Home News Exposed Services Commonly Observed in Public Clouds

Exposed Services Commonly Observed in Public Clouds

Palo Alto researchers used a honeypot infrastructure and deployed 320 nodes to better understand the attacks against exposed services in public clouds.

Public cloud

Cloud misconfigurations become one of the major reasons for unauthorized intrusions and accidental data breaches. Threat actors often target unsecured or poorly configured cloud infrastructures to compromise and steal classified information. Recently, security experts from Palo Alto Network’s Unit 42 performed a honeypot experiment to determine how fast cybercriminals attack exposed cloud services, and the results are alarming.

The Honeypot Experiment

A honeypot is a decoy security mechanism used to detect or counteract unauthorized intrusions to critical network systems. Once an attacker breaks into the honeypot, the security admins can identify how the hackers compromised the target, the hacking techniques they deployed, and how their networks defended or were compromised.

Palo Alto researchers stated they had used a honeypot infrastructure containing 320 nodes and deployed across North America, Asia Pacific, and Europe, exposing it online. They misconfigured the primary services within the cloud, including the remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and Postgres database in the honeypot infrastructure. The experiment calculated the time, frequency, and source of the attacks between July and August 2021.

Key Findings

  • Over 80% of the 320 honeypots were compromised within 24 hours, and all of the honeypots were compromised within a week.
  • SSH was the most attacked application. The number of attackers and compromising events was much higher than for the other three applications.
  • The most attacked SSH honeypot was compromised 169 times in a single day.
  • On average, each SSH honeypot was compromised 26 times daily.
  • One threat actor compromised 96% of our 80 Postgres honeypots globally within 30 seconds.
  • 85% of the attacker IPs were observed only on a single day. This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks. A list of malicious IPs created today will likely become outdated tomorrow.

“The speed of vulnerability management is usually measured in days or months. The fact that attackers could find and compromise our honeypots in minutes was shocking. This research demonstrates the risk of insecurely exposed services. The outcome reiterates the importance of mitigating and patching security issues quickly. When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes,” the researchers said.

How Honeypots Boost Organizations’ Security

Deploying honeypots offer several security advantages to companies that are trying to boost their network defenses. Implementing honeypot technologies help security admins to break the attacker chain and avoid possible cyber risks. Identifying attackers’ hacking courses and paths help security experts build their own strategies to thwart potential cyberattacks. The honeypot experiments help organizations identify security loopholes and strengthen the overall cybersecurity defenses. Read More Here