New study: Individual configuration protects cloud server

Sophos has set up ten cloud server honeypots for a security study. On average, it took less than 40 minutes for the first attack on one of the ten honeypots to occur. In total, Sophos counted 13 attack attempts per minute against a single honeypot. As the linchpin of a high level of security, the vendor recommends individual configuration and strong passwords.

Cloud platforms are an important component of modern IT environments: they enable location-independent data access, increase cost efficiency, simplify business processes and much more. More and more companies and consumers around the world are storing their data in the cloud. Protecting that data from access by cybercriminals is therefore a fundamental concern for those responsible for IT security. To find out how exposed cloud servers are to potential hacker attacks, security solutions provider Sophos ran the 30-day study Cyberattacks on Cloud Honeypots, using ten honeypots.

Ten of the world’s most popular Amazon Web Services (AWS) data centers, in Frankfurt, London, Paris, Mumbai, Ohio, Sao Paolo, Singapore, Sydney, California and Ireland, were equipped with cloud honeypots. The study results show, among other things, that the attacks were numerous and fast and that the attackers were most likely automated.

Using honeypots to simulate remote access

The honeypots that were set up simulated the Secure Shell (SSH) service in order to measure SSH logon attempts. SSH is a remote access service used not only on servers but also in home environments, on devices as diverse as webcams and NAS boxes. On these systems, authorized users connect via SSH to configure the device remotely or to access files.

Once an attacker gets past the login prompt of an IoT device, they not only gain the same access rights as the owner but often more control than was ever intended. Just as is still very often the case with real installations, the Sophos experts kept the factory default usernames and passwords when configuring the honeypots.

Over five million attempted attacks on honeypots

The research shows that devices that have not received the required configuration (which on many devices includes changing the factory default passwords) allow a hacker to access them relatively easily. During the 30-day trial period, more than five million attempts were made to attack the global honeypot network. Ohio was hit the most, with around 950,000 attempts, followed by Mumbai, Sydney, Ireland and Paris with attack counts between just under 680,000 and 613,000, and California with around 573,000 attempts. Frankfurt recorded just under 440,000 attempts, and London and Singapore escaped with only around 314,000 and 313,000 attacks, respectively.

First attack attempts within minutes

Also astonishing was the speed with which the hackers identified their potential targets and launched their first attacks. The honeypot in Sao Paolo, Brazil, was attacked 52 seconds after it went online. Paris and Sydney had been on the net for 17 and 18 minutes respectively before the first attack, Frankfurt’s first attempt came after a good hour, and Ireland waited the longest, a good 100 minutes, until a first attack attempt was made. Worldwide, the honeypot cloud servers were the target of attempted attacks on average 13 times per minute and 757 times per hour.

The hackers are clearly betting that factory configurations will not be changed: for most logon attempts they used standard usernames and popular, frequently used weak passwords. The sequence 123456, for example, was the most commonly used password in logon attempts worldwide.
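As an added example of how a honeypot operator arrives at the figures quoted in this article (not code from Sophos or the study), the Python below recomputes time to first attempt, attempts per minute, and the most-tried usernames and passwords from a small set of honeypot login records. The record format, the go-live timestamp and the sample data are all constructed assumptions.

```python
"""Recompute the headline metrics of an SSH honeypot study (time to first
attempt, attempts per minute, most-tried usernames and passwords).
Added example, not Sophos's tooling; record format and data are constructed."""
from collections import Counter
from datetime import datetime, timezone


def _parse_ts(value):
    """Constructed records use ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed go-live time of the honeypot; needed for the time-to-first-attempt metric.
HONEYPOT_ONLINE_AT = "2019-04-01T12:00:00Z"

# Constructed sample of what a low-interaction SSH honeypot records per login
# attempt: timestamp, source address (RFC 5737 documentation ranges), username
# and password tried. Every attempt against a honeypot is by definition hostile.
SAMPLE_RECORDS = """\
2019-04-01T12:00:52Z 203.0.113.7 root 123456
2019-04-01T12:00:53Z 203.0.113.7 root admin
2019-04-01T12:00:53Z 203.0.113.7 root password
2019-04-01T12:01:10Z 198.51.100.23 admin admin
2019-04-01T12:01:11Z 198.51.100.23 admin 123456
2019-04-01T12:01:40Z 203.0.113.7 pi raspberry
2019-04-01T12:02:05Z 192.0.2.200 root 123456
2019-04-01T12:02:06Z 192.0.2.200 root root
2019-04-01T12:02:30Z 198.51.100.23 ubuntu ubuntu
"""


def parse_records(text):
    """Parse 'timestamp ip user password' lines. Malformed lines are skipped
    rather than aborting the analysis; passwords may contain spaces (maxsplit)."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, ip, user, password = parts
        records.append({"ts": _parse_ts(ts), "ip": ip, "user": user, "password": password})
    return records


def seconds_to_first_attempt(records, online_at=HONEYPOT_ONLINE_AT):
    """Delay between go-live and the first login attempt (the '52 seconds' figure)."""
    return (min(r["ts"] for r in records) - _parse_ts(online_at)).total_seconds()


def attempts_per_minute(records, online_at=HONEYPOT_ONLINE_AT):
    """Average attempts per minute from go-live to the last attempt, so quiet
    minutes lower the rate instead of being ignored."""
    elapsed = (max(r["ts"] for r in records) - _parse_ts(online_at)).total_seconds()
    return len(records) / (elapsed / 60)


def top_values(records, field, n=3):
    """Most frequently tried values of a field ('user' or 'password')."""
    return Counter(r[field] for r in records).most_common(n)


def summarize(text, online_at=HONEYPOT_ONLINE_AT):
    """All headline metrics for one honeypot's records in a single dict."""
    records = parse_records(text)
    return {
        "attempts": len(records),
        "distinct_sources": len({r["ip"] for r in records}),
        "seconds_to_first_attempt": seconds_to_first_attempt(records, online_at),
        "attempts_per_minute": round(attempts_per_minute(records, online_at), 2),
        "top_usernames": top_values(records, "user"),
        "top_passwords": top_values(records, "password"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample the first attempt lands 52 seconds after go-live, root is the most-tried username and 123456 the most-tried password, which mirrors the pattern the article reports; the same functions run unchanged over a real honeypot's export once `parse_records` is adapted to its format.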

Default should not be used as default

In the report, Sophos makes recommendations to ensure better security and to disrupt the automated attacks of cybercriminals. “The speed and scale of the attacks show once again how persistent and determined cybercriminals are to attack cloud platforms,” said Michael Veit, security evangelist for Sophos. “Our most important recommendation is therefore always strong authentication by certificate or multi-factor authentication and a one-time time-based password. The cloud is an elementary part of modern IT life and it’s hard to imagine life without it. The only approved standards must therefore be careful configuration and a powerful IT security strategy.”

Here are some important tips for IT security:

  • Use key-based authentication on SSH servers, not just a password.
  • Use fail2ban on Linux servers to limit the number of logon attempts.
  • Use a powerful Linux AV solution, such as Sophos Antivirus for Linux.
  • Use an AI-based cloud security solution with compliance automation, such as Sophos Cloud Optix, which uses AI to evaluate and reduce the threat risk of different cloud environments.
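To make the first two tips concrete, here is an added Python example (not Sophos’s or fail2ban’s code) that audits an sshd_config for the directives that still allow password guessing, with a weak and a hardened configuration side by side, and then applies fail2ban’s stock thresholds (5 failures within 600 seconds per source) to standard OpenSSH “Failed password” log lines to show which sources would be banned. The configurations and log lines are constructed, and Match blocks in sshd_config are not modelled.

```python
"""Audit sshd_config for password-login exposure and apply fail2ban-style
thresholds to OpenSSH auth-log lines. Added example, not Sophos's or
fail2ban's code; configs and log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Absent directives fall back to OpenSSH's own defaults.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
                 "permitrootlogin": "prohibit-password", "permitemptypasswords": "no"}
# Values that leave no room for password guessing (key-only logins).
SSHD_WANTED = {"passwordauthentication": {"no"},
               "pubkeyauthentication": {"yes"},
               "permitrootlogin": {"no", "prohibit-password", "without-password"},
               "permitemptypasswords": {"no"}}

WEAK_SSHD_CONFIG = """\
# constructed: the factory-default flavour the honeypots mimicked
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
# constructed: key-only logins, root only with a key
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
"""


def parse_sshd_config(text):
    """Map lowercased directive -> lowercased value. Like sshd, the first
    occurrence of a directive wins; Match blocks are not modelled (assumption)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip().lower() if len(parts) > 1 else "")
    return conf


def audit_sshd_config(text):
    """One finding per directive whose effective value still permits password logins."""
    conf = parse_sshd_config(text)
    findings = []
    for key, wanted in SSHD_WANTED.items():
        effective = conf.get(key, SSHD_DEFAULTS[key])
        if effective not in wanted:
            findings.append(f"{key}={effective} (want one of {sorted(wanted)})")
    return findings


# Standard OpenSSH syslog line for a rejected password; accepted logins and other
# messages deliberately do not match. Syslog timestamps carry no year.
FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

SAMPLE_AUTH_LOG = """\
Apr  1 12:00:52 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr  1 12:00:53 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr  1 12:00:54 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Apr  1 12:00:55 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr  1 12:00:56 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51242 ssh2
Apr  1 12:01:10 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 40002 ssh2
Apr  1 12:01:11 web1 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 40004 ssh2
Apr  1 12:01:30 web1 sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 53000 ssh2: ED25519 SHA256:constructed
Apr  1 12:02:30 web1 sshd[2217]: Failed password for invalid user ubuntu from 198.51.100.23 port 40006 ssh2
Apr  1 12:05:00 web1 sshd[2219]: Failed password for root from 192.0.2.200 port 60000 ssh2
Apr  1 12:12:00 web1 sshd[2221]: Failed password for root from 192.0.2.200 port 60002 ssh2
Apr  1 12:19:00 web1 sshd[2223]: Failed password for root from 192.0.2.200 port 60004 ssh2
Apr  1 12:26:00 web1 sshd[2225]: Failed password for root from 192.0.2.200 port 60006 ssh2
Apr  1 12:33:00 web1 sshd[2227]: Failed password for root from 192.0.2.200 port 60008 ssh2
"""


def parse_auth_log(text):
    """Yield (timestamp, user, source_ip) for each failed password attempt."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def ban_candidates(text, maxretry=5, findtime=600):
    """Sliding window per source with fail2ban's stock defaults (5 failures within
    600 s). Returns {ip: time the threshold was crossed}. Failures older than
    findtime drop out of the window, so a slow, spread-out guesser stays under it."""
    windows, banned = defaultdict(deque), {}
    for ts, _user, ip in parse_auth_log(text):
        q = windows[ip]
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        q.append(ts)
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print("would be banned:", ban_candidates(SAMPLE_AUTH_LOG))
```

Note what the second half shows: the burst from 203.0.113.7 is banned on its fifth failure, but 192.0.2.200, guessing once every seven minutes, never has five failures inside the 600-second window and is only caught if `findtime` is widened. Rate limiting therefore reduces noise, while the first tip, key-based authentication with password logins disabled, is what actually takes 123456 off the table.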

What is a honeypot?

The term honeypot is borrowed from the animal world, where a pot of honey attracts bees. In IT security, a honeypot is a system that imitates a real “attack target”, such as a cloud server, in order to attract attackers. This allows researchers to observe cybercriminal behavior.