Last Sunday, August 28th, at 17:53 a brute force attack started against this website, and this attack is still ongoing. At this moment there are 2.538 systems involved in this attack, and so far the countermeasures are holding.
So let us have a closer look at this attack, see what it means and what we can do against it.
The brute force attack is directed against WordPress, which I use to create this content, and tries to guess the password for various accounts by logging in from a group of systems and working through randomly generated passwords. The attack includes 2.538 systems and, with all the media attention for cyberattacks coming from China, Russia and North Korea, one would expect the core of the involved attacking systems to come from one of these countries or from another specific country, but that is not the case. The systems and devices involved in this attack come from all over the world and there isn’t a country with significantly more participants than the others.
What is very interesting to see is that roughly 70% of the systems involved in this attack are company-owned systems, or at least appear to be. Why “appear to be”? Well, it could well be that the final system visible in the log files is abused as a forwarder (e.g. a VPN or proxy) by malicious hackers. But even if that were the case, it still means that the abused system is not properly protected against abuse, so it is part of the problem.
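As an added illustration (not code from the original post, and not its logs), the following Python script reads constructed Apache access-log lines, counts failed WordPress logins per source address, and shows why a per-IP lockout alone does not catch a botnet that spreads its guesses thinly over many addresses; the IP addresses, timestamps and thresholds are made up for the example.

```python
import re
from collections import Counter

# Apache "combined" access-log line; only the fields needed here are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample (documentation addresses): three bots each try once or
# twice, one legitimate admin logs in successfully.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2016:17:53:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Aug/2016:17:53:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2016:17:53:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Aug/2016:17:53:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Aug/2016:17:54:10 +0200] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.8 - - [28/Aug/2016:17:55:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""


def failed_logins(log_text):
    """Count failed wp-login.php POSTs per source IP.

    WordPress answers a wrong password by re-rendering the login form with
    HTTP 200; a successful login is a 302 redirect to /wp-admin/.
    """
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip, do not crash
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            failures[m["ip"]] += 1
    return failures


def assess(failures, per_ip_lockout=5, distributed_ips=3):
    """Compare a classic per-IP lockout with an aggregate, site-wide view.

    A botnet spreads its guesses over many sources, so every IP can stay below
    the per-IP lockout while the site as a whole is under brute force.
    """
    locked = sorted(ip for ip, n in failures.items() if n >= per_ip_lockout)
    return {
        "total_failures": sum(failures.values()),
        "distinct_ips": len(failures),
        "locked_by_per_ip_rule": locked,
        "distributed_brute_force": len(failures) >= distributed_ips and not locked,
    }
```

In the sample no single address reaches the lockout, yet three distinct sources are guessing passwords within two minutes, which is the pattern a site-wide counter (or a WAF rule keyed on failures per minute rather than per IP) should alert on.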
Given the number of systems that started hammering this site with brute force attacks, the spread over countries and the high number of company-owned systems, it is clear that this attack is run by a so-called BOTNET. A BOTNET is a group of systems and devices which are infected by malicious code and are under the control of others to perform their malicious work. The problem with these botnet nodes is that the actual owners are in most cases not even aware that their systems and devices have been hijacked by hackers, and as a result these nodes can continue their malicious work for months and sometimes even years.
To be able to understand the attack itself and to implement proper countermeasures, it is important to understand why malicious hackers do this and what they might want to achieve by it. The first priority of most botnets is to gain access to the victim of the attack and add it as a node in the botnet cluster. This literally means that the attacked system becomes a part of the network and is actively involved in attacking new victims. As strange as it might sound, there are a lot of botnets out there which have so far done nothing other than swallowing attacked systems into their network. Maybe they will always continue to do so; maybe the owners of these botnets are just waiting for something or someone before they go to the next level of their malicious work.
Last year, for example, a Serbian-based botnet which had been growing for 18 months without any further activity suddenly became very active and started to insert malicious SQL code into the websites it had infected and under its control. Experts were curious about this sudden activity because this particular botnet had been able to stay below the radar of most security measures and gradually grew its spread. By the sudden change in activity, the botnet became fully exposed and came into the focus of experts and administrators. A few weeks later, there was a very simple explanation for this sudden change in activity. The hacker controlling this botnet, a Ukrainian citizen living in Belgium, had been in jail for credit card and computer abuse, and apparently the first thing he did after his release was activate one of the botnet clusters he had previously installed, to continue where he had left off before being jailed. Investigators discovered that he had a bundle of botnet clusters under his control, all waiting for a command from the master to start their real malicious work and in the meantime simply collecting more nodes into the cluster. This shows that if a botnet cluster has not started any real damaging activities yet, it might do so in the future at the command of whoever controls it!
So what malicious activities could that be? Very “popular” is abusing the controlled systems for phishing, where the hackers attempt to gain access to account data, banking data, credit cards, etc. The infected nodes in the botnet cluster can be used to send the potential victims emails inviting them, for example, to enter their banking data to confirm their account, or as the web server in which the victims enter their data, pretending to be an official system from, in our example, the banking institution. Analysts see phishing as the top cybercrime activity at this moment, and the vast majority of the known cases involve botnets.
Next is spamming through botnet-infected systems and devices, where the nodes send large amounts of spam mails to ranges of email addresses which they receive from special nodes in the cluster. Because spamming is very highly exposed and easily detected, spamming botnet clusters change quickly to stay ahead of detection and the growing number of blacklisting services. What most spam botnet owners do is briefly use a cluster for a spam activity and put it back to rest, growing the cluster in the background until it is activated again. To be able to do so, such spam cluster owners own many clusters. Many! And they don’t go through these efforts just for fun. They offer their services and clusters to those who want to annoy us with unwanted emails. Yes, you read that correctly, they sell the capacity of their spam botnets.
What else can a botnet do? A lot, and it is not a pretty story! There is an enormous amount of DDOS attacks through botnets, where a cluster, at the command of its owner, starts to hammer the selected victim with traffic until it collapses completely and is no longer available to the public. Such Distributed Denial of Service (DDOS) attacks are, for example, responsible for taking down the website of a newspaper, but also high-profile blogs or banks. Botnets are also used to actively attack the security measures of internet portals and services, and in most cases these are combined into a multi-layer cyberattack in which DDOS is sometimes also used as one of the attacking mechanisms.
We can safely conclude that botnets are bad for all of us and we should do whatever we can to avoid becoming a node in one of those malicious clusters. In the case of botnets the responsibility is very clear and very simple. First, there is the malicious hacker or group of hackers who abuse the systems, devices and infrastructure of others, so it would be very easy to put the full responsibility in their hands. As logical as this might seem, it is not correct, because what they actually do is abuse opportunities created by others. Opportunities which can be (and in most cases are) the result of not patching security holes in operating systems, applications, services and devices.
As seen in the ongoing attack against this website, a large number of the systems involved in botnet clusters are company-owned or use company-owned forwarders, and there is a very clear reason for that. Most of the company-owned systems and devices are running 24/7, and a big part of them run fully unattended, so they are available to the hackers 24/7. A new and concerning development is the fast growth of “Internet of Things” (IoT) devices involved in botnet clusters. Examples are TV sets and so-called “smart home” devices which are infected with malicious code, and since they are connected to the internet 24/7, these devices have become a very popular new target for hackers.
These 24/7 always-on systems and the less frequently powered-on systems have in common that the available precautions, like updates of operating systems and anti-virus solutions, are not installed or, as in the case of most IoT devices, such precautions aren’t even available (yet). Prevention against becoming a node in a malicious network intended to harm others should in these cases be to stay ahead of the game by rolling out those patches and updates to the company infrastructure, all of it, and for private owners to do the same for the devices they own and are responsible for. That includes parents checking regularly whether their kids didn’t deactivate the anti-virus software “because my friend told me it is ok”, and yes, I am speaking from own experience in this case.
So preventing yourself from becoming a tool for criminals by being a node in a botnet cluster does put the responsibility on you and all the other owners and administrators to keep your systems and protection updated, but it would be very wrong to suggest that this is sufficient. Wrong, because there are many more threats than those vulnerabilities in operating systems etc. that we need to patch frequently. Wrong, because some of the vulnerabilities are related to the out-of-the-box settings of systems and devices, and updates won’t change that until we do, or the manufacturers finally realize they have to do so through an update. Wrong, because, for example, my now 6-year-old internet-enabled Linux-based satellite receiver has ZERO updates available from the manufacturer but is known for its security issues in the out-of-the-box configuration.
Prevention includes not providing the opportunity, or at least providing fewer opportunities, for hackers to abuse. And that includes switching off what you are not actually using. When a system or device is powered down, it isn’t available for hackers to try to get access to it and put it under their control. Prevention can be as simple as just that: switch off what you are not using! Prevention is also using common sense, thinking before you act and feeling responsible for the (cyber)security of yourself and others. As long as people naively believe that others are responsible for their security and the prevention of abuse, hackers have plenty of victims waiting to be abused.
During the research for my upcoming book “Cybersecurity for Road Warriors” and related workshops, victims of cyber abuse often ask me these questions: Why me, why was I a target, why am I a victim? The answer to this is in most cases simple, sobering and provocative. Because they can and because you allowed them. Asking more questions about what happened and how it happened will almost always give the same history. The victims installed what they believed to be a magic wand to make their computer faster and better, all for free. Or they installed a cracked version of commercial software. Or they clicked on that link in an email although everyone always suggests that they shouldn’t do that. Plain and simple, hackers make their victims believe there is something to gain, and their victims fall for it. Again and again, and they just keep falling for it.
Remember when your mother gave you this advice?
Do not talk to strangers, not even when they offer you free candy!
Best advice ever, and it is still valid, even in cyberspace! Surprised it turns out your mother knew/knows more about cybersecurity than you?