Nettitude Blog

Global statistics: An insight in to Nettitude's latest honeypot findings

Posted by Media marketing on Nov 7, 2016, 10:00:28 AM

Knowing the methods, sophistication and modus operandi of threat actors, and how this changes over time is fascinating. The Nettitude Global Honeypot network has been upgraded recently to capture more in-depth information and more interactions from attackers. This section gives you an overview of the trends and highlights from recently captured data.

Overview
Remote Desktop Protocol (RDP) was developed by Microsoft to allow users to connect to a remote system over a network connection.

The end user will deploy RDP client software whilst the remote server will run RDP server software. The client software exists for Windows, Linux, Unix, OS X, iOS and Android as well as several other operating systems.
RDP server services are built into Windows and are also available for Unix and OS X.

The protocol has recently been exploited by the Apocalypse ransomware group. They brute forced weak RDP server passwords, gaining access to a victim’s infrastructure and encrypting files whilst gaining first-hand knowledge of network configurations. The data below shows that RDP is still a popular protocol to explore, with attacks originating from three separate continents.

Attacking RDP
The United States accounts for the vast majority of attacks against the RDP protocol (tcp/3389), as seen in Figure 1. The protocol is commonly used by system administrators to remotely access a user's system to assist with troubleshooting. As previously mentioned, poorly configured RDP servers can offer a staging post for attacks against a system. With millions of endpoints utilising this protocol, it is not unusual to see attacks against it.

[Figure 1: Countries targeting port 3389 (Remote Desktop); image: https://www.nettitude.co.uk/wp-content/uploads/2016/11/Countries-Targetting-Port-3389-Remote-Desktop-1030x775.jpg]

Attacker OS
Nearly 75% of attacks against RDP originated from Windows terminals, specifically Windows 7 or 8, as seen in Figure 2. This is consistent with the popularity of the RDP protocol, its compatibility with Windows OS and the likelihood that a victim has it supported on a Windows server.

[Figure 2: Attackers' operating system; image: https://www.nettitude.co.uk/wp-content/uploads/2016/11/ATTACKERS_OPERATING_SYSTEM-1030x753.jpg]

Iran
Most attackers mainly use Windows 7 or 8. Unlike attacks observed from the United States and Iraq, Iranian attackers focused their efforts against port 22, which provides the Secure Shell (SSH), Secure File Transfer Protocol (SFTP) and port forwarding, as seen in Figure 3. Iran, as a nation state, has significantly improved its cyber capability since the Stuxnet and Flame attacks in 2010 and 2012. Since the election of Hassan Rouhani as President in 2013, funding for cyber security has risen by 1,200% (between 2013 and 2016).

Iran has sought to harden its defences and learn from the Advanced Persistent Threat (APT) campaigns that were directed at Iran. The Internet itself is less censored, which has paved the way for an increase in malicious activity originating from, or routed through, Iran. As is seen in China, Internet Service Providers are leveraged by attackers to conduct attacks, be they automated or manually crafted campaigns. These allow for a certain level of anonymity.

[Figure 3: Iran (Islamic Republic of); image: https://www.nettitude.co.uk/wp-content/uploads/2016/11/Iran-Islamic-Republic-of-1030x827.jpg]

Iraq
Iraq has recently seen victims targeted by a group known as Operation Ghoul, a credential harvesting group that exploits victims using spear phishing emails. Interestingly, the attacks originating from Iraq, and captured by the honeypot, target port 3306, which typically hosts the MySQL database system, as can be seen in Figure 4. Databases are often a rich repository of information, with organisations often using them to store confidential material. For example, a poorly configured SQL database would afford attackers the ability to harvest credentials and sell that information for monetary gain.

[Figure 4: Iraq; image: https://www.nettitude.co.uk/wp-content/uploads/2016/11/IRAQ-1030x753.jpg]

URL Statistics
One of the more interesting areas to investigate is Uniform Resource Locator (URL) information, specifically focused on the origins of malware. URLs themselves are the global addresses of documents and other resources on the web. They are also used as staging posts for launching malware.

Nettitude, through its global network of honeypots, has captured vast swathes of information that has helped us understand malware trends and identify the domains through which they are being hosted. Figure 5 lists the top ten worst ISPs for hosting malicious URLs. Between them they account for 79% of the total number of maliciously hosted URLs. It is difficult to ascertain the source of these campaigns, be that the actual threat actor or a compromised computer used as a bot; however, it does show that ISPs are an ideal medium through which to launch malicious activity.

Nettitude has drawn on historical data and observed the creation of just over 139,000 malicious domains, as seen in Figure 6. Of those, just over 77,000 have been created since 2014, accounting for 55% of the total number observed. In 2015 alone, over 53,000 were created, a record number since data records began. This is a staggering statistic and one that is going to increase by the end of 2016.

[Figure 5: Top 10 URL registrars; image: https://www.nettitude.co.uk/wp-content/uploads/2016/11/top-10-url-registrars.jpg]

This article has been taken from the Cyber Threat Intelligence (CTI) Report produced by Nettitude's Research and Innovation team. If you would like a copy of the CTI Report, you can request it here.

Authors: Phil Buck and Dr Jules Pagna Disso in Nettitude's Research and Innovation team.

To contact Nettitude's editor, please email media@nettitude.com.
