Nettitude Blog

How to Monitor Your External Devices and Improve Your Alerts (pt.2)

Posted by Graham Sharples on Aug 29, 2017 4:41:52 PM

Earlier this week we published the first half of this blog. The preceding part can be found here: http://blog.nettitude.com/how-to-monitor-your-external-devices-and-improve-your-alerts-pt.1

Being able to detect new malware infections or security breaches on a network or on a computer system without known signatures is always a challenge. We explore a simple and efficient solution to monitor external facing assets, such as servers, and we discuss the data that was collected during the experimental period.

In this experiment, Nettitude deployed an Internet-facing Windows Server 2012 host that was configured for monitoring. During June 2017, over 5 million events were collected. Nettitude will explain the setup process and discuss the data collected, which will ultimately lead towards a better monitoring system.

Data Analysis

The following data was recorded between June 1st at 00:01 and June 30th at 23:59, 2017. When the Windows server was fully configured, port 3389 (RDP) and port 80 (Microsoft IIS httpd) were visible to the internet. The full extent of how visible RDP can be was previously covered by Nettitude.

Number of events

During the month of June 2017, Nettitude recorded 5,170,688 events. This is a considerable amount of data which would be difficult to understand using Event Viewer alone.

How to avoid false positives and tune your IDS/IPS

Throughout the month of June, 792 unique IP addresses were observed visiting the Windows server. Nettitude observed a large variation in the number of visits from the different IPs. Table 2 below shows a breakdown of the interactions IP addresses had with the server. The amount of time an unauthorised IP address spends interacting with your server may indicate what it is or what it is trying to achieve.

Interaction count | Number of IP addresses | Comments                              | Map legend
------------------|------------------------|---------------------------------------|-----------
1 – 9             | 187                    | Masscan or another web index engine.  | Green
10 – 99           | 218                    | Mostly expected.                      | Purple
100 – 999         | 252                    | Mostly vulnerability scanners.        | Yellow
1000 – 9999       | 124                    | Mild brute force attack.              | Red
10,000 – 56,174   | 11                     | Aggressive brute force attack.        | Blue

Table 2: Number of IP addresses grouped by their number of interactions on the Windows server.

The software program masscan is able to scan the entire internet for a single port within 10 hours, which explains the large number of IP addresses in the 1 – 9 band. With this information alone, we can now build alerts that trigger when a certain number of interactions are received from the same IP address.

Number of countries

Attacks originated from 73 countries. As shown in Figure 7, Europe, the USA and Asia, specifically China, are well represented on the map.

[Figure 7 image] Figure 7: Spread of attacker IPs organised by language.

All major providers of VPS or cloud services were represented in the IPs used. As a consequence, VPS providers cannot be whitelisted for security purposes, and all VPS IPs should be treated as suspicious.

[Figure 8 image] Figure 8: Countries by number of IP addresses.

Figure 8 shows the spread of IP addresses across the world, with the highest number of IP addresses coming from the United States. Altogether the 792 IP addresses were located in 73 unique countries.

 

Top 10 Usernames

As soon as the Windows server went live, failed login attempts could be seen happening at a fast rate. The top ten login names used are shown in Table 3 below, including the number of times each was attempted.

User name     | Number of attempts
--------------|-------------------
administrator | 522,394
admin         | 28,755
test          | 6,893
user          | 5,207
testuser      | 4,416
scanner       | 3,967
temp          | 2,883
system        | 2,475
user1         | 2,306
scan          | 1,838

Table 3: Top 10 login names attempted.

These numbers add up to 581,134 login attempts. This figure does not really sink in until you realise that it represents the number of times a program or person has tried to log in to your Windows machine: well over half a million in just one month.

Lessons learnt:

  • Default usernames are not the best choice. This gives the attacker 50% of what he needs to break in.
  • Common words: words from the dictionary are easy to guess and exist in most password lists.
  • Dictionary words joined together to form a longer word are equally guessable.
  • Common words with a slight change, especially a number at the end, are also covered by password lists.

From the data shown in Table 3, it is clear that a lot of threat actors spend time trying to find Windows servers with the default username “administrator”. Given how much can be gained from accessing an administrator’s account, this is as good a place as any to start guessing usernames. Altogether 31,513 unique usernames were tried against the server.

 

Languages used in the password guessing process

We analysed the usernames collected and observed 71 different languages in use. Администратор, the Russian word for administrator, was tried 926 times. One lesson from this analysis is that attackers are aware that users may think their passwords are unique because they use a language different from the region they operate in. Such tricks will not work unless the passwords are sufficiently complex.

Afrikaans               | Hausa                         | Chichewa; Chewa; Nyanja
Arabic                  | Hawaiian                      | Polish
Azerbaijani             | Hindi                         | Portuguese
Bulgarian               | Hmong; Mong                   | Romanian
Bosnian                 | Croatian                      | Russian
Catalan; Valencian      | Haiti                         | Slovak
Cebuano                 | Hungarian                     | Slovenian
Corsican                | Indonesian                    | Samoan
Czech                   | Igbo                          | Shona
Welsh                   | Icelandic                     | Somali
Danish                  | Italian                       | Albanian
Germany                 | Japanese                      | Sotho, Southern
Greek-Modern            | Javanese                      | Sundanese
English                 | Kurdish                       | Swedish
Esperanto               | Latin                         | Swahili
Spanish                 | Luxembourgish; Letzeburgesch  | Tagalog
Estonian                | Lithuanian                    | Turkish
Basque                  | Latvian                       | Undetermined
Finnish                 | Malagasy                      | Uzbek
French                  | Maori                         | Vietnamese
Western Frisian         | Malay                         | Xhosa
Irish                   | Maltese                       | Yoruba
Gaelic; Scottish Gaelic | Dutch; Flemish                | Chinese
Galician                | Norwegian                     | Zulu

Table 4: Languages found through the password list.

From the spread of languages in Table 4 it is hard to tell whether we were being specifically targeted. It is safer to say that everyone, regardless of location, is a potential target. The top 10 languages used are shown in Figure 9.

[Figure 9 image] Figure 9: Top 10 languages used.

Key Windows event IDs

When viewing Event Viewer, it becomes very clear that every event that happens on a Windows system is given an event ID. These event IDs are used as references to uniquely identify each kind of event and catalogue it into its event grouping.

[Figure 10 image] Figure 10: Event ID 4625 over the course of June.

Event ID 4625 records a failed account logon; on this server the failures came through RDP. As these are login attempts they relate directly to the usernames tried, and Figure 10 shows the spread of this data over June 2017. The graph also shows that there were between 15,000 and 25,000 login attempts per day.

Per hour there were between 800 and 1,300 login attempts. Selecting a single one-hour period on 12th June 2017 between 01:00 and 02:00 revealed 1,125 login attempts, consisting of 978 attempts using “administrator”, 99 using “admin” and another 48 different usernames.
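The per-IP banding of Table 2 and the hourly username breakdown above can be reproduced from exported 4625 records. The script below is an added example, not code from the Nettitude post; the record format (a dict with time, event_id, TargetUserName and IpAddress) and all sample events are constructed, and the 1,000-interaction alert threshold is an assumption taken from the Table 2 "Red" band.

```python
"""Triage of Windows Security event 4625 (failed logon) records.

Added example, not code from the Nettitude post. Applies the Table 2
interaction bands to per-IP counts, alerts on IPs over a threshold, and
summarises one hour of attempts by username. All records are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Table 2 bands as (inclusive upper bound, label); anything above is aggressive.
BANDS = [(9, "scanner / index engine"), (99, "mostly expected"),
         (999, "vulnerability scanner"), (9999, "mild brute force")]

def classify_ip(count):
    """Map a per-IP interaction count onto the post's Table 2 bands."""
    for upper, label in BANDS:
        if count <= upper:
            return label
    return "aggressive brute force"

def per_ip_bands(events):
    """Return {ip: (count, band)} over the 4625 records only."""
    counts = Counter(e["ip"] for e in events if e["event_id"] == 4625)
    return {ip: (n, classify_ip(n)) for ip, n in counts.items()}

def alert_ips(events, threshold=1000):
    """IPs whose failed-logon count reaches the alert threshold (assumed: Table 2 'Red')."""
    return sorted(ip for ip, (n, _) in per_ip_bands(events).items() if n >= threshold)

def hourly_username_summary(events, hour_start):
    """Count 4625 attempts per TargetUserName in the hour starting at hour_start."""
    hour_end = hour_start + timedelta(hours=1)
    users = Counter(e["user"].lower() for e in events
                    if e["event_id"] == 4625 and hour_start <= e["time"] < hour_end)
    return {"total": sum(users.values()), "by_user": dict(users)}

def _make(ip, user, n, start):
    """Constructed 4625 records, one per second, from a single source IP."""
    return [{"time": start + timedelta(seconds=i), "event_id": 4625,
             "user": user, "ip": ip} for i in range(n)]

# Constructed sample (documentation IP ranges), not the post's dataset.
T0 = datetime(2017, 6, 12, 1, 0, 0)
SAMPLE = (_make("203.0.113.5", "administrator", 1200, T0)            # brute force
          + _make("198.51.100.7", "admin", 30, T0)                   # low volume
          + _make("192.0.2.9", "test", 3, T0 + timedelta(hours=1))   # next hour
          + [{"time": T0, "event_id": 4624, "user": "svc_backup",
              "ip": "10.0.0.2"}])                                    # success, ignored
```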

 

Attack trends based on our web server IIS logs

  • Microsoft CVE-2017-7269, WebDAV Remote Code Execution Vulnerability: we observed automated attacks against our IIS server. Whilst the version we were running was not vulnerable, we still recorded attempts to gain remote access through the PROPFIND request. The severity of this vulnerability is rated 10. Running an old version of IIS (6.0) is a serious business risk as exploitation code is freely available online.
  • Multiple directories were targeted. A selection of interesting ones is listed below in Table 5:

Directory                       | Description
--------------------------------|------------------------------------------------------------------------
/dnscfg.cgi                     | Attempt to reconfigure a vulnerable router
/CFIDE/administrator            | ColdFusion admin bypass attempts
/_phpmyadmin/scripts/setup.php  | Weak or poor installation of the phpMyAdmin toolkit
/app/mailer/account/signin.php  | An attempt to find an easy way to register an account
/testproxy.php                  | Most likely testing for an open reverse proxy in order to attempt to install CryptoLocker
/manager/html                   | Unauthenticated exploit
/sql/phpmanager                 | Targeting SQL database

Table 5: Targeted directories.

  • Mozilla/5.0+Jorgee: the Jorgee web scanner is known to target PHP applications; its share of requests is shown in Table 6.

Browser user agent | Frequency
-------------------|----------
Mozilla/5.0+Jorgee | 68.43%
Wget(linux)        | 3.99%
ZmEu               | 3.43%

Table 6: Web agents.

We observed an increase in automated vulnerability scanners used by attackers. We recently published a blog discussing tools that were gathered from an attacker’s toolbox. Whilst phishing attacks are not as popular these days, attackers are using other ways to gain a foothold in a company’s environment.
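The IIS log observations above (PROPFIND probes, the Table 5 directories and the Table 6 user agents) can be pulled out of W3C extended logs with a short parser. This is an added example, not code from the Nettitude post; the #Fields column selection and every log line are constructed, and only Jorgee and ZmEu are treated as scanner signatures (Wget is deliberately not flagged).

```python
"""Triage of IIS W3C log lines for the patterns the post reports.

Added example, not code from the Nettitude post. Flags PROPFIND requests
(the method probed in the CVE-2017-7269 attempts), requests for the
Table 5 directories and the scanner user agents of Table 6, and computes
user-agent frequency. The #Fields header and log lines are constructed.
"""
from collections import Counter

TARGETED = {"/dnscfg.cgi", "/cfide/administrator", "/_phpmyadmin/scripts/setup.php",
            "/app/mailer/account/signin.php", "/testproxy.php", "/manager/html",
            "/sql/phpmanager"}                 # Table 5, lower-cased for comparison
SCANNER_UA = ("Jorgee", "ZmEu")               # Table 6; Wget(linux) is not a scanner here

def parse_iis(text):
    """Parse W3C extended log text, taking column names from its #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))  # IIS writes '+' for spaces
    return records

def flag(rec):
    """Return the reasons (possibly none) a single request deserves attention."""
    reasons = []
    if rec["cs-method"].upper() == "PROPFIND":
        reasons.append("PROPFIND request (WebDAV probe)")
    if rec["cs-uri-stem"].lower() in TARGETED:
        reasons.append("targeted directory " + rec["cs-uri-stem"])
    ua = rec["cs(User-Agent)"]
    if any(s in ua for s in SCANNER_UA):
        reasons.append("scanner user agent " + ua)
    return reasons

def triage(records):
    """(client IP, URI, reasons) for every request that raised at least one reason."""
    return [(r["c-ip"], r["cs-uri-stem"], flag(r)) for r in records if flag(r)]

def ua_frequency(records):
    """Percentage share of each user agent, as in Table 6."""
    counts = Counter(r["cs(User-Agent)"] for r in records)
    return {ua: round(100 * n / len(records), 2) for ua, n in counts.items()}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2017-06-12 01:03:11 10.0.0.5 GET /index.html - 80 203.0.113.5 Mozilla/5.0+Jorgee 200
2017-06-12 01:03:12 10.0.0.5 GET /_phpmyadmin/scripts/setup.php - 80 203.0.113.5 Mozilla/5.0+Jorgee 404
2017-06-12 01:04:40 10.0.0.5 PROPFIND / - 80 198.51.100.7 Mozilla/4.0 404
2017-06-12 01:05:02 10.0.0.5 GET /manager/html - 80 192.0.2.9 ZmEu 404
2017-06-12 01:06:00 10.0.0.5 GET /about - 80 192.0.2.44 Wget(linux) 200
"""
```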

 

Summary

Setting up a monitoring system can be simplified given the right tools. The data analysed shows that companies must have continuous scanning in place to identify any vulnerabilities, and that default settings such as login names and directories should be avoided. The system in this blog can be expanded to monitor multiple hosts by following the model in Figure 11.

[Figure 11 image] Figure 11: Future prospect with more Windows machines providing more data.
