AWS stirs the MadPot – busting bot baddies and eastern espionage

Security exec Mark Ryland spills the tea on hush-hush threat intel tool


Interview AWS has unveiled MadPot, its previously secret threat-intelligence tool that one of the cloud giant's security execs tells us has thwarted Chinese and Russian spies – and millions of bots.

The massive honeypot system has been around since late last decade, and includes tens of thousands of threat sensors monitoring criminals' attempts to connect with AWS decoys. These sensors spot more than 100 million potential threats every day, and some 500,000 of these turn out to be malicious activity, according to the cloud giant.

Even though it's been under development and in use for years, AWS just this week went public with details about MadPot and some of the attacks it has thwarted.

This includes preventing Chinese spies from snooping around in US critical infrastructure networks earlier this year and contributing to the Five Eyes' May advisory about Volt Typhoon, a Beijing-backed cyber-espionage gang.

Using data gleaned from MadPot, Amazon was able to identify a payload that carried a unique signature, and then attributed that signature to Volt Typhoon.

"We do keep a huge security data lake of all the past interactions" with MadPot, Mark Ryland, director of the Office of the CISO for AWS, told The Register. This data lake allowed the threat hunters to identify other instances of the Chinese hackers' signature going back to August 2021.

"The success story there was being able to do the query across a large data set going back multiple years, for these sort of subtle indicators of identity, something that's unique about the behavior," Ryland said.

AWS still sees Volt Typhoon trying to break into US networks, and continues sharing this information with the government.

Spotting Sandworm

Sandworm also got caught in AWS's decoys when it tried to exploit what it thought was a WatchGuard network security appliance. In 2022 the hacking crew, tied to Russia's GRU military intelligence agency, went on a hijacking spree, compromising WatchGuard firewall appliances and ASUS routers to build its Cyclops Blink botnet, in an attempt to use these devices as command-and-control (C2) infrastructure for future attacks. The feds took down the C2 infrastructure in April 2022.

Using MadPot's intel, AWS identified the IP addresses and other attributes tied to Sandworm being used in attempts to compromise one of its customers. Ryland says the cloud provider notified the customer, which then mitigated the vulnerability and prevented a device takeover.

This illustrates how MadPot can detect and help prevent attacks that aren't typically cloud threats, according to Ryland.

"We emulate things like home routers or security appliances that normally aren't in the cloud," he said. "We're constantly expanding the kinds of behaviors we can emulate, and thereby gain greater intelligence as to what's going on with the malicious actors."

AWS claims that, in the first three months of 2023, MadPot thwarted more than 1.3 million outbound botnet-driven distributed denial-of-service attacks. And in the first half of the year, it spotted almost 2,000 botnet C2 hosts, and shared these details with relevant hosting providers and domain registrars to take down the control infrastructure.

"We now have very quick and accurate capability to detect C2 behavior that allows us to block C2 signals at the edge of our network, which has a huge impact across our large IP space," Ryland said. "That ability to shut it off at the spigot, or at least as it enters our network, is one of the most important advances that we've been able to make."

Like everyone else keeping a close eye on the threat landscape, AWS has seen a massive influx in the number of network-flooding DDoS attempts. The cloud giant has also seen a spike in these attacks at the application layer, according to Ryland.

During the first six months of 2023, AWS worked with other providers to shut down the sources of about 230,000 of these Layer 7 DDoS events.

"That's an area that we've seen a significant increase," Ryland said. "We were able to do a lot of detection and edge blocking of that, but also working to drive down the existence of open proxies across our platform, [and] ... the broader internet by letting other providers know when we see that behavior."

Another element of these open proxies is that criminals like to use them for credential-stuffing attacks, in which they take a list of leaked or stolen username and password pairs and replay it at scale against a victim's login pages, betting that people reuse passwords across services. Routing the attempts through open proxies hides the attacker's own addresses and spreads the traffic so that per-IP rate limits on the target are less likely to trip.

MadPot, "by pretending to be an open proxy and pretending to send the requests on to the actual target," gives AWS a ton of data about these attempts, and helps prevent more people and organizations from falling victim to them, Ryland said. 
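To make concrete how an open-proxy decoy of the kind Ryland describes can harvest credential-stuffing traffic, here is a small Python sketch added for this page. It is not MadPot or any AWS code. It parses the proxy-form HTTP requests an attacker hands the "proxy" (absolute-URI requests and CONNECT tunnels), records the intended target and any credentials carried in a login form or Basic Authorization header, and answers with a bland response instead of forwarding anything. The sample requests are constructed, and the login field names it recognises are an assumption about common login forms.

```python
"""Toy open-proxy decoy, in the spirit of the MadPot behaviour Ryland describes.

Illustrative code written for this page; not MadPot or any AWS code. Nothing is
ever forwarded: the decoy parses the request an attacker hands the 'proxy',
records which host and path it was aimed at and which credentials it carried,
and answers with a generic response so the attacker's tooling sees nothing odd.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed login field names (an assumption; a real decoy would learn them per target).
USER_FIELDS = {"user", "username", "email", "login"}
PASS_FIELDS = {"pass", "password", "passwd"}


@dataclass
class ProxiedAttempt:
    method: str
    target_host: str
    target_path: str
    credentials: list[tuple[str, str]] = field(default_factory=list)


def _headers(lines: list[str]) -> dict[str, str]:
    out: dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out


def parse_proxied_request(raw: bytes) -> ProxiedAttempt:
    """Parse one proxy-form HTTP request (absolute URI or CONNECT) without sending it on."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    method = method.upper()
    headers = _headers(lines[1:])

    if method == "CONNECT":
        # CONNECT carries only host:port; the TLS inside the tunnel would be opaque anyway.
        host, path = target, ""
    else:
        url = urlsplit(target)
        host = url.netloc or headers.get("host", "")
        path = url.path or "/"
        if url.query:
            path += "?" + url.query

    attempt = ProxiedAttempt(method, host, path)

    # Authorization is aimed at the victim site; Proxy-Authorization (aimed at us) is ignored.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = ""
        user, sep, password = decoded.partition(":")
        if sep:
            attempt.credentials.append((user, password))

    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and body:
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        user = next((v[0] for k, v in form.items() if k.lower() in USER_FIELDS), None)
        password = next((v[0] for k, v in form.items() if k.lower() in PASS_FIELDS), None)
        if user is not None and password is not None:
            attempt.credentials.append((user, password))
    return attempt


def decoy_response() -> bytes:
    """What the decoy hands back in place of a real upstream answer."""
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


def stuffed_targets(attempts: list[ProxiedAttempt], threshold: int = 2) -> dict[str, int]:
    """Hosts that saw at least `threshold` distinct credential pairs through the decoy."""
    seen: dict[str, set[tuple[str, str]]] = {}
    for a in attempts:
        seen.setdefault(a.target_host, set()).update(a.credentials)
    return {host: len(c) for host, c in seen.items() if len(c) >= threshold}


# Constructed sample traffic: two form logins and one Basic-auth probe relayed
# through the "proxy", plus a CONNECT tunnel request.
SAMPLE_REQUESTS = [
    b"POST http://shop.example.test/login HTTP/1.1\r\nHost: shop.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice%40example.test&password=Summer2023%21&remember=1",
    b"POST http://shop.example.test/login HTTP/1.1\r\nHost: shop.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=carol&password=P%40ssw0rd&remember=1",
    b"GET http://portal.example.test/api/me HTTP/1.1\r\nHost: portal.example.test\r\n"
    b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n",
    b"CONNECT mail.example.test:443 HTTP/1.1\r\nHost: mail.example.test:443\r\n\r\n",
]

if __name__ == "__main__":
    attempts = [parse_proxied_request(r) for r in SAMPLE_REQUESTS]
    for a in attempts:
        print(a.method, a.target_host, a.target_path, a.credentials)
    print("likely credential-stuffing targets:", stuffed_targets(attempts))
```

The point of the design is the one Ryland makes: because the decoy sits where the attacker expects a relay, every request arrives with its true destination and payload in the clear, so the operator learns the target, the path being hit and the exact credential pairs in play, and can feed those pairs to breached-credential lists without ever touching the victim. Anything the tooling expects to see coming back (for example a distinctive login-failure page) is what a more convincing decoy would emulate next.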

"We know not only who the target is, we know exactly what they're targeting, who they're targeting," he said. "And we can actually then acquire all the credentials that they're using and add those to industry lists of known stolen credentials." ®
