Discovering connections between attackers

In the last few years, Pedram Hayati, founder of Australian IT company Security Dimension, has been developing a custom honeypot intelligence system called Smart Honeypot.

Honeypots – fake systems designed to look like the real thing – can be used for many different purposes. One of these is to determine what attackers are after, their capabilities and the tactics they use to achieve their goals, and this is why Hayati set up thirteen Smart Honeypots in different geographic regions of Amazon Web Services and Google Cloud (America, Europe, Asia and Oceania).

“All hosts were identical, mimicking a typical server, and during the experiment their IP addresses were not published,” he explained to the audience at Hack in the Box conference in Amsterdam. Interestingly enough, even so it took on average less than ten minutes for attackers to find them and target them.

He limited the experiment to SSH service – other network services were disabled.

He ultimately divided the attackers targeting cloud hosts into three categories: Brute-forcers (bots), Infectors, and Commanders.

The former concentrated on brute forcing the host. Some bots attempted only one username/password combination on all honeypots, others tried out a set of combinations, apparently compiled from publicly available password lists. Most attempts were aimed at “root” and “admin” accounts.

If Brute-forcers succeeded in identifying the right combination, they would retreat. Then a new attacker, from a new IP address, would arrive and use the same combination to authenticate to the host.

These attackers – Infectors – would then attempt to infect the host by using malicious scripts or binary files, whose presence they tried to hide as best as possible. Once the malware was run, they, too, retreated.

The malware would initiate a connection with a C&C server, which is in the hands of a Commander and who’s then able to send remote commands to the host – for example, to initiate a DoS attack.

Hayati used network theory to identify groups of similar attackers and the connections between them, and he discovered that:

  • The majority of attacks originated from unique sources per each geographic region (and that’s why blacklists would not work)
  • There are more brute-forcers than infectors
  • The most targeted honeypots (hosts) were those in known cloud providers’ IP ranges
  • Most attacks originated from a few network providers.

In one particular attack, he noticed that Brute-forcer IP addresses were owned by a Hong Kong based company, while the Infectors’ IP addresses belonged to six US-base companies.

This lead him to think that either the Infectors (US) purchased a botnet in Hong Kong for brute-force attempts and distribute malware on compromised hosts; or that a list of compromised hosts was traded to the Infectors (US) for malware distribution.

The fact that there was a week-long gap between the brute-force attacks and those mounted by Infectors makes him believe that the latter theory is the correct one.

This would indicate that Brute-forcers, Infectors and Commanders are not the members of one criminal group. Each of the groups is specialized and works for themselves: the Brute-forcers sell their services and loot to Infectors, and the Infectors to Commanders (botnet masters), who then offer DoS and spam services to the highest bidder.

For more details about Hayati’s research, you can check out this paper.