In the last three years, hackers unknowingly seeking data or malware deployment have found a seemingly vulnerable virtual machine that is hosted in the U.S., which in reality, is a cleverly designed trap.
While this cleverly designed, trap has been implanted by cybersecurity researchers to trick the hackers and make them reveal their dark secrets with the help of a honeypot.
Over 2,000 hackers breached a machine, letting GoSecure experts invisibly record their actions, including:-
- Screen activity
- Mouse clicks
- Data grabs
Trap for Hackers
Using their RDP interception tool, GoSecure gathered extensive info on attackers, shared in a groundbreaking presentation at BlackHat USA:-
- I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers’ Tradecraft
While this story includes luring, understanding, characterizing, and dealing with threat actors to shift focus to advanced threats.
Threat actors like ransomware groups, exploit Remote Desktop Protocol (RDP) actively. That’s why to examine this; experts have crafted PyRDP, an open-source interception tool with the following key capabilities:-
- Unmatched screen
- Track Keyboard
- Monitor mouseclicks
- Clipboard data collection
- File collection
API Attacks Have Increased by 400% – Understand the Fundamentals of Protecting Your APIs with a Positive Security Model – Register Now for a Free Webinar
Moreover, security researchers at GoSecure built and set up a custom-designed cloud-based honeynet trap with RDP Windows servers and then ran them for 3-years.
Within a span of 3-years, they managed to accumulate several essential data and more than 190 million events which include:-
- 100 hours of video footage
- 470 files collected from threat actors
- Over 20,000 RDP captures
All the data that are gathered by the security analysts are used to categorize the hackers into different specified groups based on their behavior.
Here below we have mentioned all the groupings of the hackers:-
- Rangers: This group extensively explores folders, assesses performance, and conducts reconnaissance through clicks or scripts, likely assessing compromised systems for future attacks.
Watch them in action:-
- Thieves: This group exploits RDP access, taking control by altering credentials and engaging in various monetization activities, including traffmonetizer, pay-to-surf browsers, crypto miners, and Android emulators for mobile fraud.
- Barbarians: This group employs a diverse toolkit for widespread brute-force attacks, leveraging compromised systems with IP lists, usernames, and passwords.
- Wizards: This group cleverly uses RDP access as a portal for connecting to other similarly compromised computers, enhancing their operational security. Skillfully leveraging ‘living off the land’ techniques, so, monitoring them is important for in-depth threat intel.
Watch them in action:-
- Bards: This group lacks hacking skills and uses the system for simple tasks, possibly buying RDP access from Initial Access Brokers (IABs) who compromise it.
However, this GoSecure showcase highlights the vast potential of RDP for research, law enforcement, and defense teams. Legal interception of ransomware RDP setups aids investigations through recorded session intelligence.