Hacker botnets can automate a cyber attack in 15 seconds
Researchers find advanced tools being used by low-level attackers
Hackers are using botnets to automate the process of hacking into networks, security researchers have found.
The discovery was made when a 'honeypot' of fake user data was released to the dark web to tempt hackers into exploiting the data. Masquerading as data from a financial services company, the security firm released usernames and passwords for the Remote Desktop Protocol (RDP) for three servers in the network to dark markets and paste sites to see how hackers would respond, according to a blog post by Ross Rustici, head of intelligence services at Cybereason.
He said that once set up, automated bots came along to the honeypot to carry out the groundwork for human attackers before they entered the network environment, including exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines.
The botnet also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the botnet carried out these functions in approximately 15 seconds.
"For defenders, automatic exploitation in a matter of seconds means they'll likely be overwhelmed by the speed at which the botnet can infiltrate their environment," Rustici said.
He added that the increasing automation of internal network reconnaissance and lateral movement is an even larger concern.
"These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes," he said.
Two days after the third botnet finished its work, a human attacker entered the environment, according to the post. Cybereason researchers knew it was a human because the attacker logged in with a user account created by the botnet. Also, a user interface application was opened and remote access capabilities were accessed, functions not typically carried out by bots.
"The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark web," he said.
He added that the experiment revealed the commoditisation of using bots to perform low-level tasks. "At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability."
Oliver Pinson-Roxburgh, EMEA director at Alert Logic told IT Pro that he was not surprised that organisations are starting to see this behaviour given the rise in popularity of browser miners as a way to monetise attacks.
"We see the miner malware automatically looking to identify other miners in the environment and shut the current hackers down in order to spin up their own systems. They are also looking to stay persistent for as long as possible in an asset, as controls on the cryptocurrency side starts to improve ways to detect what a valid miner looks like," he said.
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Evaluate your order-to-cash process
15 recommended metrics to benchmark your O2C operationsDownload now
AI 360: Hold, fold, or double down?
How AI can benefit your businessDownload now
Getting started with Azure Red Hat OpenShift
A developer’s guide to improving application building and deployment capabilitiesDownload now