Opportunistic attackers instantly exploited insecurely exposed services deployed in honeypots by Unit 42 researchers, demonstrating the immediate danger of these typical mistakes.
Poorly configured cloud services can be exploit by threat actors in minutes and sometimes in under 30 seconds. Attacks include network intrusion, data theft and ransomware infections, researchers have found.
Researchers at Palo Alto Networks’ Unit 42 used a honeypot infrastructure of 320 nodes deployed globally in which they misconfigured key services within a cloud–including remote desktop protocol (RDP), secure shell protocol (SSH), server message block (Samba) and Postgres database.
What they found was that attackers jumped at the opportunity to exploit the misconfigurations, with 80 percent of the 320 honeypots compromised within 24 hours and all compromised within a week, researchers disclosed in a report posted Monday.
Moreover, some attacks occurred within minutes, with one particularly speedy threat actor compromising 96 percent of the 80 honeypots globally within 30 seconds, researchers found.
Given that the speed with which organizations typically manage vulnerabilities is typically measured in days or months, “that fact that attackers could find and compromise our honeypots in minutes was shocking,” Unit 42 principal cloud security researcher Jay Chen wrote in the post.
Common Cloud Mistakes
The study clearly shows how quickly these common misconfigurations can lead to data breaches or attackers’ taking down an entire network—given that “most of these internet-facing services are connected to some other cloud workloads,” Chen wrote. This reinforces the importance of mitigating and patching security issues quickly, he said.
“When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service,” Chen wrote. “There is no margin of error when it comes to the timing of security fixes.”
Indeed, scores of high-profile cyber incidents have occurred because of misconfigured cloud services. This year alone two popular commercial outlets—the Hobby Lobby retail chain and Wegman’s grocery stores—experienced separate data breaches due to these types of mistakes.
Hobby Lobby exposed customer data because of a cloud-bucket misconfiguration, while Wegman’s also leaked customer data because two of its cloud-based databases were misconfigured.
Unit 42 conducted the current cloud-misconfiguration study between July 2021 and August 2021, deploying 320 honeypots with even distributions of SSH, Samba, Postgres and RDP across four regions–North America (NA), Asia Pacific (APAC) and Europe (EU). Their research analyzed the time, frequency and origins of the attacks observed during that time in the infrastructure.
To lure attackers, researchers intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest, administrator:password, which granted limited access to the application in a sandboxed environment. They reset honeypots after a compromising event—i.e., when a threat actor successfully authenticated via one of the credentials and gained access to the application.
Researchers also blocked a list of known scanner IPs on a subset of honeypots, updating firewall policies once a day based on the observed network scanning traffic.
The team analyzed attacks according to a variety of attack patterns, including: the time attackers took to discover and compromise a new service; the average time between two consecutive compromising events of a targeted application; the number of attacker IPs observed on a honeypot; and the number of days an attacker IP was observed.
Results of the study showed that the Samba honeypots were the ones attacked most quickly, as well as the ones with attackers that compromised the services most consecutively with the most speed.
However, SSH was the misconfigured service with the highest number of attackers, experiencing a number of attackers and compromising events that was much higher than for the other three applications, researchers reported. The most attacked SSH honeypot was compromised 169 times in a single day, while on average, each SSH honey suffered 26 attacks daily, they found.
Researchers also tracked attacks according to region, with Samba and RDP getting the most attacks from North America, while attacks from APAC targeting Postgres and SSH more frequently, they found.
Overall, 85 percent of the attacks on the honeypots were observed on a single day, which indicated to researchers that blocking known scanner IPs is ineffective in mitigating attacks, as attackers rarely reuse the same IPs to launch attacks, Chen wrote.
Avoiding Common Cloud Mistakes
The good news for organizations making common cloud configuration mistakes that can be easily exploited is that they also are easy to avoid, researchers said. Chen listed several recommendations for system administrators to avoid leaving services exposed to attacks.
To safeguard services from being pummeled by attacker IPs, cloud administrators can implement a guardrail to prevent privileged ports from being open, as well as create audit rules to monitor all the open ports and exposed services.
Researchers also suggested that admins create automated response and remediation rules to fix misconfigurations automatically and deploy next-generation firewalls to block malicious traffic.