The BBC today ran a story covering how cyber-attackers are now turning to tools that automate the process of finding and hijacking vulnerable servers. The study used a fake server, known as a honeypot, to log everything done to it by digital intruders. Put online by security firm Cybereason, the server was found by a bot which, once it arrived, broke through the server’s digital defences and hijacked it in seconds.
To make the fake server look more convincing, Cybereason invented a company name, generated staff identities and spoofed network traffic. This helped it pass the “sniff test” and convinced bots it was a target worth their attention. About two hours after the server for the fake finance firm was put online, it was found by a bot which then aggressively set about taking it over. Passwords protecting some of the server’s functions were left intentionally weak to tempt the bot, which duly cracked them and then went on to plunder information on the machine. IT security experts commented below.
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“I am not surprised that organisations are starting to see this behaviour. It’s likely due to attackers using miners more and more as a way to monetise attacks. We see the miner malware automatically looking to identify other miners in the environment and shut the current hackers down in order to spin up their own systems. They are also looking to stay persistent for as long as possible in an asset, as controls on the cryptocurrency side start to improve ways to detect what a valid miner looks like.”
Sammy Migues, Principal Scientist at Synopsys:
“In theory, time is on the organisation’s side and their brilliant and comprehensive logging and attack management would catch the breach by the second or third step. When it’s automated, the entire attack might occur within the window that their logging and SIEM can turn data into knowledge into calls to action.
If your electronic “attack surface” has one or more vulnerabilities that are known long enough for someone to string together multiple exploits into one bot that still works, then you’ve made an error in how you prioritize repairs, or in asset management, or something like that.
So, yes, someone “weaponised” a set of attacks into something a great many less capable “attackers” can use. Hello, 1988 called and they want their Morris Worm back. Zero-days aside, by the time this happens, you probably should have patched. Considering the chain of exploits required here (for this purposely vulnerable honeypot), when that exists for real, it’s almost always because someone isn’t keeping up with the risk management, which would drive their patching, firewalling, WAFing, and so on. This is not victim blaming. There’s a reason why we inspect cars and keep the unsafe ones off the road…haven’t quite figured out how to do that with a lot of drivers, however.
So, why do attackers lick their chops and run their bots? Because they can…”
Kelvin Murray, Senior Threat Research Analyst at Webroot:
“Cyber criminals largely operate a numbers game. More attempts to access data or capture information fundamentally translates to an increased likelihood of successfully making money. It really is no surprise that the more tedious aspects of stealing from a business have been automated. Completely taking over a business without secured RDP is very easy to do, and to implement this in code wouldn’t be tough. We recommend securing your endpoints against RDP breaches immediately. Proper password policy is of course something that would also protect against these kinds of attacks. A combination of an intelligent approach to security and the latest defence technologies will help organisations stay one step ahead of the bad guys – even if they are automating their attacks.”
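Two of the comments above point at the same detection problem: Migues notes that an automated attack can finish inside the window a SIEM needs to turn log data into an alert, and Murray points at unsecured RDP and weak passwords as the easy way in. The check below is an added example written for this page; it is not code from the article, the BBC, Cybereason, or any of the quoted vendors. It runs over constructed Windows logon events (a simplified subset of Security log events 4625 and 4624, with logon type 10 for RDP), flags a successful logon that follows a burst of failures from one source address, and reports the time from first guess to compromise and whether the guessing cadence looks automated. The event format, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Detect automated RDP password guessing in simplified Windows logon events.

Added example for illustration. Event layout is a constructed, reduced form of
Security log events 4625 (failed logon) and 4624 (successful logon):
    timestamp event_id logon_type user source_ip
Logon type 10 is RemoteInteractive (RDP). Thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one bot (8 guesses ~200 ms apart, then success),
# one slow attacker (6 guesses 30 s apart, then success), one user who
# mistypes a password three times, and one non-RDP logon that must be ignored.
SAMPLE_LOG = """\
2018-08-10T09:00:00.000 4625 10 administrator 203.0.113.7
2018-08-10T09:00:00.210 4625 10 administrator 203.0.113.7
2018-08-10T09:00:00.420 4625 10 administrator 203.0.113.7
2018-08-10T09:00:00.630 4625 10 administrator 203.0.113.7
2018-08-10T09:00:00.840 4625 10 administrator 203.0.113.7
2018-08-10T09:00:01.050 4625 10 administrator 203.0.113.7
2018-08-10T09:00:01.260 4625 10 administrator 203.0.113.7
2018-08-10T09:00:01.470 4625 10 administrator 203.0.113.7
2018-08-10T09:00:01.700 4624 10 administrator 203.0.113.7
2018-08-10T09:00:02.000 4624 3 administrator 203.0.113.7
2018-08-10T09:10:00.000 4625 10 jsmith 198.51.100.23
2018-08-10T09:10:12.000 4625 10 jsmith 198.51.100.23
2018-08-10T09:10:31.000 4625 10 jsmith 198.51.100.23
2018-08-10T09:10:50.000 4624 10 jsmith 198.51.100.23
2018-08-10T09:20:00.000 4625 10 backup 192.0.2.44
2018-08-10T09:20:30.000 4625 10 backup 192.0.2.44
2018-08-10T09:21:00.000 4625 10 backup 192.0.2.44
2018-08-10T09:21:30.000 4625 10 backup 192.0.2.44
2018-08-10T09:22:00.000 4625 10 backup 192.0.2.44
2018-08-10T09:22:30.000 4625 10 backup 192.0.2.44
2018-08-10T09:23:00.000 4624 10 backup 192.0.2.44
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    src: str


def parse_events(text):
    """Parse the constructed line format into LogonEvent records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, user, src = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), user, src))
    return events


def detect_rdp_bruteforce(events, min_failures=5, window=timedelta(minutes=5),
                          bot_interval=timedelta(seconds=1)):
    """Return one alert per RDP success preceded by >= min_failures failures
    from the same source inside `window`. The attempt is classed as automated
    when the median gap between guesses is shorter than `bot_interval`, a
    cadence a person at a keyboard does not sustain."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type == RDP_LOGON_TYPE:  # ignore non-RDP logons entirely
            by_src[ev.src].append(ev)

    alerts = []
    for src, evs in by_src.items():
        pending = []  # failures seen since the last success from this source
        for ev in evs:
            if ev.event_id == FAILED_LOGON:
                pending.append(ev)
                continue
            if ev.event_id != SUCCESSFUL_LOGON:
                continue
            recent = [p for p in pending if ev.ts - p.ts <= window]
            if len(recent) >= min_failures:
                gaps = sorted(b.ts - a.ts for a, b in zip(recent, recent[1:]))
                median_gap = gaps[len(gaps) // 2] if gaps else window
                alerts.append({
                    "src": src,
                    "user": ev.user,
                    "failures": len(recent),
                    "time_to_compromise_s": (ev.ts - recent[0].ts).total_seconds(),
                    "automated": median_gap < bot_interval,
                })
            pending = []  # a success resets the burst for this source
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data the bot at 203.0.113.7 is reported as an automated compromise 1.7 seconds after its first guess, the slow attacker at 192.0.2.44 is reported but not classed as automated, and the three mistypes from 198.51.100.23 stay under the threshold. The 1.7-second figure is the practical point: a pipeline that batches logs every few minutes will only ever see this attack after the fact, so the alert is useful for response, while prevention has to come from the controls Murray names (no exposed RDP, strong passwords, lockout).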
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.