Bots, the good, the bad and whatever comes next, remain an information security issue with the potential to affect every commercial and recreational activity online. This series explores the security and business ramifications of the modern internet, where you may be surprised by how many non-human visitors your online services receive.
“All we know is that there’s still no contact with the colony and that xenobot may be involved.” – Lieutenant Gorman, LV426, 1986
“The web server is compromised.” These are the words nobody in IT or IT security wants to hear, but it happens, and in many cases an SSH brute force bot is responsible.
In 2013, Sucuri blogger Daniel Cid described SSH brute force as a ten-year-old attack, which dates it to around 2003. Fast forward to today: within seconds of spinning up a virtual server in any hosting environment on the internet, bots will start hammering its SSH login.
This is precisely what is going on with a new bot that Sophos revealed in October 2018. In an extensive blog post, Timothy Easton discusses the first stage of the attack.
“SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo.” Once the SSH password has been forced, software components are installed on the compromised server so that it can be used for future DDoS attacks or any other purpose the malicious actor desires.
There is an art to conducting brute force attacks against SSH and other internet-exposed services, and it has more to do with human psychology than technical prowess. In most cases the attacker holds all the advantages: email addresses and default administrative account names are readily available, and many humans are lazy when it comes to creating passwords.
For an SSH account, chances are the “root”, “admin” or “Administrator” account will be targeted. A bot can cycle through the top 100, 500 or 1,000 most common passwords, such as “12345678”, “letmein” or “P@ssw0rd”, in minutes. If the bot breaks in, the bad guys win. Web servers are another tempting target, but rather than a break-in, the bot’s capabilities are turned loose in an account harvesting mode.
“The bot goes online August 4th, 1997. The bot begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th.” – Terminator 800 Series, 16 August 1991
Credential stuffing, also called account harvesting, is a more recent evolution of the bot attack, and a more sophisticated and less noisy one than brute force. Using data from previous breaches, the bot replays the email address and password pairs disclosed in those breaches against other sites, in the hope that a different account is protected by the same compromised combination.
Because people re-use passwords across multiple websites, one previously stolen combination can compromise nearly all of someone’s accounts. There is a thriving underground market for stolen credentials to popular websites and even corporate user accounts, according to Irdeto’s Global Consumer Piracy Threat Report 2018.
Malicious actors may not stop at compromising individual accounts; they may leverage the information they have gained in a different way. In August 2018, SuperDrug, a large retailer of beauty products, was approached by cyber-criminals who claimed to have the account information of 20,000 users.
Given the penalties outlined in the GDPR, the cybercriminals attempted to extort SuperDrug to “keep the data breach private.” When asked to provide proof of the hack, they produced only 400 or so accounts, and the investigation revealed that all of these had been obtained from previous breaches.
The most significant piece of actionable threat intelligence you already have is the failed logins in your logs that originate from the same IP address. The volume of attempts alone indicates some sort of bot attack is taking place: no human tries to log in 4,769 times.
This could be brute force attempts against one account, or common passwords tried against many accounts; further analysis of the logs will tell you which (many failures against one username suggests brute force, one or two failures each across many usernames suggests password spraying or credential stuffing). One way to address the problem is a tool such as Fail2ban, which bans an IP address that starts generating a high number of login failures. The concern with Fail2ban is collateral damage: failures coming from a shared address (a corporate NAT or VPN egress), or generated deliberately by an attacker from an address you depend on, could get non-hostile or internal connections banned, a self-inflicted denial of service. Fail2ban’s ignoreip setting exists precisely to exempt addresses you never want banned.
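The log triage described above, as an added example that is not part of the original post: it parses sshd password-authentication lines, counts failures per source IP, separates brute force (many guesses against few accounts) from credential stuffing or spraying (one or two guesses each across many accounts), flags a success from an already-hostile address as a probable takeover, and makes a Fail2ban-style ban decision with an ignore list. The log lines, the threshold of 5 and the addresses are constructed for the example, not taken from any real host.

```python
import re
from collections import defaultdict

# Matches the password-authentication lines sshd writes to /var/log/auth.log
# (Debian/Ubuntu) or /var/log/secure (RHEL). "invalid user" is logged when the
# account does not exist at all, which is typical of a bot guessing usernames.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (not taken from any real system). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; 10.0.0.5 stands for an internal jump host.
SAMPLE_LOG = """\
Oct 16 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 16 10:01:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 16 10:01:03 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51238 ssh2
Oct 16 10:01:04 web1 sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct 16 10:01:04 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51242 ssh2
Oct 16 10:01:05 web1 sshd[2221]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct 16 10:02:10 web1 sshd[2301]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Oct 16 10:02:11 web1 sshd[2303]: Failed password for bob from 198.51.100.4 port 40012 ssh2
Oct 16 10:02:11 web1 sshd[2305]: Failed password for carol from 198.51.100.4 port 40014 ssh2
Oct 16 10:02:12 web1 sshd[2307]: Failed password for dave from 198.51.100.4 port 40016 ssh2
Oct 16 10:02:12 web1 sshd[2309]: Failed password for erin from 198.51.100.4 port 40018 ssh2
Oct 16 10:02:13 web1 sshd[2311]: Accepted password for frank from 198.51.100.4 port 40020 ssh2
Oct 16 10:05:00 web1 sshd[2400]: Failed password for deploy from 10.0.0.5 port 33000 ssh2
Oct 16 10:05:09 web1 sshd[2402]: Accepted password for deploy from 10.0.0.5 port 33002 ssh2
"""


def parse_events(log_text):
    """Return (ip, user, accepted) tuples for every matching sshd line."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_AUTH.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def analyze(log_text, threshold=5, ignore_ips=()):
    """Per-source-IP summary with a verdict and a Fail2ban-style ban decision.

    threshold: failures from one IP before it counts as hostile (like Fail2ban's maxretry).
    ignore_ips: addresses never banned whatever they do (like Fail2ban's ignoreip).
    """
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0,
                                 "failed_users": set(), "accepted_users": set()})
    for ip, user, accepted in parse_events(log_text):
        s = stats[ip]
        if accepted:
            s["accepted"] += 1
            s["accepted_users"].add(user)
        else:
            s["failed"] += 1
            s["failed_users"].add(user)

    report = {}
    for ip, s in stats.items():
        hostile = s["failed"] >= threshold
        if not hostile:
            verdict = "benign"
        elif s["failed"] / len(s["failed_users"]) >= 2:
            # Several guesses per account: a password list run against root/admin etc.
            verdict = "brute force"
        else:
            # About one guess per account across many accounts: password spray
            # or replayed breach credentials (credential stuffing).
            verdict = "credential stuffing"
        report[ip] = {
            "failed": s["failed"],
            "accepted": s["accepted"],
            "users_tried": sorted(s["failed_users"] | s["accepted_users"]),
            "verdict": verdict,
            # A success from an address that was already hostile is the signal
            # to act on first: one of the guessed credentials worked.
            "takeover_suspected": hostile and s["accepted"] > 0,
            "ban": hostile and ip not in set(ignore_ips),
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG, ignore_ips={"10.0.0.5"}).items():
        print(ip, r)
```

Run against the constructed log, 203.0.113.7 comes out as brute force (six failures against two usernames), 198.51.100.4 as credential stuffing with a suspected takeover of “frank”, and the internal host stays benign; the ignore list keeps a listed address from ever being banned regardless of its failure count, which is the safeguard against the self-inflicted denial of service mentioned above.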
The latest available data, from the most detailed study of the bot problem, suggests this is a quickly growing online problem. Two highlights from Shape Security’s 2018 Credential Spill Report bring the source of the credential stuffing problem to light:
“The US consumer banking suffers actual losses of $5 million per day, or over $1.6 billion per year.” And, on how stolen credentials are utilized: “On average, it took fifteen months for a credential spill to become public knowledge. The longer it takes to discover a compromise, the more time attackers have to monetize account takeovers.”
“There’s something out there waiting for your website, and it ain’t no man. We’re all gonna die.” Billy, an unspecified country in Central America, 1 January 1988.
Defending your websites from credential stuffing and brute force bots is relatively painless. Account lockout policies (lock the account after X failed logins) may be considered, but a word of caution is required: several bots working in unison could lock out hundreds of accounts on your system, overwhelming the support team with unlock requests, and an attacker can trigger this deliberately. It is best to take a different approach.
Educate users to choose a sufficiently strong password (not necessarily a complex one). Enforce unique and strong passwords by checking newly created passwords against a strength meter and, not or, against the “Have I Been Pwned” Pwned Passwords API, which reports whether a password has already appeared in account data breaches. The combination is really effective.
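The two-part check described above, as an added example that is not code from the original post or from Have I Been Pwned: a local strength check and a breach check, both of which must pass. The breach check uses the real Pwned Passwords range protocol (only the first five hex characters of the password’s SHA-1 are sent; the suffix is compared locally), but the range response here is a constructed stand-in with illustrative counts so the example runs offline. The 12-character minimum and the three-character-class rule are this example’s assumptions, not a policy the post prescribes.

```python
import hashlib

# Real endpoint of the Pwned Passwords range API (not contacted by this example):
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to the
    API and the 35-char suffix that never leaves the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for breach data; the counts are illustrative only, not
# figures from the real service.
_KNOWN_BREACHED = {"password": 1000000, "12345678": 500000, "letmein": 100000}


def constructed_range_lookup(prefix):
    """Return 'SUFFIX:COUNT' lines in the API's response format for the
    constructed data set. In production, replace this with a GET of
    PWNED_RANGE_URL + prefix and return the response body."""
    lines = []
    for pw, count in _KNOWN_BREACHED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # A real response lists every breached suffix sharing the prefix; one
    # filler entry models the ones we are not looking for.
    lines.append("0000000000000000000000000000000000000:1")
    return "\r\n".join(lines)


def breach_count(password, range_lookup=constructed_range_lookup):
    """How many times the password appears in breach data (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def strength_problems(password, min_length=12):
    """Simple local strength meter: length plus character-class variety."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(cls(c) for c in password) for cls in classes) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def evaluate_new_password(password, range_lookup=constructed_range_lookup):
    """Apply both checks ('and, not or'): strong AND never seen in a breach.
    Returns (accepted, list of reasons for rejection)."""
    problems = strength_problems(password)
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return (not problems, problems)


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd", "xK9#mVe2pQ4wLz"):
        print(pw, evaluate_new_password(pw))
```

The order matters: the local strength check costs nothing, but the breach check is the one that stops a user from picking a password that a stuffing bot already holds in a breach dump, which no complexity rule can detect.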
Unique, strong passwords combined with the credential-stuffing-bot killer, multi-factor authentication (or 2FA, as some folks call it), will not only alert you to the attack (a correct password followed by a failed second factor means someone other than the user knows that password) but will prevent the account compromise even when a password is guessed or re-used.
A password manager helps against bot attacks as well: it assists with or enforces the creation of strong, unique passwords and protects access to them with 2FA. Don’t forget to join us in future blog posts to explore the exciting, dynamic and dangerous world of bots.