Date: 2023-08-10

Over the past three years, cybersecurity firm GoSecure has been using a honeypot to catch cybercriminals attempting to steal data or deploy malware. The honeypot is a virtual machine with a weak password that is intentionally left vulnerable. When attackers gain access to the machine, researchers at GoSecure can observe their every move, recording their screen and collecting data copied onto their devices.

Through the analysis of over 100 hours of screen recordings, the researchers have gained valuable insights into the behavior and tactics of cybercriminals. They have discovered the tools they use, how they use them, and even details about their personal lives. Some attackers were sophisticated, while others were inept. Some behaved oddly, such as changing the desktop background or leaving comments before covering their tracks.

The honeypot was set up using Microsoft’s Remote Desktop Protocol (RDP), which allows users to remotely log in to a computer and view its desktop. Insecure logins, such as weak passwords, have become a common access point for cybercriminals. Ransomware gangs, in particular, have targeted these vulnerable RDP systems.

The researchers captured a significant amount of data from the honeypot, including 21 million login attempts, over 2,600 successful logins, and 470 uploaded files. They grouped the attackers into five categories: rangers, barbarians, wizards, thieves, and bards. Each group had different tactics and objectives, ranging from reconnaissance to launching attacks against other insecure RDPs or trying to monetize the access.

While some attackers were skilled and purposeful, others displayed haphazard or novice behavior. Some were seen attempting to access restricted content, such as pornography, with limited success. Overall, the researchers found that cybercriminals exhibit similar behaviors to regular individuals and are prone to making mistakes.

The insights gained from this research can help inform cybersecurity strategies and defenses against cybercriminals. By understanding their tactics and vulnerabilities, organizations can better protect their systems and data. The data collected by GoSecure provides a unique and valuable resource for studying cybercriminal behavior in action.