Security Experts:

Honeypot Shows the Power of Automation in the Hands of Hackers

Honeypot Experiment Shows the Commoditization of Using Bots to Perform Low-level Hacking Tasks

Next-gen endpoint detection and response firm Cybereason wanted to test two hypotheses: first, that hackers are ignoring free information in the underground forums; and second, that bots have become more sophisticated and dangerous than is often believed.

To do this, it set up a sophisticated honeypot system that masqueraded as a financial services company. For the first hypothesis, it dropped remote desktop protocol (RDP) access credentials for three servers on dark markets and paste sites. The passwords were complex, but everything needed to break in was dropped in plaintext, with the cover story of a lucky skiddie who found the information but didn't know what to do with it. He was giving away the information to build trust and foster goodwill.

The first hypothesis was proven. Nobody touched or attempted to use the credentials. "They might as well not have existed," Cybereason's senior director for intelligence services, Ross Rustici, told SecurityWeek. Hackers no longer trust the markets near the surface of the dark web, probably considering them to be full of government agents and security researchers. Instead, they work in closed forums in the deep web where access to outsiders -- and hacker newbies -- is difficult.

Or they work alone, without relying on untrustworthy human-to-human interaction, and with greater reliance on bots. This was the second purpose on the financial services honeypot -- to gauge how sophisticated these bots have become. 

This part of the project had two phases. The first was to set up additional RDP services with weak passwords, and, writes Rustici in an associated blog, "we opened up several other services to see which ports were scanned the most and if there was a large difference in functionality once they broke in."

Within two hours of creating the weak RDP services, he told SecurityWeek, "they got popped by a bunch of different stuff probably using rainbow tables." It was what he expected -- simple bots, scanning, brute forcing, and performing the rudimentary tasks that would help the operator decide to incorporate the network into a botnet or keep the credentials for future use.

"But then we got lucky," he said. "One particular bot not only popped the box, but then started doing exploit analysis right off the bat." This bot was essentially a complete and automated hacking kit. It did a network recon. "It tried to figure out where it was, and what the machine name was. It created false user names and accounts, so the attacker would have sustained backdoor access into the system should the weak password get changed or somebody try to take out the initial intrusion."

This was an aggressive and stealthy bot. It was aggressive in the speed and extent of its functions, and stealthy through its use of PowerShell scripts. "The attacker had cobbled together a bunch of PowerShell scripts, a bit of Python and a couple of open source utilities (MimiKatz and probably Netcat) and, within minutes, it could pretty much own every node on the network without the hacker having to get into the network and get dirty. It did everything that a normal intrusion would take hours to do, and essentially reduced the dwell time on the endpoint from 2 hours (which would be average) to minutes."

Only the use of MimiKatz and Netcat would provide easily visible red flags for the defenders; but Rustici commented, "It all happens so fast and largely quietly that it would probably be missed by 50% of the controls currently on the market." Basically, the bot broke in, looked around, dropped its own backdoor and withdrew in minutes and without human interaction.

"Two days later," Rustici told SecurityWeek, "we saw a human come into that network using one of the created accounts and start poking around on the box and looking for specific information. He already had the road map from the bot. He knew what he was looking for -- and so he just literally popped up the RDP, went in and then started pulling files back. He then installed a mail program and emailed himself 3 GB of exfiltration.

"It was interesting," he added, "because although you see a lot of bot activity, it's rare you see interaction between a human and a bot and how cybercriminals are monetizing this brute force access that they're getting through scanning the web. The way they moved into the environment also shows how much data the bot gathered and how useful that data was to whoever was using it."

Cybereason still has, he said, "some sleuthing" to do. Is the bot, "run and operated by a group that is selling access on the deep web closed forums based off the information they pull back, or was it the same person operating the bot who came in and stole the data?" The two-days delay between the bot and the human activity could just be a cooling off period, it could be the length of time taken to sell on the data, or it could be an indication of the number of genuine networks popped by the bot -- with what was to all intents and purposes a financial services company bumped towards the top of the list for further exploitation.

What is almost certain, however, is that we will see more of this type of automated hacking in the future. "I think the attack method is already commoditized," says Rustici. "I think we got lucky in that we saw it happen so quickly after we opened up the ports, I think we got a little unlucky in the fact that we didn't see more of it. The scripting and the automation is the way that both attackers and defenders are going -- it's the only way that you can keep up with the amount of devices that exist online -- the attack surface that you either have to defend or penetrate."

As access to specific information becomes more valuable, he added, "you're going to see a lot more people take this approach rather than the traditional DDoS botnet type activity that bots are more generally associated with -- especially with monetizing DDoS getting harder and the industry getting better at mitigating it. I think we are going to see a lot more actors move towards this type of automated recon. They can either sell the information or do some doxing and try to hold the whole network to ransom in new ways beyond the traditional ransomware infection."

In short, automated intrusion and reconnaissance is the natural evolution of hacking methodologies: "It's sort of worming 2.0 -- and I think we are going to see a lot of people playing with this kind of technology."

Boston, MA-based Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017. This increased total investment in the firm to $189 million since its inception in 2012. It raised $25 million in Series B financing and $59 million in Series C financing, both in 2015.

Related: Attackers Increase Use of PowerShell, WMI to Evade Detection

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.