Researchers at F5 Networks released a report identifying a series of cyber-attacks targeting Singapore on 6/11/2018 and 6/12/2018. Specifically, 88% of malicious traffic originated from Russia and targeted VoIP Phones (the kind found in many hotels) and IoT devices in Singapore – a country that does not typically fall within the top 10 countries in terms of global attack traffic.
It’s no secret Russia has been launching a steady barrage of coordinated cyber-attacks against the US as many sanctions have been issued against Russian officials and businesses since the 2016 Presidential election. Beyond official sanctions, the US-Cert issued an alert in April regarding Russia maintaining persistent access to small office and home office routers warning of widespread espionage.
Technical Details:
- Russia accounted for 88% of the attacks against Singapore on 6/12/2018
- 97% of all attacks coming from Russia during this time period targeted Singapore.
- The attacks were primarily reconnaissance scans—looking for vulnerable systems–from a single Russian IP address (246.234.60), followed by actual attacks that came from both Russia and Brazil.
- The top attacked target was a protocol known as SIP 5060, which is used by IP phones to transmit communications in clear text.
- The number two attacked port was telnet, consistent with IoT device attacks that could be within proximity to targets of interest.
- Other ports attacked include Port 7457, the same target used by the Mirai botnet and Annie to target ISP managed routers.
About the Attack:
- SIP is an IP phone protocol, 5060 is specifically the non-encrypted port.
- It is unusual to see port 5060 as a top attack destination port.
- Our assumption is that the attackers were trying to gain access to insecure phones or perhaps the VoIP server.
- Telnet is the most commonly attacked remote administration port by IoT attackers.
- It’s very likely the attackers were looking for any IoT device they could compromise that could provide them access to targets of interest where they could then spy on communications and collect data.
- Port 7457 is used by ISPs to remotely manage their routers. This protocol is targeted by Mirai and Annie, a Mirai spin off that caused millions of dollars of damage to European ISPs in late 2016.
- If any devices in Singapore had this port open and were protected with default admin credentials, it is likely the attackers gained access and could see any traffic through those devices, collecting data, redirecting traffic, etc. in what’s known as a “Man in the Middle” attack.
- Port 8291 was recently attacked by Hajime, the vigilante thingbot created to PDoS devices that would otherwise be infected by Mirai. If any devices in Singapore were listening on this port, and protected with vendor default credentials, it is likely the attackers could have gained access.
Conclusion:
It is unclear what the attackers were after with the SIP attacks, nor if they were successful. We will continue to analyze the attack data we have collected and update this story as we make new discoveries.
We do not have evidence directly tying this attacking activity to nation-state sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia carrying out their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin.
In regards to mitigating the threat of these types of attacks, which in this case is internet of things devices and databases directly touching the internet, always:
- protect remote administration to any device on your network with a firewall, VPN, or restrict to a specified management network, NEVER allow open communication to the entire internet.
- always change vendor default administration credentials
- stay up to date with any security patches released by the manufacturer
