Beware of older cyber attacks
Footprinting and brute force attacks are still in use
IBM X-Force® Research
Managed Security Services Report

Contents
Executive overview
Footprinting
Top 10 ports
Brute force password attacks
Secure shell (SSH) brute force attacks
Persistence of SSH brute force top 20 attacker IP addresses
SSH brute force top five IP addresses
File Transfer Protocol (FTP) brute force attacks
Top five FTP brute force attacker IP addresses
Recommendations
Protect your enterprise while reducing cost and complexity
About IBM Security
About the author
References

Executive overview
Covering more than 18 years of vulnerability data,
the IBM® X-Force® database surpassed 100,000
entries in Q2 2016.1 That means there are a lot of
attack vectors at a criminal’s disposal. With much
of the media focus on new and emerging threats,
it’s easy to see how security teams might lose
sight of older, less newsworthy vulnerabilities and
attack vectors.
An assessment of recent data from IBM Managed
Security Services (IBM MSS), which continuously
monitors billions of events reported by more than
8,000 client devices in over 100 countries, reveals
some interesting findings about attack vectors no
longer discussed much. One example is the TCP/
UDP port scan and TCP/UDP service sweep,
which are part of an attack pattern known as
footprinting.2 Another is the password brute force
attack pattern,3 one of the brute force attacks4 we
saw emerge decades ago and still see today. While
many products and services today require strong
passwords, weak passwords are still being used,
aiding criminals in carrying out successful brute
force attacks.5 6 7
Fortunately, many tools and mitigation techniques
to thwart these older kinds of cyber attack have
been developed over the years. Organizations that
apply them in their environments will be better
equipped to deal with the ongoing threat.
About this report
This IBM® X-Force® Research report was created by the
IBM Managed Security Services Threat Research group, a
team of experienced and skilled security analysts working
diligently to keep IBM clients informed and prepared for the
latest cybersecurity threats. This research team analyzes
security data from many internal and external sources,
including event data, activity and trends sourced from
thousands of endpoints managed and monitored by IBM.
Footprinting
Looking at the Common Attack Pattern
Enumeration and Classification (CAPEC)
mechanisms of attack8, we see an attack pattern
hierarchy. Footprinting9 is considered a meta
attack pattern that falls under one of the top level
categories, “Gather Information.” Often viewed as
more of a pre-attack used to gather information on
potential targets, the term encompasses several
attack techniques, among them network topology
mapping, host discovery, account footprinting,
and port scanning. Generally, multiple ports are
scanned in a port scan.
There’s also something called a service (or port)
sweep, in which multiple hosts in a network are
checked for a specific open service port. Service
sweeps are often ignored, since they occur so
regularly and aren’t something that warrants an
immediate response. The placement of network
sensors also impacts whether footprinting activity
can be detected. If a sensor is behind a firewall
and the firewall is not configured to map ports to
internal systems, the scan activity won’t be logged.
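The distinction the two paragraphs above draw (a port scan walks many ports on one host; a service sweep checks one port across many hosts) is easy to operationalize on connection-attempt logs. The following is an added example, not code from the IBM report: it parses a constructed, simplified flow-log format (the field layout and the two thresholds are assumptions), classifies each source as scanning or sweeping, and then ranks the swept ports by share, which is the view Table 1 of the report gives for real data.

```python
"""Classify footprinting in connection-attempt logs: a port scan (one source,
many ports on one host) versus a service sweep (one source, one port across
many hosts), then rank swept ports by share as Table 1 of the report does.

Added example, not code from the IBM report. The log format and the
thresholds are assumptions; the records are constructed.
"""
from collections import defaultdict

# Constructed records: "timestamp src_ip dst_ip dst_port proto" (SYN-only attempts)
SAMPLE_LOG = """\
2016-03-01T10:00:01 198.51.100.7 10.0.0.1 23 tcp
2016-03-01T10:00:01 198.51.100.7 10.0.0.2 23 tcp
2016-03-01T10:00:02 198.51.100.7 10.0.0.3 23 tcp
2016-03-01T10:00:02 198.51.100.7 10.0.0.4 23 tcp
2016-03-01T10:00:03 198.51.100.7 10.0.0.5 23 tcp
2016-03-01T10:00:03 198.51.100.7 10.0.0.6 23 tcp
2016-03-01T10:00:03 198.51.100.7 10.0.0.7 1433 tcp
2016-03-01T10:00:03 198.51.100.7 10.0.0.8 1433 tcp
2016-03-01T10:00:03 198.51.100.7 10.0.0.9 1433 tcp
2016-03-01T10:00:03 198.51.100.7 10.0.0.10 1433 tcp
2016-03-01T10:00:03 198.51.100.7 10.0.0.11 1433 tcp
2016-03-01T10:05:00 203.0.113.9 10.0.0.50 21 tcp
2016-03-01T10:05:00 203.0.113.9 10.0.0.50 22 tcp
2016-03-01T10:05:00 203.0.113.9 10.0.0.50 23 tcp
2016-03-01T10:05:01 203.0.113.9 10.0.0.50 25 tcp
2016-03-01T10:05:01 203.0.113.9 10.0.0.50 80 tcp
2016-03-01T10:05:01 203.0.113.9 10.0.0.50 443 tcp
2016-03-01T10:05:02 203.0.113.9 10.0.0.50 3389 tcp
2016-03-01T10:07:00 192.0.2.44 10.0.0.60 443 tcp
2016-03-01T10:07:05 192.0.2.44 10.0.0.60 443 tcp
"""

SWEEP_MIN_HOSTS = 5   # distinct hosts hit on one port before calling it a sweep (assumption)
SCAN_MIN_PORTS = 5    # distinct ports hit on one host before calling it a scan (assumption)


def parse_log(text):
    """Parse the constructed log into (ts, src, dst, port, proto) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append((ts, src, dst, int(port), proto))
    return records


def classify(records, sweep_min_hosts=SWEEP_MIN_HOSTS, scan_min_ports=SCAN_MIN_PORTS):
    """Return {src: {"sweeps": {port: distinct_hosts}, "scans": {dst: distinct_ports}}}
    for every source that crossed at least one threshold."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}
    for _ts, src, dst, port, _proto in records:
        hosts_per_port[src][port].add(dst)
        ports_per_host[src][dst].add(port)
    findings = {}
    for src in hosts_per_port:
        sweeps = {p: len(h) for p, h in hosts_per_port[src].items() if len(h) >= sweep_min_hosts}
        scans = {d: len(p) for d, p in ports_per_host[src].items() if len(p) >= scan_min_ports}
        if sweeps or scans:
            findings[src] = {"sweeps": sweeps, "scans": scans}
    return findings


def sweep_port_ranking(findings):
    """Rank destination ports by their share of swept hosts across all sources,
    returning [(port, swept_hosts, percent)] with the largest share first."""
    per_port = defaultdict(int)
    for f in findings.values():
        for port, n in f["sweeps"].items():
            per_port[port] += n
    total = sum(per_port.values())
    if total == 0:
        return []
    ranking = [(port, n, round(100.0 * n / total, 2)) for port, n in per_port.items()]
    return sorted(ranking, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    found = classify(parse_log(SAMPLE_LOG))
    for src, f in found.items():
        print(src, f)
    for port, n, pct in sweep_port_ranking(found):
        print(f"port {port}: {n} hosts swept ({pct}%)")
```

On the sample, 198.51.100.7 is reported as sweeping ports 23 and 1433, 203.0.113.9 as scanning seven ports on one host, and 192.0.2.44 (two attempts to one port on one host) is not reported at all. The thresholds are the tuning knob: a sweep threshold that is too low turns ordinary monitoring traffic into alerts, which is exactly why sweeps tend to be ignored in practice.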
Commonly used footprinting tools
Most security analysts will agree that “nmap,”
made available in 1997, is the best known and most
widely used network footprinting tool.10 “Scanrand”
(2002)11, “amap” (2003)12, “Unicornscan” (2005)13,
“zmap” (2012)14 and “masscan” (2013) are also
popular. Newer tools such as “zmap” (2012)
claim the ability to scan the entire Internet in
times ranging from five minutes to an hour.15
And masscan claims to do it in three minutes.16
Scanning tools existed before 1997, for example the
Internet Security Scanner (ISS) version 1.x that first
appeared as a shareware product in 1992 and later
inspired a commercial product.17
Another way to glean footprinting data is to use a
search engine that is searching data from ongoing
Internet mapping projects. Shodan (2009) is one
of the most popular projects and is thought by
many to be the most comprehensive.18 Censys
(2015) is geared towards computer scientists and
researchers.19 Thingful (2013) is for Internet of
Things (IoT) devices.20 Internet mapping search
engines such as these allow attackers to gain
access to footprinting information without actually
sending packets to the victim, who then remains
unaware they’re being targeted.
Top 10 ports
In a sampling of IBM Managed Security Services
customers over two days in Q1 2016, the telnet
port (TCP port 23) received the largest number of
sweeps, accounting for 79 percent of the events.
Port 80 is excluded from the network IDS signature
represented in this data because legitimate web
traffic also uses port 80, which makes false positives
likely.21 Popular ports such as 25 (SMTP),
21 (FTP), 53 (DNS), 135 (RPC), 137 (NETBIOS), 139
(NETBIOS), 445 (Microsoft-DS), and others ranked
lower than the top 10. This is shown in Figure 1
and Table 1.
Rank | Destination TCP port | Sweeps | Internet Assigned Numbers Authority (IANA)-assigned service description and popular use22
-----|----------------------|--------|------------------------------------------------------------------------------------------
1 | 23 | 78.65% | telnet
2 | 1433 | 2.61% | Microsoft SQL Server
3 | 8080 | 2.14% | HTTP alternate for port 80
4 | 3306 | 1.59% | MySQL
5 | 3389 | 1.54% | MS WBT Server, Windows Remote Desktop
6 | 3128 | 1.00% | Active API Server Port, some proxy servers (squid-http, 3proxy)
7 | 443 | 0.90% | http protocol over TLS/SSL
8 | 5900 | 0.61% | Remote framebuffer, VNC (virtual network computing), Apple Remote Desktop
9 | 9200 | 0.56% | WAP connectionless session service, EMC2 (Legato) Networker or Sun Solstice Backup
10 | 21320 | 0.54% | N/A
All other | | 9.87% | All other TCP ports combined
Table 1. Rank, destination TCP port, sweeps
and service description and popular use for
the top 10 ports. Source: IBM MSS data.
[Figure 1: pie chart of the top 10 TCP service sweep destination ports; largest slice 23 (telnet), 78.65%; slice values as in Table 1.]
Figure 1. Top 10 TCP service sweep
destination ports. Source: IBM MSS data.
Ports provide multiple pieces of useful information.
Attackers may be seeking:
• Specific vulnerabilities for known services, such
as Heartbleed on web servers
• Services that can be exploited for a brute force
password attack
• Information on a target, such as what can be
found in a login banner
Banners can be particularly revealing. “Welcome
to the ACME central bank system running Widgets
OS version 3.43.23c” tells the attacker that they
have found both a prime target and an easy path to
unauthorized access via what may be the operating
system’s many known vulnerabilities. Certain
malware is also known to use common
ports. Table 2 highlights the malware associated with the
top 10 TCP destination ports listed in Table 1.
Rank | Destination TCP port | Sweeps | Trojans, worms or malware using the port
-----|----------------------|--------|------------------------------------------
1 | 23 | 78.65% | ADM worm (May 1998), Aphex’s Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own Trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (2005.10.26)
2 | 1433 | 2.61% | Digispid.B.Worm (2002.05.21), W32.Kelvir.R (2005.04.12), Voyager Alpha Force
3 | 8080 | 2.14% | Reverse WWW Tunnel Backdoor, RingZero, Screen Cutter, Mydoom.B (2004.01.28), W32.Spybot.OFN (2005.04.29), W32.Zotob.C@mm (2005.08.16), W32.Zotob.E (2005.08.16), Backdoor.Naninf.D (2006.02.01), Backdoor.Naninf.C (2006.01.31), W32.Rinbot.A (2007.03.02), Android.Acnetdoor (2012.05.16), Feodo/Geodo (a.k.a. Cridex or Bugat), Backdoor.Tjserv.D (2005.10.04), RemoConChubo, Brown Orifice, Feutel, Haxdoor, Hesive, Nemog, Ryknos, W32.Kelvir, W32.Mytob, W32.Opanki, W32.Picrate, W32.Spybot, W32.Zotob, Webus
4 | 3306 | 1.59% | Nemon backdoor (discovered 2004.08.16), W32.Mydoom.Q@mm, W32.Spybot
5 | 3389 | 1.54% | Backdoor.Win32.Agent.cdm, TSPY_AGENT.ADDQ
6 | 3128 | 1.00% | Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero, Mydoom.B (2004.01.28), W32.HLLW.Deadhat (2004.02.06)
7 | 443 | 0.90% | W32.Kelvir.M (2005.04.05), Slapper, Civcat, Tabdim, W32.Kelvir, W32.Kiman
8 | 5900 | 0.61% | Backdoor.Evivinc, W32.Gangbot (2007.01.22)
9 | 9200 | 0.56% | Unknown
10 | 21320 | 0.54% | Spybot, TopArcadeHits malware installing unapproved proxy
Table 2. Illegitimate uses of the top 10 ports. Rank, destination TCP port, sweeps. Source: IBM
MSS data. Trojans, worms, malware using port. Source: Various.23 24 25
Telnet: TCP port 23
Telnet, which has been around since the beginning
of the ARPANET in 1969, which evolved into the
Internet in 1982, accounts for more than three-quarters
of the sweep traffic we analyzed. People
might wonder, “How could that be? I thought
telnet didn’t get used much anymore.” That’s
true enough, but only partly so. While telnet is no
longer enabled by default in many UNIX/Linux
distributions, as it once was, it still gets enabled
by naïve administrators, and it can be found
enabled by default on many IoT devices such as
refrigerators, DVRs, televisions, beds, toothbrushes
and some older SCADA (Supervisory Control And
Data Acquisition) devices. Telnet doesn’t encrypt
its communications, making it easy for someone to
sniff the traffic for user IDs and passwords.
Telnet servers aren’t limited to only UNIX/Linux;
some telnet servers connected to the Internet
are running on Windows systems ranging from
Windows 10 all the way back to Windows XP.
Many embedded system applications are used
in equipment such as routers, VOIP phones and
industrial control systems (ICSs). People think of
ICS as infrastructure—in utility or manufacturing
environments—but ICS is used in other industries,
for example at the car wash. At least one car wash
system has been known to have a telnet server
listening and reachable from the Internet.26 When
you pull into one of those automated car washes
with no attendant anywhere in sight, one could
wonder whether there’s some criminal in control
from hundreds or thousands of miles away.
A report created on 4 April 2016 from the world’s
first search engine for internet-connected devices,
Shodan, shows that telnet is still alive and serving
(see Figure 2).27 28
Once an attacker discovers an open telnet port,
she or he may have several options:
• See if the banner reveals something about the
system and the entity that owns it
• If authentication isn’t required, gain immediate
access to the system
• Try common default accounts such as root/root,
system/system, manager/manager, or operator/
operator to gain unauthorized access
• Perform brute force attacks to obtain passwords
for common user accounts or system (root or
Administrator) accounts.
An attacker with unauthorized access will
normally explore the system to view its features,
see what data it contains, and gain experience
with the technologies used, building up a toolbox
and learning additional ways to exploit the
targeted organization.
[Figure 2: Shodan “Telnet port 23 search results”, Top Countries panel]
1. China 5,199,724
2. United States 1,327,980
3. Brazil 1,257,974
4. Republic of Korea 1,030,702
5. India 723,424
6. Spain 526,469
7. Russian Federation 467,227
8. Viet Nam 409,888
9. Italy 350,927
10. Dominican Republic 296,118
Figure 2. A search for port 23 on 5 April 2016 returned over 16 million results. Source: Shodan.
Telnet vulnerabilities
“Common Vulnerabilities and Exposures” (CVE®)
is a dictionary of common names (also called
CVE Identifiers) for publicly known cybersecurity
vulnerabilities.29 Vulnerabilities related to telnet
have been disclosed every year since its launch in
1999, and by the end of 2015 they totaled 266 (see
Figure 3). While their disclosure has slowed over
time, there has been a small resurgence in number
during the past few years. It should be interesting to
see the count for 2016.
A few of the telnet server vulnerabilities disclosed in
2015 could impact many organizations without their
ever suspecting such a vulnerability exists. This
includes CVE-2015-2874 and CVE-2015-3459.
[Figure 3: bar chart, “Count of telnet CVE IDs” per year, 1999 through 2015; y-axis 0 to 40.]
Figure 3. Total number of telnet vulnerabilities since 1999. Source: CVE Project,
MITRE Corporation.30
CVE-2015-2874 is associated with a vulnerability in
a few Seagate portable hard drives used to share
content with mobile devices such as cell phones
and tablets.31 The vulnerability is also linked to a
common weakness enumeration ID, CWE-798,
which is for “Use of Hard-Coded Credentials.”32
An attacker could exploit this vulnerability by
establishing a telnet session into a vulnerable
device and typing in the default username and
password to gain root privileges to the system and
access all the files stored on the drive. A firmware
update to remediate the issue is now available from
the manufacturer.
CVE-2015-3459 is associated with a vulnerability
affecting the Hospira LifeCare PCA Infusion
System prior to version 7.0. Vulnerable systems do
not require authentication for root telnet sessions,
potentially allowing a remote attacker to modify
the pump configuration. The implications are
life-threatening: a malicious actor could bypass
authentication and relatively easily change the
upper limit of a drug being administered to a
patient. According to the vendor, version 7.0 has
the telnet port disabled by default to prevent
unauthorized access.33
2015 saw the disclosure of several other telnet
vulnerabilities where admin access could be gained
fairly easily (see Table 3).
CVE ID | Product | Vulnerability
-------|---------|--------------
CVE-2015-0924 | Ceragon FiberAir IP-10 bridges | Default password for the root account
CVE-2015-2897 | Sierra Wireless AirLink ES, GX, and LS devices | Hardcoded root accounts
CVE-2015-7251 | ZTE ZXHN H108N R1A devices | Hardcoded password of root for the root account
CVE-2015-7289 | Arris DG860A, TG862A, and TG862G devices | Hardcoded administrator password derived from a serial number
Table 3. Additional notable telnet
vulnerabilities. Note that specific software
or firmware versions of vulnerable products
are not noted in the table. Refer to the IBM
X-Force Exchange for more information.
SQL Server: port 1433
The number two ranked destination port for TCP
service sweeps, at only three percent of the traffic,
is 1433, commonly used for Microsoft SQL Server.
In addition to the common footprinting tools noted
earlier, a freely available software package called
Metasploit34 has an auxiliary module, mssql_ping,
used to discover exposed Microsoft SQL Server
instances. Metasploit also includes modules
named mssql_login and mssql_hashdump that can be used
to gain unauthorized access to a Microsoft SQL
Server instance. An open source penetration testing tool
called sqlmap35 will locate and exploit SQL injection
flaws in database servers such as Microsoft SQL
Server. Another tool used to exploit Microsoft SQL
Server installations is sqlninja.36 Both sqlmap and
sqlninja are included in the current releases of Kali
Linux, a Linux distribution designed for
penetration testing.37
Other ports
Some of the ports noted in the top 10 are
associated with well-known older attacks such
as MyDoom, Slapper, SQL Slammer, and Spybot.
While these attacks may or may not still be active
in the wild, the services with which they are
associated are still of interest to today’s attackers.
Malware may use some of these ports because
some organizations’ firewalls already have rules
allowing these services to go through.
Telnet vulnerabilities persist, largely because
of administrators activating telnet ports and
because of open ports on IoT devices.
Brute force password attacks
A brute force password attack is a tactic in which
an intruder tries to guess a username and
password combination in order to gain unauthorized
access to a system or data. The attacker will try
a litany of common usernames and passwords,
well-known default credentials, and passwords
derived from a dictionary. The target could be a
local console, an encrypted file or a service across
a network, such as a social media account or
secure shell (SSH) access to a remote system.
Brute force password attacks have been around
since the early days of the Internet and are
still a significant presence in the wild. Often an
attacker will come across a new system during a
footprinting attack against a targeted network and
see a login screen banner. A banner that reveals
the operating system version will give the attacker
an idea of what system-level account names to
begin trying. Many brute force password hacking
and cracking programs exist. Some of the more
popular remote network password hacking tools
are Brutus38, Medusa39, Ncrack40 (alpha), and THC
Hydra41. They work against a variety of protocols
which may include FTP, SSH, SMB, telnet, MySQL,
Microsoft SQL, SMTP and VNC, and might find a
simple dictionary password in less than a second.
The data included in this report shows that
brute force password hacking attacks occurred
consistently throughout 2015. Some of the top
attackers carried out the same type of brute force
attacks against many targets every day for months,
even for a full year in some cases. Several times
an attacker carrying out an SSH brute force attack
came back months later looking for another service
to target, such as a database server. Even though
attacks may come from a compromised system or
an anonymous proxy rather than the attacker’s own
IP address, the persistence we’ve seen in brute
force attacks means that it’s wise to block the
source IP address of the attacking system.
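The two paragraphs above describe what a defender actually sees of a brute force password attack: a burst of failed logins from one source, often against well-known account names, and the advice that the source IP is worth blocking even if it belongs to a compromised host. The following is an added example, not code from the IBM report, that applies that logic to sshd log lines. The log lines are constructed; the failure threshold, the time window and the decision labels are assumptions a defender would tune.

```python
"""Detect SSH password brute force in sshd syslog lines and decide which
source IPs to block; a password login that succeeds after the source
crossed the threshold is escalated rather than merely blocked.

Added example, not code from the IBM report. The log lines are constructed;
thresholds and decision labels are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the default syslog layout (syslog omits the year).
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:02 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 10:00:02 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 10:00:03 bastion sshd[2207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:00:03 bastion sshd[2209]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 12 10:00:04 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 12 10:01:10 bastion sshd[2301]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Jan 12 10:01:11 bastion sshd[2303]: Failed password for invalid user operator from 198.51.100.9 port 40003 ssh2
Jan 12 10:01:12 bastion sshd[2305]: Failed password for invalid user manager from 198.51.100.9 port 40005 ssh2
Jan 12 10:01:13 bastion sshd[2307]: Failed password for root from 198.51.100.9 port 40007 ssh2
Jan 12 10:01:14 bastion sshd[2309]: Failed password for root from 198.51.100.9 port 40009 ssh2
Jan 12 10:01:20 bastion sshd[2311]: Accepted password for root from 198.51.100.9 port 40011 ssh2
Jan 12 11:30:00 bastion sshd[2501]: Failed password for alice from 192.0.2.77 port 50022 ssh2
Jan 12 11:30:20 bastion sshd[2503]: Accepted publickey for alice from 192.0.2.77 port 50024 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5      # password failures per source inside the window (assumption)
WINDOW_SECONDS = 600    # sliding window length in seconds (assumption)
YEAR = 2015             # syslog lines carry no year; supplied so timestamps parse


def parse_events(text, year=YEAR):
    """Return (timestamp, ip, user, result, method) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events


def analyze(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Per flagged source IP: total password failures, usernames tried, and
    whether a password login succeeded after the threshold was crossed."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)     # ip -> all password failures seen
    users = defaultdict(set)     # ip -> usernames attempted
    flagged = set()              # ips that crossed the threshold
    success_after = {}           # ip -> user of a password login after flagging
    for ts, ip, user, result, method in sorted(events):
        if method != "password":
            continue             # key-based logins are not brute force candidates
        if result == "Failed":
            total[ip] += 1
            users[ip].add(user)
            recent[ip].append(ts)
            while (ts - recent[ip][0]).total_seconds() > window:
                recent[ip].pop(0)
            if len(recent[ip]) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            success_after[ip] = user
    return {
        ip: {
            "action": "block_and_investigate" if ip in success_after else "block",
            "failures": total[ip],
            "users": sorted(users[ip]),
            "success_after": success_after.get(ip),
        }
        for ip in flagged
    }


if __name__ == "__main__":
    for ip, verdict in analyze(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, verdict)
```

On the sample, 203.0.113.5 is blocked after six root failures, 198.51.100.9 is blocked and escalated because a password login for root succeeded right after it cycled through admin, operator, manager and root, and 192.0.2.77 (one typo followed by a key login) is never flagged. The same structure scales to a SIEM rule: count password failures per source over a window, and treat any success after the threshold as an incident rather than a block.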
Brute force password attackers can
be very persistent, continuing their
attacks for months or even a full year.
Secure shell (SSH) brute force attacks
Attackers favor SSH because it provides shell
account access across the network. SSH brute
force attacks peaked in May 2015, then trended
downward for the rest of the year except for a slight
increase in December over November (see Figure
4). It’s likely that the botnet known as SSHPsychos
was responsible for much of the activity early in
the year, and the downward trend in later months
reflected efforts by members of the security
community to mitigate this threat.42
The number of unique attacker IP addresses
associated with SSH brute force attacks also
peaked in May (see Figure 5). While there was a
pronounced downward trend in attacks from June
through December, the unique attacker count was
closer to trending flat during that time period. The
main point is that SSH brute force attacks aren’t
limited to a small set of attackers, and protecting
your systems from such attacks is important.
[Figure 4: line chart of the monthly share of SSH brute force attacks, January through December 2015; y-axis 0% to 20%.]
Figure 4. Percentage of SSH brute force attacks for each month in 2015 (1 January 2015 –
31 December 2015). Source: IBM MSS data.
[Figure 5: chart of the unique attacker IP count per month, January through December 2015; y-axis 0 to 1000.]
Figure 5. Unique attacker IP count for SSH brute force attacks (1 January 2015 – 31 December
2015). Source: IBM MSS data.
Note: A single IP address is considered unique and counted as “1” for each month that it appeared in the data. For example, the IP address
1.2.3.4 would be counted as “1” in both January and February if found in both months.
The brute force attack source IP locations collected
by IBM Managed Security Services covered
98 countries (see Figure 6), with 93 percent of
the total brute force attack activity coming from
the top 10 countries. Hong Kong and China
combined represented 76 percent of the total—not
surprisingly, since the networks most known as
sources for the SSHPsychos botnet, 103.41.124.0/23
and 43.255.190.0/23, were from there.43
IP addresses hosted in the United States were
targets in almost 67 percent of the attacks (see
Figure 7).
[Figure 6: pie chart, top 10 source countries for SSH brute force attacks]
Hong Kong 40.28%
China 35.51%
United States 8.76%
France 2.50%
Republic of Korea 1.31%
Germany 1.15%
United Kingdom 1.04%
Russian Federation 0.88%
Netherlands 0.84%
Brazil 0.72%
Figure 6. Top ten source countries for SSH
brute force attacks (1 January 2015 –
31 December 2015). Source: IBM MSS data.
[Figure 7: pie chart, top 10 destination countries for SSH brute force attacks]
United States 66.91%
United Kingdom 2.16%
Canada 1.95%
Denmark 1.26%
Italy 0.80%
Japan 0.79%
France 0.43%
Australia 0.22%
Germany 0.17%
Europe 0.03%
Figure 7. The top destination countries for
SSH brute force attacks (1 January 2015 –
31 December 2015). Source: IBM MSS data.
Persistence of SSH brute force top 20 attacker IP addresses
Attackers behind the top 20 IP addresses actively
targeted their victims during two or more calendar
months (see Table 4). Any amount of attack activity
is a concern, but activity noted for three or more
months from the same IP address may signify
a more targeted and prolonged effort against a
particular organization. According to the Talos
Security Intelligence and Research Group,44
several IP addresses in the table are known to be
associated with the SSHPsychos group. Talos
reported that the SSHPsychos attacks involved
targeting only the root account, trying over
300,000 passwords.
Rank | Attacking IP | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec | Total Customers Affected* | Month Count
-----|--------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|---------------------------|------------
1 | 221.229.160.237 | 8% | 22% | 10% | 7% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 29% | 4
2 | 115.231.222.23 | 9% | 22% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 24% | 2
3 | 115.239.248.237 | 15% | 13% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 20% | 2
4 | 115.239.248.205 | 10% | 16% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 20% | 2
5 | 27.221.10.43 | 0% | 0% | 2% | 7% | 7% | 9% | 6% | 7% | 9% | 2% | 5% | 3% | 18% | 10
6 | 88.150.240.59 | 0% | 3% | 14% | 6% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 17% | 3
7 | 58.218.213.238 | 6% | 10% | 5% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3
8 | 103.41.124.63 | 7% | 10% | 10% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3
9 | 103.41.124.111 | 8% | 8% | 9% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3
10 | 43.255.190.147 | 0% | 0% | 0% | 14% | 5% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
11 | 43.255.190.160 | 0% | 0% | 0% | 15% | 2% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
12 | 218.26.11.118 | 0% | 0% | 10% | 8% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
13 | 59.47.0.150 | 0% | 7% | 3% | 8% | 6% | 9% | 9% | 5% | 2% | 0% | 0% | 0% | 15% | 8
14 | 218.65.30.61 | 0% | 7% | 7% | 11% | 13% | 9% | 7% | 2% | 3% | 0% | 0% | 0% | 15% | 8
15 | 58.218.204.172 | 7% | 9% | 6% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 3
16 | 43.255.190.125 | 0% | 0% | 0% | 14% | 3% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
17 | 58.218.213.249 | 5% | 13% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
18 | 43.255.190.134 | 0% | 0% | 0% | 15% | 2% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
19 | 8.254.73.28 | 3% | 9% | 5% | 1% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 4
20 | 103.41.124.48 | 7% | 8% | 8% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 3
Table 4. The top attacking IP addresses for SSH brute force in 2015 (1 January 2015 –
31 December 2015). Source: IBM MSS data.
Note: Percentages shown represent the percentage of customers the attacking IP targeted during 2015. The red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
SSH brute force top five IP addresses
The following section highlights the top five source
IP addresses that conducted SSH brute force
attacks in 2015. For each of the following tables,
the signature names shown in the first column
represent intrusion detection/protection system
signatures from multiple vendors. These tables
show that the same IP address that initiates
TCP service sweeps also carries out brute force
password attacks. While the network ranges
103.41.124.0/23 (China) and 43.255.190.0/23 (Hong
Kong) were previously noted as sources for much
of the SSHPsychos botnet activity, the LongTail SSH
Honeypot project confirms other IP addresses
outside those ranges exhibiting the same
patterns.45 It’s interesting that all top five source IP
addresses reside in China and that much of the activity
happened within the first few months of the year.
1: Attacker IP address 221.229.160.237
Country location: China
Most of the activity from this address occurred
from January 2015 through June 2015, with a little
showing up in September (see Table 5). While all
its activity in January through April was focused on
SSH, the TCP service sweeps in June (6/3 – 6/4)
and September (9/17) targeted SQL Server (and
were sourced from port 6000).
Observations regarding this IP address include:
• The SSH_Brute_Force signature directly
indicates the SSH brute force attacks.
• Brute force attacks require making many
connections to a service. “Multiple Rapid SSH
Connections,” “OpenSSH Repeated CRC
DoS,” “SSH connection flood,” and
“SSH_Connection_DoS” signatures indirectly indicate
SSH brute force attacks based on the large
number of connections.
• The footprinting signatures shown are
“TCP_Service_Sweep,” “SSH client scan,”
“TCP_Probe_SSH,” “Sweep Scan,”
“SSH_Service_Sweep,” and “TCP: SYN Host Sweep.”
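The signature taxonomy in the list above (one direct brute force signature, several connection-volume signatures that indicate it indirectly, and the footprinting signatures), together with the persistence rule from the Table 4 discussion (three or more active months) and the observation that this attacker came back in June and September to sweep for SQL Server instead of SSH, can all be computed from the same per-source event records. The following is an added example, not code from the IBM report: the signature names are the ones Table 5 lists, but the category mapping and the event records are constructed assumptions, so the numbers it produces are illustrative rather than the report's.

```python
"""Turn IDS/IPS events from one source IP into a monthly timeline, the
per-category share that Table 5 gives per signature, a month-count
persistence check, and a test for the "came back months later looking for
another service" pattern.

Added example, not code from the IBM report. Signature names are those in
the report's Table 5; the category mapping and the events are constructed.
"""
from collections import defaultdict

# Signature taxonomy as the report describes it: one direct brute force
# indicator, connection-volume signatures that indicate it indirectly, and
# footprinting (sweep/probe) signatures. The grouping is an assumption.
CATEGORY = {
    "SSH_Brute_Force": "brute_force",
    "Multiple Rapid SSH Connections": "brute_force_indirect",
    "OpenSSH Repeated CRC DoS": "brute_force_indirect",
    "SSH connection flood": "brute_force_indirect",
    "SSH_Connection_DoS": "brute_force_indirect",
    "TCP_Service_Sweep": "footprinting",
    "SSH client scan": "footprinting",
    "TCP_Probe_SSH": "footprinting",
    "Sweep Scan": "footprinting",
    "SSH_Service_Sweep": "footprinting",
    "TCP: SYN Host Sweep": "footprinting",
}

# Constructed events: (date, source_ip, signature, destination_port, event_count)
SAMPLE_EVENTS = [
    ("2015-01-15", "203.0.113.5", "SSH_Brute_Force", 22, 900),
    ("2015-01-15", "203.0.113.5", "Multiple Rapid SSH Connections", 22, 120),
    ("2015-02-03", "203.0.113.5", "SSH_Brute_Force", 22, 2400),
    ("2015-02-03", "203.0.113.5", "OpenSSH Repeated CRC DoS", 22, 300),
    ("2015-03-10", "203.0.113.5", "SSH_Brute_Force", 22, 700),
    ("2015-06-03", "203.0.113.5", "TCP_Service_Sweep", 1433, 2500),
    ("2015-06-04", "203.0.113.5", "TCP_Service_Sweep", 1433, 600),
    ("2015-09-17", "203.0.113.5", "TCP_Service_Sweep", 1433, 40),
    ("2015-04-02", "198.51.100.9", "SSH_Brute_Force", 22, 5000),
    ("2015-04-02", "198.51.100.9", "SSH client scan", 22, 10),
]

PERSISTENT_MONTHS = 3   # the report's rule of thumb for a prolonged effort


def monthly_timeline(events, source):
    """Return {YYYY-MM: {category: event_count}} for one source, months in order."""
    timeline = defaultdict(lambda: defaultdict(int))
    for date, ip, sig, _port, count in events:
        if ip == source:
            timeline[date[:7]][CATEGORY.get(sig, "other")] += count
    return {month: dict(cats) for month, cats in sorted(timeline.items())}


def category_shares(events, source):
    """Share of the source's events per category, in percent to two decimals."""
    totals = defaultdict(int)
    for _date, ip, sig, _port, count in events:
        if ip == source:
            totals[CATEGORY.get(sig, "other")] += count
    grand = sum(totals.values())
    if grand == 0:
        return {}
    return {cat: round(100.0 * n / grand, 2) for cat, n in totals.items()}


def persistence_and_pivot(events, source, persistent_months=PERSISTENT_MONTHS):
    """Count active months and detect footprinting of a new port in months
    after the source's last brute force month."""
    bf_months, fp_months, bf_ports, fp_ports = set(), set(), set(), set()
    for date, ip, sig, port, _count in events:
        if ip != source:
            continue
        cat = CATEGORY.get(sig, "other")
        if cat.startswith("brute_force"):
            bf_months.add(date[:7])
            bf_ports.add(port)
        elif cat == "footprinting":
            fp_months.add(date[:7])
            fp_ports.add(port)
    last_bf = max(bf_months) if bf_months else None
    return_months = sorted(m for m in fp_months if last_bf and m > last_bf)
    new_ports = sorted(fp_ports - bf_ports)
    months_active = len(bf_months | fp_months)
    return {
        "months_active": months_active,
        "persistent": months_active >= persistent_months,
        "last_brute_force_month": last_bf,
        "return_months": return_months,
        "new_ports": new_ports,
        "pivoted": bool(return_months and new_ports),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9"):
        print(ip, monthly_timeline(SAMPLE_EVENTS, ip))
        print(ip, category_shares(SAMPLE_EVENTS, ip))
        print(ip, persistence_and_pivot(SAMPLE_EVENTS, ip))
```

For the constructed source 203.0.113.5 the result is five active months (persistent), brute force in January through March, and sweeps of port 1433 in June and September flagged as a pivot to a new service; 198.51.100.9, active in a single month against a single port, is neither persistent nor pivoting. The useful operational point is that the block decision for such a source should outlive the SSH campaign: the return months are where a firewall rule that expired after thirty days would have let it back in.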
September
December
Top 10 ports
Brute force password
attacks
32.49%
8.44%
8.31%
0.00%
0.00%
0.00%
59.49%
TCP_Service_Sweep
0.00%
0.00%
0.00%
0.00%
30.07%
0.34%
0.00%
30.41%
Secure shell (SSH) brute
force attacks
Multiple Rapid SSH Connections 1.14%
4.50%
0.15%
0.00%
0.00%
0.00%
0.00%
5.79%
OpenSSH Repeated CRC DoS
0.52%
3.52%
0.00%
0.00%
0.00%
0.00%
0.00%
4.04%
Persistence of SSH brute
force top 20 attacker
IP addresses
SSH connection flood
0.01%
0.07%
0.00%
0.00%
0.00%
0.00%
0.00%
0.08%
SSH client scan
0.01%
0.05%
0.00%
0.00%
0.00%
0.00%
0.00%
0.07%
SSH brute force top five
IP addresses
1 • 2 • 3 • 4 • 5 • 6
Geo Protection
0.00%
0.00%
0.00%
0.00%
0.04%
0.00%
0.00%
0.04%
TCP_Probe_SSH
0.01%
0.00%
0.01%
0.00%
0.00%
0.00%
0.00%
0.02%
SSH_Connection_DoS
0.00%
0.00%
0.00%
0.02%
0.00%
0.00%
0.00%
0.02%
File Transfer Protocol (FTP)
brute force attacks
Sweep Scan
0.00%
0.00%
0.00%
0.00%
0.01%
0.00%
0.00%
0.01%
SSH_Service_Sweep
0.00%
0.00%
0.01%
0.00%
0.00%
0.00%
0.00%
0.01%
Top five FTP brute force
attacker IP addresses
TCP: SYN Host Sweep
0.00%
0.00%
0.00%
0.00%
0.01%
0.00%
0.00%
0.01%
Grand Total*
11.96%
40.63%
8.60%
8.33%
30.14%
0.34%
0.00%
100.00%
Count*
June
10.26%
Footprinting
Total Event
March
SSH_Brute_Force
Signature
April
February
Executive overview
January
Contents
Recommendations
Protect your enterprise
while reducing cost
and complexity
Table 5. Activity from IP address 221.229.160.237 (1 January 2015 – 31 December 2015).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
2: Attacker IP address 115.231.222.23
Country location: China
This attacker IP address was seen in the logs for
only two months in 2015 conducting brute force
attacks. It ranks number two based on the high
count of customers targeted. Actual dates were
17 January 2015 through 25 February 2015
(see Table 6).
3: Attacker IP address 115.239.248.237
Country location: China
This attacker IP was seen in logs at the same time
as the previous attacker IP address, and most of
the IDS signatures were the same (see Table 7).
4: Attacker IP address 115.239.248.205
Country location: China
This attacker was logged primarily in January and
February of 2015, with a little activity in July. All the
activity in January and February centered on SSH
scanning and brute force SSH attacks. In July the
traffic triggered a different signature, indicating
that the attacker was attempting to launch a
denial of service (DoS) attack against the target’s
DNS system (see Table 8).
Signature                                                            | January | February | Total Event Count*
SSH_Brute_Force                                                      | 34.19%  | 51.73%   | 85.92%
Multiple Rapid SSH Connections                                       | 1.97%   | 6.67%    | 8.63%
OpenSSH Repeated CRC DoS                                             | 0.20%   | 2.65%    | 2.85%
Sequence Verifier                                                    | 0.73%   | 1.49%    | 2.22%
TCP_Probe_SSH                                                        | 0.04%   | 0.06%    | 0.10%
TCP Invalid Checksum                                                 | 0.08%   | 0.00%    | 0.08%
SSH client scan                                                      | 0.02%   | 0.06%    | 0.08%
SSH connection flood                                                 | 0.00%   | 0.06%    | 0.06%
TCP anomaly                                                          | 0.04%   | 0.00%    | 0.04%
OpenSSH maxstartup Threshold Connection Exhaustion denial of service | 0.00%   | 0.02%    | 0.02%
Grand Total*                                                         | 37.26%  | 62.74%   | 100.00%
Table 6. Activity from IP address 115.231.222.23 (1 January 2015 – 31 December 2015). Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates
a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
Signature                      | January | February | Total Event Count*
SSH_Brute_Force                | 31.47%  | 49.76%   | 81.23%
Multiple Rapid SSH Connections | 5.33%   | 3.67%    | 9.01%
OpenSSH Repeated CRC DoS       | 2.67%   | 5.26%    | 7.92%
Sequence Verifier              | 0.81%   | 0.25%    | 1.06%
TCP Invalid Checksum           | 0.10%   | 0.10%    | 0.20%
TCP_Probe_SSH                  | 0.15%   | 0.05%    | 0.20%
TCP anomaly                    | 0.08%   | 0.10%    | 0.18%
SSH client scan                | 0.05%   | 0.08%    | 0.13%
SSH connection flood           | 0.03%   | 0.05%    | 0.08%
Grand Total*                   | 40.68%  | 59.32%   | 100.00%
Table 7. Activity from IP address 115.239.248.237 (1 January 2015 – 31 December 2015). Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates
a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Signature                                          | January | February | July  | Total Event Count*
SSH_Brute_Force                                    | 31.46%  | 56.32%   | 0.00% | 87.78%
Multiple Rapid SSH Connections                     | 4.09%   | 2.75%    | 0.00% | 6.84%
OpenSSH Repeated CRC DoS                           | 0.00%   | 4.41%    | 0.00% | 4.41%
Sequence Verifier                                  | 0.24%   | 0.08%    | 0.00% | 0.32%
SSH User Authentication Brute-force Attempt(40015) | 0.24%   | 0.00%    | 0.00% | 0.24%
SSH connection flood                               | 0.00%   | 0.12%    | 0.00% | 0.12%
SSH client scan                                    | 0.00%   | 0.12%    | 0.00% | 0.12%
DNS ANY Queries Bruteforce DOS Attack(40033)       | 0.00%   | 0.00%    | 0.08% | 0.08%
TCP_Probe_SSH                                      | 0.04%   | 0.02%    | 0.00% | 0.06%
SSH_Service_Sweep                                  | 0.02%   | 0.00%    | 0.00% | 0.02%
Grand Total*                                       | 36.09%  | 63.83%   | 0.08% | 100.00%
Table 8. Activity from IP address 115.231.248.205 (1 January 2015 – 31 December 2015). Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates
a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
5: Attacker IP address 27.221.10.43
Country location: China
The first activity from this IP address appeared
in March 2015 and continued throughout the year
(see Table 9) and into the first months of 2016 (see
Table 10).
This attacker was still being seen as of March 2016,
making it the most persistent attacking IP address
identified for the period 1 January 2015 through
31 March 2016.

Signature                    | March | April  | May    | June   | July  | August | September | October | November | December | Total Event Count*
SSH_Service_Sweep            | 2.14% | 7.43%  | 10.62% | 11.40% | 2.29% | 9.05%  | 7.58%     | 2.97%   | 4.78%    | 0.71%    | 65.82%
SSH_Brute_Force              | 0.30% | 2.80%  | 2.37%  | 1.85%  | 1.04% | 1.69%  | 2.93%     | 0.88%   | 0.96%    | 1.72%    | 20.69%
TCP_Probe_SSH                | 0.06% | 1.07%  | 1.12%  | 0.84%  | 0.38% | 0.93%  | 0.66%     | 0.01%   | 0.01%    | 0.74%    | 7.61%
SSH.Client.Request.Mimicking | 0.51% | 0.02%  | 0.01%  | 0.26%  | 0.00% | 1.68%  | 2.10%     | 0.24%   | 0.00%    | 0.00%    | 4.81%
Geo Protection               | 0.01% | 0.04%  | 0.08%  | 0.08%  | 0.05% | 0.04%  | 0.02%     | 0.01%   | 0.01%    | 0.00%    | 0.52%
TCP: SYN Host Sweep          | 0.01% | 0.03%  | 0.01%  | 0.01%  | 0.00% | 0.02%  | 0.01%     | 0.01%   | 0.00%    | 0.18%    | 0.31%
Sweep Scan                   | 0.00% | 0.03%  | 0.02%  | 0.01%  | 0.00% | 0.01%  | 0.01%     | 0.01%   | 0.00%    | 0.08%    | 0.17%
TCP SYN Host Sweep           | 0.00% | 0.01%  | 0.00%  | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.00%   | 0.00%    | 0.00%    | 0.01%
TCP_Service_Sweep            | 0.00% | 0.00%  | 0.00%  | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.00%   | 0.00%    | 0.00%    | 0.01%
PSNG_TCP_PORTSWEEP_FILTERED  | 0.00% | 0.00%  | 0.00%  | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.00%   | 0.00%    | 0.00%    | 0.00%
SSH_Connection_DoS           | 0.00% | 0.00%  | 0.00%  | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.00%   | 0.00%    | 0.00%    | 0.00%
Grand Total*                 | 3.03% | 11.44% | 14.23% | 14.44% | 3.78% | 13.42% | 13.30%    | 4.13%   | 5.78%    | 3.43%    | 100.00%
Table 9. Activity from IP address 27.221.10.43 (1 January 2015 – 31 December 2015).
Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red
highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. Orange cells containing “0.00%”
indicate a value greater than 0.00%, but less than 0.01%. *Totals rounded to the nearest hundredth. (The Total Event Count column exceeds
the sum of the ten month columns by about 13 percent, which matches the grand total of the 2016 activity shown in Table 10.)
Signature                       | January | February | March
SSH_Service_Sweep               | 0.81%   | 5.54%    | 0.59%
SSH_Brute_Force                 | 0.65%   | 3.46%    | 0.03%
TCP_Probe_SSH                   | 0.82%   | 0.85%    | 0.13%
Geo Protection                  | 0.00%   | 0.16%    | 0.00%
TCP: SYN Host Sweep             | 0.00%   | 0.03%    | 0.00%
Sweep Scan                      | 0.00%   | 0.01%    | 0.00%
NetScreen_Dest_IP_Session_Limit | 0.00%   | 0.00%    | 0.00%
Grand Total*                    | 2.28%   | 9.99%    | 0.75%
Table 10. Activity from IP address 27.221.10.43 (1 January 2016 – 31 March 2016).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates
a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
Often we see that the same IP address is
associated with both TCP service sweeps
and brute force password attacks.
File Transfer Protocol (FTP) brute
force attacks
The service File Transfer Protocol (FTP) has been
around a long time and isn’t used as it once was
because it doesn’t encrypt either the authentication
process or the data transfer. While FTP should
be configured to deny access to administrator
accounts, we have witnessed successful FTP brute
force attacks against these accounts (see Figure 8).
Figure 8 shows that brute force FTP attacks
occurred throughout 2015, ranging from 3 to 12
percent of total attacks each month.
[Figure 8: bar chart titled “FTP brute force attacks”, one bar per month from January to December 2015, vertical axis 0% to 12%.]
Figure 8. FTP brute force attacks as a percentage of all observed attacks (1 January 2015 –
31 December 2015). Source: IBM MSS data.
Most months in 2015 had over 100 different
attacker IP addresses (see Figure 9). July had the
highest with 276, which is 55 percent above the
monthly average. The second highest month was
November at 236 unique attacker IP addresses.
[Figure 9: bar chart titled “Unique attacker IP count (FTP)”, one bar per month from January to December 2015, vertical axis 0 to 300.]
Figure 9. Unique attacker IP counts for FTP brute force attacks (1 January 2015 –
31 December 2015). Source: IBM MSS data.
China edges out the United States with just a two
percent difference to take first place as the country
where most FTP brute force attacks appeared to
originate (see Figure 10). Interestingly, only four
of the top source countries, United States, India,
France, and United Kingdom, are also part of the
top ten destination countries (see Figure 11). The
top two destination countries for FTP brute force
attacks were the United States and France with
nearly 60 percent of the total attacks.
Top 10 source countries for FTP brute force attacks: China 21%, United States 19%, India 10%, Ukraine 7%, Russian Federation 7%,
Vietnam 5%, Brazil 5%, France 4%, Indonesia 3%, United Kingdom 3%.
Figure 10. The top two source countries for FTP brute force attacks were China and the United
States (1 January 2015 – 31 December 2015). Source: IBM MSS data.
Top 10 destination countries for FTP brute force attacks: United States 32.30%, France 27.81%, Japan 6.74%, Australia 2.25%,
Hong Kong 1.16%, United Kingdom 0.93%, Denmark 0.85%, Germany 0.62%, Italy 0.23%, India 0.15%.
Figure 11. The top two destination countries for FTP brute force attacks were the United
States and France (1 January 2015 – 31 December 2015). Source: IBM MSS data.
Top five FTP brute force attacker
IP addresses
The top five FTP brute force password attackers
were seen conducting FTP brute force attacks
spanning anywhere from 2 to 12 calendar months
(see Table 11). Three out of the five IP addresses
had several months of activity followed by a pause
of one or more months, then resumed activity.

Rank | Attacking IP  | January | February | March | April | May   | June  | July  | August | September | October | November | December | Total Customers Affected* | Month Count
1    | 27.251.65.195 | 4.76%   | 2.38%    | 4.76% | 9.52% | 2.38% | 4.76% | 7.14% | 11.90% | 0.00%     | 0.00%   | 0.00%    | 2.38%    | 28.57%                    | 9
2    | 141.105.70.98 | 0.00%   | 0.00%    | 0.00% | 2.38% | 7.14% | 0.00% | 2.38% | 9.52%  | 0.00%     | 0.00%   | 0.00%    | 0.00%    | 19.05%                    | 4
3    | 113.20.30.182 | 0.00%   | 0.00%    | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 2.38%  | 7.14%     | 2.38%   | 2.38%    | 2.38%    | 14.29%                    | 5
4    | 211.109.1.231 | 0.00%   | 0.00%    | 0.00% | 0.00% | 9.52% | 2.38% | 0.00% | 0.00%  | 0.00%     | 0.00%   | 0.00%    | 0.00%    | 11.90%                    | 2
5    | 141.105.70.96 | 0.00%   | 0.00%    | 0.00% | 4.76% | 2.38% | 0.00% | 9.52% | 0.00%  | 0.00%     | 0.00%   | 0.00%    | 0.00%    | 11.90%                    | 3
Table 11. The top attacking IP addresses for FTP brute force in 2015. Source: IBM MSS data.
Note: Percentages shown represent the percentage of customers the attacking IP targeted during 2015. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

1: Attacker IP address 27.251.65.195
Country location: India
This attacker was seen in FTP brute force attack
logs every month in 2015. The activity from this IP
was made up largely of FTP brute force attacks,
but there were also footprinting and SSH brute
force attacks. (See Table 12.)
Signature                   | January | February | March | April  | May   | June   | July  | August | September | November | December | Total Event Count*
FTP_User_Root               | 1.91%   | 33.35%   | 0.28% | 18.90% | 0.01% | 15.82% | 1.59% | 6.57%  | 0.00%     | 0.00%    | 9.26%    | 87.69%
FTP_Auth_Failed             | 0.65%   | 0.20%    | 0.04% | 2.40%  | 0.00% | 3.53%  | 0.05% | 1.15%  | 0.00%     | 0.00%    | 0.00%    | 8.11%
FTP_User                    | 0.09%   | 0.08%    | 0.12% | 0.00%  | 0.09% | 2.26%  | 0.00% | 0.00%  | 0.00%     | 0.00%    | 0.00%    | 2.64%
TCP_Service_Sweep           | 0.33%   | 0.08%    | 0.13% | 0.01%  | 0.01% | 0.00%  | 0.02% | 0.03%  | 0.04%     | 0.02%    | 0.04%    | 0.71%
FTP Authorization Failure   | 0.00%   | 0.00%    | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.41%    | 0.00%    | 0.41%
SSH_Brute_Force             | 0.00%   | 0.00%    | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.18% | 0.00%  | 0.01%     | 0.00%    | 0.00%    | 0.19%
SSH_Service_Sweep           | 0.00%   | 0.00%    | 0.00% | 0.00%  | 0.00% | 0.08%  | 0.00% | 0.00%  | 0.02%     | 0.02%    | 0.00%    | 0.12%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00%   | 0.00%    | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.00%    | 0.00%    | 0.00%
TCP: SYN Host Sweep         | 0.00%   | 0.00%    | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.00%    | 0.00%    | 0.00%
Sweep Scan                  | 0.00%   | 0.00%    | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00% | 0.00%  | 0.00%     | 0.00%    | 0.00%    | 0.00%
Grand Total*                | 2.98%   | 33.71%   | 0.56% | 21.32% | 0.12% | 21.79% | 1.84% | 7.74%  | 0.06%     | 0.58%    | 9.30%    | 100.00%
Table 12. Activity from IP address 27.251.65.195 (1 January 2015 – 31 December 2015).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
2: Attacker IP address 141.105.70.98
Country location: Russia
This attacker was logged across six different
months in 2015, but there was no activity in either
June or September. The footprinting activity
included scans for the FTP port, which were followed
by FTP brute force attacks. Other ports were
scanned as well; notably the SIP (Session
Initiation Protocol, used in internet telephony)46
ports 5060, 5061, 5095, 5070, 5095, 6060,
and 6090. The FTP attacks from this attacker
could have been attempts to gain access to a
digital voice or collaboration system.
Signature           | April  | May    | July   | August | October | November | Total Event Count*
FTP_Auth_Failed     | 2.67%  | 6.60%  | 13.21% | 23.55% | 0.00%   | 0.00%    | 46.03%
TCP_Service_Sweep   | 27.29% | 0.00%  | 0.42%  | 0.29%  | 5.99%   | 0.00%    | 33.99%
FTP_User_Root       | 2.64%  | 1.27%  | 6.31%  | 6.47%  | 0.00%   | 0.00%    | 16.69%
Geo Protection      | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%   | 3.12%    | 3.12%
TCP: SYN Host Sweep | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.13%   | 0.00%    | 0.16%
Grand Total*        | 32.60% | 7.87%  | 19.94% | 30.35% | 6.12%   | 3.12%    | 100.00%
Table 13. Activity from IP address 141.105.70.98 (1 January 2015 – 31 December 2015).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
3: Attacker IP address 113.20.30.182
Country location: Indonesia
This attacker was seen in FTP brute force attack
logs for 5 out of 12 months, but was seen in SSH
brute force attack logs the month before attacks
from this address appeared for FTP brute force.

Signature                   | July  | August | September | October | November | December | Total Event Count*
FTP_User_Root               | 0.00% | 34.22% | 37.66%    | 0.54%   | 8.00%    | 0.66%    | 81.07%
TCP_Service_Sweep           | 0.01% | 0.09%  | 3.67%     | 0.41%   | 0.00%    | 4.66%    | 8.85%
FTP_Auth_Failed             | 0.00% | 1.34%  | 5.41%     | 0.05%   | 1.66%    | 0.34%    | 8.81%
SSH_Brute_Force             | 0.18% | 0.00%  | 0.00%     | 0.58%   | 0.20%    | 0.00%    | 0.96%
SSH_Service_Sweep           | 0.00% | 0.05%  | 0.00%     | 0.04%   | 0.12%    | 0.00%    | 0.21%
TCP: SYN Host Sweep         | 0.00% | 0.00%  | 0.05%     | 0.00%   | 0.00%    | 0.00%    | 0.05%
Sweep Scan                  | 0.00% | 0.01%  | 0.00%     | 0.00%   | 0.00%    | 0.01%    | 0.03%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00% | 0.00%  | 0.01%     | 0.00%   | 0.00%    | 0.00%    | 0.01%
Grand Total*                | 0.20% | 35.72% | 46.81%    | 1.62%   | 9.97%    | 5.68%    | 100.00%
Table 14. Activity from IP address 113.20.30.182 (1 January 2015 – 31 December 2015).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
4: Attacker IP address 211.109.1.231
Country location: Korea
This attacker was seen for just a little over one
month (7 May 2015 – 12 June 2015), so we’re
showing a daily view of this particular data rather
than a whole year’s worth (Tables 15 and 16). Even
though this is a short time frame of activity, due to
the high number of customers it attacked, this IP
address ranked fourth.
Signature                             | 7 May | 8 May | 10 May | 12 May | 13 May | 17 May | 18 May | 19 May | 22 May | 24 May | 25 May | 26 May | Total event count*
FTP_User_Root                         | 0.00% | 0.00% | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 53.51% | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 6.76%  | 74.50%
FTP_Auth_Failed                       | 0.34% | 0.01% | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.20%  | 0.00%  | 0.00%  | 0.00%  | 1.97%  | 15.27%
FTP_User                              | 0.00% | 0.00% | 0.00%  | 2.03%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 5.00%
TCP_Service_Sweep                     | 1.24% | 0.01% | 0.04%  | 0.12%  | 0.04%  | 0.11%  | 0.00%  | 1.25%  | 0.00%  | 0.15%  | 0.14%  | 0.02%  | 4.98%
FTP: login Bruteforce attempt (40001) | 0.00% | 0.00% | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.01%  | 0.24%
PSNG_TCP_PORTSWEEP_FILTERED           | 0.00% | 0.00% | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.01%
TCP: SYN Host Sweep                   | 0.00% | 0.00% | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.01%
Grand Total*                          | 1.58% | 0.02% | 0.05%  | 2.14%  | 0.04%  | 0.12%  | 53.51% | 1.43%  | 0.00%  | 0.15%  | 3.11%  | 10.78% | 100.00%
Table 15. Activity from IP address 211.109.1.231 (7 May 2015 – 26 May 2015).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
There are both footprinting and brute force (against
FTP) attack patterns. FTP User Root covers login
attempts for administrator accounts such as “root,”
“Administrator,” and “admin.” The largest event
count was from the brute force attacks, but the
footprinting attacks were seen across the greatest
number of days. The FTP User signature is an audit
event that isn’t enabled often, which explains why
the same volume of events is not seen for both FTP
User and FTP User Root.
Signature                             | 27 May | 28 May | 30 May | 31 May | 2 June | 4 June | 5 June | 8 June | 10 June | 11 June | 12 June | Total Event Count*
FTP_User_Root                         | 0.00%  | 0.03%  | 12.02% | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.01%   | 0.14%   | 0.00%   | 74.50%
FTP_Auth_Failed                       | 0.00%  | 0.00%  | 12.69% | 0.00%  | 0.00%  | 0.00%  | 0.01%  | 0.00%  | 0.00%   | 0.03%   | 0.03%   | 15.27%
FTP_User                              | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%   | 0.00%   | 0.00%   | 5.00%
TCP_Service_Sweep                     | 0.02%  | 0.00%  | 0.00%  | 0.00%  | 0.01%  | 0.14%  | 0.15%  | 0.01%  | 0.02%   | 0.14%   | 1.38%   | 4.98%
FTP: login Brute-force attempt(40001) | 0.09%  | 0.00%  | 0.00%  | 0.14%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%   | 0.00%   | 0.00%   | 0.24%
PSNG_TCP_PORTSWEEP_FILTERED           | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%   | 0.00%   | 0.00%   | 0.01%
TCP: SYN Host Sweep                   | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%  | 0.00%   | 0.01%   | 0.00%   | 0.01%
Grand Total*                          | 0.11%  | 0.03%  | 24.71% | 0.14%  | 0.01%  | 0.14%  | 0.15%  | 0.01%  | 0.03%   | 0.33%   | 1.41%   | 100.00%
Table 16. Activity from IP address 211.109.1.231 (27 May 2015 – 12 June 2015).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth. The Total Event
Count column is identical in Tables 15 and 16: it covers the whole 7 May – 12 June 2015 period, so the daily columns of each table alone
do not add up to it.
5: Attacker IP address 141.105.70.96
Country location: Russia
This attacker acted differently from the other top
five FTP brute force attacker IP addresses in that
its FTP brute force events (signatures highlighted
in grey in Table 17) did not have a high volume. Its
footprinting attacks logged higher event counts
and included sweeps and scans not only for port
21 (FTP), but also for common HTTP proxy ports
(81 through 88, 8080 through 8089), plus port
8086, registered with IANA for “Distributed SCADA
Networking Rendezvous Port,” and port 8383,
registered with IANA for “M2M Services”. M2M
means machine-to-machine and is associated with
IoT (Internet of Things) device use, generally in an
industrial context. We surmise that the attacker
was searching for specific industrial control
equipment with an exposed FTP service.
Signature                        | March  | April | May    | June   | July   | Total Event Count*
TCP_Probe_Other                  | 0.00%  | 0.00% | 0.00%  | 52.10% | 0.00%  | 52.10%
TCP_Service_Sweep                | 13.74% | 0.02% | 17.88% | 0.01%  | 2.64%  | 34.30%
TCP_Port_Scan                    | 0.03%  | 0.00% | 9.11%  | 0.02%  | 0.00%  | 9.17%
FTP_User_Root                    | 0.00%  | 0.91% | 0.12%  | 0.01%  | 0.97%  | 2.01%
FTP_Auth_Failed                  | 0.00%  | 0.49% | 0.20%  | 0.00%  | 0.89%  | 1.58%
FTP_User                         | 0.00%  | 0.74% | 0.00%  | 0.00%  | 0.00%  | 0.74%
TCP: SYN Host Sweep              | 0.00%  | 0.02% | 0.00%  | 0.00%  | 0.03%  | 0.05%
FTP Authorization Failure        | 0.00%  | 0.00% | 0.02%  | 0.00%  | 0.00%  | 0.02%
PSNG_TCP_PORTSWEEP_FILTERED      | 0.00%  | 0.01% | 0.00%  | 0.00%  | 0.00%  | 0.01%
HTTP_AuthResponse_Possible_CSRF  | 0.00%  | 0.00% | 0.00%  | 0.00%  | 0.01%  | 0.01%
PSNG_TCP_FILTERED_PORTSCAN       | 0.00%  | 0.01% | 0.00%  | 0.00%  | 0.00%  | 0.01%
Grand Total*                     | 13.78% | 2.20% | 27.33% | 52.15% | 19.94% | 100.00%
Table 17. Activity from IP address 141.105.70.96 (1 March 2015 – 31 July 2015).
Source: IBM MSS data.
Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher
percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.
Recommendations
Our data shows that footprinting techniques
such as service sweeps and port scans are still
being carried out with some frequency. Attackers
often use the results of scanning to conduct
brute force password attacks. Because the IoT
devices and industrial control systems increasingly
present in networks don’t always get the level of
security review given a new computer, they can
more easily fall victim to both footprinting and
brute force attacks. We provide the following
recommendations to help avoid this result.
Footprinting
• Footprint your own network from the Internet,
using the same techniques as an attacker. While
you may be able to assemble a kit of tools like
Kali Linux, a vulnerability scanning service can
continuously monitor your attack surface.
• Check network mapping search engines such
as Shodan to see if your banners are revealing
details they shouldn’t.
• Footprint your network from the inside to help
ensure that only approved and inventoried
devices are connected and to detect
unapproved devices. Your footprinting should
include port detection and software versions to
ensure that no unpatched, vulnerable versions
are present.
• Disable all unnecessary or insecure services,
replacing services that have weak security with
stronger counterparts. For example, replace
telnet with SSH.
• If a service such as SSH, which defaults to
listening on TCP port 22, can be changed
to another port number without negatively
impacting operations, doing so would lessen its
chance of being attacked by systems that could
connect to it.
• Use a firewall to allow access only from
authorized networks and IP addresses to
services they require. Do not allow “all” to
connect to services such as SSH, FTP and
databases unless that’s absolutely necessary for
the type of service you provide.
Brute force attacks
• Enforce complex passwords. Stipulate a minimum length of eight characters and a combination of upper- and lower-case letters, numbers and special characters such as punctuation marks and mathematical symbols.
• Change your password every so often, even when not forced to do so, but do NOT use a derivation of a previously used password. And never, ever use weak passwords.
• When you use the same password across many sites, you risk multiple account compromises if even just one vendor is breached. A local password manager helps in managing the use of many passwords. Keep the master password written down and locked securely in a safe.
• Make sure the answers to your security questions are difficult to guess or to look up in publicly available information. If a site lets you create your own question, make it as esoteric as possible. For example, one comedian suggested the question “What are you wearing right now?” and the answer “That’s a totally inappropriate question!” But obviously, don’t use that question and answer because we’ve just published it openly, haven’t we? Never use your real high school, mother’s maiden name, or any other information that can be gleaned from social media and public records such as obituaries. You can still use the maiden name option, of course. Just choose an answer that’s not true, and would be difficult to guess.
• Use two-factor authentication when available.
• Disable accounts if they’re not being used. If you’ve been granted access to an application or service but don’t plan to use it, have the account disabled. If you think you might happen to need it sometime in the distant future, challenge yourself to make the password the toughest one to crack.
• Implement account lockout features. That can be very effective at slowing down or blocking remote brute force password attacks, but please be aware of the considerations found here: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
• Do not allow administrator accounts to be logged into directly. Disable them in operating systems that allow you to do so.
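The following Python script is an added example, not code from the report, illustrating two of the controls above in working form: the complexity rule from the first bullet, and a per-source failure threshold of the kind an account-lockout or host-blocking feature applies when it reads the SSH daemon's authentication log. The log lines, the hostname, the addresses (RFC 5737 documentation ranges) and the threshold and window values are all constructed for the example; the year handed to the parser is an assumption, because syslog timestamps carry none.

```python
import re
import string
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not from the report).
SAMPLE_AUTH_LOG = """\
Apr 14 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Apr 14 10:00:03 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50113 ssh2
Apr 14 10:00:04 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50114 ssh2
Apr 14 10:00:06 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50115 ssh2
Apr 14 10:00:09 bastion sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 50116 ssh2
Apr 14 10:00:12 bastion sshd[2105]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Apr 14 10:01:30 bastion sshd[2106]: Failed password for alice from 198.51.100.21 port 40002 ssh2
Apr 14 10:20:45 bastion sshd[2107]: Failed password for alice from 198.51.100.21 port 40003 ssh2
"""

# Matches the "Failed password" line OpenSSH logs for a rejected password
# attempt, with or without the "invalid user" marker for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def meets_policy(password, min_length=8):
    """Apply the report's complexity rule: at least eight characters with
    upper-case, lower-case, digit and special (punctuation/math symbol) classes."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and all(classes)


def parse_failed_logins(text, year=2016):
    """Return a list of (timestamp, user, source_ip) for each failed-password line.
    The year is assumed: syslog timestamps do not include one."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("src")))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window threshold per source address.

    Returns {source_ip: time_threshold_was_reached} for every source that
    produced at least `threshold` failures inside `window`. Counting per
    source rather than per target account means a remote attacker cannot
    lock a legitimate user out simply by failing against that user's name."""
    recent = defaultdict(deque)   # source_ip -> timestamps still inside the window
    tripped = {}
    for ts, _user, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in tripped:
            tripped[src] = ts
    return tripped


if __name__ == "__main__":
    for pw in ("password", "Passw0rd", "Tr0ub4dor&3"):
        print(f"{pw!r:16} meets policy: {meets_policy(pw)}")
    events = parse_failed_logins(SAMPLE_AUTH_LOG)
    for src, when in brute_force_sources(events).items():
        print(f"threshold reached by {src} at {when:%H:%M:%S}")
```

With the constructed log, 203.0.113.7 reaches five failures in eleven seconds and is reported, while the two widely spaced failures from 198.51.100.21 stay below the threshold and look like a user mistyping a password. A per-source rule of this shape is what a host blocker enforces; it does not by itself catch an attacker who spreads attempts across many addresses, which is why the report's IP-persistence data and central log monitoring still matter alongside lockout.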
Protect your enterprise while
reducing cost and complexity
From infrastructure, data and application protection
to cloud and managed security services, IBM
Security Services has the expertise to help
safeguard your company’s critical assets. We
protect some of the most sophisticated networks
in the world and employ some of the best minds in
the business.
IBM offers services to help you optimize your
security program, stop advanced threats, protect
data and safeguard cloud and mobile. With
IBM Managed Security Services, you can take
advantage of industry-leading tools, security
intelligence and expertise that will help you improve
your security posture—often at a fraction of the
cost of in-house security resources. Our Managed
Protection Service offers around-the-clock
monitoring, management and incident escalation to
help protect your networks, servers and desktops.
Identity and Access Management services target
virtually every aspect of identity and access
management across your enterprise, including user
provisioning, web access management, enterprise
single sign-on, multi-factor authentication, and user
activity compliance.
About IBM Security
IBM Security offers one of the most advanced
and integrated portfolios of enterprise security
products and services. The portfolio, supported
by world-renowned IBM X-Force research and
development, provides security intelligence to
help organizations holistically protect their people,
infrastructures, data and applications, offering
solutions for identity and access management,
database security, application development, risk
management, endpoint management, network
security and more. IBM operates one of the world’s
broadest security research, development and
delivery organizations, monitors billions of security
events per day in more than 130 countries, and
holds more than 3,000 security patents.
About the Author
Scott Craig is a Threat Researcher for IBM Managed Security Services. Scott has worked in the IT field for more than 20 years, 17 of which were dedicated to computer security. Before being dedicated to computer security, Scott’s work as an enterprise Unix system administrator and a systems architect helped him to understand the way security fits into overall systems. Scott’s unique ability to find patterns of interest in security device logs is what helped him become successful in his last role in IBM Managed Security Services as a team lead of the Data Intelligence group. In his role as an IBM Threat Researcher, Scott mines through millions of rows of data in search of stories worth sharing with others. Through these efforts, he hopes to improve every entity’s data security which, in turn, helps every person who has a file about them somewhere.
Contributors
Dave McMillen – Senior Threat Researcher, Threat Research Group
Michelle Alvarez – Threat Researcher, Threat Research Group
For more information
To learn more about the IBM Security portfolio, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security
For more information on security services, visit: ibm.com/security/services
Follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog
© Copyright IBM Corporation 2016
IBM Security
Route 100
Somers, NY 10589
Produced in the United States of America
April 2016
IBM, the IBM logo, ibm.com and X-Force are trademarks of International Business Machines Corp., registered in
many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at
ibm.com/legal/copytrade.shtml
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United
States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all
offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted
according to the terms and conditions of the agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and outside your enterprise. Improper access
can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse
of your systems, including for use in attacks on others. No IT system or product should be considered completely
secure and no single product, service or security measure can be completely effective in preventing improper use or
access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach,
which will necessarily involve additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
SEL03093-USEN-00