A Clever Honeypot Tricked Hackers Into Revealing Their Secrets

Security researchers set up a remote machine and recorded every move cybercriminals made—including their login details.

For the past three years, hapless cybercriminals trying to steal data or deploy malware have been stumbling upon a virtual machine hosted in the United States. Like countless others, the machine had a weak password that could easily be cracked. But, unbeknown to the hackers, the remote machine they’ve been accessing is a trap.

Every time one of the 2,000-plus attackers forced their way into the machine, researchers at cybersecurity firm GoSecure could watch their every move. Secretly, they recorded the machine’s screen, observing every mouse click and keyboard tap, as well as stealthily grabbing any data copied onto the clipboard of the attacker’s own devices.

An analysis of more than 100 hours of screen recordings from the attacks—an arguably unprecedented amount of data about the behavior of cybercriminals in action—shows the hackers gave away many of their most precious secrets. They inadvertently revealed the hacking tools they use, how they use them, and what they do once they break into a system. Those foolish enough to log in to their personal email accounts also handed over details about their lives away from the keyboard.

Some attackers were sophisticated, while others appeared inept. And some just behaved oddly—one person who logged into the machine changed the desktop background and logged out, and another wrote “lol” before covering their tracks and leaving, the researchers behind the study say.

“It's basically a surveillance camera that shows everything they do,” says Andréanne Bergeron, a cybersecurity researcher at GoSecure who analyzed the mountain of recorded screen footage. Various kinds of honeypots to catch cybercriminals have existed for years. “There’s a lot of personal information that they use, even when they are attacking,” Bergeron adds. “In the end, they are like us. They think like us. And they do errors, they do mistakes.”

Bergeron, along with her colleague Olivier Bilodeau, GoSecure’s cybersecurity research director, set up the honeypot to catch potential cybercriminals using Microsoft’s Remote Desktop Protocol (RDP). RDP allows people to remotely log in to a computer and see its desktop on their own screen. The setup, which requires a username and password, is commonly used by IT staff within businesses to help colleagues with problems and install updates.

In recent years, RDP systems with insecure logins, such as weak passwords that can be guessed by automated brute-force tools, have provided key access points for cybercriminals breaking into corporate networks. Ransomware gangs in particular have made use of exposed RDP for attacks, says Mark Stockley, a security expert at Malwarebytes who has researched insecure RDP deployments. “If I can get an RDP session on your computer, then it's as good as me pushing you off your chair and sitting down in front of it,” says Stockley, who is not connected to the new research. If an attacker has administrator access, they may be able to move laterally across an entire network and deploy ransomware.

The new analysis by the GoSecure researchers, which is being presented at the Black Hat security conference in Las Vegas today, offers a detailed look at how those abusing RDP operate. Bilodeau says the team set up the RDP honeypot in January 2020 and created it outside of GoSecure’s systems so no company data was put at risk. The researchers then used their homemade RDP interception tool, PyRDP, which sits between the attacker and the honeypot and records the session, to capture the hackers in the act.

Plenty of people tried to access the system. Over the past three years, it has captured 21 million login attempts, with more than 2,600 successful logins by attackers brute-forcing the deliberately weak password set on the system. The researchers recorded 2,300 of these successful logins, gathered 470 files that were uploaded, and analyzed 339 of the videos with useful footage. (Some recordings were just a couple of seconds long, and proved less useful.) “We cataloged the techniques, the tooling, everything done on these systems,” Bilodeau says.

Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game Dungeons and Dragons. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on, and checking other elements of the machine. Beyond that, rangers wouldn’t take any further action, Bergeron says. “It's basic recon,” she says, suggesting they may be evaluating the system for others to enter it.

Barbarians were the next most frequent kind of attacker. They use multiple hacking tools, such as the port scanner Masscan and the RDP brute-forcer NLBrute, to find other machines and brute-force their way in, the researchers say. They work through lists of IP addresses, usernames, and passwords, trying to break into the machines. Similarly, the group they call wizards use their access to the RDP to launch attacks against other insecure RDP servers, chaining compromised hosts so that their origin is hidden behind many layers. “They use the RDP access as a portal to connect to other computers,” Bergeron says.

The thieves, meanwhile, do what their name implies. They try to make money out of the RDP access in any way possible. They use traffic monetization websites and install crypto miners, the researchers say. They might not earn a lot in one go, but multiple compromises can add up.

The final group Bergeron and Bilodeau observed is the most haphazard: the bards. These people, the researchers say, may have purchased access to the RDP and are using it for a variety of reasons. One person the researchers watched Googled the “strongest virus ever,” Bergeron says, while another tried to access Google Ads.

Others simply tried (and failed) to find porn. “We can see the beginner level he is in, as he searched for porn on YouTube—nothing appears, of course,” Bergeron says, since YouTube doesn’t permit pornography. Multiple sessions were spotted trying to access porn, the researchers say, and these users were always writing in Farsi, suggesting they may be trying to reach porn from places where it is blocked. (The researchers weren’t able to determine conclusively where many of those accessing the RDP were connecting from.)

Still, watching the attackers reveals how they behave, including some peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I’m like: ‘Come on, you're not good at that’ or 'Go faster’ or ‘Go deeper,’ or ‘You can do better.’”

In one case, the attacker was dawdling and repeatedly sketching out rectangles on the desktop with their mouse. “It feels like they are on the phone or talking to someone and fooling around,” Bergeron says. In another instance, a password one of the attackers generated may have included their own name.

Bilodeau says the research has provided a wealth of intelligence and information. Often, cybersecurity researchers and those dealing with hackers have to rely on technical logs, which reveal little about the individuals behind the attacks. “We see them install Telegram and they log in on the compromised system,” he says. This can potentially reveal phone numbers, which in turn give away a country code and can help identify the person behind the session. “We collect credentials and stuff we, unfortunately, cannot legally use,” he says. Such details could potentially be useful for law enforcement agencies.

There’s also not a huge amount of automation by the attackers, Bilodeau says. Many of those accessing the systems manually click around the system to see what they can find, rather than using tools that could automatically scan the remote desktop.

As well as revealing the behavior of hackers, the research also highlights how frequently RDP is attacked. Stockley, from Malwarebytes, says a recent search he did showed around 2.5 million RDP servers exposed online. Previously, he set up 10 RDP servers as honeypots for hackers, and it took one minute and 24 seconds for attackers to start trying to break in. All 10 had been attacked after just 15 hours. “It's an absolute bonanza for cybercriminals,” Stockley says. Password-guessing attempts arrived every seven seconds, he says.
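The brute-force pattern described above, both the "barbarian" tooling working through lists of addresses and credentials and the seven-second guessing cadence Stockley measured, is what a defender sees on their own RDP server as a burst of failed logons from one source, sometimes followed by a success. The following detection logic is an added example written for this page; it is not GoSecure's code, not part of PyRDP, and not from Stockley's honeypots. The log records are a constructed, simplified rendering of the fields in Windows Security events (event ID, logon type, source address, target user), and the threshold, window and "burst memory" values are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one record per line: timestamp, event ID, logon type,
# source IP, target user. Modelled on Windows Security events 4625 (failed logon)
# and 4624 (successful logon). Logon type 10 = RemoteInteractive (RDP); type 3 =
# network, which is how failed RDP logons commonly appear when Network Level
# Authentication (NLA) is enabled. Type 2 is a local console logon and is ignored.
SAMPLE_LOG = """\
2023-08-09T10:00:00 4625 3 203.0.113.7 administrator
2023-08-09T10:00:07 4625 3 203.0.113.7 admin
2023-08-09T10:00:14 4625 3 203.0.113.7 administrator
2023-08-09T10:00:21 4625 3 203.0.113.7 backup
2023-08-09T10:00:28 4625 3 203.0.113.7 administrator
2023-08-09T10:00:35 4624 10 203.0.113.7 administrator
2023-08-09T10:05:00 4625 10 198.51.100.2 alice
2023-08-09T10:05:30 4624 10 198.51.100.2 alice
2023-08-09T11:00:00 4625 2 - bob
"""

FAIL, SUCCESS = 4625, 4624
RDP_LOGON_TYPES = {3, 10}  # assumption: treat both as RDP-related, see note on NLA


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    source_ip: str
    user: str


def parse_events(text):
    """Parse the constructed whitespace-separated format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, user = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1),
                          burst_memory=timedelta(minutes=10)):
    """Return (bursts, suspicious_successes).

    bursts: (source_ip, first_failure, nth_failure, mean_gap_seconds, users_tried)
            emitted when `threshold` failures from one source land inside `window`.
    suspicious_successes: (source_ip, user, when) for any successful RDP logon from a
            source that crossed the threshold within the last `burst_memory`.
    """
    recent_fails = defaultdict(deque)  # source_ip -> (time, user) within window
    burst_seen_at = {}                 # source_ip -> last time threshold was met
    bursts, suspicious = [], []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type not in RDP_LOGON_TYPES or ev.source_ip == "-":
            continue
        if ev.event_id == FAIL:
            q = recent_fails[ev.source_ip]
            q.append((ev.when, ev.user))
            while q and ev.when - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                burst_seen_at[ev.source_ip] = ev.when
                if len(q) == threshold:  # report once per crossing, not per extra failure
                    first = q[0][0]
                    mean_gap = (ev.when - first).total_seconds() / (len(q) - 1)
                    users = sorted({u for _, u in q})  # multiple users = spraying
                    bursts.append((ev.source_ip, first, ev.when, mean_gap, users))
        elif ev.event_id == SUCCESS:
            last_burst = burst_seen_at.get(ev.source_ip)
            if last_burst is not None and ev.when - last_burst <= burst_memory:
                suspicious.append((ev.source_ip, ev.user, ev.when))
    return bursts, suspicious


if __name__ == "__main__":
    bursts, suspicious = detect_rdp_bruteforce(parse_events(SAMPLE_LOG))
    for ip, first, last, gap, users in bursts:
        print(f"burst from {ip}: {first:%H:%M:%S}-{last:%H:%M:%S}, one guess every {gap:.1f}s, users {users}")
    for ip, user, when in suspicious:
        print(f"SUCCESS AFTER BURST: {ip} logged in as {user} at {when:%H:%M:%S}")
```

On the constructed sample this reports one burst from 203.0.113.7 (a guess every 7.0 seconds across three usernames) and flags the later successful logon from that address as the real alert; the single failure from 198.51.100.2 before alice's logon is left alone. The one-failure-then-success case is the edge to get right, since legitimate typos look like that. Note the NLA caveat encoded in `RDP_LOGON_TYPES`: on servers with Network Level Authentication enabled, failed RDP attempts are commonly logged with logon type 3 rather than 10, so filtering on type 10 alone would miss the burst entirely while still seeing the success.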

GoSecure’s Bilodeau says he believes others should roll out their own traps. For companies, he says, it can show the kind of hackers that may be trying to break into their systems and help convince CEOs to invest more in cybersecurity. In the future, Bilodeau says, GoSecure may seed the honeypot with files that ransomware could encrypt, to encourage more ransomware criminals to spend time in the system. He doesn’t worry that revealing that GoSecure has been recording criminals will stop them. If anything, it may make them change their behavior because they know they’re being monitored. “If they're more careful, they're going to be slower,” Bilodeau says. “We are raising their cost of attack.”