A vulnerable honeypot exposed online can be compromised in 24 hours

Pierluigi Paganini November 24, 2021

Researchers deployed multiple instances of vulnerable systems and found that 80% of the 320 honeypots were compromised within 24 hours.

Researchers from Palo Alto Networks deployed a honeypot infrastructure of 320 nodes to analyze how three actors target exposed services in public clouds.

The company set up the honeypots between July 2021 and August 2021 to analyze the time, frequency and origins of the attacks targeting them.

The instances included systems exposing remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database. The experts discovered that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. 

Below are some findings shared by the experts:

  • the most attacked application was SSH.
  • The most attacked SSH honeypot was compromised 169 times in a single day.
  • each SSH honeypot was compromised on average 26 times per day.
  • experts observed that one threat actor compromised 96% of the 80 Postgres honeypots that the researchers deployed, and all the instances were hacked within 30 seconds.
  • 85% of the attacker IPs were observed only on a single day demonstrating that Layer 3 IP-based firewalls are not effective against these attacks because threat actors rotate same IPs to launch attacks.

“Four types of applications, SSH, Samba, Postgres and RDP, were evenly deployed across the honeypot infrastructure. We intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest, administrator:password. These accounts grant limited access to the application in a sandboxed environment. A honeypot will be reset and redeployed when a compromising event is detected, i.e., when a threat actor successfully authenticates via one of the credentials and gains access to the application.” reads the post published by Palo Alto Networks. “To analyze the effectiveness of blocking network scanning traffic, we blocked a list of known scanner IPs on a subset of honeypots.”

The researchers were updating the firewall policies once a day based on the observed network scanning traffic to prevent reconnaissance and attacks conducted with scanners. Each firewall policy might block 600-3,000 known scanner IP addresses.

Every time one of the virtual machines composing the honeypot infrastructure became unresponsive, the controller redeployed the virtual machine and application.


The experts analyzed the time-to-first-compromise (the time before the system was compromised) for the different services. The time-to-first-compromise for Samba installs was 2485 minutes, 667 minutes for RDP, 511 for Postgres, and 184 minutes for SSHD.

Palo Alto’s study also focuses on tThe mean time-between-compromise, that is the average time between two consecutive compromising events of a targeted application.

“A vulnerable service on the internet is usually compromised multiple times by multiple different attackers. To compete for the victim’s resources, attackers commonly attempt to remove malware or backdoors left by other cybercriminal groups (e.g., RockeTeamTNT).” continues the report. “Mean time-between-compromise resembles an attacker’s time on a compromised system before the next attacker shows up. Similar to time-to-first-compromise, the mean time-between-compromise of an application is also inversely proportional to the number of attackers targeting the application.”

Researchers also analyzed the geographic distribution of the attacks, systems deployed in the APAC region were most targeted from threat actors.

honeypot infrastructure 2

“The problem of insecurely exposed services is not new to public cloud, but the agility of cloud infrastructure management makes the creation and replication of such misconfigurations faster. The research highlights the risk and severity of such misconfigurations. When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment.” concludes the report.

Below is the list of recommendations to protect cloud services published by Palo Alto Networks:

  • Create a guardrail to prevent privileged ports from being open.
  • Create audit rules to monitor all the open ports and exposed services.
  • Create automated response and remediation rules to fix misconfigurations automatically.
  • Deploy next-generation firewalls in front of the applications, such as VM-Series or WAF to block malicious traffic.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, honeypot)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment