Researchers watched 100 hours of hackers hacking honeypot computers


Imagine being able to sit behind a hacker and watch them take control of a computer and play around with it.

That’s pretty much what two security researchers did thanks to a large network of computers set up as a honeypot for hackers.

The researchers deployed several Windows servers deliberately exposed on the internet, set up with Remote Desktop Protocol, or RDP, meaning that hackers could remotely control the compromised servers as if they were regular users, being able to type and click around.

Thanks to these honeypots, the researchers were able to record 190 million events and 100 hours of video footage of hackers taking control of the servers and performing a series of actions on them, including reconnaissance, installing malware that mines cryptocurrencies, using Android emulators to conduct click fraud, brute-forcing passwords for other computers, hiding the hackers’ identities by using the honeypot as a starting point for another attack, and even watching porn. The researchers said a hacker successfully logging into its honeypot can generate “tens of events” alone.

“It’s basically like a surveillance camera for RDP system because we see everything,” Andréanne Bergeron, who has a Ph.D. in criminology from the University of Montreal, told TechCrunch.

Bergeron, who also works for cybersecurity firm GoSecure, worked with her colleague Olivier Bilodeau on this research. The two presented their findings on Wednesday at the Black Hat cybersecurity conference in Las Vegas.

The two researchers classified the types of hackers based on Dungeons and Dragons character types.

The “Rangers,” according to the two, carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. “Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later,” the researchers wrote in a blog post published on Wednesday to accompany their talk.

The “Barbarians” use the compromised honeypot computers to try and brute-force into other computers using known lists of hacked usernames and passwords, sometimes using tools such as Masscan, a legitimate tool that allows users to port-scan the whole internet, according to the researchers.

The “Wizards” use the honeypot as a platform to connect to other computers in an attempt to hide their trails and the actual origin of their attacks. According to what Bergeron and Bilodeau wrote in their blog post, defensive teams can gather threat intelligence on these hackers, and “reach deeper into compromised infrastructure.”

According to Bergeron and Bilodeau, the “Thieves” have the clear goal of monetizing their access to these honeypots. They may do that by installing crypto miners, programs to perform click fraud or generate fake traffic to websites they control, and selling access to the honeypot itself to other hackers.

Finally, the “Bards” are hackers with very little or almost no skills. These hackers used the honeypots to search Google for malware, and even watch porn. These hackers sometimes used cell phones instead of desktop or laptop computers to connect to the honeypots. Bergeron and Bilodeau said they believe this type of hacker sometimes uses the compromised computers to download porn, something that may be banned or censored in their country of origin.
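One way a blue team running its own RDP trap could triage recorded sessions into the five archetypes above, as an added example that is not the researchers’ code; the event labels, the precedence order and the sample sessions are all assumptions constructed for illustration:

```python
from collections import Counter

# Behaviour signals the article attributes to each archetype. The event
# labels are assumed; a real honeypot would emit its own event schema.
ARCHETYPE_SIGNALS = {
    "Thief": {"cryptominer_install", "click_fraud_emulator", "access_sale"},
    "Wizard": {"outbound_rdp", "proxy_setup"},
    "Barbarian": {"outbound_bruteforce", "masscan_run"},
    "Bard": {"web_search_malware", "adult_content", "mobile_client"},
    "Ranger": {"recon_cmd", "password_change"},
}

# Precedence is an assumption: a session that does recon and then drops a
# miner is a Thief, not a Ranger. Ranger is the fallback when only recon
# and password changes are observed, matching the "leaving it at that" note.
PRECEDENCE = ["Thief", "Wizard", "Barbarian", "Bard", "Ranger"]


def evidence(events):
    """Map each archetype to the signals actually seen in this session."""
    seen = set(events)
    return {a: sorted(seen & sig) for a, sig in ARCHETYPE_SIGNALS.items()
            if seen & sig}


def classify_session(events):
    """Return the archetype label for one recorded RDP session."""
    matched = evidence(events)
    for archetype in PRECEDENCE:
        if archetype in matched:
            return archetype
    return "Unclassified"   # e.g. a login with no further activity


def triage(sessions):
    """Label every session and count how many of each archetype were seen."""
    labels = {sid: classify_session(ev) for sid, ev in sessions.items()}
    return labels, Counter(labels.values())


# Constructed sample sessions (session id -> ordered event labels).
SAMPLE_SESSIONS = {
    "s1": ["recon_cmd", "recon_cmd", "password_change"],
    "s2": ["recon_cmd", "masscan_run", "outbound_bruteforce"],
    "s3": ["proxy_setup", "outbound_rdp"],
    "s4": ["recon_cmd", "cryptominer_install"],
    "s5": ["mobile_client", "web_search_malware", "adult_content"],
    "s6": ["login_only"],
}

if __name__ == "__main__":
    labels, counts = triage(SAMPLE_SESSIONS)
    for sid, label in labels.items():
        print(sid, label, evidence(SAMPLE_SESSIONS[sid]))
    print(dict(counts))
```

The per-session evidence dictionary is what would feed the “extensive documentation of opportunistic attackers’ tradecraft” the researchers mention, since it records which observed behaviours justified each label.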

In one case, a hacker “was downloading the porn and sending it to himself via Telegram. So basically circumventing a country-level ban on porn,” Bilodeau told TechCrunch. “What I think [the hacker] does with this then is download it in an internet cafe, using Telegram, and then he can put it on USB keys, and he can sell it.”

Bergeron and Bilodeau concluded that being able to watch hackers interact with this type of honeypot could be very useful not just for researchers like them, but also for law enforcement or cybersecurity defensive teams — also known as blue teams.

“Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence in recorded sessions for use in investigations,” the researchers wrote in the blog post. “Blue teams for their part can consume the [Indicators of Compromise] and roll out their own traps in order to further protect their organization, as this will give them extensive documentation of opportunistic attackers’ tradecraft.”

Moreover, if hackers start to suspect that the servers they compromise may be honeypots, they will have to change strategies and decide whether the risks of being caught are worth it, “leading to a slow down which will ultimately benefit everyone,” according to the researchers.
