Researchers watched 100 hours of hackers hacking honeypot computers
Imagine being able to sit behind a hacker and observe them take control of a computer and play around with it.
That’s pretty much what two security researchers did thanks to a large network of computers set up as a honeypot for hackers.
The researchers deployed several Windows servers deliberately exposed on the internet, set up with Remote Desktop Protocol, or RDP, meaning that hackers could remotely control the compromised servers as if they were regular users, being able to type and click around.
Thanks to these honeypots, the researchers were able to record 190 million events and 100 hours of video footage of hackers taking control of the servers and performing a series of actions on them, including reconnaissance, installing malware that mines cryptocurrencies, using Android emulators to conduct click fraud, brute-forcing passwords for other computers, hiding the hackers’ identities by using the honeypot as a starting point for another attack, and even watching porn. The researchers said a hacker successfully logging into its honeypot can generate “tens of events” alone.
“It’s basically like a surveillance camera for RDP system because we see everything,” Andréanne Bergeron, who has a Ph.D. in criminology from the University of Montreal, told TechCrunch.
Bergeron, who also works for cybersecurity firm GoSecure, worked with her colleague Olivier Bilodeau on this research. The two presented their findings on Wednesday at the Black Hat cybersecurity conference in Las Vegas.
The two researchers classified the type of hackers based on Dungeons and Dragons character types.
The “Rangers,” according to the two, carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. “Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later,” the researchers wrote in a blog post published on Wednesday to accompany their talk.
The “Barbarians” use the compromised honeypot computers to try and bruteforce into other computers using known lists of hacked usernames and passwords, sometimes using tools such as Masscan, a legitimate tool that…