Following the news from Channel News Asia that Nearly 9,000 malware-laden servers, compromised websites found in Singapore-based Interpol operation. IT security expert from Balabit and STEALTHbits Technologies commented below.
Sándor Bálint, Security Lead for Applied Data Science at Balabit:
“When most people think of the fight against malware, the first thing that comes to mind is installing anti-malware software on end-user computers. However, as this story points out, it is just as important to protect publicly available servers so they cannot be easily turned into command-and-control (C2) servers by cyber criminals, and used in subsequent attacks on other victims.
“Before this thought is quickly dismissed with the thought “Why should I care, I don’t operate any server,” it’s worth remembering that countless people run a server without knowing it. Just think of smart devices, home automation, remote control apps, the much-hyped Internet of Things – many connected devices offer various services through the network (thus acting as servers). When connected, such services are often accessible from anywhere on the Internet… smetimes, such a server is even carried in a pocket.
“By offering services to the public, one is implicitly running the risk that others might use those services in unintended ways – including turning them into C2 servers. Whether or not this is going to happen depends on a number of factors: how securely the server component was programmed, whether the service uses any authentication, if there are known problems in the network protocols used, whether adequately strong passwords are being used, if the service is running 24/7 or only for short periods of time – and oftentimes, sheer luck factors in. And if unintended usage does happen, it could be a targeted attack against the server and its data, or the server can be used as a jump host to target others and to help cover the tracks of the criminal exploiting it – sometimes over an extended period of time.
“As a result, it is now easier to become an unwitting accomplice in cybercrime than ever before.
“Running a publicly accessible server is a responsibility. While it’s not always possible to prevent any and all abuse, decreasing the attack surface (e.g. by turning off unneeded services) is essential, as is taking steps to detect and stop attacks, such as usingmonitoring solutions. Many services are able to generate usage logs, and this information can (and should) be collected and regularly reviewed. If possible, such data should be analyzed looking for signs of unusual patterns and changes in trends – preferably, the analysis should be automated.
“In some cases, the most malware defense is simply turning off unnecessary services – such as switching off your smart TV when you are not using it.”
Jonathan Sander, CTO at STEALTHbits Technologies:
“The surprising part of Interpol finding thousands of compromised servers throughout Southeast Asia is not the number found, but rather the fact that so many agencies and organizations cooperated so seamlessly to find that many. Everyone realizes we’re living in a state where the bad guys are advancing, not receding. So thousands of servers being compromised across a huge expanse of the Internet isn’t shocking. Bad guys rely in large part on organizations not cooperating with one another. They compromise a server in one organization and use it to attack another, hoping the two will never share data and connect the dots.
“Interpol was used as a bridge between many organizations and, as a result, unprecedented numbers of dots got connected to identify the bad guys’ networks of zombie machines. If more cooperation becomes the norm and data about malware and other bad guy weapons is shared freely, then maybe the good guys could get more wins like this.”