs created today will likely become outdated tomorrow,” the researcher said.
Inasmuch as the speed of vulnerability management is usually measured in days or months, that hackers could locate and compromise Unit 42’s honeypots in minutes was “shocking,” Chen wrote. “This research demonstrates the risk of insecurely exposed services. When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes,” said Chen.
Unit 42 conducted the study between July 2021 and August 2021, deploying honeypots across North America, Asia Pacific and Europe. The research analyzed the time, frequency and origins of the attacks observed during that time in the infrastructure. To lure attackers, researchers intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest and administrator:password.