It can take just 15 seconds to break into a network and pave the way for an attacker. It turns out that botnets might be an easier way to break into a network, not least because they take the grunt work out of it. It's not a new concept; information security researchers have seen it before with bots running through lists of default usernames and passwords to hijack Internet of Things devices.
It's also not unheard of to see botnets exploiting public, known vulnerabilities to silently break into devices, take them over, and then steal data or launch further attacks.
New research from Boston-based Cybereason set out to test the theory that a botnet can be used to break into a network.
By creating a honeypot network, the information security researchers were able to see how hackers are using the same kind of tools to their advantage. Hackers used a botnet to carry out early exploitation and reconnaissance without needing to get stuck in themselves. Only when the botnet had a foot in the door did the hacker jump in and take over.
“For defenders, automatic exploitation in a matter of seconds means they’ll likely be overwhelmed by the speed at which the bot can infiltrate their environment,” said the report by Israel Barak, Cybereason chief information security officer.
“The increasing automation of internal network reconnaissance and lateral movement is an even larger concern,” he said.
Here's how it worked. The security firm set up a honeypot posing as a financial firm, with several points of attack. The network was small, consisting of two Ubuntu servers, one of them for email, and a Windows-based dev-ops server.
First, the researchers scattered "leaked" server credentials across dark web markets that would allow an attacker to gain access to the network over RDP, the widely abused remote access protocol that, when misused, lets attackers operate a compromised system as though they were sitting in front of it. The researchers then exposed additional RDP services, with local administrator and root accounts protected by weak passwords, as bait.
Somewhat unexpectedly, the passwords dumped to the dark web didn’t go anywhere.
"Despite dressing up the information as a low-level hacker who got lucky and didn't know where to go from there, not a single set of credentials was used," said Ross Rustici, senior director at Cybereason.
But within a couple of hours, a bot had broken in with the weak passwords, scanned the network, and created new administrator user accounts using the command line.
The bot also dumped credentials from a compromised machine by scanning for browser cookies, including those for common banks, financial services, online retailers, social networks and dating sites.
Two days later, a human hacker dropped into the honeypot using one of the backdoor accounts, possibly to determine what data was worth stealing, the information security professional said. Already knowing how the network looked, the attacker stole more than three gigabytes of dummy data.