To examine exactly how cyber attackers work, cybersecurity researchers decided to set up some tempting honeypots. After all, an insecure cloud-computing service can be a huge risk to an organisation, as cyber criminals regularly find and exploit these vulnerabilities. So the researchers decided to demonstrate just how vulnerable misconfigured cloud services can be. They positioned hundreds of honeypots to entice cyber attackers. These honeypots were designed to look like insecure cloud infrastructure in order to establish how long it took attackers to compromise them. During the test, some of them lasted only minutes before hackers compromised them.
Cybersecurity researchers at Palo Alto Networks designed a honeypot deployment of 320 nodes, made up of many misconfigured instances of the common cloud services that cybercriminals look for when they want to exploit a target. For instance, the honeypots included remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres databases.
Secondly, the honeypots also included weak and default passwords; again, this is what cybercriminals look for when they are trying to exploit and breach a network.
Of the 320 honeypots positioned around the world, some were compromised within minutes, while 80% were compromised within 24 hours. Above all, none lasted longer than a week: all had been compromised.
During the test, Secure Shell (SSH), a network protocol that allows two machines to communicate over an open network, was the most attacked application. On average, each SSH honeypot was compromised 26 times a day. In just a single day, the most attacked honeypot was compromised 169 times.
Meanwhile, 96% of the 80 Postgres honeypots were compromised by the same attacker in a minute and a half.
Jay Chen, the principal cloud security researcher at Palo Alto Networks, says, “the speed of vulnerability management is usually measured in days or months.” So the compromise of the honeypots within minutes was very concerning and shocking, and it demonstrates the “risk of insecurely exposed services.”
Most importantly, the lesson learnt from this test is that exposed or poorly configured cloud services are tempting for cybercriminals, who will exploit them to gain initial access to the victim’s network. The criminals will encrypt as much as possible and then demand a ransom payment in exchange for the decryption key.
Nation state-backed hacking groups are also known to target vulnerabilities in cloud services as a way to conduct espionage, steal data, or deploy malware without detection.
So, we can ascertain from the test that it doesn’t take long for cyber criminals to find exposed internet-facing systems. Chen says that “attackers can find and attack it in just a few minutes” when a vulnerable service is exposed to the internet. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment, he explains.
As a result, organisations must ensure they take the necessary precautions to secure the accounts used to access cloud services, such as:
- Avoid using default passwords
- Provide users with multi-factor authentication to create a second layer and prevent credentials from being exploited.
- Apply security patches when they’re available in order to prevent cyber criminals from taking advantage of known exploits; this strategy applies to cloud applications, too.
The cloud security test by the researchers has reiterated the importance of mitigating and patching security issues quickly. If there is one thing we have learnt, it is that attackers take only a few minutes to discover and compromise a service. In other words, there is no margin for error when it comes to quickly fixing misconfigured cloud services.