“We pulled this typical course of action…”
Two recent sets of honeypot data showcase the scale of the security challenge posed by bots automatically scanning the internet for vulnerabilities, with an older Telnet protocol honeypot attacked twice per second as soon as it was set up – and a cloud server honeypot set up on AWS attracting 13 attempted attacks per minute.
Honeypot Data: Telnet and SSH
The first, a Telnet and SSH honeypot set up by Dr Vesselin Bontchev, of the Bulgarian Academy of Sciences’ National Laboratory of Computer Virology, was attacked twice per second by variants of the Mirai botnet, with the vast majority of the attacks stemming from the United States; followed by the Netherlands.
While Telnet has been around since 1969; there is still no shortage of embedded system applications in IoT devices such as routers, industrial control systems etc. that use its remote access capabilities.
The honeypot was set up in 2016 and Dr Bontchev publishes monthly findings on the attacks it faces. He told Computer Business Review: “There is a HUGE number of vulnerable devices out there.”
He added: “All the major cloud hosting providers, but particularly DigitalOcean, have a very serious problem with the bad guys misusing their services for setting up command-and-control servers for their botnets.”
“Every day I send DigitalOcean 100-300 abuse reports (each report describes an IP address of theirs that has attacked our honeypot during the previous day) and they still are the major source of attacks – often accounting for two-five times more attacks than the next contender.”
DigitalOcean had not responded to a request for comment as we published.
Some Bots are Smarter than Others…
He added: “I expected [Mirai attacks] to be higher than the rest, because the source code of the botnet was released publicly, meaning that every script kiddie would be tempted to set up a botnet of their own. I didn’t expect the attack volumes to be so high, though.”
“Our Telnet (and SSH, but that accounts for about 5% of the traffic only) honeypot is attacked almost twice per second! It means that if you connect a device with a default password directly to the Internet (i.e., not behind a firewall), it will be found and infected much faster than you can change its password!”
Edward Roberts, Director of Product Marketing at Distil Networks, told Computer Business Review: “The requests attacking [this kind of] honeypot are analogous to… walking to every car and trying to find any that are unlocked.”
“[Other bots are more varied and] specifically designed to attack that website by sophisticated bot operators.”
“For example, they attack an airline and scrape the prices for a specific flight every few minutes, or they perform credential stuffing attacks an financial services websites using stolen credentials to identify valid accounts around the clock, or they purchase items like concert tickets, milliseconds after they are available, before a human can complete the purchase, and re-sell them on other sites at premium prices. These bots are deployed as a tool to make money. The business of bots is money.”
Honey in the Cloud
Port sweeps for vulnerable Telnet ports could be expected to be rife.
But a new report today by network and endpoint security specialist Sophos reveals the extent to which cloud servers are also being relentlessly probed for weaknesses.
Sophos’ report Exposed: Cyberattacks on Cloud Honeypots, reveals that cybercriminals attacked one of the cloud server honeypots in the study within 52 seconds of the honeypot going live. On average, the cloud servers were then hit by 13 attempted attacks per minute, per honeypot.
The honeypots were set up in 10 of the most popular AWS data centers in the world, including California, Frankfurt, Ireland, London, Mumbai, Ohio, Paris, Sao Paulo, Singapore and Sydney over a 30-day period.
The Typical Course of Action
Sophos said: “From the high-interaction honeypot, we pulled this typical course of action:
1. Login attempt of username:root password:admin succeeded
2. TCP connection request to Yandex over HTTPS
3. TCP connection request to large retail chain’s open API over HTTPS
4. TCP forward request to large retail chain’s open API over HTTPS
The above process repeats thousands of times, making it appear automated.
However, we can still analyze the steps in the attack.
1. Check that the honeypot has a valid internet connection by connecting to a
well-known address. This is via a secure connection request to Yandex. Yandex
is a popular search engine in eastern Europe and Russia.
2. The attack then checks if connectivity to the target service is available – in
this case, a connection request to a remote IP address belonging to a large
retail chain’s open API .
3. There then follows an attempt to exploit large retail chain’s IP address using
the SSH honeypot server as a proxy.
By being compromised, the honeypot has now become an amplification device for
the cybercriminal to launch further attacks on other infrastructure.
In total, more than five million attacks were attempted on the honeypots over 30 days, with botnets relentlessly scanning for open cloud buckets or attempting to brute force SSH logins. (The report came as Sophos launched a new agentless product, Cloud Optix, which highlights and mitigate exposure in cloud infrastructure).
The report’s authors noted: “Looking at what drives this number of brute force login attempts, we found the dominant problem was ongoing exposure as a result of not changing default usernames and passwords.”
“For example, ‘root’ exists as a default username for most NIX devices. Consequently, it
is unsurprising that it is consistently at the top of the list of most seen username login
attempts. However, the sheer scale is remarkable: ‘root’ accounts for 5,211,644 of the
5,447,956 logins (just under 96%). Because the ‘root’ account provides administrative
access to devices, it’s likely that, after their botnet reaches a significant size, the
cybercriminal will use this privileged access to perform large scale DDOS attacks to
organizations and institutes as seen before in botnets like Mirai.”
Sophos added: “There are other correlations we can make between login attempts and specific technologies.”
“For example, the username ‘pi’ was represented in the top 20 attempted usernames because it is the default username for Raspberry Pi-based computers running the Raspbian operating system. The fact that the username exists here shows that, through misconfiguration or negligence, these devices appear on the internet as exposed and vulnerable.
Honeypots aside, Akamai’s Intelligent Platform gives a flavour of broader web attack trends. Its data over the past eight days (April 1, 2019 to April 8, 2019) shows 139,110,507 attacks across industry verticals.
By far the most commonly attempted attacks were SQL injections, which numbered 128,230,076, followed by remote file inclusions, cross site scripting and PHP injections. SQL injection weaknesses occur when an application uses unsanitised data entered into web form fields, as part of a database SQL query.