Threat actors find and compromise exposed services in 24 hours


Researchers created 320 honeypots to see how quickly threat actors would target vulnerable cloud services, reporting that 80% of them were compromised in less than 24 hours.

Malicious actors constantly scan the Internet for vulnerable services that could be exploited to access internal networks or perform other malicious activity.

To track which software and services are targeted by threat actors, researchers deploy publicly reachable honeypots: servers configured to look as if they are running various software, so that attackers are enticed to connect and their tactics can be monitored.

A tempting lure

In a new study conducted by Palo Alto Networks' Unit 42, researchers set up 320 honeypots and found that 80% of them were compromised within the first 24 hours.

The deployed honeypots exposed remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database services, and were kept online from July to August 2021.

The honeypots were deployed around the world, with instances in North America, Asia Pacific and Europe.

[Figure: Honeypot experimental infrastructure. Source: Unit 42]

How the attackers move

The time to first compromise reflects how heavily each service type is targeted.

For SSH honeypots, which were the most targeted, the average time to first compromise was three hours, and the average time between two consecutive attacks was about two hours.

[Figure: Average time between two consecutive attacks. Source: Unit 42]

Unit 42 also observed a remarkable case in which a single threat actor compromised 96% of the experiment's 80 Postgres honeypots in just 30 seconds.

This finding is worrying because it can take days, if not longer, to roll out new security updates after they are released, while threat actors need only hours to exploit vulnerable services.

Finally, in terms of whether the location makes any difference, the APAC region received the most attention from threat actors.

[Figure: Attacks on each service type by region. Source: Unit 42]

Do firewalls help?

The vast majority (85%) of attacker IPs were observed on only a single day, which means that actors rarely (15%) reuse the same IP in subsequent attacks.

This constant IP churn makes layer 3 firewall rules (blocking by source IP) ineffective against most threat actors.

A blocklist built from network scanning projects, which identify hundreds of thousands of malicious IPs daily, might be expected to do better.

However, Unit 42 tested this hypothesis on a subgroup of 48 honeypots and found that blocking over 700,000 IPs made no significant difference in the number of attacks between the subgroup and the control group.
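The metrics above (time to first compromise, mean interval between consecutive attacks, share of source IPs seen on only one day, and how much of the attacking population a static blocklist would have covered) can be computed from a honeypot's own connection log. The following is an added example, not Unit 42's tooling; the events, deployment times and blocklist are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not Unit 42's dataset): deployment time per honeypot,
# then observed attacks as (timestamp, honeypot, source IP).
DEPLOYED = {"ssh-01": "2021-07-01T00:00:00", "pg-01": "2021-07-01T00:00:00"}
EVENTS = [
    ("2021-07-01T03:00:00", "ssh-01", "198.51.100.7"),
    ("2021-07-01T05:00:00", "ssh-01", "203.0.113.9"),
    ("2021-07-01T07:00:00", "ssh-01", "198.51.100.7"),
    ("2021-07-02T09:00:00", "ssh-01", "198.51.100.7"),  # same IP, next day
    ("2021-07-01T00:00:30", "pg-01", "192.0.2.5"),
    ("2021-07-03T00:00:30", "pg-01", "192.0.2.6"),
]
# Constructed static blocklist, standing in for a scanning-project feed.
BLOCKLIST = {"192.0.2.6", "203.0.113.99"}

def _ts(s):
    return datetime.fromisoformat(s)

def time_to_first_compromise(events, deployed):
    """Seconds from deployment to the first attack seen on each honeypot."""
    first = {}
    for ts, hp, _ in events:
        t = _ts(ts)
        if hp not in first or t < first[hp]:
            first[hp] = t
    return {hp: (t - _ts(deployed[hp])).total_seconds() for hp, t in first.items()}

def mean_gap_hours(events):
    """Mean hours between consecutive attacks on each honeypot (None if only one attack)."""
    by_hp = defaultdict(list)
    for ts, hp, _ in events:
        by_hp[hp].append(_ts(ts))
    result = {}
    for hp, times in by_hp.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        result[hp] = sum(gaps) / len(gaps) if gaps else None
    return result

def single_day_ip_fraction(events):
    """Fraction of source IPs observed on only one calendar day (the article's 85% figure)."""
    days = defaultdict(set)
    for ts, _, ip in events:
        days[ip].add(_ts(ts).date())
    return sum(1 for d in days.values() if len(d) == 1) / len(days)

def blocklist_coverage(events, blocklist):
    """Share of distinct attacking IPs a static blocklist would have stopped."""
    ips = {ip for _, _, ip in events}
    return len(ips & blocklist) / len(ips)
```

On the sample data the blocklist covers a quarter of the attacking IPs and three of four IPs appear on a single day only, which is the pattern that makes IP-based blocking weak in the study.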

[Figure: Comparison between firewall and no-firewall groups. Source: Unit 42]

To effectively protect cloud services, Unit 42 recommends that administrators do the following:

  • Create a guardrail to prevent privileged ports from being opened.
  • Create audit rules to monitor all open ports and exposed services.
  • Create automated response and remediation rules to correct misconfigurations automatically.
  • Deploy next-generation firewalls (WFA or VM-Series) in front of the applications.

Finally, always install the latest security updates as they become available, as threat actors rush to exploit newly disclosed vulnerabilities as soon as they are released.
