‘Honeypot’ computers used to gain insights on cyberattackers

11 Aug 2023


The GoSecure investigation claims to have gathered hundreds of hours of cybercriminal footage, which was used to group attackers based on their behaviours.

Security researchers claim to have used a ‘honeynet’ of computers to gather years of data on hackers and how they conduct their cybercriminal activities.

The team at GoSecure investigated remote desktop protocol (RDP), an attack vector that cyberattackers can use to gain control of computer systems. The researchers created an “interception tool” that monitored the screen, mouse movements and other valuable data on hackers attempting an RDP attack.

The researchers then set up a honeynet of several cloud-hosted Windows computers, exposed to the internet and deliberately left open to RDP attacks.

The researchers claim this tactic allowed them to gather three years of data, which includes 100 hours of video footage and 470 files collected from various threat actors.

Cybersecurity Dungeons & Dragons

Using this data, the researchers classified the different types of cyberattacks into groups based on the attacker’s behaviour. These groups are named after character types in the Dungeons & Dragons role-playing game.

One group, the rangers, runs scouting missions and “explore all the folders of the computer”, gathering useful data. However, the researchers said they take “no other meaningful actions”.

“Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later,” the researchers said.

Earlier this month, BlackBerry’s Dmitry Bestuzhev spoke to SiliconRepublic.com about the threat of “initial access brokers”, who sell access to systems they have already compromised so that other attackers can carry out follow-on cyberattacks. This type of broker sounds similar to the rangers referenced in the GoSecure report.

Another group, the thieves, tries to monetise the RDP access by running tools such as cryptominers and Android emulators, and by participating in “pay to surf” schemes, where the compromised computer’s browser earns revenue for watching promotional content.

The barbarian group uses various tools to “brute-force” their way into other computers, for example by trying to compromise other systems using lists of IP addresses and stolen passwords.

The wizards group uses the RDP access as a “portal” to connect onwards to other compromised computers as a way to avoid detection. Finally, the bards group consists of attackers who showed no apparent hacking skills.

“The evidence shows that they [bards] might have bought RDP access from someone who has compromised the system for them, aka initial access brokers,” the report said.

The cybersecurity firm said RDP interception has potential for both research and law enforcement, as agencies can intercept attacks in RDP environments and collect intelligence from the recorded sessions “for use in investigations”.

“Plus, if attackers are scared enough, they will have to change their strategies, and this will influence their attacks’ cost-benefit, leading to a slow down which will ultimately benefit everyone,” the researchers said.


Leigh Mc Gowran is a journalist with Silicon Republic