Security researchers at GoSecure were able to get a glimpse of how hackers conduct their nefarious activities through a carefully designed trap involving a network of internet-exposed Windows servers with Remote Desktop Protocol (RDP) enabled, meaning that threat actors could remotely control the compromised machines.
The researchers ran the honeypot for three years, accumulating over 190 million events, including 100 hours of video footage, 470 files collected from threat actors, and more than 20,000 RDP captures. This allowed them to better understand how malicious actors install malware, mine cryptocurrencies, launch DDoS attacks using compromised servers, and conduct fraud operations.
GoSecure classified attackers into five groups based on their behaviors:
Rangers explore all the folders of the computer, check the network and host performance characteristics, and run reconnaissance by clicking or by using programs/scripts. No other meaningful actions are undertaken.
Thieves try to monetize the RDP access. After taking control of the computer by changing the credentials to access it, they perform different activities that aim to take advantage of this access.
Barbarians use a large array of tools to brute-force their way into more computers. They leverage the compromised system to attempt to breach other systems by working with lists of IP addresses, usernames and passwords.
Wizards use the RDP access as a portal to connect to another computer that was compromised in a similar fashion. This strategy is good operational security: they hide their identity via jumps over compromised hosts. To do so, they demonstrate a high level of skill by carefully living off the land.
Bards are individuals with no apparent hacking skills. They access the system to accomplish basic tasks like looking for viruses through a simple Google search or to watch pornography. The researchers believe they likely buy RDP access from a third party such as Initial Access Brokers (IABs), threat actors that sell cybercriminals access to compromised networks.
The researchers presented their findings last week at the Black Hat cybersecurity conference in Las Vegas.