The BBC today ran a story covering how cyber-attackers are now turning to tools that automate the process of finding and hijacking vulnerable servers.The study used a fake server known as a honeypot to log everything done to it by digital intruders. Put online by security firm Cybereason, the server was quickly found and hijacked in seconds by a bot that broke through its digital defences.
To make the fake server look more convincing, Cybereason thought up a company name, generated staff identities and spoofed network traffic. This helped it pass the “sniff test” and convince bots it was a target that was worth their attention. About two hours after the server for the fake finance firm was put online it was found by a bot which then aggressively set about taking it over. Passwords to protect some of the server’s functions were left intentionally weak to tempt the bot which duly cracked them and then went on to plunder information on the machine. IT security experts commented below.
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“Alert Logic did some research on autosploit, a new tool that automatically looks for assets to hack on the internet, and then automatically hacks the systems. Our research was to see if this new tool generated interest in the hacker community. We would have expected to see an increase in attacks against our customers generally due to its release, and while we haven’t quantified what impact this might have had, we have at least a supposition that it would increase attacks.
I am not surprised that organisations are starting to see this behaviour It’s likely due to attackers using miners more and more as a way to monetise attacks. We see the miner malware automatically looking to identify other miners in the environment and shut the current hackers down in order to spin up their own systems. They are also looking to stay persistent for as long as possible in an asset, as controls on the cryptocurrency side starts to improve ways to detect what a valid miner looks like.”
Sammy Migues, Principal Scientist at Synopsys:
“In my day, a “hacker” was someone who would spend two hours coding up some elegant script so that they wouldn’t ever have to do 10 minutes of tedious labour ever again. Even though “hacker” is “attacker” now, the mindset hasn’t changed. Only a person incapable of actual hacking (such as writing clever scripts) would ever do all those steps manually and that person is probably not an attacker to be feared.
In theory, time is on the organisation’s side and their brilliant and comprehensive logging and attack management would catch the breach by the second or third step. When it’s automated, the entire attack might occur within the window that their logging and SIEM can turn data into knowledge into calls to action.
If your electronic “attack surface” has one or more vulnerabilities that are known long enough for someone to string together multiple exploits into one bot that still works, then you’ve made an error in how you prioritize repairs, or in asset management, or something like that.
So, yes, someone “weaponised” a set of attacks into something a great many less capable “attackers” can use. Hello, 1988 called and they want their Morris Worm back. Zero-days aside, by the time this happens, you probably should have patched. Considering the chain of exploits required here (for this purposely vulnerable honeypot), when that exists for real, it’s almost always because someone isn’t keeping up with the risk management, which would drive their patching, firewalling, WAFing, and so on. This is not victim blaming. There’s a reason why we inspect cars and keep the unsafe ones off the road…haven’t quite figured out how to do that with a lot drivers, however.
So, why do attackers lick their chops and run their bots? Because they can…”
Kelvin Murray, Senior Threat Research Analyst at Webroot:
“Hackers always look at the latest technology. Automation technologies are changing the game for attackers, allowing them to mount more complex and sophisticated attacks at scale in seconds. Although it will take many years before hackers employ powerful AI to inflict damage upon systems and services autonomously, smart programming and even machine learning can be more readily weaponised in the medium term. These attackers appear to have successfully removed the human labour required to complete a successful breach, using a bot to identify and attack a decoy – which is worrying news.
“Cyber criminals largely operate a numbers game. More attempts to access data or capture information fundamentally translates to an increased likelihood of successfully making money. It really is no surprise that the more tedious aspects of stealing from a business have been automated. Completely taking over a business without secured RDP is very easy to do and to implement this in code wouldn’t be tough. We recommend securing your endpoints against RDP breaches immediately. Proper password policy is of course something that would also protect against these kind of attacks. A combination of an intelligent approach to security and the latest defence technologies will help organisations stay one step ahead of the bad guys – even if they are automating their attacks.”