Authored by Phil Trainor, Head of Security Business for Ixia Asia Pacific, a Keysight Business
Synopsis: Bot armies are not skipping over Singapore in their quest to breach new systems and add to their numbers. This article delves into who is attacking servers in Singapore based on a year’s worth of collected data.
The media is constantly tracking all of the latest network security breaches while terrified citizens, with the sword of Damocles hanging over their heads, expect their financial institution, place of employment, or favorite social media site to be named as the next victim. Readers are undoubtedly under the impression that just beyond their company firewall, the Internet resembles Dante’s 9th
circle of Hell; treachery.
Exactly how close is this digital chaos? What about Singapore? Are the Goths at the Gates of Changi? Over the last year, I set out to discover exactly the scope and complexity of attacks targeting Singapore specifically.
What is the best way to observe attackers in the wild? A honeypot. A honeypot is a security collection tool running on a server that is exposed to the Internet and not being protected by a Firewall. The services on a honeypot resemble popular internet services such as a Web Server, email server, etc. The main difference between a Web honeypot and an actual web server is the honeypot is configured to capture attacker’s actions and is purposefully enticing for outside attackers. If you’re reading this from your laptop at home or from your office, the IP Address of your laptop is safely behind a firewall and the outside world cannot reach through the wires and directly interact with your machine. However, as all internet users know, this is no remedy for when you connect to services outside and drag home viruses on the bottom of your shoe.
Many of the Honeypots that I host are in the cloud, however, many are also in physical locations around the world. One of which is physically located in Singapore and configured to allow any machine from around the globe attempt to breach this collection device. So, did anyone try to attack this server in Singapore? How many times? From where? Let’s take a look.
Over the last year, on this single server, there were 244,225 total attacks from 168 unique countries! Imagine that! Attackers from Russia to Rwanda, from China to Cuba, and from Mexico to Monaco all took a shot at breaking into this server. And who were these individuals? Cinematic hoodie-wearing miscreants right off set of Mr Robot? Clean-cut military types with a patch on their arm and an officer pacing the room behind them? Nope, they were bots.
A bot is a software program running an automated task. These tasks can be useful, like Googlebots collecting information to serve during its 3.5 Billion daily searches. Bots can also be used for mischief and they are the tool of choice for massive collection of vulnerable targets. Singapore is no exception to this and under constant assault.
What makes these 244,225 events unique is that they have been analysed as malicious attacks and not benign collection agents. The honeypot performs automated malware analysis, attack signature matching, and other tactics in order to correctly categorize the collected event as pernicious. This number of attacks is fairly interesting due to the fact that there is no domain name pointing to the IP Address. Businesses and organizations will purchase a domain name to affiliate with an IP Address so that interested users have an easy way to navigate to their server. An example is Google owns the IP Address 188.8.131.52 and by pasting that IP Address into your browser, you will get the same result as typing https://www.google.com
So, let’s dig a little deeper. Who were these attackers? The top ten are shown in the pie chart on the right. Proximity to Singapore seems to account for many of the attackers looking to see if there are any vulnerable targets at their neighbours. However, there are a few interesting anomalies. The west is well represented in this mix with Russia in the #4 spot, The United States at #6, and Ukraine at #9. South America is fairly represented as well with Venezuela at #8 and, if we had expanded the chart, Brazil at #11.
What were these attackers looking to do? What is an attack that a bot can perform? The majority of successful breaches are done with well-known attacks. Equifax was breached last year due to a known vulnerability in the Apache Struts web application. Failure to patch servers or misconfigurations are the lowest hanging fruit and the perfect target for automated sweepers.
Another important distinction is that the bots are usually being operated without the knowledge of their host machine. These automated attackers are almost always being controlled by another system using this army of machines for large purposes such as sending millions of spam emails as part of phishing campaigns, massive DDoS attacks – a profitable endeavor often being paid for via cryptocurrencies such as Bitcoin or Ethereum. However, the majority attacks against my Singaporean server were bots looking for new, vulnerable machines to add to their army.
Let’s take a look at what we actually captured. Since 2017 was the year of WannaCry, the largest attempt was bots scanning for vulnerable machine to infect with the exploit to gain access to the target prior to automatically installing and downloading the malware package. I tracked 139,228 Server Message Block Attacks (the networked service targeted by WannaCry) where the premise of nearly 100% of them was propagating this widespread attack. Even long after the news cycle, imploring people to ensure they have patched their Microsoft Windows machines, the bots continued to search relentlessly.
Coming in second were generic attacks looking for misconfigured webservers. This totalled 78,349 total attempts. Those include the vulnerability exploited to breach Equifax as well as simplistic attacks such as php vulnerabilities especially those with misconfigured .htaccess files.
The third most prevalent attack was brute force attempts to breach the Microsoft MS-SQL database that was exposed to the internet. In total, 23,081 different attackers spent the whole year attempting to gain access to the database with an ever expanding list of password guesses. In a separate blog I may write about how password attempts by bruteforce agents in Asia vary from those targeting servers in the west.
Persistence is the strength of bots. They don’t get tired, they don’t make simple keystroke errors, and they don’t give up. Of the nearly quarter-million attack events, there were only 57,639 unique attackers. And the single-minded manner in which they tried their scripted list of attacks was impressive. These 57K attackers caused a new security alert on this one server in Singapore approximately every 2 minutes for the full 12 months of observation. This is the definition of relentless.
If you are in charge of protecting the public-facing resource of an organization in Singapore, like a website, the number of attempted breaches will be exponentially more and proportional to the popularity of the site or service. As soon as a new attack, with wide-sweeping potential, such as an attack on Apache Struts, is made public, there will be a very small window of time before the army of bots begins searching for vulnerable hosts. Diligent patching and correct deployment of resources and security devices are the best defense. Auditing these deployments continuously with security testing solutions, such as Keysight’s BreakingPoint, allows organization’s security teams to know if their deployed solutions can correctly block attacks under the load of normal user traffic. Also, Keysight’s Threat Armor can be deployed inline to mitigate traffic from known botnets, malware hosts, phishing sites, hijacker IP Addresses, and serial attackers – the very sources that put such effort into infiltrating my honeypot in Singapore. Diligent security measures and thoughtful preparation will ensure that you don’t make it easy for the Goths to breach the gates.