The Heisenberg Cloud, a honeypot intelligence-gathering effort, shows that attackers target different clouds for different reasons—and are selective in their efforts rather than merely opportunistic.
Heisenberg is a new Rapid7 Labs research project with a singular purpose: understanding what attackers, researchers and organizations are doing in, across and against cloud environments. This research is based on data collected from a Rapid7-developed honeypot framework, along with internet reconnaissance data from the company’s Project Sonar.
Using 136 honeypots across five continents, Rapid7 collected four months of data. Nodes were moved around depending on what was happening in the networks (the 136-node honey net can be taken down and reconfigured in 30 minutes or less), resulting in several nodes’ worth of data for each zone of six major cloud providers.
For phase one, Rapid7 looked at Amazon Web Services (52 nodes); Microsoft Azure (28 nodes); Digital Ocean (38 nodes); Google Cloud (103 nodes); Rackspace Cloud Hosting (eight nodes); and IBM SoftLayer (24 nodes).
Those sensors then examined the service diversity in each of these environments, the types of connections that attackers, researchers and organizations are initiating against these environments, as well as the types of connections these groups are making within and across these environments.
Unsurprisingly, the vast majority of customer nodes (53-80%) in each cloud provider expose web services. But there were some singular aspects to the various clouds observed. For instance, about 22% of SoftLayer customer nodes expose database services (MySQL & SQL Server) directly to the internet. And Digital Ocean and Google Cloud customer nodes expose shell (Telnet and SSH) services at a much higher rate than customer nodes in the other four cloud providers.
“In other words, while most cloud user populations rely on these services for web hosting, the kinds of services exposed by each cloud provider’s user populations are varied according to the provider,” Rapid7 said in its 2016 National Exposure Study, covering the honeypot findings. “These differences are being tested and exploited today by a range of adversaries who are clearly aware of these differences.”
The research found a myriad of attacks are coming at the cloud honeypots, including active attempts to exploit the recent Juniper NSA backdoor, PHP services, remote desktop environments, point-of-sale systems databases and more. There is also notable active use of logging and reporting infrastructure injection attacks in HTTP referrer and user agent fields.
The data also showed that many sites are illegally scraping and aggregating pornography content, and that services that mash up data sources (such as airline discount ticket sites) often seek out anonymous proxies in an attempt to cover their tracks.
“There is a ton of proxying happening out there, from automated systems trying to gather information, including illicit activity from pseudo-legit companies (aggregators), which find as many anonymous proxies as they can to glean info illegally from airlines’ sites and so on,” said Derek Abdine, director at R7 Labs at Rapid7, speaking at the company’s UNITED 2017 summit.
He added that Heisenberg showed two key ways that bad actors use proxies—there is the standard HTTP proxy approach, but also proxies over SSH tunneling. “The moral here is that if you leave a service open, people will find that and try to knock on your door. When you throw something on the internet you will be pinged several times, very quickly.”
He added that companies should, at all costs, avoid using ports 1090, 3128, 8000, 8080, 8083, 8118 and 8888.
“You will get proxy traffic within a minute,” Abdine said.
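A quick way to check a host against that port list, as an added example that is not from Rapid7 or the original article: the Python below parses `ss -H -tln` output and reports listeners on those ports that are bound to a non-loopback address. The sample output is constructed, and the function names are assumptions of this example.

```python
import ipaddress

# Ports the article says attract proxy traffic "within a minute".
PROXY_PROBED_PORTS = {1090, 3128, 8000, 8080, 8083, 8118, 8888}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511        127.0.0.1:8080       0.0.0.0:*
LISTEN 0      4096            [::]:3128          [::]:*
LISTEN 0      128                *:8888             *:*
LISTEN 0      128            [::1]:8000          [::]:*
LISTEN 0      128    10.0.0.5%eth0:8118       0.0.0.0:*
LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
"""


def is_loopback(host):
    """True when the bind address is reachable only from the local machine."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" (wildcard bind) or unparseable: treat as exposed
        return False


def exposed_proxy_ports(ss_output):
    """Return sorted (port, bind_address) pairs that listen on one of the
    probed ports and are bound to something other than loopback."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # local address column
        if not port.isdigit():
            continue
        if int(port) in PROXY_PROBED_PORTS and not is_loopback(host):
            findings.add((int(port), host))
    return sorted(findings)


if __name__ == "__main__":
    for port, host in exposed_proxy_ports(SAMPLE_SS_OUTPUT):
        print(f"port {port} listening on {host}: expect unsolicited proxy probes")
```

On a real host, pipe the live output of `ss -H -tln` into `exposed_proxy_ports` in place of the sample; listeners bound only to loopback are skipped because they are not reachable from the internet.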
The honeypot results also showed a deep lack of patching. In one example, it showed that servers were still being exploited using the Shellshock vulnerability from two years ago. And, the Conficker worm—an eight-year-old vulnerability—is still rampant.
“Attackers still find success using these, which indicates that we need to be better at patching,” said Abdine. “Attackers and bots wouldn’t use these if they weren’t so successful in gaining access with them.”
When starting this project, the research team hypothesized that if attacks/connections to the cloud truly are randomly distributed or opportunistic in nature, then Heisenberg should see the same types and rates of connections across each provider. It picked up on the Mirai DDoS botnet attack, with each node averaging 25 to 100 unique hits per day, for a total of 100,000 unique IP Mirai attacks hitting the honeypots. This is an opportunistic bot just scanning the internet for vulnerable IoT devices, so the cloud environments showed similar patterns during the attack.
But that’s not the case typically. “If it’s opportunistic, traffic should all look alike,” said Bob Rudis, chief security data scientist at Rapid7, speaking at the UNITED 2017 session. “But we found that every port is different, and traffic is not consistent across ports or protocols or anything else.”
Much of this is down to misconfiguration, Rudis added. “We saw a lot of legitimate data and API requests to things that are no longer there.”
That means that organizations that use dynamic cloud infrastructure components may leave “stale” configurations either hardcoded or in their DNS entries. This causes legitimate services to make attempts to contact infrastructure that no longer exists.
The researchers also expected there to be the same levels of traffic in and among the cloud providers when it came to cloud-to-cloud communication. That too proved untrue, with nodes in Amazon making many more connection attempts (across all TCP and UDP ports) to itself than other providers, and other providers also having different port distributions.
Rapid7 said that it has just begun to translate the findings from Heisenberg Cloud into actionable intelligence on the cloud-based attack surface.
“Going forward, Rapid7 expects to release more in-depth research based on our initial findings in future papers, as well as open-sourcing as much data as we can,” the paper noted.