No one likes grunt work, including attackers, who have turned to botnets to automatically handle menial tasks like exploiting vulnerabilities. If exploit automation wasn’t enough of a concern for security teams, this technique has grown even more potent with attackers using botnets that can automatically exploit vulnerabilities, create backdoors, dump passwords, conduct network reconnaissance, and laterally move in seconds. That finding comes from Cybereason researchers who analyzed the data collected in a honeypot that masqueraded as a financial services company.
The project had three phases that lead to unique findings. First, the team released usernames and passwords for the Remote Desktop Protocol for three servers in the network in dark markets and paste sites to see how suspicious hackers have become of the forums that were once thriving with illicit activity. Second, the team created additional RDP services that had weak passwords to see how quickly botnets would compromise the service and what they did once they had access. Finally, we opened up several other services to see which ports were scanned the most and if there was a large difference in functionality once they broke in.
While there was a lot of rudimentary activity across all the services, one of the most interesting botnets was observed less than two hours after weakening the RDP ports. This botnet performed the groundwork for human attackers before they entered an environment, handling tasks exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines. The botnet also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the botnet carried out these functions in approximately 15 seconds.
For defenders, automatic exploitation in a matter of seconds means they’ll likely be overwhelmed by the speed at which the botnet can infiltrate their environment. The increasing automation of internal network reconnaissance and lateral movement is an even larger concern. These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes. Additionally, the versatility of the botnet changes the threat significantly. The security industry is use to seeing worms self replicate and perform one or two tasks. Take NotPetya and Olympic Destroyer, two prominent nation-state attacks from 2017. They mainly had three functions: replicate, move, and destroy. By comparison, the botnet that attacked the honeypot is designed to give full access to every machine it touches and spread throughout the entire network.
This timeline shows how the attack progressed.
Two days after the third botnet finished its work, a human attacker entered the environment. Cybereason researchers knew it was a human because the attacker logged in with a user account created by the botnet. Also, a user interface application was opened and remote access capabilities were accessed, functions not typically carried out by bots. The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark Web.
This honeypot experiment revealed the commoditization of using bots to perform low-level tasks. At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability. For example, the botnet that laid the groundwork for human adversaries attacked the honeypot just two hours after we added new data. This means that using bots to automatically exploit vulnerabilities is more prevalent than anticipated. The use of this technique proves that the operational profile of attackers is changing with less sophisticated attackers having access to tools that were once reserved for their more advanced counterparts.