Posted on April 20, 2018 at 4:15 AM
Hackers are employing botnets to infiltrate networks. With botnets, the process can take as little as 15 seconds, which does not leave the victims with adequate time to defend themselves.
Gaining entry to a system used to be a prolonged operation. Attackers had to look for weak points and attempt a long series of logins using well-known and default credentials; then they had to create a new user and potentially exploit other vulnerabilities in the network. Cybersecurity researchers at Cybereason, however, have now watched botnets compress the same attack into a fraction of that time.
A honeypot for hackers
The Boston-based company’s researchers assembled a small fake network that would appeal to parties looking to steal information. The bogus financial firm’s network had only three servers, two Ubuntu and one Windows, for development and operations, and all of them had Remote Desktop Protocol (RDP) enabled, a relatively easy way for hackers to access a network and remain there undiscovered for a while.
The researchers then posted the passwords on some deep-web marketplaces, which also let them see how far would-be attackers still trusted those markets and the information sold there. The Cybereason team set up further RDP services with weak credentials, in order to see how fast botnets would infiltrate them and what they would do once inside.
An automated attack
A mere two hours after the weakly credentialed RDP services were exposed, a particularly active botnet probed the entire network for known weaknesses. Once it gained access, it scanned for browser cookies and passwords saved for online retailers, banks, and other financial services. The botnet moved laterally across the network to find other machines, and created a new user for the hacker, which ensured a foothold in the network even if the other passwords were changed.
The entire process took only 15 seconds.
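The chain described above (a burst of failed RDP logons, a successful logon from the same source, then a new local account created by the freshly compromised user within seconds) is exactly the sequence a defender can correlate from Windows Security logs. The following Python script is an added example, not part of the article or of Cybereason's research. It uses the standard Windows event IDs 4625 (failed logon), 4624 (successful logon) and 4720 (user account created); the log records, IP addresses, account names and thresholds are constructed for the example, and the record layout (ts, id, target, subject, ip) is an assumed simplification of the real event fields.

```python
"""Correlate brute-force RDP logons with follow-on account creation.

Added example (not from the article). Event IDs are the real Windows
Security IDs; the records below are constructed, not captured logs.
"""
from datetime import datetime

FAILED_LOGON = 4625      # An account failed to log on
SUCCESS_LOGON = 4624     # An account was successfully logged on
ACCOUNT_CREATED = 4720   # A user account was created

# Constructed sample events. For 4625/4624 "target" is the account tried and
# "ip" the source; for 4720 "subject" is the creator and "target" the new account.
SAMPLE_EVENTS = [
    # Automated burst from one source: five guesses, a hit, then a backdoor user.
    {"ts": "2018-04-01T02:00:00", "id": 4625, "target": "administrator", "subject": None, "ip": "203.0.113.10"},
    {"ts": "2018-04-01T02:00:01", "id": 4625, "target": "admin",         "subject": None, "ip": "203.0.113.10"},
    {"ts": "2018-04-01T02:00:02", "id": 4625, "target": "root",          "subject": None, "ip": "203.0.113.10"},
    {"ts": "2018-04-01T02:00:03", "id": 4625, "target": "test",          "subject": None, "ip": "203.0.113.10"},
    {"ts": "2018-04-01T02:00:04", "id": 4625, "target": "devops",        "subject": None, "ip": "203.0.113.10"},
    {"ts": "2018-04-01T02:00:05", "id": 4624, "target": "devops",        "subject": None, "ip": "203.0.113.10"},
    {"ts": "2018-04-01T02:00:12", "id": 4720, "target": "svc_backup",    "subject": "devops", "ip": None},
    # Benign: one mistyped password, then success, no account creation.
    {"ts": "2018-04-01T08:15:00", "id": 4625, "target": "alice", "subject": None, "ip": "198.51.100.7"},
    {"ts": "2018-04-01T08:15:20", "id": 4624, "target": "alice", "subject": None, "ip": "198.51.100.7"},
]


def _ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_automated_intrusions(events, fail_threshold=5, fail_window=60, create_window=300):
    """Return one alert per successful logon that was preceded by at least
    fail_threshold failures from the same IP within fail_window seconds.
    Each alert also lists accounts the compromised user created within
    create_window seconds of getting in (the persistence step)."""
    ordered = sorted(events, key=lambda e: _ts(e["ts"]))
    failures = [e for e in ordered if e["id"] == FAILED_LOGON]
    creations = [e for e in ordered if e["id"] == ACCOUNT_CREATED]
    alerts = []
    for ev in ordered:
        if ev["id"] != SUCCESS_LOGON:
            continue
        t_ok = _ts(ev["ts"])
        # Failures from the same source in the window ending at the success.
        prior = [f for f in failures
                 if f["ip"] == ev["ip"]
                 and 0 <= (t_ok - _ts(f["ts"])).total_seconds() <= fail_window]
        if len(prior) < fail_threshold:
            continue
        # Accounts created by the newly logged-on user shortly afterwards.
        created = [c["target"] for c in creations
                   if c["subject"] == ev["target"]
                   and 0 <= (_ts(c["ts"]) - t_ok).total_seconds() <= create_window]
        alerts.append({
            "ip": ev["ip"],
            "account": ev["target"],
            "failed_attempts": len(prior),
            "seconds_to_access": (t_ok - _ts(prior[0]["ts"])).total_seconds(),
            "created_accounts": created,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_automated_intrusions(SAMPLE_EVENTS):
        print("ALERT brute-force success from %(ip)s as %(account)s after "
              "%(failed_attempts)d failures in %(seconds_to_access).0fs; "
              "accounts created afterwards: %(created_accounts)s" % alert)
```

The thresholds are deliberately low so the constructed burst trips them; in production the failure count and windows should be tuned against the normal volume of RDP logons, and the 4720 correlation is what separates "someone guessed a password" from "someone guessed a password and planted a second account". Because the article's attack completed in seconds, this kind of correlation only helps if it feeds an automated response (disabling the new account, isolating the host) rather than a ticket queue.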
Two days following the botnet’s work, a human attacker entered the network through one of the accounts created by the botnet. Knowing the layout of the system, the attacker immediately downloaded 3Gb of data—which was fake and thus of no value to anyone.
Interestingly, the credentials ‘leaked’ onto the Dark Web were not used.
The researchers have not yet pinpointed which botnet was responsible. They did say, however, that the attacks came from a number of IP addresses, most of them Russian, and that the human attacker is believed to have accessed the network from Hong Kong.
In the past, checking for weaknesses one by one was grueling work. Now botnets automate most of it; as this experiment showed, infiltration can take less than a minute, and the siphoning of sensitive data does not take much longer. This leaves the affected parties at a great disadvantage, since the attack can happen faster than they are able to react.
Cybereason’s research shows that the use of botnets is a growing concern. Novice attackers can now use them too, which means a much larger number of hackers can execute attacks.