'Smart factory' honeypot attracts two ransomware attacks, fraudsters, corporate espionage - and other security researchers
Trend Micro honeypot indicates that bread-and-butter security measures will deter most attackers
A 'smart factory' honeypot set up by Trend Micro attracted crypto-miners and two ransomware attacks - although it took more than a month before the attacks commenced.
However, once the sub-par security of the supposed factory was discovered, the attacks multiplied, and even attracted the attention of security researchers, albeit only after several months.
The company established the honeypot in May last year, modelled on two similar operations it conducted in 2013 and 2015. These had followed on from the Stuxnet worm, which was first uncovered in 2010 targeting supervisory control and data acquisition (SCADA) systems running Windows and Siemens Step7 engineering software.
And, because hackers have grown wise to wasting their time over honeypots, Trend Micro went to some trouble to create a convincing facade - setting up phone systems, an online profile for the company replete with staff biographies, and negotiating with ransomware attackers when they struck. The company also used genuine industrial control system hardware from Siemens, Allen-Bradley and Omron for authenticity.
In addition to a research paper [PDF], Trend Micro also presented the results of the experiment at the S4 industrial security event earlier this week.
"Trend Micro decided to pose as a small industrial prototyping 'boutique' consultancy working on sensitive projects for highly specialised customers," wrote Ian Heritage in a blog posting.
He continued: "To add authenticity to the honeypot, the research team used real Industrial Control System (ICS) hardware and a mix of physical hosts and VMs. Several programmable logic controllers (PLCs), human machine interfaces (HMIs), separate robotic and engineering workstations and a file server completed the picture.
"To lure attackers, specific ports were left open without passwords to enable services such as VNC, and information was posted to Pastebin to make the fake company easier to find."
However, rather than being targeted by fiendishly clever attackers, adds Heritage, the attacks were somewhat mundane, "but still enough to cause especially smaller organisations some significant problems".
He continued: "It is clear that best practice security measures do work. Even the most basic security measures we had in place initially kept attackers from attempting to infiltrate the honeypot. It was only when we opened up the VNC port, for example, that it was infected with cryptocurrency malware.
"We'd therefore urge IT security bosses managing smart factory environments to ensure they follow industry advice: by limiting the number of ports they open and following strict access control policies according to least privilege."
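The weakness the honeypot exposed was VNC reachable without a password. As an added illustration of how a defender can audit for that condition (this is not Trend Micro's code, and the function names and byte strings are assumed for the example), the snippet below parses the security-type list an RFB 3.7/3.8 server sends after the version handshake and flags any listener that offers security type 1, "None", which admits a client with no password at all.

```python
"""Audit helper: flag VNC listeners that allow unauthenticated access.

Parses the server's security-type message (RFB 3.7+, RFC 6143 section 7.1.2):
one byte N, then N security-type bytes. N == 0 means the server refused the
connection and a length-prefixed reason string follows. Added example; the
payloads below are constructed, not captured from the honeypot.
"""
import struct

SECURITY_NONE = 1      # no authentication: the condition the honeypot exhibited
SECURITY_VNC_AUTH = 2  # classic VNC password challenge/response


def parse_security_types(payload: bytes) -> list:
    """Return the list of security types the server offers, or raise."""
    if not payload:
        raise ValueError("empty security-type message")
    count = payload[0]
    if count == 0:
        # Refusal: 4-byte big-endian length followed by a reason string.
        (reason_len,) = struct.unpack(">I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError("server refused connection: " + reason)
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def allows_unauthenticated(payload: bytes) -> bool:
    """True if a client could pick 'None' and log in with no password.

    Offering 'None' alongside VNC Authentication is still a finding: the
    client, not the server, chooses which listed type to use.
    """
    return SECURITY_NONE in parse_security_types(payload)


def audit(listeners: dict) -> list:
    """Map {(host, port): security-type payload} to a list of flagged (host, port)."""
    flagged = []
    for (host, port), payload in listeners.items():
        try:
            if allows_unauthenticated(payload):
                flagged.append((host, port))
        except (ValueError, ConnectionError):
            continue  # refused or malformed: nothing to log in to, so not flagged
    return flagged
```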
The findings don't augur well for organisations that have fallen victim to serious ransomware or Magecart attacks in recent years, such as Travelex and British Airways.
It took more than a month before the first attack showed up, but several followed after a VNC service was opened. This was a Monero-mining operation using a remote access Trojan, with the attacker returning a week later to install further malware.
Another threat actor at the beginning of August came in via VNC and enabled RDP on the Windows firewall. In the same month, more reconnaissance attacks were detected. Also in August, the honeypot appeared on security researchers' radars, with one posting a tweet intended to warn the company of the vulnerabilities it was exhibiting.
In October, the first ransomware turned up, with an attacker downloading a compressed file containing the Phobos ransomware. In November, meanwhile, another ransomware attack was attempted, while a white-hat hacker left behind a message advising the organisation that port 5901 was open and that it should set a password for VNC.
"During the research period, it became apparent that there was increasing activity on the honeypot, with higher levels of interactions from day to day. [But] for our honeypot to garner this kind of attention, we practically had to do everything wrong when it came to our faux company's general security stance.
"However, for many small businesses with no IT or security staff, such a situation is not uncommon," the company concluded.