2018-04-24

Lazy hackers are automating their attacks

Introduction

Hackers are making wide use of bots (automated web robots that run scripts over the Internet) to seek out and subvert vulnerable servers on the Internet, or on intranets to which they have gained access. Once a potential target is located, a human usually carries out the actual breach.

The company Cybereason created a “honeypot” installation and observed, for the first time, an automated breach of a system executed by a bot.

Automation, and in future artificial-intelligence-enhanced bots, will further increase the probability of a breach. Currently, Cisco's security organisation blocks more than 20 million attacks every day, including booby-trapped emails, malicious web pages and new malware.

Threat case

About two hours after the “honeypot” server for the fake finance firm was put online, it was found by a bot, which then aggressively set about taking it over. Passwords protecting some of the server's functions had been left intentionally weak to tempt the bot, which duly cracked them and then went on to plunder the information on the machine.
Within 15 seconds of getting access, the bot:
  • sought out and exploited several known vulnerabilities
  • scanned the network to which the server was connected
  • stole and dumped credentials for other vulnerable machines
  • created new user accounts for its creators to use.
Once the bot had done its work, the attackers went quiet for two days but returned to steal data to which the compromised server allowed access. In total, the attackers took about four gigabytes of data, all of which was fake.

Recommendation

Since attackers are improving and automating their processes and tools, so should defenders. Artificial-intelligence-enhanced Security Incident and Event Management systems will increase the probability of catching the crooks in time, whereas a human operator cannot maintain focus all the time and cannot reach far back into the historical data.

References:

  1. http://www.bbc.com/news/technology-43788337

2018-04-20

Russian state-sponsored actor preparing network infrastructure devices for further cyber attacks

What is claimed to happen?


The USA and UK issued a joint technical alert accusing Russian state-sponsored actors of maliciously manipulating and cracking Internet communications devices. The actors target government institutions, private-sector companies and Internet providers. The operation has so far been monitored for months by the FBI, the US Department of Homeland Security and the UK NCSC. The mission of this GRIZZLY STEPPE operation seems to be to prepare the network devices (e.g., routers, switches, firewalls and Network-based Intrusion Detection System (NIDS) devices) serving the target organisations to act as a man-in-the-middle. Once the front-yard network device is compromised, it can capture all IP traffic passing through it and act as a packet capturer.

How does the action seem to take place?


  1. Reconnaissance: Cyber actors scan for potentially vulnerable protocols such as Telnet, HTTP, SNMP and SMI.
  2. Weaponization: The actors trigger the device into sending them its configuration file. The configuration file contains information such as password hashes and SNMP community strings. These credentials are brute-forced to recover valid Telnet or SSH login credentials.
  3. Exploitation: Armed with real credentials, the actors log in to the network devices and activate, for example, the Cisco SMI service, thus gaining full control of the device. Once logged in, the actors can:
  • extract additional configuration information,
  • export the OS image file to an externally located cyber actor-controlled FTP server,
  • modify device configurations,
  • create Generic Routing Encapsulation (GRE) tunnels, or
  • mirror or redirect network traffic through other network infrastructure they control.


What to do?


The following general advice may apply:
  • All network devices should be treated like any other server or PC in the network: harden them by removing unnecessary services, update them regularly, prefer out-of-band management over in-band management, and install IDS sensors to monitor management traffic.
  • For more detailed countermeasures, see reference 2.
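An added example (not from the alert or this post) of what an IDS sensor on management traffic could flag, in Python over constructed flow-log lines: management-protocol access (Telnet, HTTP, SNMP, SMI) to a network device from outside the management network, and a GRE tunnel from a device to an external host. The device range, management range, log format and sample lines are all assumptions.

```python
# Added example: detection logic for the management-plane activity described
# above. Networks, log format and sample flows are constructed placeholders.
from ipaddress import ip_address, ip_network

DEVICES = ip_network("10.0.0.0/24")      # assumed router/switch/firewall range
MGMT_NET = ip_network("10.99.0.0/24")    # assumed out-of-band management hosts

# Services named in the alert as the reconnaissance surface, keyed by
# (transport, port). 4786/tcp is Cisco Smart Install (SMI).
MGMT_PORTS = {("tcp", 23): "telnet", ("tcp", 80): "http",
              ("udp", 161): "snmp", ("tcp", 4786): "cisco-smi"}


def parse_flow(line):
    """Parse a constructed 'src dst proto [port]' flow-log line."""
    parts = line.split()
    port = int(parts[3]) if len(parts) > 3 else 0   # GRE carries no port
    return ip_address(parts[0]), ip_address(parts[1]), parts[2].lower(), port


def check_flow(line):
    """Return an alert string for a suspicious flow, or None if benign."""
    src, dst, proto, port = parse_flow(line)
    # Rule 1: management protocol reaching a device from outside MGMT_NET.
    if dst in DEVICES:
        svc = MGMT_PORTS.get((proto, port))
        if svc and src not in MGMT_NET:
            return f"{svc} to device {dst} from non-management host {src}"
    # Rule 2: a device building a GRE tunnel to a host we do not own.
    if src in DEVICES and proto == "gre" and dst not in DEVICES:
        return f"GRE tunnel from device {src} to external {dst}"
    return None


def scan(lines):
    """Run every flow through check_flow and collect the alerts in order."""
    return [alert for alert in (check_flow(l) for l in lines) if alert]


# Constructed sample flows: two legitimate management sessions, two probes
# from an Internet address, one suspicious and one internal GRE tunnel.
SAMPLE = [
    "10.99.0.5 10.0.0.1 tcp 22",
    "10.99.0.5 10.0.0.1 udp 161",
    "203.0.113.7 10.0.0.1 udp 161",
    "203.0.113.7 10.0.0.1 tcp 4786",
    "10.0.0.1 198.51.100.9 gre",
    "10.0.0.1 10.0.0.2 gre",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```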

References:


  1. https://www.theguardian.com/technology/2018/apr/16/us-and-uk-blame-russia-for-malicious-cyber-offensive
  2. https://www.us-cert.gov/ncas/alerts/TA18-106A