An insecurely exposed service is one of the most commonly seen misconfigurations in cloud environments. These services are discoverable on the internet and can pose a significant risk to cloud workloads in the same infrastructure. Using a honeypot infrastructure of 320 nodes deployed globally, researchers aim to better understand the attacks against exposed services in public clouds.
Multiple instances of remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database in the honeypot infrastructure has been deployed. These honeypots were deployed worldwide, with instances in North America, Asian Pacific, and Europe. Researchers found 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week
Some of the findings taken researchers in shok
- One threat actor compromised 96% of our 80 Postgres honeypots globally within 30 seconds.
- 85% of the attacker IPs were observed only on a single day , making firewall rules ineffective
- SSH was abused at most
- Single SSH honeypot compromised 169 times in a single day and on a average 26 times a day when all honeypots considered
- The vulnerability management cycle is considered in days or months , but here the honeypots are compromised in minutes after deployment, which came as a shock
The outcome reiterates the importance of mitigating and patching security issues quickly. If misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service.
To analyze the effectiveness of blocking network scanning traffic, known scanner IPs on a subset of honeypots was blocked. The firewall policies were updated once a day based on the observed network scanning traffic. Depending on the applications and days, each firewall policy might block 600-3,000 known scanner IP addresses.
The logs from all the honeypots were aggregated on an Elasticsearch cluster. A controller server continuously monitored the logs and checked the health of each honeypot. If a compromising event was detected or a virtual machine became unresponsive, the controller redeployed the virtual machine and application.
Time-to-first-compromise is the time that attackers take to discover and compromise a new service on the interne. Time-to-first-compromise varies with applications. In general, it is inversely proportional to the number of attackers targeting the application . If the number of attackers increases, the time-to-first compromise of this application decreases.
The mean time-between-compromise is the average time between two consecutive compromising events of a targeted application. Mean time-between-compromise resembles an attacker’s time on a compromised system before the next attacker shows up
During the 30 days covered in this research, 85% of the attacker IPs were observed only on a single day. The number indicates that the Layer 3 IP-based firewall is ineffective as attackers rarely reuse the same IPs to launch attacks. A list of malicious IPs created today will likely become outdated tomorrow.
The issue related to insecurely exposed services is not new to public cloud, but the agility of cloud infrastructure management makes the creation and replication of such misconfigurations faster. To overcome these type of threats, few strategies need to be followed
- Create a guardrail to prevent privileged ports from being open.
- Create audit rules to monitor all the open ports and exposed services.
- Create automated response and remediation rules to fix misconfigurations automatically.
- Deploy next-generation firewalls in front of the applications