Hacker explosion May 2020

A hacker explosion is bigger and better than ever in May of 2020. A few weeks back we saw a spike in blocked IP addresses on a honeypot we manage for our Whackers For Hackers IPBL (IP Block List). The thing is, this particular honeypot already had large swaths of the Internet blocked (which you can see here), so a spike in activity means one of two things: either the mechanism blocking those large swaths is broken or has stopped working, or there are large swaths of the Internet newly hacked. It turns out the latter is true, and servers are more hacked than ever.

These attacks are all SSH brute force attempts that we monitor for on this honeypot. This is where the attacker tries to get shell (command line) access to your server by pounding it with username + password combinations until one guess is correct. There are many more attack mechanisms, like attacking the website itself or the database the website sits on, which this honeypot doesn’t monitor for (at least, we’re not disclosing that it does!). What’s also interesting is their username list. The list looks like stupid gibberish because it starts off with a username of just “a” and works its way up. Here is a sample of the 700+ attempts from May 22nd, 2020 (username followed by the source IP address):

a 129.126.244.51
ab 129.126.244.51
abv 72.53.233.6
ace 159.65.172.240
aci 134.209.154.78
acm 173.53.23.48
adam 213.204.81.159
adl 213.137.179.203
admin 13.92.17.234
admin1 47.15.247.108
admin 157.245.86.220
admin 165.227.108.128
admin 198.12.121.76
admin2 192.144.37.174
admin 68.183.81.213
aec 173.53.23.48
aft 51.141.122.112
agb 208.109.8.97
agi 134.122.76.222
agi 98.148.152.199
aih 35.231.211.161
ajf 35.226.165.144
ajl 165.22.143.3

Here you can see “admin” is used, which is quite common and we’d expect to see, but “ajl”…really? That’s just dumb! This is the worst attack I’ve seen in a long time. Attacking a server with usernames that aren’t even on the server is a guaranteed failure! They’d be better off trying “root”, “admin” or “administrator”. There are many default accounts an attacker could try.

Who are the attackers? Yep…the usual suspects online, thanks to consolidation of hosting and technology. Amazon, Google, Microsoft, Cloudflare and Digital Ocean made the list because we weren’t blocking Digital Ocean. They had a pass, as do Comcast, Charter, Verizon and other “big players”. You can’t explicitly block them, regardless of whether or not you should because of their abuse: too many people use their “cloud” infrastructure to host web apps and servers like email. There were also many onesie-twosies, and if they were outside of the US we blocked the entire network (as you should). I say the attackers are these big corporations because, in effect, they are. Sure, the individuals or groups aren’t the corporations, but the corporations are the enablers. They give a platform to these criminals to carry out their criminal activity for cheap. You can set up a Digital Ocean server for $5! Yowza…if I could spend $5 to make $1000+…a no-brainer, thank you Digital Ocean 🙂

Our approach to mitigate the issues we’re seeing in the short term is simply to block the /16 or /24, as stated, when we see abuse from a particular subnet like this:

68.183.147.58
68.183.153.161
68.183.156.109
68.183.169.251
68.183.19.26
68.183.230.117
68.183.81.213

Notice the “68.183” at the beginning: these are the first two octets of an IPv4 (Internet Protocol version 4) address. We can then simply block the hacked network for a time until the attacks subside. We add 68.183.0.0/16 to our Whackers For Hackers list, and the firewalls using our lists download the updated block list. They then block any inbound and outbound traffic to and from those networks, protecting the network and any users or resources behind the firewall from any number of attacks. God only knows what’s hosted on those servers: fake login websites, phishing sites, email spamming…who knows!
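As an added example (not the Whackers For Hackers tooling or any code from this post), the script below does the two things described above over the honeypot excerpts: it reads “username ip” lines, reports how much of the brute force even targets an account that exists, and groups the source hosts by /16 or /24 so a prefix with enough distinct attacking hosts becomes a CIDR entry for a block list. The sample data is the list quoted in the post; the “root” username on the six 68.183.x.x hosts is an assumption, since the post gives no username for those. The threshold of three distinct hosts, the set of real accounts and the optional exemption list are all assumptions you would tune for your own network.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample input: the "username ip" lines quoted in the post, plus the
# six 68.183.x.x hosts the post lists as the reason for blocking the /16
# (the post gives no username for those; "root" is assumed here).
SAMPLE_ATTEMPTS = """\
a 129.126.244.51
ab 129.126.244.51
abv 72.53.233.6
ace 159.65.172.240
aci 134.209.154.78
acm 173.53.23.48
adam 213.204.81.159
adl 213.137.179.203
admin 13.92.17.234
admin1 47.15.247.108
admin 157.245.86.220
admin 165.227.108.128
admin 198.12.121.76
admin2 192.144.37.174
admin 68.183.81.213
aec 173.53.23.48
aft 51.141.122.112
agb 208.109.8.97
agi 134.122.76.222
agi 98.148.152.199
aih 35.231.211.161
ajf 35.226.165.144
ajl 165.22.143.3
root 68.183.147.58
root 68.183.153.161
root 68.183.156.109
root 68.183.169.251
root 68.183.19.26
root 68.183.230.117
"""


def parse_attempts(text):
    """Turn 'username ip' lines into (username, IPv4Address) pairs.
    Malformed lines and unparseable addresses are skipped, not fatal."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        user, ip = parts
        try:
            attempts.append((user, ipaddress.IPv4Address(ip)))
        except ipaddress.AddressValueError:
            continue
    return attempts


def hosts_by_prefix(attempts, prefixlen):
    """Map each /prefixlen network to the set of distinct source hosts seen in it.
    Distinct hosts, not raw attempts, so one noisy host can't trigger a /16 block."""
    buckets = defaultdict(set)
    for _, ip in attempts:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        buckets[net].add(ip)
    return buckets


def block_candidates(attempts, prefixlen=16, min_hosts=3, exempt=()):
    """Networks of the given prefix length with at least min_hosts distinct
    attacking hosts, minus any overlapping an exempt network (e.g. a provider
    range you rely on). Returns [(cidr, host_count)], most active first."""
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    result = []
    for net, hosts in hosts_by_prefix(attempts, prefixlen).items():
        if len(hosts) < min_hosts:
            continue
        if any(net.overlaps(e) for e in exempt_nets):
            continue
        result.append((net, len(hosts)))
    result.sort(key=lambda item: (-item[1], item[0]))
    return [(str(net), count) for net, count in result]


def username_summary(attempts, real_accounts=frozenset({"root", "admin"})):
    """How much of the brute force targets an account that actually exists.
    real_accounts is an assumed set; use the accounts present on your host."""
    users = Counter(user for user, _ in attempts)
    on_real = sum(n for user, n in users.items() if user in real_accounts)
    return {
        "attempts": sum(users.values()),
        "distinct_usernames": len(users),
        "on_real_accounts": on_real,
        "most_tried": users.most_common(3),
    }


def render_blocklist(candidates):
    """One CIDR per line: the shape a firewall can pull as a block list."""
    return "\n".join(cidr for cidr, _ in candidates)


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_ATTEMPTS)
    print(username_summary(attempts))
    for cidr, n in block_candidates(attempts, prefixlen=16, min_hosts=3):
        print(f"{cidr}  ({n} distinct hosts)")
    print(render_blocklist(block_candidates(attempts)))
```

Run on the sample, the /16 pass flags only 68.183.0.0/16 (seven distinct hosts), while a /24 pass with a threshold of two flags nothing, because the seven hosts are spread over seven different /24s. That is the practical reason the post blocks the wider prefix. Passing the same prefix in `exempt` shows how a provider range you depend on is kept out of the list even when it is noisy.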

I dug around a bit and there are now about 43,000 (yes, forty-three thousand) servers for sale online (or websites hosted on servers):

Reference: Link

The “web shell” vector is 90% of that and is perhaps the most dangerous. Once you have web shell access, it’s like having shell access to the server itself. Sometimes restrictions called “jails” are put on these servers, but that doesn’t prevent them from spamming, brute forcing, attacking or doing any number of other nefarious things online, like setting up a legitimate-looking fake website that steals your login credentials after an email sends you there asking you to change or update your password.

The funny thing is the FBI has a “most wanted” list for cyber criminals, but I’m sure nothing much will ever come of it (Link).

You should consider whom you entrust your cyber security with. “You can’t be any geek off the street if you know what I mean” (Warren G – Regulators). Of course, we’re biased and we think we’re the best 🙂

Country blocking is not enough. Many “enterprise firewalls” can’t even do country blocking. Enterprise firewalls like Cisco Meraki are only now catching up with what those of us who were serious about cyber security already knew. Their legacy routers and firewalls always required extra licensing to extend functionality, but not our firewalls! Country blocking is an important component, but there’s more! We compare it to a bulletproof vest with many layers a bullet has to get through until it is slowed down enough to stop. You need a layered approach: block lists, whitelists, DNS blocking, IP blocking, anti-virus (for sure, though that’s now a commodity and almost useless), anti-phishing, anti-malware, Windows Group Policy, etc…it goes on and on.

MSPs (Managed Service Providers) don’t know or understand these approaches, and large firms are far too siloed to know what a holistic or cross-disciplinary approach to anything is.

Contact us to see how cyber security approaches that minimize your attack footprint from dopes like cyber criminals, and a holistic, cross-discipline approach, can benefit your organization.

800-864-9497

Comments or questions are welcome.
