Cybercriminals are pivoting towards automated tools such as botnets to do the grunt work like exploiting vulnerabilities and infiltrate a targeted networks faster, security researchers have found. Since the historic Mirai attack in October 2016 that saw a botnet enslave hundreds of thousands of vulnerable IoT devices to launch a massive attack on Dyn, several, increasingly versatile bots inspired by the publicly available Mirai source code have cropped up over the past few months.
Each tweaked with new modifications, some botnets scan through lists of default usernames and passwords to brute-force and hijack IoT devices. Others are equipped with new vulnerabilities and designed to quietly break into a targeted device, steal data or use them as zombied bots in larger attacks.
As the number of vulnerabilities and pool of exposed IoT devices expand, hackers prefer the use of automated bots to handle the hard work while breaking into a targeted network, according to research by Boston-based security firm Cybereason.
“If exploit automation wasn’t enough of a concern for security teams, this technique has grown even more potent with attackers using botnets that can automatically exploit vulnerabilities, create backdoors, dump passwords, conduct network reconnaissance, and laterally move in seconds,” Cybereason’s report noted.
At this year’s RSA Conference in San Francisco, Cybereason detailed a honeypot experiment that highlighted the commoditization of using bots to perform low-level tasks. In this project, the security firm set up a honeypot - a fake financial company - and “leaked” credentials for the RDP for three servers in dark markets and paste sites.
The team also created additional RDP services with weak passwords as bait to see how quickly botnets could compromise the service and observe their activities once inside.
Less than two hours after the RDP ports were weakened, one botnet cleared the pathway for human attackers by exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised devices. It also created new user accounts allowing the attacker to still access the environment even if the device users changed their passwords. All of these functions were completed within 15 seconds.
“For defenders, automatic exploitation in a matter of seconds means they’ll likely be overwhelmed by the speed at which the botnet can infiltrate their environment,” researchers noted. “The increasing automation of internal network reconnaissance and lateral movement is an even larger concern. These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes.”
Two days after the third botnet’s work was done, researchers observed a human attack entering the environment. Cybereason said they identified the attacker as human since he/she logged in with a user account created by the bot, opened a user interface application and accessed remote access capabilities which would not likely be carried out by a bot.
“The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information,” Cybereason noted. “This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark web.”
Besides showcasing the striking ease and efficiency of botnets, this experiment also highlights the fact that even novice, less sophisticated hackers can gain access to tools that were once deployed solely by advanced threat actors.
“This means that using bots to automatically exploit vulnerabilities is more prevalent than anticipated,” researchers added. “The use of this technique proves that the operational profile of attackers is changing with less sophisticated attackers having access to tools that were once reserved for their more advanced counterparts.”