RDP honeypot targeted 3.5 million times in brute-force attacks

Remote desktop connections are so powerful a magnet for hackers that an exposed connection can average more than 37,000 times every day from various IP addresses.

During this phase, the attacks are automated. But once they get the right access credentials, the hackers start searching for important or sensitive files manually.

Hackers swarm to RDP

An experiment using high-interaction honeypots with an RDP connection accessible from the public web shows how relentless attackers are and that they operate within a daily schedule very much like working office hours.

Over three months, the researchers at GoSecure, a threat hunting and response company with headquarters in the U.S. and Canada, recorded close to 3.5 million login attempts to their RDP honeypot system.

Andreanne Bergeron, a cybersecurity researcher at GoSecure, explained at the NorthSec cybersecurity conference in Montreal, Canada, that the honeypots are linked to a research program that aims to understand attacker strategies that could be translated into prevention advice.

The honeypot has been functioning on and off for more than three years and running steadily for over a year but the data collected for the presentation represents only three months, between July 1 and September 30, 2022.

During this time, the honeypot was hit 3,427,611 times from more than 1,500 IP addresses. However, the attack count for the entire year reached 13 million login attempts.

To whet the attackers’ appetite, the researchers named the system to appear to be part of a bank’s network.

As expected, the compromise attempts relied on brute-force attacks based on multiple dictionaries and the most common username was “Administrator” and variation of it (e.g. short version, different language or letter case).

In some 60,000 cases, though, the attacker did some reconnaissance before trying to find the right login and ran some usernames that are obviously out of place in the set below.

Bergeron explained that the three odd usernames in the image above are related to the honeypot system (names of the RDP certificate and the host, and the hosting provider).

The presence of this data in the top 12 tried login names indicates that at least some of the hackers did not blindly test credential pairs t log in but gathered information about the victim first.

Bergeron told us that the system collected hashes of the passwords and the researchers were able to revert the weaker ones. The results showed that the most common strategy was to use a variation of the RDP certificate, followed by variants of the word ‘password’ and a simple string of up to ten digits.

One interesting observation when correlating these statistics with the attack IP addresses is that the RDP certificate name was used exclusively in login attempts from IPs in China (98%) and Russia (2%).

However, this does not necessarily mean that the attackers are from the two countries but that they use infrastructure in the two regions.

Another observation is that plenty of attackers (15%) combined thousands of passwords with just five usernames.

A normal working day

The human involvement in the attack became more evident past this initial bruteforce stage when the hackers started snooping inside the system for valuable data.

Digging further into the data, Bergeron created a heat map for IP addresses targeting the honeypot and noticed that the activity formed a daily pattern with pauses indicating that the hackers were taking a break.

Many activity chunks span over four hours and up to eight, although some sessions were as long as 13 hours. This suggests human intervention, at least for launching the attacks, and appears to follow a schedule of some sort.

Adding weight to this observation is the fact that the bruteforce activity stopped during weekend days, possibly suggesting that the attackers are treating the hacking activity like a regular job.

It is worth noting that these were all automated login attempts that did not require human monitoring once the script was properly tweaked.

In one example, Bergeron noticed an eight-hour gap between attacks and inferred that it could indicate an attacker working in shifts.

The human touch and the level of sophistication were also visible in attacks that were customized for the target (14%) as well as in adding a delay between each login attempt, to mimic a real person’s activity.

The human involvement in the attack became more evident past this initial bruteforce stage when the hackers started snooping inside the system for valuable data.

Despite the researchers lowering the login difficulty on the honeypot with the ‘admin/admin’ credential pair, Bergeron told BleepingComputer that only 25% of the hackers started to explore the machine for important files.

Bergeron also said that the honeypot was empty, which is probably why only a quarter of the attackers lingered on searching for data. However, the next step of the research would be to fill the server with fake corporate files and monitor the attacker’s movements and actions.

To record and store the attack data, which includes live video feeds of the adversary RDP session, the research used PyRDP, an open-source interception tool developed at GoSecure by Olivier Bilodeau, cybersecurity research director at the company and president of the NorthSec conference.

Andreanne Bergeron's talk at NorthSec this year is titled "Human vs Machine: The Level of Human Interaction in Automated Attacks Targeting the Remote Desktop Protocol." All the talks from both stages of the conference are available on NorthSec's YouTube channel.