Researchers at GoSecure conducted an experiment using high-interaction honeypots to understand the relentless nature of hackers targeting remote desktop connections.
Over a three-month period, they recorded approximately 3.5 million login attempts to their RDP honeypot system, demonstrating the attackers‘ office-like schedule and human involvement in the attacks. The data revealed that hackers primarily relied on brute-force attacks, with the most common username being “Administrator” or its variations. Interestingly, attackers from China and Russia predominantly used the RDP certificate name, although this doesn’t necessarily imply their origin.
Further analysis showed that hackers followed a daily pattern, taking breaks and engaging in activity lasting up to 13 hours. The researchers observed that the human touch became more evident as attackers delved into the system to search for valuable data.
However, despite the researchers making the login process easier, only 25% of hackers explored the machine for important files, possibly due to the honeypot being empty. The team plans to continue their research by populating the server with fake corporate files to monitor attacker behavior.
To gather attack data, the researchers used PyRDP, an open-source interception tool developed by GoSecure. Andreanne Bergeron, a cybersecurity researcher at GoSecure, discussed these findings in her talk titled “Human vs Machine: The Level of Human Interaction in Automated Attacks Targeting the Remote Desktop Protocol” at the NorthSec cybersecurity conference.
The talk, along with other conference presentations, is available on NorthSec’s YouTube channel.
