Since the WannaCry ransomware outbreak in May 2017, many people have been wondering what will be next…
The use of a sophisticated exploit that enabled the worm element to propagate was both clever and worrying. But the relatively unsophisticated ransomware attached to it meant that for many people, the impact was containable by simply patching systems.
Companies dread the news that they are being held to ransom, especially when it comes through a more sophisticated mechanism that cannot so easily be stopped, and particularly those that acknowledge their protection is not as up to date as it should be.
The WannaCry malware is a good example of how an attacker can take advantage of a vulnerability and a recent exploitation tool that has been made available to the public.
Attackers have you on their watch list…
Nettitude was called and asked to attend a cyber breach in recent weeks. During the investigation, we started tracing all the IP addresses and web links in the logs of the infected machines. Many were benign and legitimate connections from the users and applications on that device.
However, we stumbled across one of the internet servers in the list that had been used by the attacker. The server was unprotected at the time of discovery. A few days later, access to the server was locked down. Before this happened, we were able to freely download the files available on the malicious internet server. We then took a deeper look to see if we could learn how this particular threat actor was organising its operations.
Identifying their targets
The first thing we noticed was that the attackers had developed code that allowed them to acquire a list of targets and group them by category. In particular, Nettitude found pieces of code that allowed the attackers to target a group of companies by looking at their service provider. Customers of Microsoft Azure appeared to be targets of choice for this attacker.
Figure 1: Source code used to download list of target IPs
Nettitude was able to identify 53,330 IPs in one of the lists produced by the code given in Figure 1, all of which are Azure customers. The attacker could run this script daily to ensure the list was kept up to date, in order to:
- Gather new IPs as they are added
- Check if new services have been added to existing IP addresses
- Check for new mistakes or changes in configuration.
This data can easily then be used to select the next victims.
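The same daily refresh-and-diff loop is just as useful from the defending side: if you snapshot your own external inventory every day and diff it, you see the new host, the newly exposed port or the configuration regression before a scanner does. The following is an added example, not code from the Nettitude post or from the attacker's toolkit; the snapshot format, the two constructed snapshots (RFC 5737 documentation addresses) and the `RISKY_PORTS` set are assumptions made for the example.

```python
"""Diff two snapshots of your own external exposure.

Reports the three kinds of change the post says the attacker's script looks
for: brand-new IPs, new services on existing IPs, and changed configuration
on existing services. Added example; snapshot format and data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Snapshot format assumed for this example: public IP -> {port: fingerprint}.
# Constructed sample data using RFC 5737 documentation ranges only.
YESTERDAY: Dict[str, Dict[int, str]] = {
    "203.0.113.10": {443: "nginx/1.18 tls1.2+", 22: "OpenSSH_8.2"},
    "203.0.113.11": {443: "IIS/10.0 tls1.2+"},
}
TODAY: Dict[str, Dict[int, str]] = {
    "203.0.113.10": {443: "nginx/1.18 tls1.2+", 22: "OpenSSH_8.2", 1433: "MSSQL 2017"},
    "203.0.113.11": {443: "IIS/10.0 tls1.0+"},   # TLS floor regressed
    "203.0.113.12": {3389: "RDP"},                # host not present yesterday
}

# Ports whose exposure the post singles out as attractive to automated scanners
# (database services, remote admin). Assumed list for triage, not exhaustive.
RISKY_PORTS = {21, 23, 445, 1433, 3306, 3389, 5432}


@dataclass(frozen=True)
class Change:
    kind: str            # "new_ip", "new_service" or "config_change"
    ip: str
    port: Optional[int]  # None for a whole new host
    detail: str


def diff_exposure(old: Dict[str, Dict[int, str]],
                  new: Dict[str, Dict[int, str]]) -> List[Change]:
    """Return every externally visible change between two snapshots."""
    changes: List[Change] = []
    for ip, services in new.items():
        if ip not in old:
            changes.append(Change("new_ip", ip, None, f"{len(services)} exposed service(s)"))
            continue
        for port, fingerprint in services.items():
            if port not in old[ip]:
                changes.append(Change("new_service", ip, port, fingerprint))
            elif old[ip][port] != fingerprint:
                changes.append(Change("config_change", ip, port,
                                      f"{old[ip][port]} -> {fingerprint}"))
    return changes


def triage(changes: List[Change]) -> List[Change]:
    """Order changes so the ones a scanner would act on first come first."""
    def severity(c: Change) -> int:
        if c.kind == "new_ip":
            return 0                      # unknown host: review immediately
        if c.port in RISKY_PORTS:
            return 1                      # database / remote-admin port exposed
        return 2
    return sorted(changes, key=severity)


if __name__ == "__main__":
    for change in triage(diff_exposure(YESTERDAY, TODAY)):
        print(f"{change.kind:14} {change.ip:14} {change.port or '-':>5}  {change.detail}")
```

Feed it whatever your own external scan or cloud inventory export produces, one snapshot per day; the point is that the diff, not the full list, is what gets reviewed, which is exactly how the attacker keeps a 53,000-entry list manageable.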
Once the list of target IPs has been downloaded, the attacker will start scanning each IP to discover all open ports. As shown in the script, the attacker can specify the port numbers he is interested in (Figure 2).
Figure 2: Scanning to find open ports
After establishing which port numbers are open, the attacker will start probing for specific services. These services are then mapped to specific vulnerabilities.
The attacker will perform a number of scans based on the type of services that have been identified. SQL database scanning was a typical example that was referenced in the code analysed.
Any results found from the scan are pushed into the IRC channel controlled by the attacker. The attacker can then decide whether to deploy other tools based on the vulnerabilities that have been discovered.
Using the technique described above, it is very easy for the attacker to use virtual private servers (VPS) that cost very little ($1-5 per month) to scan their target IPs non-stop until they find one that is vulnerable. This is done against currently secure IPs too, because new vulnerabilities are frequently released and production systems change; a previously secure system may now be susceptible.
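Because the scanning is continuous and automated, it is also noisy: one source touching many ports on one of your hosts within seconds, and coming back day after day, is the signature to look for in perimeter logs. The following is an added example, not code from the post; it assumes a simple constructed firewall log format (timestamp, ALLOW/DENY, `src`, `dst`, `dport`) and constructed sample lines using documentation addresses. It counts ALLOW lines as well as DENY lines, since, as the post notes, scans hit secure hosts too and a probe of an open port is still part of the sweep.

```python
"""Port-scan and repeat-scanner detection over firewall log lines.

Added example with a constructed log format; adapt LOG_RE to your own
firewall's export. Documentation addresses (RFC 5737) only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed log line shape for this example (not any vendor's real format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 198.51.100.7 sweeps ports on two consecutive days
# (including one ALLOWed hit on 443); 192.0.2.50 is an ordinary HTTPS client.
SAMPLE_LOG = """\
2017-06-01T10:00:01Z DENY src=198.51.100.7 dst=203.0.113.10 dport=21
2017-06-01T10:00:01Z DENY src=198.51.100.7 dst=203.0.113.10 dport=22
2017-06-01T10:00:02Z DENY src=198.51.100.7 dst=203.0.113.10 dport=23
2017-06-01T10:00:02Z DENY src=198.51.100.7 dst=203.0.113.10 dport=1433
2017-06-01T10:00:03Z DENY src=198.51.100.7 dst=203.0.113.10 dport=3306
2017-06-01T10:00:03Z ALLOW src=198.51.100.7 dst=203.0.113.10 dport=443
2017-06-01T10:00:05Z ALLOW src=192.0.2.50 dst=203.0.113.10 dport=443
2017-06-01T10:00:09Z ALLOW src=192.0.2.50 dst=203.0.113.10 dport=443
2017-06-02T09:30:00Z DENY src=198.51.100.7 dst=203.0.113.10 dport=22
2017-06-02T09:30:00Z DENY src=198.51.100.7 dst=203.0.113.10 dport=1433
2017-06-02T09:30:01Z DENY src=198.51.100.7 dst=203.0.113.10 dport=3389
2017-06-02T09:30:01Z DENY src=198.51.100.7 dst=203.0.113.10 dport=5432
2017-06-02T09:30:02Z ALLOW src=198.51.100.7 dst=203.0.113.10 dport=443
"""

Event = Tuple[datetime, str, str, str, int]   # (ts, action, src, dst, dport)


def parse_log(text: str) -> List[Event]:
    """Parse raw lines into sorted events; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["action"], m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def detect_port_scans(events: List[Event], window_seconds: int = 60,
                      min_ports: int = 5) -> Dict[Tuple[str, str], int]:
    """Flag (src, dst) pairs where src touches >= min_ports distinct ports
    on dst inside a sliding window. Returns the largest port count seen."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], int] = {}
    for ts, _action, src, dst, dport in events:   # action ignored on purpose
        q = recent[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:        # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(distinct))
    return alerts


def recurring_scanners(events: List[Event]) -> Dict[str, int]:
    """Distinct days on which each source appears; regular rescans show up here."""
    days = defaultdict(set)
    for ts, _action, src, _dst, _dport in events:
        days[src].add(ts.date())
    return {src: len(seen) for src, seen in days.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), n in detect_port_scans(evs).items():
        print(f"scan: {src} -> {dst}, {n} distinct ports within 60s")
    for src, n in recurring_scanners(evs).items():
        print(f"{src} seen on {n} day(s)")
```

The window size and port threshold are tuning knobs: a slow scanner spreading probes over hours will need a longer window, and a public web host will need ports that legitimately receive traffic excluded from the count, or the threshold raised. What matters is that the detection runs on every source, including those whose probes were allowed, and that sources recurring across days are surfaced rather than treated as one-off noise.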
Are you on a target list?
Quite possibly! In this case it is just Azure, but all public IPs and URLs are easily obtainable these days through a variety of methods and public repositories/sources. As long as your IP address is visible online, your company will most likely be on a target list somewhere. Companies that have monitoring in place will confirm how often they are scanned by the same attackers' systems.
There are many factors that attackers will take advantage of, including:
- Any unpatched system
- Any poor system configurations or mistakes
- Release of new software/product versions (these present a potential opportunity for new attacks)
- Change of IT staff
- Release of new zero-day/CVE vulnerabilities
- Public release of malicious tools (including the release of more sophisticated tools to exploit vulnerabilities that were not previously exploitable)
- Password/Account data dumps (The attacker could use corresponding user emails and passwords against your perimeter)
How to avoid being a victim
There are some straightforward measures you can implement to protect yourself against these types of attack. Understanding they happen is the first step.
- Patching is an absolute must: patching, patching and patching
- Monitoring is key! Monitoring is arguably the most important action against cyber-attacks. Monitor at the right points within your environment for the types of attack you expect to see
- Ensure your public facing perimeter defences are strong
- Review your security posture periodically to ensure that vulnerabilities are quickly discovered and fixed
- Conduct regular penetration testing, vulnerability scanning and red teaming against your infrastructure
- Ultimately, have a security strategy in place to address the threats you face
Every single company can be a target merely due to their online presence. As long as you have a presence on the Internet, you are a potential target. It is also true that certain companies will be targeted for specific objectives.
Attackers are continually watching, scanning and testing systems, waiting for one of them to lower its guard or become vulnerable so they can take full advantage. Given that their attacks are mostly automated (at least at the start), it is likely that a simple mistake could result in the company network being controlled by the attacker.
Phishing attacks are the most prevalent of initial attacks but they are not the only method being deployed by attackers.
The right kind of detection and response monitoring is key – a 100% secure posture will always be impossible to maintain.