Sophos, an IT and network security company, conducted a study entitled “Exposed: Cyberattacks on Cloud Honeypots”. The study involved placing servers in 10 of the most popular data centres around the globe.
The servers were ‘honeypots’ configured in an open and vulnerable way to lure a cybercriminal attack. The study included both ‘low-’ and ‘high-interaction’ honeypots. The low-interaction honeypots logged and stored log-in attempts, providing information on a hacker’s IP address and the username and password used during the attempted log-in.
The high-interaction honeypots allowed further interaction with the hacker in order to gather information about the administrative commands the hacker ran after managing to log in.
The low-interaction servers based in the United States, Europe, South America, Asia, and Australia suffered between 335,000 and 900,000 log-in attempts over a 30-day period, and in most cases the attempts were made from IP addresses based in China. In the most extreme case, one of the honeypots was attacked less than one minute after deployment and, once deployed, averaged 13 log-in attempts per minute.
For the high-interaction honeypots, the findings show that the use of default usernames results in privileged access to servers and allows large-scale DDoS attacks. The findings also show that hackers target commonly used but poorly chosen passwords, such as “admin” or “123456”.
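The figures above (time to first attempt, attempts per minute, source addresses, default usernames and weak passwords) are the kind of summary a low-interaction honeypot log supports. The following is an added example, not code or data from the Sophos study: the log format, the sample records, the deployment time and the `DEFAULT_USERNAMES` set are constructed assumptions, and only the two passwords come from the article.

```python
from collections import Counter
from datetime import datetime

# Constructed sample, not Sophos data: "<ISO timestamp> <source IP> <username> <password>".
# Source IPs come from the RFC 5737 documentation ranges.
DEPLOYED_AT = "2024-01-01T10:00:00"
SAMPLE_LOG = """\
2024-01-01T10:00:52 203.0.113.7 root admin
2024-01-01T10:01:03 203.0.113.7 root 123456
2024-01-01T10:01:09 198.51.100.23 admin admin
-- truncated record --
2024-01-01T10:01:40 203.0.113.7 admin letmein-constructed
2024-01-01T10:02:15 192.0.2.44 oracle s3cr3t-Pa55
2024-01-01T10:02:58 203.0.113.7 root 123456
"""
DEFAULT_USERNAMES = {"root", "admin"}   # assumption: the article names no usernames
WEAK_PASSWORDS = {"admin", "123456"}    # the two examples quoted in the article

def summarize(log_text, deployed_at, default_usernames, weak_passwords):
    """Summarise log-in attempts recorded by a low-interaction honeypot."""
    deployed = datetime.fromisoformat(deployed_at)
    events = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)       # the password may itself contain spaces
        if len(parts) < 3:
            continue                     # blank or incomplete record
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue                     # unparseable timestamp: skip the record
        password = parts[3] if len(parts) == 4 else ""
        events.append((when, parts[1], parts[2], password))
    if not events:
        return None
    events.sort(key=lambda e: e[0])
    # Observation window runs from deployment to the last recorded attempt.
    minutes = max((events[-1][0] - deployed).total_seconds() / 60, 1 / 60)
    return {
        "attempts": len(events),
        "seconds_to_first_attempt": (events[0][0] - deployed).total_seconds(),
        "attempts_per_minute": round(len(events) / minutes, 2),
        "top_sources": Counter(e[1] for e in events).most_common(3),
        "default_username_attempts": sum(e[2] in default_usernames for e in events),
        "weak_password_attempts": sum(e[3] in weak_passwords for e in events),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, DEPLOYED_AT,
                                DEFAULT_USERNAMES, WEAK_PASSWORDS).items():
        print(f"{key}: {value}")
```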
Sophos’ report highlights the threats facing organisations that migrate data to hybrid and all-cloud platforms. Following best practice, the recommendations of ENISA and other cybersecurity agencies, and the security guidelines issued by various regulators, such as the EU data protection supervisory authorities, really is a must for organisations to protect data placed on the cloud.