This server was online for under a minute before hackers were trying to crack it

New report demonstrates how prolific cyber attackers are - and the dangers of default login credentials.
Written by Danny Palmer, Senior Writer

It can only take seconds before cyber criminals start attempting to hack into newly connected cloud devices and services, as attackers relentlessly pursue new avenues to exploit for malicious purposes.

Researchers at security company Sophos set up honeypots in ten of the most popular AWS data centre locations around the world -- California, Ohio, Sao Paulo, Ireland, London, Paris, Frankfurt, Mumbai, Singapore and Sydney -- and connected them to the internet with common configuration errors, such as using default credentials or insecure passwords.

Each of the honeypot sites simulates a Secure Shell (SSH) remote access service, designed to allow users to connect remotely to the device and access files. If attackers can bypass the SSH, they can gain the same level of access as the owner -- and in some cases, gain more control over the device than was ever intended.

It took under a minute for attackers to start to find the honeypots and begin using brute-force attacks in an effort to log in to the devices. The Sao Paulo site first came under attack, with the first login attempt registered after just 52 seconds.


"What this demonstrates is a potential worst-case scenario regardless of region," Matt Boddy, senior security specialist at Sophos and author of the Exposed: Cyberattacks on Cloud Honeypots report, told ZDNet.

"If your device is unfortunate, like mine was in Brazil, and a malicious actor's script makes an attempt at your IP address moments after your device has gained connectivity, you could find that you're sharing your device with a malicious actor from the word go."

Malicious login attempts started targeting the honeypot in Ohio within five minutes, while efforts to compromise the California, Paris and Sydney sites all first occurred in under 20 minutes.

At the other end of the scale, it was almost an hour and 15 minutes before attackers discovered the London honeypot and an hour and 45 minutes before the Irish site first received malicious login attempts.

[Figure: The amount of time it took for the first login attempt at each honeypot. Image: Sophos]

However, once the sites were discovered, they came under a constant barrage of login attempts, with each device registering an average of 13 login attempts per minute -- or about 757 an hour.

Over the course of a 30-day period, there were 953,736 brute-force login attempts against the most highly targeted honeypot in Ohio. The Singapore honeypot site was the least targeted, but attackers still attempted to gain access to it 312,928 times in a month.
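The rates above (an average of 13 attempts per minute per honeypot) are exactly what a scripted credential-guessing run looks like in an SSH server's own authentication log. The following is an added example, not code from Sophos or from the report, showing how a defender can pull that signal out of sshd log lines: it parses "Failed password" entries, computes the peak number of failures any single source reached inside a 60-second window, and lists the usernames that source cycled through. The log excerpt, hostnames and IP addresses (203.0.113.7 and 198.51.100.23 are documentation-range addresses) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log excerpt in syslog format. Hostname and IPs are made
# up for this example: 203.0.113.7 plays a scripted scanner cycling through
# common default usernames, 198.51.100.23 a user who mistyped a password once.
SAMPLE_LOG = """\
Apr  9 10:00:01 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  9 10:00:04 honeypot sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr  9 10:00:08 honeypot sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Apr  9 10:00:11 honeypot sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 51050 ssh2
Apr  9 10:00:15 honeypot sshd[1209]: Failed password for invalid user pi from 203.0.113.7 port 51063 ssh2
Apr  9 10:00:19 honeypot sshd[1211]: Failed password for invalid user ubuntu from 203.0.113.7 port 51077 ssh2
Apr  9 10:00:22 honeypot sshd[1213]: Failed password for root from 203.0.113.7 port 51090 ssh2
Apr  9 10:00:26 honeypot sshd[1215]: Failed password for invalid user user from 203.0.113.7 port 51102 ssh2
Apr  9 10:00:30 honeypot sshd[1217]: Failed password for invalid user test from 203.0.113.7 port 51115 ssh2
Apr  9 10:00:33 honeypot sshd[1219]: Failed password for root from 203.0.113.7 port 51128 ssh2
Apr  9 10:00:37 honeypot sshd[1221]: Failed password for invalid user support from 203.0.113.7 port 51140 ssh2
Apr  9 10:02:10 honeypot sshd[1230]: Failed password for alice from 198.51.100.23 port 40211 ssh2
Apr  9 10:02:25 honeypot sshd[1232]: Accepted password for alice from 198.51.100.23 port 40211 ssh2
"""

# Matches the standard OpenSSH "Failed password" line; "invalid user" is present
# when the username does not exist on the host at all.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(log_text):
    """Yield (timestamp, username, source_ip) for each failed password login."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not counted
        # syslog timestamps carry no year, so only differences between them are used
        ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def max_attempts_in_window(timestamps, window_seconds):
    """Largest number of attempts that fall inside any span of window_seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        # slide the window start forward until it fits within window_seconds
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_brute_force(log_text, threshold=10, window_seconds=60):
    """Return {ip: {"peak": n, "usernames": [...]}} for every source whose
    failure rate reached `threshold` attempts within any `window_seconds` span."""
    attempts = defaultdict(list)
    usernames = defaultdict(set)
    for ts, user, ip in parse_failed_logins(log_text):
        attempts[ip].append(ts)
        usernames[ip].add(user)
    flagged = {}
    for ip, ts_list in attempts.items():
        peak = max_attempts_in_window(ts_list, window_seconds)
        if peak >= threshold:
            flagged[ip] = {"peak": peak, "usernames": sorted(usernames[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak']} failures in 60 s; usernames tried: {', '.join(info['usernames'])}")
```

The threshold of 10 failures per minute is below the 13-per-minute average the report describes, so a source behaving like the honeypot attackers is flagged while a single mistyped password is not; on a real host the same logic runs over `/var/log/auth.log` or `journalctl -u ssh` output instead of the embedded sample.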

"This is a clear demonstration that no-one is able to fly under the radar whilst online. The attackers are using scripts not to focus on any one individual, but to probe the entire internet address space to look for the low-hanging fruit," said Boddy.

"This scripted approach of attempting to log in to your online device means that these attackers can attempt to log in to a huge number of online devices in no time at all," he added.


Default login credentials -- especially those based around usernames linked to the hardware they run on -- help give attackers an easy ride when it comes to breaching and taking control of devices for malicious purposes.

However, this has a relatively simple fix: organisations running internet-connected devices should change the default username and password when setting them up, choosing values that are not obvious or easily guessable.

Researchers also recommend the use of a password manager to help users manage the different passwords and usernames on different devices, as well as the use of cybersecurity and malware scanning software, should attackers breach devices and find a way onto the network.
