Submission + - Researchers Watched 100 Hours of Hackers Hacking Honeypot Computers (techcrunch.com)
The “Rangers,” according to the two, carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. “Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later,” the researchers wrote in a blog post published on Wednesday to accompany their talk. The “Barbarians” use the compromised honeypot computers to try and bruteforce into other computers using known lists of hacked usernames and passwords, sometimes using tools such as Masscan, a legitimate tool that allows users to port-scan the whole internet, according to the researchers. The “Wizards” use the honeypot as a platform to connect to other computers in an attempt to hide their trails and the actual origin of their attacks. According to what Bergeron and Bilodeau wrote in their blog post, defensive teams can gather threat intelligence on these hackers, and “reach deeper into compromised infrastructure.”
According to Bergeron and Bilodeau, the “Thieves” have the clear goal of monetizing their access to these honeypots. They may do that by installing crypto miners, programs to perform click fraud or generate fake traffic to websites they control, and selling access to the honeypot itself to other hackers. Finally, the “Bards” are hackers with very little or almost no skills. These hackers used the honeypots to use Google to search for malware, and even watch porn. These hackers sometimes used cell phones instead of desktop or laptop computers to connect to the honeypots. Bergeron and Bilodeau said they believe this type of hacker sometimes uses the compromised computers to download porn, something that may be banned or censored in their country of origin. In one case, a hacker “was downloading the porn and sending it to himself via Telegram. So basically circumventing a country-level ban on porn,” Bilodeau told TechCrunch. “What I think [the hacker] does with this then is download it in an internet cafe, using Telegram, and then he can put it on USB keys, and he can sell it.”