Hacker botnets can automate a cyber attack in 15 seconds

Researchers find advanced tools being used by low-level attackers

Hackers are using botnets to automate the process of hacking into networks, security researchers have found.

The discovery was made when a 'honeypot' of fake user data was released to the dark web to tempt hackers into exploiting the data. Masquerading as data from a financial services company, the security firm released usernames and passwords for the Remote Desktop Protocol (RDP) for three servers in the network to dark markets and paste sites to see how hackers would respond, according to a blog post by Ross Rustici, head of intelligence services at Cybereason.

He said that once set up, automated bots came along to the honeypot to carry out the groundwork for human attackers before they entered the network environment, including exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines.

The botnet also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the botnet carried out these functions in approximately 15 seconds.

"For defenders, automatic exploitation in a matter of seconds means they'll likely be overwhelmed by the speed at which the botnet can infiltrate their environment," Rustici said.

He added that the increasing automation of internal network reconnaissance and lateral movement is an even larger concern.

"These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes," he said.

Two days after the third botnet finished its work, a human attacker entered the environment, according to the post. Cybereason researchers knew it was a human because the attacker logged in with a user account created by the botnet. Also, a user interface application was opened and remote access capabilities were accessed, functions not typically carried out by bots.

"The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark web," he said.

He added that the experiment revealed the commoditisation of using bots to perform low-level tasks. "At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability."

Oliver Pinson-Roxburgh, EMEA director at Alert Logic told IT Pro that he was not surprised that organisations are starting to see this behaviour given the rise in popularity of browser miners as a way to monetise attacks.

"We see the miner malware automatically looking to identify other miners in the environment and shut the current hackers down in order to spin up their own systems. They are also looking to stay persistent for as long as possible in an asset, as controls on the cryptocurrency side starts to improve ways to detect what a valid miner looks like," he said.

Image: Shutterstock

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
IBM and SAP expand partnership to support software on hybrid cloud
Cloud

IBM and SAP expand partnership to support software on hybrid cloud

21 Oct 2020