Meet Your Attacker
Confused by the heading? If you are looking at the image above, you are looking at your new adversary. Today's attacks are so automated that a minor error in a firewall setting can have an attack underway within minutes. How can it be so fast? Simple: millions of criminal hackers running automated tools that scan the Internet around the clock. I hope that clarifies the struggle we face in the cyber domain.
Automated Attacks on the Rise
Several months ago, I was helping a small business recover from a ransomware attack on their network. Thankfully, they had backups of their data and were able to restore their systems within a couple of days. However, this was not the first time they had experienced a ransomware attack, so I was called in to review their network and assess it for vulnerabilities and weaknesses.
One significant discovery during my assessment was that their contracted IT support service had exposed two servers to the Internet via Remote Desktop Protocol (RDP, TCP port 3389 by default), likely to simplify remote administration of the network. Please don't do this: an RDP port reachable from the Internet attracts hackers who will work feverishly to break into the system, and that is the subject of this post.
In most cases, a criminal hacker doesn't know who you are or the address of your server, nor do they need to. Plenty of free sources on the Internet provide that information: Google, Shodan, Internet-wide scanning services, and so on. Hackers use these services to identify exposed systems, then write programs to automate their attack.
Computers generate records, called logs, of what happens on them. For example, when you log into your computer, the successful login is recorded in the log; when you mistype your password, a failed login attempt is recorded. On a Windows server both land in the Security event log (Event ID 4624 for a successful logon, 4625 for a failed one). This matters because log files let you reconstruct how an event unfolded on your network.
During a review of my client's server log files, I observed thousands of failed login attempts, the most recent only a few seconds old. A quick refresh and two more failed login attempts had been recorded. The servers were under attack from a would-be hacker. The attempts were aimed at the exposed RDP port that led directly to the server. I quickly contacted my client, informed them of the attack, and recommended that I take immediate action to halt it.
Make sure you get approval to modify a client's system before doing so.
Having received approval from the client, I blocked the IP address at the firewall. On refreshing the log files, the attack continued, now from a different IP address. After I blocked the second IP address, the attack stopped.
In a post-assessment of the attack, it was clear that criminal hackers had used automated tools to mount a brute-force attack on the servers. The attacker had a list of thousands of usernames and passwords, and each failed login attempt corresponded to one username and password combination from that list. Ultimately, there is a human behind the scenes attempting to access your infrastructure for nefarious purposes. However, the process is now so automated that the criminal hacker could be at the local coffee shop sipping a vanilla latte while his computer searches the Internet for a vulnerable server and then runs scripts to attempt the break-in.
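The check described above, counting failed logons per source address and turning the offenders into firewall blocks, can be automated. The following Python script is an added example, not code from the original post or from the client engagement it describes. The event records are constructed for the example and only mimic the fields of a Windows Security Event ID 4625 ("An account failed to log on"); the rule names in the generated New-NetFirewallRule commands are this example's own choice.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security Event ID 4625:
# (timestamp, target username, source IP, logon type).
# Logon type 10 is RemoteInteractive (RDP); type 3 (Network) is what RDP with
# Network Level Authentication records when the pre-authentication fails.
BASE = datetime(2023, 11, 4, 10, 15, 0)


def _constructed_events():
    events = []
    # One attacker IP cycling a credential list: 40 failures in 80 seconds.
    users = ["administrator", "admin", "backup", "scanner", "sqlsvc", "test"]
    for i in range(40):
        events.append((BASE + timedelta(seconds=2 * i), users[i % len(users)], "203.0.113.45", 3))
    # A legitimate admin mistyping a password twice from a known address.
    events.append((BASE + timedelta(minutes=1), "jsmith", "198.51.100.7", 10))
    events.append((BASE + timedelta(minutes=1, seconds=9), "jsmith", "198.51.100.7", 10))
    # A second attacker IP that picks up after the first one is blocked.
    for i in range(25):
        events.append((BASE + timedelta(minutes=6, seconds=3 * i), "administrator", "192.0.2.200", 3))
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures", "users", "first", "last"}} for every
    source IP that produced at least `threshold` failed logons inside any
    `window`-long span. The window slides per IP, so a slow-and-low attacker
    whose attempts are spread thinner than the window is deliberately not
    flagged by this rule; lower the threshold or widen the window for that."""
    by_ip = defaultdict(list)
    for ts, user, ip, _logon_type in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        recent = deque()
        for ts, _user in recs:
            recent.append(ts)
            while ts - recent[0] > window:   # drop attempts older than the window
                recent.popleft()
            if len(recent) >= threshold:
                flagged[ip] = {
                    "failures": len(recs),
                    "users": len({u for _, u in recs}),  # many users => credential list
                    "first": recs[0][0],
                    "last": recs[-1][0],
                }
                break
    return flagged


def block_rules(flagged):
    """Hypothetical helper: one inbound Windows Firewall block rule per flagged IP.
    New-NetFirewallRule is a real cmdlet; the DisplayName text is this example's own."""
    return [
        f'New-NetFirewallRule -DisplayName "Block RDP brute force {ip}" '
        f"-Direction Inbound -RemoteAddress {ip} -Action Block"
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_EVENTS)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures against {info['users']} accounts "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    print("\n".join(block_rules(hits)))
```

Run against the constructed records, the two attacker addresses are flagged and the admin who mistyped a password twice is not. The "users" count is the useful second signal: dozens of distinct usernames from one address is a credential list being replayed, while one username hammered repeatedly is a straight password guess against a known account. Blocking by address is a stopgap, as the second source in the story shows; the lasting fix is to take RDP off the Internet.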
What can you do to protect your business's information assets from attack? It's important to know what your exposure is and to minimize it with sound practices that prevent easy access to your infrastructure. A simple first check: look up your public IP address at www.whatsmyip.com, then paste it into www.shodan.io. If Shodan reports no results, that's a great start. Keep in mind that no results only means Shodan has not indexed anything at that address yet, not that nothing is exposed, so follow up by reviewing every inbound rule on your firewall and asking whether each exposed service truly needs to face the Internet.