Lessons learned from the Windows Remote Desktop honeypot report

Threat actors spend most of their time on reconnaissance. Typical services generate large volumes of audit logs that are difficult to parse, which makes potentially malicious events hard to detect.

Since much of this reconnaissance is automated, a dedicated machine exposed to the internet, waiting for probes and attacks, is incredibly useful; such a machine is known as a honeypot.

The wealth of data collected by honeypots allows analysis of both known and unknown attacks, meaning an organization can proactively track and block threats.

Relying strictly on threat disclosures means you are reactive, but with a honeypot you can identify a potential attack and stop it before it becomes an issue!

Tracking Threats with Honeypots

With visibility into active attacks, it is easier to understand the scale of the threat. For example, over several weeks in October 2022, Specops collected 4.6 million attempted passwords on its honeypot system.

In a given year, this adds up to millions of potential passwords that an attacker could use to enter your organization.

So how do honeypots work? A honeypot is nothing more than a system that lures threat actors into attempting an exploit. Once they connect, the honeypot records the malicious attempt for later analysis.

An example of a basic honeypot is a Microsoft Windows Server virtual machine (VM) with a Remote Desktop Protocol (RDP) connection open to the Internet. With logging enabled, you can see every username an attacker attempts.

Taking it to the next level, many different software packages cover a wide range of possible honeypot modes. For example, PyRDP provides a man-in-the-middle approach, which lets you observe and control a threat actor's attack attempt in real time.
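The logging mentioned above produces Windows Security events that must be aggregated before they say anything useful. The following script is an added example, not code from the article or from Specops: it parses a constructed, simplified export of Event ID 4625 (failed logon) records from an RDP honeypot, keeps only RemoteInteractive (LogonType 10) failures, and summarises the usernames tried and the attempts per source address. The `key=value` line format and the threshold are assumptions for this example.

```python
# Added example (not from the article): summarising failed RDP logons
# exported from a honeypot's Windows Security log. The records below are
# constructed for illustration; real 4625 events carry many more fields.
import re
from collections import Counter

# Constructed sample of Event ID 4625 (failed logon) records, one per line,
# in a simplified "key=value" export format assumed for this example.
SAMPLE_LOG = """\
2022-10-03T01:12:04Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.10
2022-10-03T01:12:05Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.10
2022-10-03T01:12:06Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.10
2022-10-03T01:13:40Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=198.51.100.7
2022-10-03T01:14:02Z EventID=4624 LogonType=10 TargetUserName=honeyadmin IpAddress=192.0.2.44
2022-10-03T01:15:11Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_failed_rdp_logons(text):
    """Return the 4625 events with LogonType 10 (RemoteInteractive, i.e. RDP)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["event"] == "4625" and m["ltype"] == "10":
            events.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"]})
    return events

def summarise(events):
    """Unique usernames (case-folded, as Windows logon names are) and attempts per source IP."""
    users = {e["user"].lower() for e in events}
    per_ip = Counter(e["ip"] for e in events)
    return {"unique_users": sorted(users), "attempts_per_ip": dict(per_ip)}

def flag_brute_force(events, threshold=3):
    """Source IPs with at least `threshold` failed RDP logons (threshold is an assumed value)."""
    per_ip = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    ev = parse_failed_rdp_logons(SAMPLE_LOG)
    print(summarise(ev))
    print("brute-force sources:", flag_brute_force(ev))
```

On a real honeypot the same aggregation, run over weeks of 4625 events, is what yields figures like the unique-username and source-country counts quoted in the reports below.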

Walking Through the Findings

What do recent reports indicate about the state of these attacks?

Blumira analyzed honeypot data from its Google Cloud Platform RDP VM from 2019 to 2020 and found that over 179,000 unique usernames were attempted from at least 122 countries.

Additionally, from 2019 to 2020 the number of attacks increased by 85%, reflecting the increasingly sophisticated and automated reconnaissance that threat actors use to collect the data needed for ransomware and infrastructure attacks.

Another example of how quickly a basic Windows VM with RDP open to the Internet can be attacked comes from an analysis of attacks by TrustedSec.

They left an unsecured Windows 7 VM online for only 9 days, and it recorded over 2,800 access attempts. Of these, 46 were successful. Many simply tested whether access worked, but many actively installed ransomware within minutes of connecting!

How to reduce malicious remote access attempts

Although the examples given here focus on RDP connections, a honeypot is not limited to that type of connection, and any remote access system, such as SSH, is subject to similar attacks.

What should an organization do to minimize potential losses?

Three measures will go a long way toward protecting against many of these attacks.

  1. Enforce strong password policies with checking against a breached password list.
  2. Protect any account with Multi-Factor Authentication (MFA), ensuring even stolen passwords can’t be used.
  3. Limit access to remote connections behind a VPN or zero-trust connection.

Strong Password Policies

If an attacker reaches the password prompt, which the most persistent attackers can do despite all other protections, having a strong password policy is essential. Sufficiently long and complex passwords ensure that they cannot easily be cracked if their hashes are stolen.

Checking new passwords against a breached-password list of known stolen credentials before they are set ensures that the most common variations are not used. Unique and complex passwords make an attacker's job more complicated.

Specops Password Policy with Breached Password Protection checks your users' passwords and prevents them from choosing a compromised one.

Many threat actors rely on pre-built lists of leaked passwords reused across services, but with breached-password checks in place, this tactic becomes far less effective!
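To make the breached-password check concrete, here is an added example of the kind of policy check described above; it is not Specops' product code and the breached list is a constructed stand-in for a real breach corpus. It hashes the candidate with SHA-1, indexes the corpus by a 5-hex-character prefix (the layout range-query lookups use so a full hash never has to leave the host), and also checks the common variations an attacker would try, such as the lower-cased form or the password with its trailing digits and symbols removed. The minimum length is an assumed value.

```python
# Added example (not Specops' product code): reject short or breached
# passwords, including trivial variations, before they are set.
import hashlib
import re

# Constructed breached list of a few well-known weak passwords. Real corpora
# hold hundreds of millions of entries and are distributed as hash lists.
_BREACHED_PLAINTEXT = ["password", "Password1", "123456", "qwerty", "Welcome1"]

def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index each hash by its first five hex characters, as a range-lookup store does.
BREACHED_RANGES = {}
for _pw in _BREACHED_PLAINTEXT:
    _h = _sha1_hex(_pw)
    BREACHED_RANGES.setdefault(_h[:5], set()).add(_h[5:])

def _variants(password):
    """Forms an attacker would also try: lower-cased, and with trailing digits/symbols stripped."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return {password, password.lower(), stripped, stripped.lower()} - {""}

def is_breached(password):
    """True if the password or one of its simple variations is in the breached store."""
    for v in _variants(password):
        h = _sha1_hex(v)
        if h[5:] in BREACHED_RANGES.get(h[:5], set()):
            return True
    return False

def check_password(password, min_length=12):
    """Return (accepted, reason): length rule first, then the breach check."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_breached(password):
        return False, "found in breached-password list"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ["Welcome1", "password12345!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```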

[Image: BPP Express list, failed password change. Source: ATA Learning]

Protecting Accounts with MFA

Layered on top of a strong password policy is the use of MFA. With a second authentication requirement, even a correctly guessed or stolen password does not guarantee access. An unexpected MFA prompt also signals that a logon attempt was made, allowing the user to alert IT and take appropriate action.

Restrict Remote Access

Finally, removing the system's direct exposure to the public Internet makes it more difficult for an attacker to even attempt access. Typically, the connection is placed behind a VPN. However, because of the configuration complexity involved, newer systems use a zero-trust model that verifies each connection is authenticated and protected.

Protect your organization by learning from honeypots

Learning from the many threats discovered through honeypots allows an organization to take proactive steps to stay ahead of attackers. Locking down external connections behind VPNs or zero-trust services makes access difficult even for the most persistent threat actors.

Combined with MFA, a strong password policy ensures that even an attacker who slips through one layer will be stopped. Enforce strong passwords through a solution like Specops Password Policy, and be proactive in protecting your organization!

Sponsored and written by Specops Software.
