Many people tried to access the system. Over the last three years, 21 million login attempts were recorded, with more than 2,600 successful logins by attackers who brute-forced the deliberately weak password the researchers had set on the system. They recorded 2,300 of those successful logins, collected 470 uploaded files, and analyzed 339 of the videos with useful footage. (Some recordings were only a few seconds long and proved less useful.) “We cataloged the techniques, the tools, and everything that was done on those systems,” says Bilodeau.
Bergeron and Bilodeau divided the attackers into five broad categories based on character types from the Dungeons and Dragons role-playing game. The most widespread were the rangers: as soon as these attackers were in the RDP trap session, they immediately began to explore the system, removing Windows antivirus tools, rummaging in folders, checking the network they were on, and examining other elements of the machine. Beyond that exploration, the rangers would do nothing, says Bergeron. “It’s basic reconnaissance,” she says, hinting that they may evaluate the system so others can access it.
Barbarians were the second most common type of attacker. These use hacking tools such as Masscan and NLBrute to break into other computers by brute force, the researchers say. They go through lists of IP addresses, usernames, and passwords and try to break into the machines. Similarly, the group they call wizards use their RDP access to launch attacks against other insecure RDP systems, potentially obscuring their identity across many layers. “They use the RDP access as a portal to connect to other computers,” says Bergeron.
The thieves, meanwhile, do as their name suggests. They try to make money from the RDP access in any way they can. They use traffic monetization websites and install crypto miners, the researchers say. They might not make much from a single machine, but many compromises can add up.
The last group that Bergeron and Bilodeau observed is the most random: the bards. These individuals, the researchers say, may have acquired access to the RDP and use it for a variety of reasons. One person the researchers observed Googled the “strongest virus ever,” Bergeron says, while another tried to access Google Ads.
Others simply tried (and failed) to find porn. “We can see what beginner level he’s at because he’s searched for porn on YouTube — of course nothing shows up,” Bergeron says, since pornography isn’t allowed on YouTube. According to the researchers, in several sessions users were spotted attempting to access porn, and these users always wrote in Farsi, suggesting that they might be trying to reach porn from places where it was blocked. (The researchers could not conclusively determine where many of those who accessed the RDP were located.)
Still, observing the attackers shows how they behave, including some stranger actions. Bergeron, who has a PhD in criminology, says the attackers sometimes got the job done “very slowly.” She often “got impatient” while watching, she says. “I’m like, ‘Come on, you’re not good at it,’ or ‘Go faster,’ or ‘Go deeper,’ or ‘You can do better.’”