Threat actors find and compromise exposed services in 24 hours


Apr 24, 2016
Researchers set up 320 honeypots to see how quickly threat actors would target exposed cloud services and report that 80% of them were compromised in under 24 hours.

Malicious actors are constantly scanning the Internet for exposed services that could be exploited to access internal networks or perform other malicious activity.

To track what software and services are targeted by threat actors, researchers create publicly accessible honeypots. Honeypots are servers configured to appear as if they are running various software as lures to monitor threat actors' tactics.

In a new study conducted by Palo Alto Networks' Unit 42, researchers set up 320 honeypots and found that 80% of them were compromised within the first 24 hours.

The deployed honeypots included ones with remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and Postgres database services and were kept alive from July to August 2021.

These honeypots were deployed worldwide, with instances in North America, Asia Pacific, and Europe.

To protect cloud services effectively, Unit 42 recommends that admins do the following:
  • Create a guardrail to prevent privileged ports from being open.
  • Create audit rules to monitor all the open ports and exposed services.
  • Create automated response and remediation rules to fix misconfigurations automatically.
  • Deploy next-generation firewalls (WFA or VM-Series) in front of the applications.
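The first three recommendations (a guardrail, audit rules, automated remediation) can be demonstrated against the same services the honeypots exposed. The script below is an added example, not Unit 42's tooling or anything from the study: it audits a list of simplified, constructed security-group rules for RDP, SSH, SMB and Postgres reachable from outside an allowlisted management range, rejects such a rule before deployment, and rewrites offending rules to the allowlisted sources. The rule schema, the default port numbers and the allowlisted networks are assumptions made for the example.

```python
"""Guardrail, audit and remediation for exposed management ports.

Added example (not Unit 42 code). The rule format is a simplified stand-in
for a cloud security-group rule; every rule, port and network below is
constructed for illustration.
"""
import ipaddress

# Services from the honeypot study, keyed by their default port
# (assumption: the services listen on their default ports).
WATCHED_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5432: "Postgres"}

# Networks that may legitimately reach those ports (constructed allowlist).
ALLOWED_SOURCES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
)


def is_world_reachable(source_cidr):
    """True unless the source CIDR sits entirely inside an allowlisted network."""
    net = ipaddress.ip_network(source_cidr, strict=False)
    for allowed in ALLOWED_SOURCES:
        if net.version == allowed.version and net.subnet_of(allowed):
            return False
    return True


def exposed_ports(rule):
    """Watched ports that one ingress rule opens to non-allowlisted sources."""
    if rule["direction"] != "ingress" or rule["protocol"] not in ("tcp", "all"):
        return []
    if not is_world_reachable(rule["source"]):
        return []
    return [p for p in WATCHED_PORTS if rule["from_port"] <= p <= rule["to_port"]]


def audit(rules):
    """Audit rule: list (rule id, service, port, source) for every exposure."""
    findings = []
    for rule in rules:
        for port in exposed_ports(rule):
            findings.append((rule["id"], WATCHED_PORTS[port], port, rule["source"]))
    return findings


def guardrail(rule):
    """Pre-deployment check: reasons to reject a proposed rule (empty = allowed)."""
    return [
        f"{rule['id']} would expose {WATCHED_PORTS[p]}/{p} to {rule['source']}"
        for p in exposed_ports(rule)
    ]


def remediate(rules):
    """Automated fix: replace each offending rule with one copy per allowlisted source."""
    fixed = []
    for rule in rules:
        if not exposed_ports(rule):
            fixed.append(rule)
            continue
        for n, allowed in enumerate(ALLOWED_SOURCES):
            fixed.append({**rule, "id": f"{rule['id']}-fix{n}", "source": str(allowed)})
    return fixed


# Constructed sample rules: one safe web rule, two world-open management rules
# (IPv4 RDP and an IPv6 allow-all), two correctly restricted rules, one egress rule.
SAMPLE_RULES = [
    {"id": "sg-web", "direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-rdp", "direction": "ingress", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"id": "sg-ssh-admin", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "203.0.113.0/24"},
    {"id": "sg-db", "direction": "ingress", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "10.0.0.0/8"},
    {"id": "sg-any-v6", "direction": "ingress", "protocol": "all", "from_port": 0, "to_port": 65535, "source": "::/0"},
    {"id": "sg-egress", "direction": "egress", "protocol": "tcp", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("EXPOSED:", finding)
    print("guardrail:", guardrail(SAMPLE_RULES[1]))
    print("after remediation:", audit(remediate(SAMPLE_RULES)))
```

Two caveats a practitioner should keep in mind: a port-based audit only sees services on the ports it knows about, so a database moved to a non-default port slips through unless the audit is paired with an actual scan of the exposed address, and the IPv6 allow-all rule shows why the check must cover every address family the cloud account can route, not just IPv4.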
Finally, always install security updates as soon as they become available, because threat actors rush to exploit newly published vulnerabilities.