Tag Archive for: honeypot

A Clever Honeypot Tricked Hackers Into Revealing Their Secrets

/in


Plenty of people tried to access the system. Over the past three years, it has captured 21 million login attempts, with more than 2,600 successful logins by attackers brute-forcing the weak password they purposefully used on the system. They recorded 2,300 of these successful logins, gathered 470 files that were uploaded, and analyzed 339 of the videos with useful footage. (Some recordings were just a couple of seconds long, and proved less useful.) “We cataloged the techniques, the tooling, everything done on these systems,” Bilodeau says.

Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game Dungeons and Dragons. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on and other elements of the machine. Rangers wouldn’t take any action, Bergeron says. “It’s basic recon,” she says, suggesting they may be evaluating the system for others to enter it.

Barbarians were the next most frequent kind of attackers. These use multiple hacking tools, such as Masscan and NLBrute, to brute-force their way into other computers, the researchers say. They work through a list of IP addresses, usernames, and passwords, trying to break into the machines. Similarly, the group they call wizards use their access to the RDP to launch attacks against other insecure RDPs—potentially masking their identity across many layers. “They use the RDP access as a portal to connect to other computers,” Bergeron says.

The thieves, meanwhile, do what their name implies. They try to make money out of the RDP access in any way possible. They use traffic monetization websites and install crypto miners, the researchers say. They might not earn a lot in one go, but multiple compromises can add up.

The final group Bergeron and Bilodeau observed is the most haphazard: the bards. These people, the researchers say, may have purchased access to the RDP and are using it for a variety of reasons. One person the researchers watched Googled the “strongest virus ever,”…

Source…

Researchers watched 100 hours of hackers hacking honeypot computers

/in


Imagine being able to sit behind a hacker and observe them take control of a computer and play around with it.

That’s pretty much what two security researchers did thanks to a large network of computers set up as a honeypot for hackers.

The researchers deployed several Windows servers deliberately exposed on the internet, set up with Remote Desktop Protocol, or RDP, meaning that hackers could remotely control the compromised servers as if they were regular users, being able to type and click around.

Thanks to these honeypots, the researchers were able to record 190 million events and 100 hours of video footage of hackers taking control of the servers and performing a series of actions on them, including reconnaissance, installing malware that mines cryptocurrencies, using Android emulators to conduct click fraud, brute-forcing passwords for other computers, hiding the hackers’ identities by using the honeypot as a starting point for another attack, and even watching porn. The researchers said a hacker successfully logging into its honeypot can generate “tens of events” alone.

“It’s basically like a surveillance camera for RDP system because we see everything,” Andréanne Bergeron, who has a Ph.D. in criminology from the University of Montreal, told TechCrunch.

Bergeron, who also works for cybersecurity firm GoSecure, worked with her colleague Olivier Bilodeau on this research. The two presented their findings on Wednesday at the Black Hat cybersecurity conference in Las Vegas.

The two researchers classified the type of hackers based on Dungeons and Dragons character types.

The “Rangers,” according to the two, carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. “Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later,” the researchers wrote in a blog post published on Wednesday to accompany their talk.

The “Barbarians” use the compromised honeypot computers to try and bruteforce into other computers using known lists of hacked usernames and passwords, sometimes using tools such as Masscan, a legitimate tool that…

Source…

Syrian rebels lured into malware honeypot sites through “sexy” online chats

/in

Hacking for “signals intelligence” doesn’t take NSA-level resources; it doesn’t even require very sophisticated exploit tools. Using a combination of Windows and Android malware and some very simple social engineering, a group aligned with the regime of Syrian President Bashar Al-Assad have raked in a wealth of intelligence on Syrian opposition groups. And they did it by pretending to be women and flirting with their victims.

Over the past two years, using a combination of fake social media and Skype accounts associated with fictional female supporters of Syrian rebel groups, the group—apparently operating from Lebanon—fooled rebel soldiers and others providing aid to them into downloading malware to their computers and Android smartphones. As revealed in a report published today by FireEye (PDF), the group (which may have been associated with Hezbollah) was able to harvest not just personal information on their targets, but also battle plans and other intelligence information that could have been used by Hezbollah and the Syrian government’s troops to counter the opposition.

FireEye discovered the operation during a malware investigation, uncovering a cache of 7.7 gigabytes of stolen data on a German server. The data contains Skype databases including chat logs and contacts, as well as documents and images.

Read 7 remaining paragraphs | Comments


Ars Technica » Technology Lab