Our adversaries in cyber space have been busy. That much is evident from the statistics our global network of honeypots gathered throughout the last half of 2018. Our servers registered a fourfold jump in attack and reconnaissance traffic for the period.
Observed attack traffic was most common on the Telnet protocol, which we believe to be attributable to the increasing numbers of IoT devices in use. Next most common was traffic on the SSH, SMB and SMTP protocols, and web server compromise was a leading attack vector after Telnet. Attacks originating in the US and Russian IP spaces dominated, followed by Italy and the UK.
For the past few years, we’ve been putting out a half yearly report on traffic to our global network of honeypots, or decoy servers set up expressly for the purpose of attracting attackers and watching their behavior. Our honeypots emulate popular services like SMB, SSH and HTTP. The traffic these honeypots see is a good indicator of high level trends in the overall attack landscape.
For example, after the WannaCry and NotPetya outbreaks of 2017, we saw a jump in traffic on SMB port 445, which had until that point always seen nominal activity. (We continue to see elevated levels of SMB traffic.)
Who’s after who
It is always interesting to look at which countries’ IP spaces attacks came from and which countries they were directed at.
Traffic originating in the US IP space grabbed the largest share this time around, with Russia coming in a distant second. Of course, as we always point out, there is no way of knowing whether the attacks are actually conceived in a given country, since cyber criminals route their attacks through proxies to avoid detection. They may employ VPNs, Tor, and compromised machines or infrastructure in different locations to evade law enforcement.
What’s more, the list of countries is not meant to imply that this is predominantly nation state behavior. The motivation behind the majority of these attacks is likely financial and instigated by common cyber criminals who are carrying out DDoS attacks and sending malware, etc.
What we can be more certain of, however, is the attack destinations, and these are the countries that attracted the most interest from attackers:
Upon the mention of cyber criminals, a reader might imagine a hooded adversary sitting at a desk conducting each one of these attacks. This is mostly not the case. The amount of manual human activity is around 0.1% of what our honeypots see. 99.9% of traffic is from bots, malware and other automated tools. Of course, it’s humans who create these tools and configure them. But the sheer number of attacks – in the hundreds of millions – is made possible by automation.
Attacks may be coming from any sort of connected computing device – even a weak computer, smartwatch or IoT toothbrush can be the source of scanning or attack traffic.
The UK, while high on the list of top source countries, interestingly, does not appear as a source country on our “Top sources to destinations” list. As with the previous period, we’re continuing to see attacks from the UK directed across a broad range of countries, in modest quantities per country. The UK’s biggest target was the US, with 85,000 attacks. And in a repeat from the previous period, the favored target of probes from the UK was SMB, representing 99% of attacks from the country.
Ports and protocols
This time around, from July through December of 2018, the overwhelming majority of traffic, 83%, was on TCP port 23, which is used for Telnet. Early in the period we made some adjustments to the Telnet portion of our honeypots, which contributes to this uptick as our servers are now better able to recognize Telnet attacks. But the skyrocketing numbers also highlight the fact that IoT devices, which too often use default username and password combinations, are still easy prey.
A great deal of Telnet activity is related to the existence of thingbots, internet-connected devices that have been co-opted as part of a botnet. We saw a strong concentrated Telnet campaign in the last half of December, which is perhaps considered by cyber criminals a prime time for attacks, with people distracted by the holiday season and many traveling away from home.
After port 23, port 22 (associated with SSH, also attempting remote login) was the number two most targeted port. Port 445 took third place with SMB activity, a decline from the previous period: In the first half of 2018 we had seen a spike to 127 million attacks via port 445. Prior to the WannaCry and NotPetya attacks of 2017, SMB attack traffic was insignificant, not even registering among the top 20 ports.
SMTP, or email attack traffic, registered at number four, most likely representing malware and spam, which we reported on in December. Fifth was MySQL traffic, most likely related to data breach attempts, MySQL being popular with users of content management systems such as WordPress, Drupal and Joomla. Farther down the list, the CWMP protocol can be associated with the TR-069 protocol (for which there are known exploits), which is used for remote management of end user devices like modems, gateways, routers, VoIP phones, and set top boxes.
Servers and services
Using our web topology mapping tool, F-Secure Riddler, we were able to home in on the servers and services that are the most popular sources of web-based attacks. Heading this list were Nginx, Apache, and WordPress, which is often compromised by attackers and used for malicious purposes. After IoT, web server compromise is one of the leading attack vectors we see in our honeypots.
The top usernames and passwords attackers use when attempting to break into honeypot services don’t tend to change drastically (“root” and “admin” are always on the list), but an interesting point this period is that the second and sixth place passwords are the default passwords for a Dahua IoT camera and a Chinese H.264 DVR.
The company environment
How are companies being affected by the external threat landscape? For the answer to that question, we ran an online survey of 3350 IT decision makers, influencers, and managers from 12 countries. We asked them about their company’s detection of both opportunistic and targeted cyber attacks over the past year. Two thirds of respondents said their company had detected at least one attack, 22% said their company had not detected an attack, and 12% didn’t know or refrained from responding.
Larger companies were more likely to detect more attacks, with 20% of companies with over 5000 employees saying they’ve detected five or more attacks, as compared with only 10% of companies with 200 to 500 seats detecting five or more attacks. Larger companies were also least likely to say they’ve never detected an attack: 16% of 5000+-seat companies reported no attacks detected, as compared with 28% of companies under 500 seats who reported no detections.
French, German, and Japanese companies were most likely to report no attack detections, while on the other hand, the Nordics and the US were the most likely to report five or more detections. Almost half of all Indian companies reported two to five attack detections, while in the other countries, roughly a third of companies reported two to five.
Across the board, slightly less than one third of companies reported using some sort of detection and response solution.
If we’ve learned anything from following our honeypot traffic over the years, it’s that the more things change, the more they remain the same. Whether the criminals’ latest tactic is compromising IoT devices to assemble the biggest botnet, spreading SMB worms to propagate ransomware, sending email spam, or targeting web services, they will continue to switch up methods to exploit the easiest path to the money.
The best defense is, as always, to incorporate a program of holistic security involving people, processes and technology:
Limit your attack surface. Limit the complexity of your networks, software, and hardware. Know what systems and services you are using, and turn off what’s unnecessary.
Engage your people. Educate your staff in information security concepts and following best practices. Have processes and procedures they can follow.
Use layered technologies. Security works in layers. Use an approach combining prediction, prevention, detection and response technologies.
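As an added example (not F-Secure's code or data), the "know what services you are using, and turn off what's unnecessary" step can be checked against the ports this report ranks as most targeted by parsing the output of `ss -tln` on a Linux host. The sample output is constructed, and the port numbers for SMTP (25), MySQL (3306) and CWMP/TR-069 (7547) are the standard assignments for the protocols the report names, not figures from the report.

```python
import ipaddress

# Ports in the order the report ranks them. 23, 22 and 445 are given in the
# text; 25 (SMTP), 3306 (MySQL) and 7547 (CWMP/TR-069) are the standard
# assignments for the protocols it names (an assumption of this example).
REPORT_PORTS = {23: "Telnet", 22: "SSH", 445: "SMB", 25: "SMTP",
                3306: "MySQL", 7547: "CWMP/TR-069"}

# Constructed sample of `ss -tln` output (not data from the report).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      5                  *:23              *:*
LISTEN 0      128             [::]:445          [::]:*
LISTEN 0      100            [::1]:25           [::]:*
LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*
"""

def is_loopback(host):
    """True when the bind address is only reachable from the host itself."""
    host = host.split("%")[0].strip("[]")    # drop IPv6 zone id and brackets
    if host == "*":                          # wildcard: all interfaces
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                         # unparseable: treat as exposed

def exposed_listeners(ss_output):
    """Return (port, service, bind_address) for report-ranked ports that are
    listening on a non-loopback address, in the report's ranking order."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                         # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in REPORT_PORTS and not is_loopback(host):
            found.append((port, REPORT_PORTS[port], host))
    rank = list(REPORT_PORTS)
    return sorted(found, key=lambda f: rank.index(f[0]))

if __name__ == "__main__":
    for port, service, host in exposed_listeners(SAMPLE_SS):
        print(f"{service:12} port {port:<5} listening on {host}")
```

Listeners bound only to loopback (MySQL and SMTP in the sample) are left out because they are not reachable from the network; anything the function returns is a candidate for being turned off or firewalled.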