Security researchers from Unit 42, the research arm of cybersecurity firm Palo Alto Networks, set up a honeypot infrastructure of 320 nodes globally to better understand the attacks against exposed services in public clouds, and 80% of the 320 honeypots were compromised within the first 24 hours.
According to the company’s report, all honeypots were compromised within the week.
The results may be alarming, but given the increase in ransomware activity taking place within public clouds lately, the report may come as no surprise. What is most striking is how little time it took the threat actors to compromise most of the honeypots. Ransomware gangs such as REvil are known to exploit exposed services to gain access to victims’ environments.
Unit 42 researchers deployed remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database in the honeypot infrastructure. They reported the following findings:
- SSH was the most attacked application. The number of attackers and compromising events was much higher than for the other three applications.
- The most attacked SSH honeypot was compromised 169 times in a single day.
- On average, each SSH honeypot was compromised 26 times daily.
- One threat actor compromised 96% of the 80 Postgres honeypots globally within 30 seconds.
- 85% of the attacker IPs were observed only on a single day. This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks. A list of malicious IPs created today will likely become outdated tomorrow.
The outcome reiterates the importance of mitigating and patching security issues quickly. When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes, according to Unit 42.
Here are some strategies IT administrators can take:
- Create a guardrail to prevent privileged ports from being open. For example, use AWS Service Control Policies or Azure Firewall Management.
- Create audit rules to monitor all the open ports and exposed services. For example, use AWS Config, Checkov, or Cloud Security Posture Management tools.
- Create automated response and remediation rules to fix misconfigurations automatically. For example, consider AWS Security Hub or Prisma Cloud Automated Remediation.
- Deploy next-generation firewalls in front of the applications, such as VM-Series or WAF to block malicious traffic.
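One way to implement the audit rule in the second strategy above, as an added example that is not Unit 42's code or any vendor tool's: a small checker that walks security-group ingress rules and flags any rule that exposes the four services from the honeypot study (SSH, RDP, SMB, Postgres) to the whole internet. The input shape mimics the `SecurityGroups` list returned by the AWS `ec2 describe-security-groups` API, but the groups and CIDRs below are constructed for illustration; the port-to-service table and the function names are this example's own assumptions.

```python
"""Audit security-group ingress rules for privileged services open to the world.

Added example, not Unit 42's or any vendor's code. The dict layout follows the
AWS describe-security-groups response shape; all sample data is constructed.
"""
import ipaddress
from typing import Dict, List

# Ports of the four services Unit 42 deployed in its honeypots.
PRIVILEGED_PORTS: Dict[int, str] = {
    22: "SSH",
    3389: "RDP",
    445: "SMB",
    5432: "Postgres",
}


def is_world_open(cidr: str) -> bool:
    """True when the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes(rule: dict) -> List[int]:
    """Return the privileged ports that one ingress rule opens to any source.

    IpProtocol '-1' means all protocols and all ports; only TCP rules are
    otherwise considered, since all four services listen on TCP.
    """
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        lo, hi = 0, 65535
    elif proto == "tcp":
        lo = rule.get("FromPort", 0)
        hi = rule.get("ToPort", 65535)
    else:
        return []
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    if not any(is_world_open(c) for c in sources):
        return []
    return [p for p in PRIVILEGED_PORTS if lo <= p <= hi]


def audit_security_groups(groups: List[dict]) -> List[dict]:
    """One finding per (group, port) pair reachable from the whole internet."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for port in rule_exposes(rule):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "Port": port,
                    "Service": PRIVILEGED_PORTS[port],
                })
    return findings


# Constructed sample: sg-aaa exposes SSH (v4) and Postgres (v6) plus harmless
# HTTP; sg-bbb allows everything from anywhere; sg-ccc limits SSH to one range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: {f['Service']} (tcp/{f['Port']}) open to the internet")
```

Run against real output, the same function would take the `SecurityGroups` list from the API response; the findings it returns are the misconfigurations the third strategy (automated remediation) would act on. Note that a catch-all `-1` rule produces one finding per privileged port, which is the behaviour you want when the remediation closes ports individually.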