Cloud computing giant AWS says an internal threat intel decoy system called MadPot has been used successfully to trap malicious activity, including nation state-backed APTs like Volt Typhoon and Sandworm.
MadPot, the brainchild of AWS software engineer Nima Sharifi Mehr, is described as “a sophisticated system of monitoring sensors and automated response capabilities” that entraps malicious actors, watches their movements, and generates protection data for multiple AWS security products.
AWS said the honeypot system is designed to look like a huge number of plausible innocent targets to pinpoint and stop DDoS botnets and proactively block high-end threat actors like Sandworm from compromising AWS customers.
In a note describing MadPot, AWS said the sensors keep watch on more than 100 million potential threat interactions and probes every day around the world, with approximately 500,000 of those observed activities advancing to the point where they can be classified as malicious.
“That enormous amount of threat intelligence data is ingested, correlated, and analyzed to deliver actionable insights about potentially harmful activity happening across the internet. The response capabilities automatically protect the AWS network from identified threats, and generate outbound communications to other companies whose infrastructure is being used for malicious activities,” the company said.
In the case of Sandworm, AWS said the honeypot caught the actor attempting to exploit a security vulnerability affecting WatchGuard network security appliances. “With close investigation of the payload, we identified not only IP addresses but also other unique attributes associated with the Sandworm threat that were involved in an attempted compromise of an AWS customer,” it added.
“MadPot’s unique ability to mimic a variety of services and engage in high levels of interaction helped us capture additional details about Sandworm campaigns, such as services that the actor was targeting and post-exploitation commands initiated by that actor. Using this intelligence, we notified the customer, who promptly acted to mitigate the vulnerability,” AWS said.
In another high-profile case, AWS said the MadPot system was used to help government and law enforcement authorities to identify and disrupt Volt Typhoon, a Chinese state-backed hacking group caught siphoning data from critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.
“Through our investigation inside MadPot, we identified a payload submitted by the threat actor that contained a unique signature, which allowed identification and attribution of activities by Volt Typhoon that would otherwise appear to be unrelated,” AWS explained.
The company said MadPot’s data and findings is used to beef up the quality of its security tooling that include AWS WAF, AWS Shield, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall, and detective and reactive services like Amazon GuardDuty, AWS Security Hub, and Amazon Inspector.