The hacker explosion is bigger than ever in May of 2020. A few weeks back we saw a spike in blocked IP addresses on a honeypot we manage for our Whackers For Hackers IPBL (IP Block List). This particular honeypot already had large swaths of the Internet blocked (which you can see here), so a spike in activity means one of two things: either the mechanism blocking those swaths is broken or has stopped working, or large swaths of the Internet have been newly hacked. It turns out the latter is true, and servers are more hacked than ever.
These attacks are all SSH brute-force attempts, which is what we monitor for on this honeypot: the attacker tries to get shell (command-line) access to your server by pounding it with username and password combinations until one guess is correct. There are many other attack mechanisms, such as attacking the website itself or the database it sits on, which this honeypot doesn't monitor for (at least, we're not disclosing that it does!). What's also interesting is the username list. It looks like gibberish because it starts with a username of just "a" and works its way up alphabetically. Here is a sample of the 700+ attempts from May 22nd, 2020, each username followed by the source address it came from:
a        22.214.171.124
ab       126.96.36.199
abv      188.8.131.52
ace      184.108.40.206
aci      220.127.116.11
acm      18.104.22.168
adam     22.214.171.124
adl      126.96.36.199
admin    188.8.131.52
admin1   184.108.40.206
admin    220.127.116.11
admin    18.104.22.168
admin    22.214.171.124
admin2   126.96.36.199
admin    188.8.131.52
aec      184.108.40.206
aft      220.127.116.11
agb      18.104.22.168
agi      22.214.171.124
agi      126.96.36.199
aih      188.8.131.52
ajf      184.108.40.206
ajl      220.127.116.11
Here you can see "admin", which is common and we'd expect to see, but "ajl"... really? That's just dumb. This is the worst attack I've seen in a long time. Attacking a server with usernames that don't even exist on it is a guaranteed failure on that server; they'd be better off trying "root", "admin" or "administrator", and there are many other default accounts you could try. The one thing to keep in mind is that a short-name dictionary like this is sprayed at thousands of hosts at once, so it only has to match a real account somewhere, which is why the "invalid user" failures sshd logs for it are still worth counting and why we block the sources.
Who are the attackers? The usual suspects, thanks to the consolidation of hosting and technology: Amazon, Google, Microsoft, Cloudflare and Digital Ocean made the list, Digital Ocean only because we weren't yet blocking it. The big players had a pass, as do Comcast, Charter, Verizon and the other large providers. You can't block them wholesale, whether or not you should because of the abuse coming from them, because too many people use their "cloud" infrastructure to host web apps and servers like email. There were also many one-off sources, and if they were outside the US we blocked the entire network (as you should). I call the attackers these big corporations because, sure, the individuals or groups behind the attacks aren't the corporations, but the corporations are the enablers. They give criminals a platform for their activity on the cheap: you can set up a Digital Ocean server for $5! If I could spend $5 to make $1000+, that's a no-brainer, thank you Digital Ocean 🙂
Our approach to mitigating what we're seeing in the short term is simply to block the /16 or /24, as stated, when we see abuse from a particular subnet like this:
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52
184.108.40.206
220.127.116.11
18.104.22.168
Notice the "68.183" at the beginning: these are the first two octets of an IPv4 (Internet Protocol version 4) address, and every address in a /16 shares them. We can then simply block that network for a time, until the attacks subside. We add 68.183.0.0/16 to our Whackers For Hackers list, and the firewalls using our lists download the updated block list. They then block any inbound and outbound traffic to and from those networks, protecting the network and any users or resources behind the firewall from any number of attacks. God only knows what's hosted on those servers: fake login websites, phishing sites, email spamming... who knows!
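The aggregation described above, written out as an added example (our own illustration here, not the honeypot's or the firewall's tooling): it parses sshd-style failed-login lines, counts distinct attacking hosts per /24 and distinct /24s per /16, and returns the prefixes to add to the block list. The log lines are constructed in OpenSSH's log format; the 68.183.0.0/16 prefix is the one from the post, while the host addresses inside it, the other addresses, and the thresholds are invented.

```python
"""Turn failed SSH logins into /24 or /16 block-list entries.

Added example, not the honeypot's own tooling. Sample log lines are
constructed in OpenSSH's sshd format; all addresses are invented except
that 68.183.0.0/16 is the prefix named in the post.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth-log lines (addresses invented).
SAMPLE_LOG = """\
May 22 03:14:01 honeypot sshd[1001]: Failed password for invalid user a from 68.183.12.5 port 51022 ssh2
May 22 03:14:03 honeypot sshd[1002]: Failed password for invalid user ab from 68.183.12.77 port 40111 ssh2
May 22 03:14:05 honeypot sshd[1003]: Failed password for invalid user abv from 68.183.200.9 port 39215 ssh2
May 22 03:14:08 honeypot sshd[1004]: Failed password for admin from 68.183.12.140 port 42090 ssh2
May 22 03:14:10 honeypot sshd[1005]: Failed password for invalid user ajl from 68.183.91.33 port 55010 ssh2
May 22 03:14:12 honeypot sshd[1006]: Failed password for root from 203.0.113.10 port 60001 ssh2
May 22 03:14:15 honeypot sshd[1007]: Failed password for invalid user admin1 from 203.0.113.10 port 60002 ssh2
May 22 03:14:16 honeypot sshd[1008]: Failed password for invalid user adam from 198.51.100.7 port 33001 ssh2
May 22 03:14:17 honeypot sshd[1009]: Failed password for invalid user adl from 198.51.100.8 port 33002 ssh2
May 22 03:14:18 honeypot sshd[1010]: Accepted publickey for ops from 192.0.2.4 port 50000 ssh2
"""

# Matches both "Failed password for NAME from IP" and "... for invalid user NAME from IP".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return [(username, IPv4Address)] for every failed-password line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), ipaddress.ip_address(m.group("ip"))))
    return out


def hosts_per_prefix(failures, prefix_len):
    """Map each /prefix_len network to the set of distinct attacking hosts inside it."""
    hosts = defaultdict(set)
    for _, ip in failures:
        hosts[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)].add(ip)
    return hosts


def choose_blocks(failures, min_hosts_per_24=2, min_24s_per_16=2):
    """Decide which prefixes to block.

    A /24 is blocked once at least min_hosts_per_24 distinct hosts in it attack.
    When attacking hosts are spread over at least min_24s_per_16 different /24s
    of one /16, the whole /16 is blocked instead (the "68.183" case in the post)
    and the /24s inside it are dropped as redundant. Thresholds are assumptions.
    """
    subnets_per_16 = defaultdict(set)
    for _, ip in failures:
        net16 = ipaddress.ip_network(f"{ip}/16", strict=False)
        net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        subnets_per_16[net16].add(net24)

    blocks = {net16 for net16, subs in subnets_per_16.items() if len(subs) >= min_24s_per_16}
    for net24, hosts in hosts_per_prefix(failures, 24).items():
        if len(hosts) >= min_hosts_per_24 and not any(net24.subnet_of(b) for b in blocks):
            blocks.add(net24)
    return sorted(blocks, key=lambda n: (n.prefixlen, n.network_address))


def is_blocked(ip, blocks):
    """What the firewall decides for one address once the list is loaded."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)


def username_tally(failures):
    """How often each username was tried, to spot the a, ab, abv... dictionary walk."""
    return Counter(user for user, _ in failures)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for net in choose_blocks(failures):
        print(net)
    print(username_tally(failures).most_common(5))
```

Feed the emitted prefixes to the block list with an expiry, as the post does ("for a time until the attacks subside"): a /16 at a hosting provider also contains legitimate tenants, and because the firewalls block outbound traffic too, users behind them lose access to anything hosted in that range for as long as the entry stays.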
I dug around a bit and there are now about 43,000 (yes, forty-three thousand) hacked servers (or websites hosted on hacked servers) with access for sale online:
The "web shell" vector is 90% of that and is perhaps the most dangerous. A web shell runs with the web server's privileges, so having one is close to having shell access to the server itself. Some servers confine the web process in a "jail", but a jail limits what the process can see on disk, not whether it can open outbound connections, so it doesn't prevent spamming, brute forcing, attacking or any number of other nefarious things online, like setting up a legitimate-looking fake website to steal your login credentials after an email asks you to change or update your password.
The funny thing is, the FBI has a "most wanted" list for cyber criminals, but I'm sure nothing much will ever come of it (Link).
You should consider whom you entrust your cyber security to. "You can't be any geek off the street, if you know what I mean" (Warren G, "Regulate"). Of course we're biased, and we think we're the best 🙂
Country blocking is not enough. Many "enterprise firewalls" can't even do country blocking; Cisco Meraki and others are only now catching up with what the rest of us who are serious about cyber security already knew. Their legacy routers and firewalls always required extra licensing to extend functionality, but not our firewalls! Country blocking is an important component, but there's more. We compare it to a bulletproof vest with many layers a bullet has to pass through until it is slowed enough to stop. You need a layered approach: block lists, white lists, DNS blocking, IP blocking, anti-phishing, anti-malware, Windows Group Policy, and of course anti-virus, though that is now a commodity and almost useless on its own; the list goes on.
MSPs (Managed Service Providers) generally neither know nor understand these approaches, and large firms are far too siloed to take a holistic, cross-disciplinary approach to anything.
Contact us to see how cyber security approaches that minimize your exposure to attacks from dopes like these cyber criminals, and a holistic, cross-discipline approach, can benefit your organization.
Comments or questions are welcome.