Cloud Honeypot Report 2023

A recent Orca Security report analyzed cybercrime habits. The report shows that attackers typically find exposed "secrets" in as little as two minutes, allowing access to sensitive pieces of information in corporate cloud environments, and in many cases, begin exploiting them almost immediately.

Conducted from January 2023 to May 2023, the study began by creating "honeypots" in nine different cloud environments, simulating misconfigured cloud resources to attract attackers. Each contained a secret Amazon Web Services (AWS) key.

Key findings of the report include:

Misconfigured and vulnerable assets are discovered within minutes. Secrets exposed on GitHub, HTTP, and SSH were all discovered within five minutes; exposed AWS S3 Buckets were discovered in less than an hour.

The more popular and easily accessible a resource is, and the more likely it is to contain sensitive information, the more inclined an attacker is to perform reconnaissance against it.

Although 50% of all observed use of exposed AWS keys occurred in the United States, there was use in almost all other regions, including Canada, Asia Pacific, Europe, and South America.

The state of cloud security is a dynamic, ever-evolving landscape, as both attackers and defenders are constantly adjusting their strategies and measures. As more and more sensitive information and critical systems reside in the cloud, organizations must implement strong security measures to protect their cloud assets. However, to do this in an effective manner, one must understand what attackers are looking for and how they operate.

To that end, Orca Security has released the 2023 Honeypots in the Cloud report, which provides key insights into what attracts potential attackers and the tactics and techniques they use.

For the research project, we deployed "honeypots" in nine different environments, simulating misconfigured resources in the cloud that act as decoys for bad actors.

Honeypots were placed on AWS S3 Buckets, GitHub, DockerHub, Elastic Container Registry, Elasticsearch, HTTP, Elastic Block Storage, Redis, and SSH. 

Each honeypot contains a secret, in this case an AWS secret access key. The report details the actions taken by attackers against each of our honeypot resources and provides recommendations on how to stop these bad actors to better protect your organization's cloud assets.

Main findings

At a high level, here are five key takeaways from our research:

  • Quick discovery of vulnerable assets: Misconfigured and vulnerable assets were discovered in literally minutes (GitHub - 2 minutes, HTTP - 3 minutes, SSH - 4 minutes, S3 Buckets - 1 hour).

  • Key usage time varies by asset type: we saw key usage on GitHub within 2 minutes, meaning exposed keys are compromised essentially immediately. It took 8 hours for S3 Buckets and 4 months for Elastic Container Registry.

  • Not all assets are treated equally: the more popular a resource is, the easier it is to access, and the more likely it is to contain sensitive information, the more inclined attackers are to conduct reconnaissance against it. Certain assets, such as SSH, are extremely easy targets for malware and cryptomining.

  • Defenders should not rely on automatic key protection: With the exception of GitHub, where exposed AWS key permissions were immediately locked, we did not detect any automatic protection for the other resources we tested.

  • No region is safe: While we saw 50% of exposed AWS keys being used in US regions, nearly all other regions were also used, including Canada, Asia Pacific, Europe, and South America.
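Since the report found no automatic protection for exposed keys outside GitHub, watching for any use of a decoy key is something the defender has to do themselves. The following is an added example, not code from Orca or the report: it runs over a constructed sample of CloudTrail-style records (placeholder key IDs in the documented AKIA format, documentation IP ranges) and reports the figures the study tracked, namely time to first use, regions, source IPs and API calls.

```python
from collections import Counter
from datetime import datetime

# Placeholder decoy key ID (20 chars, AKIA + 16); not a real credential.
DECOY_ACCESS_KEY_ID = "AKIAEXAMPLEDECOY0001"

# Constructed CloudTrail-style records: three uses of the decoy key from two
# regions, plus one unrelated event that must not be flagged.
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"accessKeyId": DECOY_ACCESS_KEY_ID}},
    {"eventTime": "2023-03-01T10:00:04Z", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"accessKeyId": DECOY_ACCESS_KEY_ID}},
    {"eventTime": "2023-03-01T11:30:00Z", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": DECOY_ACCESS_KEY_ID}},
    {"eventTime": "2023-03-01T11:31:00Z", "eventName": "PutObject",
     "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"accessKeyId": "AKIALEGITIMATEKEY001"}},
]

def decoy_key_events(events, decoy_key_id):
    """Return every record in which the decoy key was used. A decoy key has no
    legitimate caller, so even a read-only call like GetCallerIdentity is an alert."""
    return [e for e in events
            if e.get("userIdentity", {}).get("accessKeyId") == decoy_key_id]

def minutes_to_first_use(hits, exposed_at):
    """Minutes between exposing the key and its first observed use."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    first = min(datetime.strptime(e["eventTime"], fmt) for e in hits)
    return (first - datetime.strptime(exposed_at, fmt)).total_seconds() / 60

def summarize(hits):
    """Summarize hits along the axes the report uses: first use, regions, IPs, calls."""
    if not hits:
        return None
    return {
        "first_use": min(e["eventTime"] for e in hits),
        "count": len(hits),
        "regions": dict(Counter(e["awsRegion"] for e in hits)),
        "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
        "api_calls": sorted({e["eventName"] for e in hits}),
    }

if __name__ == "__main__":
    hits = decoy_key_events(SAMPLE_EVENTS, DECOY_ACCESS_KEY_ID)
    print(summarize(hits), minutes_to_first_use(hits, "2023-03-01T09:58:00Z"))
```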

The study was conducted between January 2023 and May 2023. In order to set up our "honeypot" and simulate a misconfigured resource, we basically broke all security best practices (don't try this at home!):

  1. We created a number of repositories in different environments and configured them to allow public access or easy access. 

  2. Next, we placed a secret in our honeypot - in this case an AWS key. 

  3. Then we waited for an attacker to take the bait.

The goal of our honeypot research was to find the following:

  • Which popular cloud services are most often targeted by attackers?

  • How long would it take for an attacker to gain access to a public or easily accessible resource?

  • How long will it take for an attacker to find and use a leaked secret?

  • What are the common attack routes and methods?

  • How can we use this information to strengthen our defenses?

In some respects, our research confirms a well-known fact: attackers are constantly scanning the Internet for lucrative opportunities. What surprised us, however, was how quickly this happened in some cases. Depending on the resources, it sometimes only takes an attacker a few hours or even minutes to find and use an exposed key in our honeypot.

Furthermore, we found that the more breadcrumbs point to an S3 Bucket, the faster it is accessed and its key used. We had to leave extra breadcrumbs to our (fake) buckets before we saw any visits, whereas legitimate buckets naturally carry more breadcrumbs, such as references to bucket names, IDs, and links. As a result, legitimate buckets that are accidentally exposed can be reached by an attacker even more quickly, meaning discovery can be expected within an hour.

Why do some resources have more targets?

The "attractiveness" of a resource depends on a combination of factors:

  • Cost/Benefit Ratio: The easier a resource is to discover, the more attractive the resource is to an attacker:

    • For example, it's easy to discover public repositories and new commits in those repositories on GitHub.

    • If assets are exposed to the internet via TCP ports such as HTTP, Elasticsearch, Redis, SSH, and Postgres, these systems can be efficiently found through resources such as Shodan.

    • However, with S3 buckets there is no way to query all existing S3 buckets, nor is there an unauthenticated way to list all S3 buckets belonging to a particular account; instead, a dictionary-style approach is required, looping through the space of potential bucket names. Finding a publicly accessible bucket therefore requires more effort, even though it can also be done in an automated fashion.

  • How much the resource is used: The more users of the resource, the better the chances of finding potentially useful data.

  • How likely the resource is to contain secrets: GitHub, for example, is very likely to contain secrets, because it holds all the source code of a project, and sometimes even the source code of an entire organization. Other resources are less prone to this.

Because attacker strategies differ significantly for each resource, defenders must tailor defense strategies to each resource. For example, because GitHub is closely monitored by attackers and secrets are discovered so quickly, the risk justifies the overhead of ensuring that any secrets are prevented from being leaked before code is committed. Another example is a system that needs to expose SSH to the Internet, where additional mitigation measures are recommended to detect and prevent the execution of malware such as cryptominers.
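One way to act on the GitHub recommendation above is a pre-commit hook that refuses a commit when the staged diff adds an AWS credential. This is an added example, not a recommendation or tool from the report; it assumes the documented AWS key formats (long-term access key IDs are 20 characters starting with AKIA, temporary ones with ASIA; secret access keys are 40 characters of letters, digits, `/` and `+`) and uses a constructed config file with placeholder values to show what it catches.

```python
import re
import subprocess
import sys

# Documented AWS formats: access key IDs are AKIA/ASIA + 16 uppercase alphanumerics;
# secret access keys are 40 chars of [A-Za-z0-9/+], normally next to a telltale name.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

def find_aws_secrets(text):
    """Return (line_number, kind, value) for each suspected AWS credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(1)))
    return findings

def scan_staged_diff():
    """Pre-commit entry point: scan only the lines being added in the staged diff."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return find_aws_secrets(added)

# Constructed sample of a credentials file that would leak on commit. The key ID is a
# placeholder and the secret is the well-known AWS documentation example value.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEDECOY0001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    # Install as .git/hooks/pre-commit; a non-zero exit blocks the commit.
    hits = scan_staged_diff()
    for lineno, kind, value in hits:
        print(f"blocked: {kind} {value[:4]}... at added line {lineno}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Matching only the added lines of the staged diff keeps the hook fast and avoids re-flagging secrets that were already rotated and removed from the history.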

The report contains 8 key recommendations designed to help defenders stay ahead of attackers, including recommendations on secrets management, authentication, malicious process monitoring, and more.

This article was first published on the WeChat public account Network Research Institute.


Origin: blog.csdn.net/qq_29607687/article/details/131368078