Catching the hackers in the act Published duration 2 September 2017

image copyright ktsimage image caption Attack bots scan net address ranges looking for vulnerable servers

Cyber-criminals start attacking servers newly set up online about an hour after they are switched on, suggests research.

The servers were part of an experiment the BBC asked a security company to carry out to judge the scale and calibre of cyber-attacks that firms face every day.

About 71 minutes after the servers were set up online they were visited by automated attack tools that scanned them for weaknesses they could exploit, found security firm Cybereason.

Once the machines had been found by the bots, they were subjected to a "constant" assault by the attack tools.

Thin skin

The servers were accessible online for about 170 hours to form a cyber-attack sampling tool known as a honeypot, said Israel Barak, chief information security officer at Cybereason. The servers were given real, public IP addresses and other identifying information that announced their presence online.

"We set out to map the automatic attack activity," said Mr Barak.

To make them even more realistic, he said, each one was also configured to superficially resemble a legitimate server. Each one could accept requests for webpages, file transfers and secure networking.

image copyright die-phalanx image caption The attack bots look for well-known weaknesses in widely used web applications

"They had no more depth than that," he said, meaning the servers were not capable of doing anything more than providing a very basic response to a query about these basic net services and protocols.

"There was no assumption that anyone was going to go in and probe it and even if they did, there's nothing there for them to find," he said.

The servers' limited responses did not deter the automated attack tools, or bots, that many cyber-thieves use to find potential targets, he said. A wide variety of attack bots probed the servers seeking weaknesses that could be exploited had they been full-blown, production machines.

Many of the code vulnerabilities and other loopholes they looked for had been known about for months or years, he said. However, added Mr Barak, many organisations struggled to keep servers up-to-date with the patches that would thwart these bots potentially giving attackers a way to get at the server.

During the experiment:

17% of the attack bots were scrapers that sought to suck up all the web content they found

37% looked for vulnerabilities in web apps or tried well-known admin passwords

10% checked for bugs in web applications the servers might have been running

29% tried to get at user accounts using brute force techniques that tried commonly used passwords

7% sought loopholes in the operating system software the servers were supposedly running

"This was a very typical pattern for these automatic bots," said Mr Barak. "They used similar techniques to those we've seen before. There's nothing particularly new."

As well as running a bank of servers for the BBC, Cybereason also sought to find out how quickly phishing gangs start to target new employees. It seeded 100 legitimate marketing email lists with spoof addresses and then waited to see what would turn up.

image copyright Devonyu image caption Phishing gangs were quick to find new email addresses and start sending booby-trapped messages

After 21 hours, the first booby-trapped phishing email landed in the email inbox for the fake employees, said Mr Barak. It was followed by a steady trickle of messages that sought, in many different ways, to trick people into opening malicious attachments.

About 15% of the emails contained a link to a compromised webpage that, if visited, would launch an attack that would compromise the visitor's PC. The other 85% of the phishing messages had malicious attachments. The account received booby-trapped Microsoft Office documents, Adobe PDFs and executable files.

Brian Witten, senior director at Symantec research

We use a lots of honeypots in a lot of different ways. The concept really scales to almost any kind of thing where you can create a believable fake or even a real version of something. You put it out and see who turns up to hit it or break it.

There are honeypots, honey-nets, honey-tokens, honey anything.

When a customer sees a threat that's hit hundreds of honeypots that's different to when they see one that no-one else has. That context in terms of attack is very useful.

Some are thin but some have a lot more depth and are scaled very broadly. Sometimes you put up the equivalent of a fake shop-front to see who turns up to attack it.

If you see an approach that you've never seen before then you might let that in and see what you can learn from it.

The most sophisticated adversaries are often very targeted when they go after specific companies or individuals.

Mr Barak said the techniques used by the bots were a good guide to what organisations should do to avoid falling victim. They should harden servers by patching, controls around admin access, check apps to make sure they are not harbouring well-known bugs and enforce strong passwords

Deeper dive

Criminals often have different targets in mind when seeking out vulnerable servers, he said. Some were keen to hijack user accounts and others sought to take over servers and use them for their own ends.

image copyright CHBD image caption Honeypots have become a useful tool for security firms keen to understand hack attack techniques

Cyber-thieves would look through the logs compiled by attack bots to see if they have turned up any useful or lucrative targets. There had been times when a server compromised by a bot was passed on to another criminal gang because it was at a bank, government or other high-value target.

"They sell access to parts of their botnet and offer other attackers access to machines their bots are active on," he said. "We have seen cases where a very typical bot infection turns into a manual operation."

In those cases, attackers would then use the foothold gained by the bots as a starting point for a more comprehensive attack. It's at that point, he said, hackers would take over and start to use other digital attack tools to penetrate further into a compromised organisation.

He said: "Once an adversary has got to a certain level in an organisation you have to ask what will they do next?"

In a bid to explore what happens in those situations, Cybereason is now planning to set up more servers and give these more depth to make them even more tempting targets. The idea is, he said, to get a close look at the techniques hackers use when they embark on a serious attack.

"We'll look for more sophisticated, manual operations," he said. "We'll want to see the techniques they use and if there is any monetisation of the method."