BSidesAugusta 2024

Andreanne Bergeron

Andréanne Bergeron, Ph.D., is the director of research at GoSecure, where she specializes in the behavior of online attackers. Her work sits at the intersection of criminology and cybersecurity. She is also an affiliated professor in the Department of Criminology at the Université de Montréal, bridging academia and industry. Active in the cybersecurity community, she is a board member of the Canadian Cybersecurity Network and co-VP of engagement and outreach for NorthSec.


Social Media User/Handle

https://www.linkedin.com/in/andreanne-bergeron-phd/

Preferred Social Media

LinkedIn


Session

10-05
13:30
30min
From Pseudo-Anonymity to Attribution: Extracting Genuine IP Data from RDP to Map Attack Strategies
Andreanne Bergeron

As researchers focusing on attacker behavior, we regularly face the problem of establishing where attackers really operate from when they deliberately hide behind layers of anonymity. IP addresses offer vital clues, but attributing an attack to a specific country from the connecting address alone is unreliable because attackers make extensive use of proxies.

To measure how widespread proxy use is among attackers, we built a honeypot network of Windows servers with RDP (Remote Desktop Protocol) exposed to the Internet. Over a three-year period this setup produced a dataset of more than 190 million events.

Using PyRDP, our RDP Monster-in-the-Middle tool, we inspected the RDP protocol itself and extracted the client's genuine source IP from metadata the client sends inside the session. Comparing these client-reported addresses with the addresses the connections actually arrived from revealed notable differences in the geographic origin of the attackers: as expected, the real source IPs frequently pointed to countries other than the ones suggested by the connecting address.
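The abstract does not name the field the extraction relies on. The following is an added example, not PyRDP's code or the research team's, and it assumes the metadata in question is the clientAddress field of the Client Info PDU (TS_INFO_PACKET with its TS_EXTENDED_INFO_PACKET, MS-RDPBCGR 2.2.1.11.1.1), which carries the address the client's own network stack believes it has. That PDU travels inside the security layer (TLS in enhanced security), so only a TLS-terminating monster-in-the-middle such as PyRDP sees it in clear. The packet builder, the test addresses (IANA documentation ranges standing in for public IPs) and the verdict names are all constructed for illustration.

```python
"""Pull the client-reported address out of an RDP Client Info PDU and compare
it with the TCP peer the connection arrived from (added example, not PyRDP)."""
import struct
from ipaddress import ip_address, ip_network

INFO_UNICODE = 0x00000010          # TS_INFO_PACKET flags bit: strings are UTF-16LE
AF_INET, AF_INET6 = 0x0002, 0x0017  # clientAddressFamily values from MS-RDPBCGR

# Addresses that can never be a routable origin: NAT/VPN clients report these.
LOCAL_SCOPE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def build_info_packet(username, client_address, family=AF_INET):
    """Constructed TS_INFO_PACKET + TS_EXTENDED_INFO_PACKET (sample, not a capture).
    cbDomain..cbWorkingDir exclude the 2-byte null terminator; cbClientAddress
    and cbClientDir include it, exactly as the spec describes."""
    def ustr(s):
        return s.encode("utf-16-le") + b"\x00\x00"
    domain, user, password, shell, wd = (ustr(s) for s in ("", username, "", "", ""))
    fixed = struct.pack("<IIHHHHH", 0, INFO_UNICODE,
                        len(domain) - 2, len(user) - 2, len(password) - 2,
                        len(shell) - 2, len(wd) - 2)
    addr = ustr(client_address)
    cdir = ustr(r"C:\Windows\System32\mstscax.dll")   # typical clientDir value
    extra = (struct.pack("<HH", family, len(addr)) + addr
             + struct.pack("<H", len(cdir)) + cdir
             + bytes(172)                      # clientTimeZone, zeroed here
             + struct.pack("<IIH", 0, 0, 0))   # sessionId, perfFlags, cbAutoReconnectLen
    return fixed + domain + user + password + shell + wd + extra


def parse_client_address(packet):
    """Return (username, clientAddressFamily, clientAddress) from a TS_INFO_PACKET."""
    _code_page, flags, *lengths = struct.unpack_from("<IIHHHHH", packet, 0)
    if not flags & INFO_UNICODE:
        raise ValueError("ANSI Client Info PDU not handled in this example")
    off = 18
    fields = []
    for cb in lengths:                          # Domain, UserName, Password, AlternateShell, WorkingDir
        fields.append(packet[off:off + cb].decode("utf-16-le"))
        off += cb + 2                           # skip the mandatory null terminator
    username = fields[1]
    family, cb_addr = struct.unpack_from("<HH", packet, off)
    off += 4
    address = packet[off:off + cb_addr].decode("utf-16-le").rstrip("\x00")
    return username, family, address


def classify_origin(peer_ip, reported):
    """'direct'    : client stack sits on the host we talked to
       'relayed'   : client reports a different public address (proxy/jump host in between)
       'nat'       : client reports a private/link-local address, field is uninformative
       'unparseable': field empty or not an IP literal"""
    try:
        rep = ip_address(reported)
    except ValueError:
        return "unparseable"
    if any(rep in net for net in LOCAL_SCOPE):
        return "nat"
    return "direct" if rep == ip_address(peer_ip) else "relayed"


def analyse_connection(peer_ip, info_packet):
    """One record per honeypot session: who logged in, from where, and the verdict."""
    username, family, reported = parse_client_address(info_packet)
    return {"user": username, "peer": peer_ip, "reported": reported,
            "family": "IPv6" if family == AF_INET6 else "IPv4",
            "verdict": classify_origin(peer_ip, reported)}


if __name__ == "__main__":
    # Constructed session: connection seen from 203.0.113.10, client claims 198.51.100.7.
    pkt = build_info_packet("Administrator", "198.51.100.7")
    print(analyse_connection("203.0.113.10", pkt))
```

The 'relayed' verdict is the interesting one for attribution: geolocating the reported address instead of the peer is what moves the dot on the map. A 'nat' verdict says nothing about origin, so a pipeline built on this field must keep both addresses and never overwrite the peer with the reported one.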

This analysis let us relate attack strategies to the geographic origin of the corrected IP addresses. It also surfaced evidence of the same hacking tools being used from several countries, hinting at international collaboration between attackers. The presentation will walk through these methods and the evidence of cross-country alliances they produced.

Through our research, we aim to enhance the understanding of global cyber threats, highlighting the cooperative nature of contemporary cyberattacks.

Track 2