A new study from leading security firm Sophos reveals that cybercriminals are casting the widest possible net across the internet using automated scripts, looking for any and every easy target in the cloud. A global network of honeypots set up by the company logged a staggering amount of scripted attacks attempting to pass default credentials.
While this isn’t new information and was certainly to be expected, the study shed light on the aggressive speed and scale of these attempts. The key takeaway is that if you connect anything at all to cloud platforms, expect the hacking attempts to begin in anywhere from one minute to one hour.
Fortunately, most of these scripted attacks are not particularly sophisticated. They use a “brute force” approach and focus on known default credentials for the devices they target.
The Sophos study: Honeypots around the world
This experiment consisted of Sophos placing honeypots in 10 of the world’s most popular Amazon Web Services (AWS) data center locations. The honeypots were anonymized such that they did not appear to be a target of any particular value, just another average civilian device connected to the internet that may not yield anything more than a bit more processing power to be harnessed by a botnet.
The first login attempt (in Sao Paulo) came just 52 seconds after the honeypot went online. One in Ohio was targeted just shy of five minutes in. Three more were discovered by hackers in under 20 minutes, two in just under an hour, and two in a little over an hour. The one that evaded detection the longest was in Ireland, almost making it one hour and forty-five minutes before the first hacking attempt occurred.
Sophos used a combination of honeypot types to record information about the hack attempts. One honeypot variety simply presented the attackers with an impassable login to see what user names and passwords they attempted to use. Another allowed them to get in using commonly known default login credentials, and recorded the commands they issued once inside.
The attacks overwhelmingly worked from a script of known login combinations for a variety of common operating systems and device types. Attackers almost always tried “root” as a login name, probing for poorly secured Linux systems or Internet of Things (IoT) devices. However, there was some variety in their approach after that. Other common login names tried were “admin” and “user” (default for a wide variety of IoT devices), “ubnt” (Ubiquiti Networks), “ubuntu”, “nagios” (Nagios Network Monitoring) and “pi” (Raspberry Pi devices). Most scripts appeared to have a particular type of device in mind.
The danger of default credentials
The scripts were also looking for easy targets; devices that were still using default credentials or some sort of common and basic password.
You can probably guess what the most common password attempts were: sequences of numbers (12345), “admin”, “password”, “default” and “qwerty.” While one would hope people would not still be using these stereotypically awful passwords in 2019, apparently enough are for this to be worth hackers’ time. Even worse, quite a few IoT devices are shipping with passwords like these as their default credentials.
Why criminals are targeting every device
Even the most humble IoT device can provide a boost for criminal attempts to hack into more rewarding systems. Consumers with a less sophisticated understanding of cybersecurity measures often believe that their home smart devices do not need to be secured because criminals can’t do anything useful with them, or that they are somehow not accessible over the internet in the same way that computers and smartphones are. Of course, this is far from true.
As mentioned, some of the Sophos honeypots allowed the attackers in to see what they would do. The standard course of action by hackers was to test connectivity by connecting to Yandex (the most popular search engine in Russia and Eastern Europe), then to direct the device to the open API of a bigger fish – most commonly a large retail chain.
Cyber criminals have been scooping up IoT devices for use in massive botnet “denial of service” attacks for years now, as we have learned from incidents like the Mirai attack of 2016 and the attempted attack on Github in 2018. This study makes clear that hackers are also interested in any and all available devices as a means of amplifying similar attacks against targets of higher value.
The speed with which hacking attempts start is not the only troubling information in this report. The scale of attacks on the honeypots is also a major concern.
During a 30-day period from mid-January to mid-February, each individual honeypot was targeted from 312,000 times (Singapore) to 953,000 times (Ohio). Again, this is for a target that would appear to be completely unremarkable and of no special value to a hacker.
These numbers indicate that the average device can expect 13 attempted attacks per minute, or 757 per hour. If a new device is connected to the internet with default credentials, you can expect it to be compromised by one of these automated scripts almost immediately.
An interesting footnote is that 95.4% of the hacks attempted on the global honeypots appeared to come from China. That does not mean that Chinese hackers are responsible for the vast bulk of the world’s scripted exploits, however; the safer assumption is that China is home to the world’s largest assemblage of compromised devices and these attacks are being routed through them.
Securing remote access devices
The first defense against all of this is obvious – don’t use default credentials or simple passwords on any device that is connected to the internet and able to accept remote connections. If an IoT device does not allow you to change the default credentials or is not password-protected at all, it should immediately be taken offline and discarded in favor of a more secure replacement.
The Sophos study noted that the attacks on the cloud server honeypots tended to focus on universal plug and play (UPNP) systems. UPNP networks automatically enable port forwarding between routers and devices. This can be disabled if it is not necessary.
The study also suggests that SSH servers should implement key-based authentication in addition to passwords due to the volume of attacks they are subject to, and that login attempts should be limited in number whenever possible.