AWS’ MadPot Honeypot Operation Corrals Threat Actors
Engineers with Amazon Web Services more than a decade ago began developing tools to better collect intelligence on the cyberthreats coming into the giant cloud provider's IT environment.
Fast forward to now, and AWS's sophisticated suite of tools, called MadPot, comprises myriad monitoring sensors and automated response features that can detect and trap bad actors, observe their activities and malware, and then feed what it learns to the security services offered by AWS.
The honeypot operation is used to capture hackers’ malware, collect threat intelligence from it, and thwart the attack before it can compromise AWS’ network or the cloud provider’s customers.
“Using these capabilities, we make it more difficult and expensive for cyberattacks to be carried out against our network, our infrastructure, and our customers,” Mark Ryland, director of the Office of the CISO for AWS, wrote in a recent blog post. “But we also help make the internet as a whole a safer place by working with other responsible providers to take action against threat actors operating within their infrastructure.”
To lure threat actors, the system is designed to look like it’s made up of a large number of innocent-looking targets, Ryland wrote, adding that “mimicking real systems in a controlled and safe environment provides observations and insights that we can often immediately use to help stop harmful activity and help protect customers.”
Catching Millions of Threats
MadPot's sensors observe more than 100 million potential threats and probes every day, about 500,000 of which can be classified as malicious, he wrote. AWS also ensures that the system can adapt to the rapid changes that are inherent in the cyberthreat landscape.
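To make the "sensor" idea concrete, here is a small low-interaction honeypot sensor written as an added illustration for this article; it is not AWS's MadPot code and nothing about MadPot's internals is known from the post. The sensor listens on a local port, presents a fake service banner, records whatever the connecting side sends, and sorts each contact into a bare probe (connect and close), a benign-looking interaction, or a malicious attempt. The banners, the payload patterns and the simulated client traffic are all constructed for the example.

```python
import re
import socket
import threading
import time
from dataclasses import dataclass

# Constructed banners for the services the sensor pretends to be (hypothetical).
BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",
}

# Constructed indicators: any one of these in the first bytes marks the contact as malicious.
MALICIOUS_PATTERNS = [
    (re.compile(rb"\.\./\.\./"), "path-traversal"),
    (re.compile(rb"\b(wget|curl)\b[^\r\n]*https?://"), "remote-download"),
    (re.compile(rb"\$\{jndi:"), "jndi-lookup"),
    (re.compile(rb"/bin/(ba)?sh\b"), "shell-invocation"),
]


@dataclass
class Interaction:
    src: str
    service: str
    payload: bytes
    verdict: str   # "probe", "interaction" or "malicious"
    tag: str       # which indicator fired, if any


def classify(payload: bytes):
    """Nobody has a legitimate reason to talk to a honeypot, so even an empty
    connection is a probe; a payload matching an indicator is malicious."""
    if not payload:
        return "probe", ""
    for pattern, tag in MALICIOUS_PATTERNS:
        if pattern.search(payload):
            return "malicious", tag
    return "interaction", ""


class HoneypotSensor:
    def __init__(self, service, host="127.0.0.1", port=0, read_timeout=0.5):
        self.service = service
        self.banner = BANNERS[service]
        self.read_timeout = read_timeout
        self.interactions = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0: let the OS pick a free port
        self._sock.listen(16)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.address = self._sock.getsockname()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        # Single-threaded accept loop: contacts are recorded in arrival order.
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                self._handle(conn, addr)

    def _handle(self, conn, addr):
        conn.settimeout(self.read_timeout)
        try:
            conn.sendall(self.banner)          # look like the real service
        except OSError:
            pass
        chunks = []
        try:
            while len(b"".join(chunks)) < 4096:
                data = conn.recv(4096)
                if not data:                   # peer closed: stop reading
                    break
                chunks.append(data)
        except (socket.timeout, OSError):
            pass                               # silent peer: keep what we have
        payload = b"".join(chunks)
        verdict, tag = classify(payload)
        with self._lock:
            self.interactions.append(
                Interaction(f"{addr[0]}:{addr[1]}", self.service, payload, verdict, tag))

    def wait_for(self, count, timeout=5.0):
        """Block until `count` contacts have been recorded (or timeout) and return them."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.interactions) >= count:
                    return list(self.interactions)
            time.sleep(0.05)
        with self._lock:
            return list(self.interactions)

    def summary(self):
        counts = {}
        with self._lock:
            for rec in self.interactions:
                counts[rec.verdict] = counts.get(rec.verdict, 0) + 1
        return counts


def simulate_client(address, payload=b""):
    """Constructed traffic for the demo: connect, read the banner, send payload, close."""
    with socket.create_connection(address, timeout=2) as s:
        s.settimeout(1)
        try:
            s.recv(4096)
        except socket.timeout:
            pass
        if payload:
            s.sendall(payload)


if __name__ == "__main__":
    sensor = HoneypotSensor("http").start()
    simulate_client(sensor.address)                                  # bare port scan
    simulate_client(sensor.address, b"GET /../../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n")
    simulate_client(sensor.address, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")
    for rec in sensor.wait_for(3):
        print(rec.verdict, rec.tag or "-", rec.payload[:40])
    print(sensor.summary())
    sensor.stop()
```

The split between "probe" and "malicious" mirrors the article's numbers: most of what a sensor sees is scanning noise, and only the small fraction that sends an exploit-like payload is worth turning into a blocklist entry or a detection rule. A real deployment would also record timing and the full conversation, and would not run the sensor on the same host as anything it is meant to protect.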
As bad actors change their tactics, techniques, and procedures, MadPot collects the intelligence and evolves its own behavior, and AWS engineers put the intelligence into such security services as AWS Shield and AWS WAF, occasionally providing the data to customers via Amazon GuardDuty to ensure their own tools can respond.
Like other cloud providers, such as Microsoft Azure and Google Cloud, AWS continues to bolster its security capabilities as bad actors turn more of their attention on the cloud as organizations shift more of their business operations into it.
Check Point Software found that in 2022, attacks on cloud networks jumped 48% year-over-year. In a report earlier this year, the cybersecurity firm noted that 98% of global organizations use cloud-based services, with 76% using multiple clouds.
“With the move to the cloud comes a need for cloud security as the largest the adaptation of technology, so comes the increase in [the] amount of attacks on it,” Check Point researchers wrote.
AWS Using Its Size
Ryland noted in the post that AWS's sheer size (it is the world's largest cloud services provider, followed by Azure and Google Cloud) is both an advantage when dealing with cyberthreats and a responsibility to share what it learns with others.
He said that in the first half of 2023, AWS used 5.5 billion signals from its internet threat sensors and 1.5 billion signals from active network probes to protect against botnets, and stopped more than 1.3 million outbound botnet-driven distributed denial-of-service (DDoS) attacks. The cloud provider also shared security intelligence, including about almost 1,000 command-and-control (C2) hosts, with hosting providers and domain registrars.
AWS also traced the sources of 230,000 L7 HTTP(S) DDoS attacks and worked with other entities to dismantle the sources, he wrote.
Snaring Sandworm and Volt Typhoon
Highlighting some of MadPot's successes, Ryland pointed to trapping Sandworm, a Russian-linked threat group known for deploying the Cyclops Blink malware, which it used to manage a botnet of compromised routers, as the group was trying to exploit a security flaw affecting WatchGuard network security appliances.
“With close investigation of the payload, we identified not only IP addresses but also other unique attributes associated with the Sandworm threat that were involved in an attempted compromise of an AWS customer,” he wrote. “MadPot’s unique ability to mimic a variety of services and engage in high levels of interaction helped us capture additional details about Sandworm campaigns, such as services that the actor was targeting and post-exploitation commands initiated by that actor.”
AWS notified the customer, who was able to mitigate the vulnerability.
In addition, AWS used MadPot to help government agencies and law enforcement identify and disrupt Volt Typhoon, a Chinese state-sponsored group that runs cyber-espionage operations against critical infrastructure organizations. Through the honeypot system, AWS identified a malicious payload from the threat group and attributed it to Volt Typhoon.
“We shared our findings with government authorities, and those hard-to-make connections helped inform the research and conclusions of the Cybersecurity and Infrastructure Security Agency (CISA),” Ryland wrote. “Our work and the work of other cooperating parties resulted in their May 2023 Cybersecurity advisory.”