Rapid7 Finds Certain Cloud Risks With Heisenberg Honeypot

The security firm puts honeypots on AWS, Azure, Digital Ocean, Rackspace, Google and SoftLayer clouds with some interesting results.

cloud risks

Hackers are actively scanning and attacking the cloud, according to new research from security firm Rapid7. In a first-of-its-kind study, Rapid7 deployed its own network of honeypots on the six largest clouds in the world—Amazon Web Services, Microsoft Azure, Digital Ocean, Rackspace, Google Cloud Platform and IBM SoftLayer—to see what kind of attacks are actually occurring.

Rapid7 has dubbed its honeypot effort as the Project Heisenberg Cloud. The company developed the overall agent framework, including deployment, administration, monitoring and data collection components, Bob Rudis, the company's chief data scientist, told eWEEK.

"There are custom Rapid7-developed low- and medium-interaction honeypots used within the framework, along with open-source ones, such as cowrie," Rudis said. "The framework enables deployment of any type of honeypot to any Heisenberg node, and underneath each agent is a full PCAP monitoring and capture framework written in the Go language for enhanced portability."

The name "Heisenberg" is a nod to German theoretical physicist Werner Heisenberg, who famously came up with the Heisenberg Uncertainty Principle. While Heisenberg is famous for uncertainty, Rudis said Rapid7 is fairly certain that the Heisenberg network exists, as it is overseen by a management framework dubbed Sommerfield (Arnold Sommerfield was Heisenberg's Ph.D. adviser).

The Heisenberg honeypots don't scan the cloud vendors for vulnerabilities; rather, they are deployed waiting to be scanned by others who are actively scanning the cloud looking for potential vulnerabilities. Rudis emphasized that a critical element of Rapid7's research is that the company abides by the terms of service of the cloud providers and does not generate external communications from the honeypots.

An early hypothesis from Rapid7's research team was that attacks to the various cloud vendors would be randomly distributed. As it turns out, that's not the case, with more attackers, for example, scanning port 443 (HTTPS) on Google than on any other cloud providers.

"Due to the way Google adds capacity to their customer-facing cloud environment, some subnets that were previously 'Google' can be labeled as 'Google Cloud' and it may be that attackers were looking more heavily at the Google IPv4 space and not necessarily the targeting customer-facing cloud," Rudis said.

In addition, Rudis noted that many of the providers, including Google, do perform proactive reconnaissance of their environments. Plus, Google has its own cadre of web scraping bots.

One area of cloud scanning that does appear to be very consistent across all the cloud providers is for the Mirai internet of things (IoT) botnet. Mirai is the botnet that was allegedly behind a 1T-bps attack against European internet service provider OVH as well as the recent distributed denial-of-service (DDoS) attack against DNS provider Dyn.

"We see Mirai scans in every region of every cloud provider," Rudis said.

The Project Heisenberg Cloud botnet effort captured 100,000 unique IPv4 addresses behaving like Mirai since Oct. 8, according to Rudis. However, that doesn't mean that the Mirai botnet is only made up of 100,000 devices, as Rapid7 only captured Mirai activity in the six cloud providers, he said.

"While we knew the Mirai botnet code was not excluding cloud space, we did not expect to see the volume of Mirai that we have been able to," Rudis said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.