Beware of older cyber attacks
Footprinting and brute force attacks are still in use

IBM X-Force® Research Managed Security Services Report


Contents

Executive overview

Footprinting

Top 10 ports

Brute force password attacks

Secure shell (SSH) brute force attacks

Persistence of SSH brute force top 20 attacker IP addresses

SSH brute force top five IP addresses

File Transfer Protocol (FTP) brute force attacks

Top five FTP brute force attacker IP addresses

Recommendations

Protect your enterprise while reducing cost and complexity

About IBM Security

About the author

References

Executive overview

Covering more than 18 years of vulnerability data, the IBM® X-Force® database surpassed 100,000 entries in Q2 2016.1 That means there are a lot of attack vectors at a criminal’s disposal. With much of the media focus on new and emerging threats, it’s easy to see how security teams might lose sight of older, less newsworthy vulnerabilities and attack vectors.

An assessment of recent data from IBM Managed Security Services (IBM MSS), which continuously monitors billions of events reported by more than 8,000 client devices in over 100 countries, reveals some interesting findings about attack vectors no longer discussed much. One example is the TCP/UDP port scan and TCP/UDP service sweep, which are part of an attack pattern known as footprinting.2 Another is the password brute force attack pattern,3 one of the brute force attacks4 we saw emerge decades ago and still see today. While many products and services today require strong passwords, weak passwords are still being used, aiding criminals in carrying out successful brute force attacks.5 6 7

Fortunately, many tools and mitigation techniques to thwart these older kinds of cyber attack have been developed over the years. Organizations that apply them in their environments will be better equipped to deal with the ongoing threat.

About this report

This IBM® X-Force® Research report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources, including event data, activity and trends sourced from thousands of endpoints managed and monitored by IBM.


Footprinting

Looking at the Common Attack Pattern Enumeration and Classification (CAPEC) mechanisms of attack8, we see an attack pattern hierarchy. Footprinting9 is considered a meta attack pattern that falls under one of the top level categories, “Gather Information.” Often viewed as more of a pre-attack used to gather information on potential targets, the term encompasses several attack techniques, among them network topology mapping, host discovery, account footprinting, and port scanning. Generally, multiple ports are scanned in a port scan.

There’s also something called a service (or port) sweep, in which multiple hosts in a network are checked for a specific open service port. Service sweeps are often ignored, since they occur so regularly and aren’t something that warrants an immediate response. The placement of network sensors also impacts whether footprinting activity can be detected. If a sensor is behind a firewall and the firewall is not configured to map ports to internal systems, the scan activity won’t be logged.
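As an added example (not from the report), the following Python separates the two footprinting patterns described above, a service sweep (one port probed across many hosts) and a port scan (many ports probed on one host), using constructed connection-log lines; the log format, thresholds and time window are assumptions, and port 80 is skipped for sweeps in the same way the report's sweep signature does.

```python
from collections import defaultdict

# Constructed connection-log sample (not IBM MSS data), one attempted TCP connection per line:
#   "<HH:MM:SS> <src_ip> -> <dst_ip>:<dst_port> <proto>"
# 198.51.100.7 sweeps port 23 across six hosts, 198.51.100.22 sweeps port 1433 across five,
# 203.0.113.9 scans seven ports on one host, and 192.0.2.50 is ordinary web traffic.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 -> 192.0.2.10:23 tcp
10:00:01 198.51.100.7 -> 192.0.2.11:23 tcp
10:00:02 198.51.100.7 -> 192.0.2.12:23 tcp
10:00:02 198.51.100.7 -> 192.0.2.13:23 tcp
10:00:03 198.51.100.7 -> 192.0.2.14:23 tcp
10:00:03 198.51.100.7 -> 192.0.2.15:23 tcp
10:00:05 203.0.113.9 -> 192.0.2.20:21 tcp
10:00:05 203.0.113.9 -> 192.0.2.20:22 tcp
10:00:05 203.0.113.9 -> 192.0.2.20:23 tcp
10:00:06 203.0.113.9 -> 192.0.2.20:80 tcp
10:00:06 203.0.113.9 -> 192.0.2.20:443 tcp
10:00:06 203.0.113.9 -> 192.0.2.20:1433 tcp
10:00:06 203.0.113.9 -> 192.0.2.20:3389 tcp
10:00:07 198.51.100.22 -> 192.0.2.30:1433 tcp
10:00:07 198.51.100.22 -> 192.0.2.31:1433 tcp
10:00:08 198.51.100.22 -> 192.0.2.32:1433 tcp
10:00:08 198.51.100.22 -> 192.0.2.33:1433 tcp
10:00:08 198.51.100.22 -> 192.0.2.34:1433 tcp
10:00:09 192.0.2.50 -> 192.0.2.10:80 tcp
10:00:10 192.0.2.50 -> 192.0.2.11:80 tcp
"""

# Thresholds are assumptions for this example; tune them to the sensor's normal traffic.
SWEEP_MIN_HOSTS = 5         # same destination port on at least this many distinct hosts
SCAN_MIN_PORTS = 5          # at least this many distinct ports on one destination host
WINDOW_SECONDS = 60         # all hits must fall within this window to count as one sweep/scan
IGNORED_SWEEP_PORTS = {80}  # the report's sweep signature excludes port 80 to avoid false positives


def _seconds(hms):
    """Convert HH:MM:SS to seconds since midnight (the sample lies within one day)."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Split one log line into (time_s, src_ip, dst_ip, dst_port)."""
    time_field, src, _arrow, dst, _proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return _seconds(time_field), src, dst_ip, int(dst_port)


def classify(log_text):
    """Return footprinting findings as tuples:
       ("service_sweep", src_ip, dst_port, distinct_hosts)
       ("port_scan", src_ip, dst_ip, distinct_ports)
    """
    sweep_hosts = defaultdict(set)   # (src, dst_port) -> {dst_ip}
    sweep_times = defaultdict(list)  # (src, dst_port) -> [time_s]
    scan_ports = defaultdict(set)    # (src, dst_ip) -> {dst_port}
    scan_times = defaultdict(list)   # (src, dst_ip) -> [time_s]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, dst_ip, port = parse_line(line)
        sweep_hosts[(src, port)].add(dst_ip)
        sweep_times[(src, port)].append(t)
        scan_ports[(src, dst_ip)].add(port)
        scan_times[(src, dst_ip)].append(t)

    findings = []
    for (src, port), hosts in sweep_hosts.items():
        if port in IGNORED_SWEEP_PORTS:
            continue
        times = sweep_times[(src, port)]
        if len(hosts) >= SWEEP_MIN_HOSTS and max(times) - min(times) <= WINDOW_SECONDS:
            findings.append(("service_sweep", src, port, len(hosts)))
    for (src, dst_ip), ports in scan_ports.items():
        times = scan_times[(src, dst_ip)]
        if len(ports) >= SCAN_MIN_PORTS and max(times) - min(times) <= WINDOW_SECONDS:
            findings.append(("port_scan", src, dst_ip, len(ports)))
    return findings


def top_sweep_ports(findings):
    """Rank swept destination ports by the number of hosts probed, in the spirit of Table 1."""
    per_port = defaultdict(int)
    for kind, _src, port, hosts in findings:
        if kind == "service_sweep":
            per_port[port] += hosts
    return sorted(per_port.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(top_sweep_ports(found))
```

A sensor placed behind a firewall that does not forward the probed ports will never see these lines, which is the detection gap the paragraph above describes.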

Commonly used footprinting tools

Most security analysts will agree that “nmap,” made available in 1997, is the best known and most widely used network footprinting tool.10 “Scanrand” (2002)11, “amap” (2003)12, “Unicornscan” (2005)13, “zmap” (2012)14 and “masscan” (2013) are also popular. Newer tools such as “zmap” (2012) claim the ability to scan the entire Internet in times ranging from five minutes to an hour.15 And masscan claims to do it in three minutes.16 Scanning tools existed before 1997, for example the Internet Security Scanner (ISS) version 1.x that first appeared as a shareware product in 1992 and later inspired a commercial product.17

Another way to glean footprinting data is to use a search engine that is searching data from ongoing Internet mapping projects. Shodan (2009) is one of the most popular projects and is thought by many to be the most comprehensive.18 Censys (2015) is geared towards computer scientists and researchers.19 Thingful (2013) is for Internet of Things (IoT) devices.20 Internet mapping search engines such as these allow attackers to gain access to footprinting information without actually sending packets to the victim, who then remains unaware they’re being targeted.


Top 10 ports

In a sampling of IBM Managed Security Services customers over two days in Q1 2016, the telnet port (TCP port 23) received the most sweeps, accounting for 79 percent of the events. Port 80 is excluded from the network IDS signature represented in this data because legitimate web traffic also uses port 80, which makes false positives likely.21 Popular ports such as 25 (SMTP), 21 (FTP), 53 (DNS), 135 (RPC), 137 (NETBIOS), 139 (NETBIOS), 445 (Microsoft-DS), and others ranked lower than the top 10. This is shown in Figure 1 and Table 1.


Figure 1. Top 10 TCP service sweep destination ports (pie chart; the same percentages are listed in Table 1). Source: IBM MSS data.

| Rank | Destination TCP port | Sweeps | Internet Assigned Numbers Authority (IANA)-assigned service description and popular use22 |
|---|---|---|---|
| 1 | 23 | 78.65% | telnet |
| 2 | 1433 | 2.61% | Microsoft SQL Server |
| 3 | 8080 | 2.14% | HTTP alternate for port 80 |
| 4 | 3306 | 1.59% | MySQL |
| 5 | 3389 | 1.54% | MS WBT Server, Windows Remote Desktop |
| 6 | 3128 | 1.00% | Active API Server Port, some proxy servers (squid-http, 3proxy) |
| 7 | 443 | 0.90% | http protocol over TLS/SSL |
| 8 | 5900 | 0.61% | Remote framebuffer, VNC (virtual network computing), Apple Remote Desktop |
| 9 | 9200 | 0.56% | WAP connectionless session service, EMC2 (Legato) Networker or Sun Solstice Backup |
| 10 | 21320 | 0.54% | N/A |
| All other | | 9.87% | All other TCP ports combined |

Table 1. Rank, destination TCP port, sweeps and service description and popular use for the top 10 ports. Source: IBM MSS data.


Ports provide multiple pieces of useful information. Attackers may be seeking:

• Specific vulnerabilities for known services, such as Heartbleed on web servers
• Services that can be exploited for a brute force password attack
• Information on a target, such as what can be found in a login banner

Banners can be particularly revealing. “Welcome to the ACME central bank system running Widgets OS version 3.43.23c” reveals that the attacker has found both a prime target and an easy path to unauthorized access via what may be its operating system’s many known vulnerabilities. Certain malware is also known to use many common ports. Table 2 highlights those associated with the top 10 TCP destination ports revealed in Table 1.


Table 2. Illegitimate uses of the top 10 ports. Rank, destination TCP port, sweeps. Source: IBM MSS data. Trojans, worms, malware using port. Source: Various.23 24 25

| Rank | Destination TCP port | Sweeps | Trojans, worms or malware using the port |
|---|---|---|---|
| 1 | 23 | 78.65% | ADM worm (May 1998), Aphex’s Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own Trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (2005.10.26) |
| 2 | 1433 | 2.61% | Digispid.B.Worm (2002.05.21), W32.Kelvir.R (2005.04.12), Voyager Alpha Force |
| 3 | 8080 | 2.14% | Reverse WWW Tunnel Backdoor, RingZero, Screen Cutter, Mydoom.B (2004.01.28), W32.Spybot.OFN (2005.04.29), W32.Zotob.C@mm (2005.08.16), W32.Zotob.E (2005.08.16), Backdoor.Naninf.D (2006.02.01), Backdoor.Naninf.C (2006.01.31), W32.Rinbot.A (2007.03.02), Android.Acnetdoor (2012.05.16), Feodo/Geodo (a.k.a. Cridex or Bugat), Backdoor.Tjserv.D (2005.10.04), RemoConChubo, Brown Orifice, Feutel, Haxdoor, Hesive, Nemog, Ryknos, W32.Kelvir, W32.Mytob, W32.Opanki, W32.Picrate, W32.Spybot, W32.Zotob, Webus |
| 4 | 3306 | 1.59% | Nemon backdoor (discovered 2004.08.16), W32.Mydoom.Q@mm, W32.Spybot |
| 5 | 3389 | 1.54% | Backdoor.Win32.Agent.cdm, TSPY_AGENT.ADDQ |
| 6 | 3128 | 1.00% | Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero, Mydoom.B (2004.01.28), W32.HLLW.Deadhat (2004.02.06) |
| 7 | 443 | 0.90% | W32.Kelvir.M (2005.04.05), Slapper, Civcat, Tabdim, W32.Kelvir, W32.Kiman |
| 8 | 5900 | 0.61% | Backdoor.Evivinc, W32.Gangbot (2007.01.22) |
| 9 | 9200 | 0.56% | Unknown |
| 10 | 21320 | 0.54% | Spybot, TopArcadeHits malware installing unapproved proxy |


Telnet: TCP port 23

Telnet, which has been around since the beginning of the ARPANET in 1969 in what evolved to be the Internet in 1982, accounts for more than three-quarters of the sweep traffic we analyzed. People might wonder “How could that be? I thought telnet didn’t get used much anymore.” That’s true enough, but only partly so. While telnet is no longer enabled by default in many UNIX/Linux distributions, as it once was, it still gets enabled by naïve administrators, and it can be found enabled by default on many IoT devices such as refrigerators, DVRs, televisions, beds, toothbrushes and some older SCADA (Supervisory Control And Data Acquisition) devices. Telnet doesn’t encrypt its communications, making it easy for someone to sniff the traffic for user IDs and passwords.

Telnet servers aren’t limited to only UNIX/Linux; some telnet servers connected to the Internet are running on Windows systems ranging from Windows 10 all the way back to Windows XP. Many embedded system applications are used in equipment such as routers, VOIP phones and industrial control systems (ICSs). People think of ICS as infrastructure—in utility or manufacturing environments—but ICS is used in other industries, for example at the car wash. At least one car wash system has been known to have a telnet server listening and reachable from the Internet.26 When you pull into one of those automated car washes with no attendant anywhere in sight, one could wonder whether there’s some criminal in control from hundreds or thousands of miles away.

A report created on 4 April 2016 from the world’s first search engine for internet-connected devices, Shodan, shows that telnet is still alive and serving (see Figure 2).27 28

Once an attacker discovers an open telnet port, she or he may have several options:

• See if the banner reveals something about the system and the entity that owns it
• If authentication isn’t required, gain immediate access to the system
• Try common default accounts such as root/root, system/system, manager/manager, or operator/operator to gain unauthorized access
• Perform brute force attacks to obtain passwords for common user accounts or system (root or Administrator) accounts.

An attacker with unauthorized access will normally explore the system to view its features, see what data it contains, and gain experience with the technologies used, building up a toolbox and learning additional ways to exploit the targeted organization.


Figure 2. A search for port 23 on 5 April 2016 returned over 16 million results. Source: Shodan.

Telnet port 23 search results, top countries:

1. China 5,199,724
2. United States 1,327,980
3. Brazil 1,257,974
4. Republic of Korea 1,030,702
5. India 723,424
6. Spain 526,469
7. Russian Federation 467,227
8. Viet Nam 409,888
9. Italy 350,927
10. Dominican Republic 296,118


Telnet vulnerabilities

“Common Vulnerabilities and Exposures” (CVE®) is a dictionary of common names (also called CVE Identifiers) for publicly known cybersecurity vulnerabilities.29 Vulnerabilities related to telnet have been disclosed every year since its launch in 1999, and by the end of 2015 they totaled 266 (see Figure 3). While their disclosure has slowed over time, there has been a small resurgence in number during the past few years. It should be interesting to see the count for 2016.

A few of the telnet server vulnerabilities disclosed in 2015 could impact many organizations without their ever suspecting such a vulnerability exists. This includes CVE-2015-2874 and CVE-2015-3459.


Figure 3. Total number of telnet vulnerabilities since 1999 (bar chart of the count of telnet CVE IDs per year, 1999–2015). Source: CVE Project, MITRE Corporation.30


CVE-2015-2874 is associated with a vulnerability in a few Seagate portable hard drives used to share content with mobile devices such as cell phones and tablets.31 The vulnerability is also linked to a common weakness enumeration ID, CWE-798, which is for “Use of Hard-Coded Credentials.”32 An attacker could exploit this vulnerability by establishing a telnet session into a vulnerable device and typing in the default username and password to gain root privileges to the system and access all the files stored on the drive. A firmware update to remediate the issue is now available from the manufacturer.

CVE-2015-3459 is associated with a vulnerability affecting the Hospira LifeCare PCA Infusion System prior to version 7.0. Vulnerable systems do not require authentication for root telnet sessions, potentially allowing a remote attacker to modify the pump configuration. The implications are life-threatening: a malicious actor could bypass authentication and relatively easily change the upper limit of a drug being administered to a patient. According to the vendor, version 7.0 has the telnet port disabled by default to prevent unauthorized access.33

2015 saw the disclosure of several other telnet vulnerabilities where admin access could be gained fairly easily (see Table 3).


Table 3. Additional notable telnet vulnerabilities. Note that specific software or firmware versions of vulnerable products are not noted in the table. Refer to the IBM X-Force Exchange for more information.

| CVE ID | Product | Vulnerability |
|---|---|---|
| CVE-2015-0924 | Ceragon FiberAir IP-10 bridges | Default password for the root account |
| CVE-2015-2897 | Sierra Wireless AirLink ES, GX, and LS devices | Hardcoded root accounts |
| CVE-2015-7251 | ZTE ZXHN H108N R1A devices | Hardcoded password of root for the root account |
| CVE-2015-7289 | Arris DG860A, TG862A, and TG862G devices | Hardcoded administrator password derived from a serial number |


SQL Server: port 1433

The number two ranked destination port for TCP service sweeps, at only three percent of the traffic, is 1433, commonly used for Microsoft SQL Server. In addition to the common footprinting tools noted earlier, a freely available software package called Metasploit34 has an auxiliary module, mssql_ping, used to discover exposed Microsoft SQL Server instances. Metasploit also includes modules named mssql_login and mssql_hashdump used to gain unauthorized access to a Microsoft SQL Server instance. An open source penetration tool called sqlmap35 will locate and exploit SQL injection flaws of database servers such as Microsoft SQL Server. Another tool to exploit Microsoft SQL Server installations is sqlninja.36 Both sqlmap and sqlninja are included in the current releases of Kali Linux, a Linux distribution designed to be used for penetration testing.37

Other ports

Some of the ports noted in the top 10 are associated with well-known older attacks such as MyDoom, Slapper, SQL Slammer, and Spybot. While these attacks may or may not still be active in the wild, the services with which they are associated are still of interest to today’s attackers. Malware may use some of these ports because some organizations’ firewalls already have rules allowing these services to go through.


Telnet vulnerabilities persist, largely because of administrators activating telnet ports and because of open ports on IoT devices.


Brute force password attacks

A brute force password attack is a tactic in which an intruder tries to guess a username and password combination in order to gain unauthorized access to a system or data. The attacker will try a litany of common usernames and passwords, well-known default credentials, and passwords derived from a dictionary. The target could be a local console, an encrypted file or a service across a network, such as a social media account or a secure shell (SSH) access to a remote system.

Brute force password attacks have been around since the early days of the Internet and are still a significant presence in the wild. Often an attacker will come across a new system during a footprinting attack against a targeted network and see a login screen banner. A banner that reveals the operating system version will give the attacker an idea of what system-level account names to begin trying. Many brute force password hacking and cracking programs exist. Some of the more popular remote network password hacking tools are Brutus38, Medusa39, Ncrack40 (alpha), and THC Hydra41. They work against a variety of protocols which may include FTP, SSH, SMB, telnet, MySQL, Microsoft SQL, SMTP and VNC, and might find a simple dictionary password in less than a second.

The data included in this report shows that brute force password hacking attacks occurred consistently throughout 2015. Some of the top attackers carried out the same type of brute force attacks against many targets every day for months, even for a full year in some cases. Several times an attacker carrying out an SSH brute force attack came back months later looking for another service to target, such as a database server. Even though attacks may come from a compromised system or an anonymous proxy rather than the attacker’s own IP address, the persistence we’ve seen in brute force attacks means that it’s wise to block the source IP address of the attacking system.


Brute force password attackers can be very persistent, continuing their attacks for months or even a full year.


Secure shell (SSH) brute force attacks

Attackers favor SSH because it provides shell account access across the network. SSH brute force attacks peaked in May 2015, then trended downward for the rest of the year except for a slight increase in December over November (see Figure 4). It’s likely that the botnet known as SSHPsychos was responsible for much of the activity early in the year, and the downward trend in later months reflected efforts by members of the security community to mitigate this threat.42

The number of unique attacker IP addresses associated with SSH brute force attacks also peaked in May (see Figure 5). While there was a pronounced downward trend in attacks from June through December, the unique attacker count was closer to trending flat during that time period. The main point is that SSH brute force attacks aren’t limited to a small set of attackers, and protecting your systems from such attacks is important.


Figure 4. Percentage of SSH brute force attacks for each month in 2015 (1 January 2015 – 31 December 2015); bar chart by month, y-axis 0–20%. Source: IBM MSS data.


Figure 5. Unique attacker IP count for SSH brute force attacks by month (1 January 2015 – 31 December 2015); bar chart, y-axis 0–1000. Source: IBM MSS data. Note: A single IP address is considered unique and counted as “1” for each month that it appeared in the data. For example, the IP address 1.2.3.4 would be counted as “1” in both January and February if found in both months.


The brute force attack source IP locations collected by IBM Managed Security Services covered 98 countries (see Figure 6), with 93 percent of the total brute force attack activity coming from the top 10 countries. Hong Kong and China combined represented 76 percent of the total—not surprisingly, since the networks most known as sources for the SSHPsychos botnet, 103.41.124.0/23 and 43.255.190.0/23, were from there.43

IP addresses hosted in the United States were targets in almost 67 percent of the attacks (see Figure 7).


Top 10 source countries for SSH brute force attacks:

• Hong Kong 40.28%
• China 35.51%
• United States 8.76%
• France 2.50%
• Republic of Korea 1.31%
• Germany 1.15%
• United Kingdom 1.04%
• Russian Federation 0.88%
• Netherlands 0.84%
• Brazil 0.72%

Figure 6. Top ten source countries for SSH brute force attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.

Top 10 destination countries for SSH brute force attacks:

• United States 66.91%
• United Kingdom 2.16%
• Canada 1.95%
• Denmark 1.26%
• Italy 0.80%
• Japan 0.79%
• France 0.43%
• Australia 0.22%
• Germany 0.17%
• Europe 0.03%

Figure 7. The top destination countries for SSH brute force attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.

Persistence of SSH brute force top 20 attacker IP addresses

Attackers behind the top 20 IP addresses actively targeted their victims during two or more calendar months (see Table 4). Any amount of attack activity is a concern, but activity noted for three or more months from the same IP address may signify a more targeted and prolonged effort against a particular organization. According to the Talos Security Intelligence and Research Group,44 several IP addresses in the table are known to be associated with the SSHPsychos group. Talos reported that the SSHPsychos attacks involved targeting only the root account, trying over 300,000 passwords.
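The persistence measure behind Table 4 and Figure 5 (a source counts once for every month it appears, and three or more months marks a prolonged effort) applied to a constructed sshd authentication log, as an added example that is not part of the report; the lines follow the usual OpenSSH "Failed password" syslog message, the year is assumed to be 2015 because syslog omits it, and the three-month threshold is the one the text gives.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt in syslog format (not IBM MSS data). 198.51.100.7 fails
# logins in four different months, 203.0.113.9 in two, and one line is a legitimate login.
SAMPLE_AUTH_LOG = """\
Jan 14 02:11:05 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 14 02:11:06 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 40123 ssh2
Jan 14 02:11:06 bastion sshd[2203]: Failed password for root from 198.51.100.7 port 40124 ssh2
Feb 02 23:40:41 bastion sshd[3190]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar 19 11:02:13 bastion sshd[4412]: Failed password for invalid user admin from 198.51.100.7 port 60120 ssh2
Mar 19 11:02:14 bastion sshd[4412]: Failed password for invalid user oracle from 203.0.113.9 port 33010 ssh2
Apr 05 08:15:00 bastion sshd[5010]: Failed password for root from 198.51.100.7 port 40200 ssh2
Apr 05 08:15:02 bastion sshd[5012]: Accepted publickey for deploy from 192.0.2.50 port 51000 ssh2
Apr 05 09:00:00 bastion sshd[5020]: Failed password for root from 203.0.113.9 port 33011 ssh2
"""

# Matches OpenSSH's failed-password message; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def failed_logins(log_text):
    """Yield (month_number, user, source_ip) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield MONTHS.index(m["mon"]) + 1, m["user"], m["ip"]


def month_presence(log_text):
    """Map source IP -> set of months in which it produced failures (the Table 4 counting rule)."""
    months = defaultdict(set)
    for month, _user, ip in failed_logins(log_text):
        months[ip].add(month)
    return months


def persistent_sources(log_text, min_months=3):
    """Sources active in at least min_months distinct months, most persistent first."""
    return sorted(
        ((ip, len(m)) for ip, m in month_presence(log_text).items() if len(m) >= min_months),
        key=lambda item: (-item[1], item[0]),
    )


def unique_attackers_per_month(log_text):
    """Figure 5 style count: each IP counts once for every month it appears."""
    per_month = defaultdict(set)
    for month, _user, ip in failed_logins(log_text):
        per_month[month].add(ip)
    return {month: len(ips) for month, ips in sorted(per_month.items())}


def targeted_accounts(log_text):
    """Failures per account name, so a root-only campaign like SSHPsychos stands out."""
    counts = defaultdict(int)
    for _month, user, _ip in failed_logins(log_text):
        counts[user] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print("persistent (>= 3 months):", persistent_sources(SAMPLE_AUTH_LOG))
    print("unique attackers per month:", unique_attackers_per_month(SAMPLE_AUTH_LOG))
    print("targeted accounts:", targeted_accounts(SAMPLE_AUTH_LOG))
```

Sources the function reports as persistent are the ones the report suggests blocking at the source IP, even when that IP is a compromised host or proxy rather than the attacker's own.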


Table 4. The top attacking IP addresses for SSH brute force in 2015 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent the percentage of customers the attacking IP targeted during 2015. The red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

| Rank | Attacking IP | January | February | March | April | May | June | July | August | September | October | November | December | Total Customers Affected* | Month Count |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 221.229.160.237 | 8% | 22% | 10% | 7% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 29% | 4 |
| 2 | 115.231.222.23 | 9% | 22% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 24% | 2 |
| 3 | 115.239.248.237 | 15% | 13% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 20% | 2 |
| 4 | 115.239.248.205 | 10% | 16% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 20% | 2 |
| 5 | 27.221.10.43 | 0% | 0% | 2% | 7% | 7% | 9% | 6% | 7% | 9% | 2% | 5% | 3% | 18% | 10 |
| 6 | 88.150.240.59 | 0% | 3% | 14% | 6% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 17% | 3 |
| 7 | 58.218.213.238 | 6% | 10% | 5% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3 |
| 8 | 103.41.124.63 | 7% | 10% | 10% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3 |
| 9 | 103.41.124.111 | 8% | 8% | 9% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3 |
| 10 | 43.255.190.147 | 0% | 0% | 0% | 14% | 5% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2 |
| 11 | 43.255.190.160 | 0% | 0% | 0% | 15% | 2% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2 |
| 12 | 218.26.11.118 | 0% | 0% | 10% | 8% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2 |
| 13 | 59.47.0.150 | 0% | 7% | 3% | 8% | 6% | 9% | 9% | 5% | 2% | 0% | 0% | 0% | 15% | 8 |
| 14 | 218.65.30.61 | 0% | 7% | 7% | 11% | 13% | 9% | 7% | 2% | 3% | 0% | 0% | 0% | 15% | 8 |
| 15 | 58.218.204.172 | 7% | 9% | 6% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 3 |
| 16 | 43.255.190.125 | 0% | 0% | 0% | 14% | 3% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2 |
| 17 | 58.218.213.249 | 5% | 13% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2 |
| 18 | 43.255.190.134 | 0% | 0% | 0% | 15% | 2% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2 |
| 19 | 8.254.73.28 | 3% | 9% | 5% | 1% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 4 |
| 20 | 103.41.124.48 | 7% | 8% | 8% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 3 |


SSH brute force top five IP addresses

The following section highlights the top five source IP addresses that conducted SSH brute force attacks in 2015. For each of the following tables, the signature names shown in the first column represent intrusion detection/protection system signatures from multiple vendors. These tables show that the same IP address that initiates TCP service sweeps also carries out brute force password attacks. While the network ranges of 103.41.124.0/23 (China) and 43.255.190.0/23 (Hong Kong) were previously noted as sources for much of the SSHPsychos botnet activity, the LongTail SSH Honeypot project confirms other IP addresses outside those ranges exhibiting the same patterns.45 It’s interesting that all top five source IP addresses reside in China and much of the activity happened within the first few months of the year.

1: Attacker IP address 221.229.160.237

Country location: China

Most of the activity from this address occurred from January 2015 through June 2015, with a little showing up in September (see Table 5). While all its activity in January through April was focused on SSH, the TCP service sweeps in June (6/3 – 6/4) and September (9/17) targeted SQL Server (and were sourced from port 6000).

Observations regarding this IP address include:

• The SSH_Brute_Force signature directly indicates the SSH brute force attacks.
• Brute force attacks require making many connections to a service. “Multiple Rapid SSH Connections,” “OpenSSH Repeated CRC DoS,” “SSH connection flood,” and “SSH_Connection_DoS” signatures indirectly indicate SSH brute force attacks based on the large number of connections.
• The footprinting signatures shown are “TCP_Service_Sweep,” “SSH client scan,” “TCP_Probe_SSH,” “Sweep Scan,” “SSH_Service_Sweep,” and “TCP: SYN Host Sweep.”


Signature

Janu

ary

Febr

uary

Mar

ch

Apr

il

June

Sep

tem

ber

Dec

embe

r

Tota

l Eve

nt

Cou

nt*

SSH_Brute_Force 10.26% 32.49% 8.44% 8.31% 0.00% 0.00% 0.00% 59.49%

TCP_Service_Sweep 0.00% 0.00% 0.00% 0.00% 30.07% 0.34% 0.00% 30.41%

Multiple Rapid SSH Connections 1.14% 4.50% 0.15% 0.00% 0.00% 0.00% 0.00% 5.79%

OpenSSH Repeated CRC DoS 0.52% 3.52% 0.00% 0.00% 0.00% 0.00% 0.00% 4.04%

SSH connection flood 0.01% 0.07% 0.00% 0.00% 0.00% 0.00% 0.00% 0.08%

SSH client scan 0.01% 0.05% 0.00% 0.00% 0.00% 0.00% 0.00% 0.07%

Geo Protection 0.00% 0.00% 0.00% 0.00% 0.04% 0.00% 0.00% 0.04%

TCP_Probe_SSH 0.01% 0.00% 0.01% 0.00% 0.00% 0.00% 0.00% 0.02%

SSH_Connection_DoS 0.00% 0.00% 0.00% 0.02% 0.00% 0.00% 0.00% 0.02%

Sweep Scan 0.00% 0.00% 0.00% 0.00% 0.01% 0.00% 0.00% 0.01%

SSH_Service_Sweep 0.00% 0.00% 0.01% 0.00% 0.00% 0.00% 0.00% 0.01%

TCP: SYN Host Sweep 0.00% 0.00% 0.00% 0.00% 0.01% 0.00% 0.00% 0.01%

Grand Total* 11.96% 40.63% 8.60% 8.33% 30.14% 0.34% 0.00% 100.00%

Table 5. Activity from IP address 221.229.160.237 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


2: Attacker IP address 115.231.222.23
Country location: China

This attacker IP address was seen in the logs for only two months in 2015 conducting brute force attacks. It ranks number two based on the high count of customers targeted. Actual dates were 17 January 2015 through 25 February 2015 (see Table 6).

3: Attacker IP address 115.239.248.237
Country location: China

This attacker IP was seen in logs at the same time as the previous attacker IP address, and most of the IDS signatures were the same (see Table 7).

4: Attacker IP address 115.239.248.205
Country location: China

This attacker was logged primarily in January and February of 2015, with a little activity in July. All the activity in January and February centered on SSH scanning and brute force SSH attacks. In July the traffic triggered a different signature, indicating that the attacker was attempting to launch a denial of service (DoS) attack against the target’s DNS system (see Table 8).

Signature January February Total Event Count*
SSH_Brute_Force 34.19% 51.73% 85.92%
Multiple Rapid SSH Connections 1.97% 6.67% 8.63%
OpenSSH Repeated CRC DoS 0.20% 2.65% 2.85%
Sequence Verifier 0.73% 1.49% 2.22%
TCP_Probe_SSH 0.04% 0.06% 0.10%
TCP Invalid Checksum 0.08% 0.00% 0.08%
SSH client scan 0.02% 0.06% 0.08%
SSH connection flood 0.00% 0.06% 0.06%
TCP anomaly 0.04% 0.00% 0.04%
OpenSSH maxstartup Threshold Connection Exhaustion denial of service 0.00% 0.02% 0.02%
Grand Total* 37.26% 62.74% 100.00%

Table 6. Activity from IP address 115.231.222.23 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


Signature January February Total Event Count*
SSH_Brute_Force 31.47% 49.76% 81.23%
Multiple Rapid SSH Connections 5.33% 3.67% 9.01%
OpenSSH Repeated CRC DoS 2.67% 5.26% 7.92%
Sequence Verifier 0.81% 0.25% 1.06%
TCP Invalid Checksum 0.10% 0.10% 0.20%
TCP_Probe_SSH 0.15% 0.05% 0.20%
TCP anomaly 0.08% 0.10% 0.18%
SSH client scan 0.05% 0.08% 0.13%
SSH connection flood 0.03% 0.05% 0.08%
Grand Total* 40.68% 59.32% 100.00%

Table 7. Activity from IP address 115.239.248.237 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Signature January February July Total Event Count*
SSH_Brute_Force 31.46% 56.32% 0.00% 87.78%
Multiple Rapid SSH Connections 4.09% 2.75% 0.00% 6.84%
OpenSSH Repeated CRC DoS 0.00% 4.41% 0.00% 4.41%
Sequence Verifier 0.24% 0.08% 0.00% 0.32%
SSH User Authentication Brute-force Attempt(40015) 0.24% 0.00% 0.00% 0.24%
SSH connection flood 0.00% 0.12% 0.00% 0.12%
SSH client scan 0.00% 0.12% 0.00% 0.12%
DNS ANY Queries Brute-force DOS Attack(40033) 0.00% 0.00% 0.08% 0.08%
TCP_Probe_SSH 0.04% 0.02% 0.00% 0.06%
SSH_Service_Sweep 0.02% 0.00% 0.00% 0.02%
Grand Total* 36.09% 63.83% 0.08% 100.00%

Table 8. Activity from IP address 115.231.248.205 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


5: Attacker IP address 27.221.10.43
Country location: China

The first activity from this IP address appeared in March 2015 and continued throughout the year (see Table 9) and into the first months of 2016 (see Table 10).

This attacker was still being seen as of March 2016, making it the most persistent attacking IP address identified for the period 1 January 2015 through 31 March 2016.

Signature March April May June July August September October November December Total Event Count*
SSH_Service_Sweep 2.14% 7.43% 10.62% 11.40% 2.29% 9.05% 7.58% 2.97% 4.78% 0.71% 65.82%
SSH_Brute_Force 0.30% 2.80% 2.37% 1.85% 1.04% 1.69% 2.93% 0.88% 0.96% 1.72% 20.69%
TCP_Probe_SSH 0.06% 1.07% 1.12% 0.84% 0.38% 0.93% 0.66% 0.01% 0.01% 0.74% 7.61%
SSH.Client.Request.Mimicking 0.51% 0.02% 0.01% 0.26% 0.00% 1.68% 2.10% 0.24% 0.00% 0.00% 4.81%
Geo Protection 0.01% 0.04% 0.08% 0.08% 0.05% 0.04% 0.02% 0.01% 0.01% 0.00% 0.52%
TCP: SYN Host Sweep 0.01% 0.03% 0.01% 0.01% 0.00% 0.02% 0.01% 0.01% 0.00% 0.18% 0.31%
Sweep Scan 0.00% 0.03% 0.02% 0.01% 0.00% 0.01% 0.01% 0.01% 0.00% 0.08% 0.17%
TCP SYN Host Sweep 0.00% 0.01% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01%
TCP_Service_Sweep 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01%
PSNG_TCP_PORTSWEEP_FILTERED 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%
SSH_Connection_DoS 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%
Grand Total* 3.03% 11.44% 14.23% 14.44% 3.78% 13.42% 13.30% 4.13% 5.78% 3.43% 100.00%

Table 9. Activity from IP address 27.221.10.43 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. Orange cells containing “0.00%” indicate a value greater than 0.00%, but less than 0.01%. *Totals rounded to the nearest hundredth.

Signature January February March
SSH_Service_Sweep 0.81% 5.54% 0.59%
SSH_Brute_Force 0.65% 3.46% 0.03%
TCP_Probe_SSH 0.82% 0.85% 0.13%
Geo Protection 0.00% 0.16% 0.00%
TCP: SYN Host Sweep 0.00% 0.03% 0.00%
Sweep Scan 0.00% 0.01% 0.00%
NetScreen_Dest_IP_Session_Limit 0.00% 0.00% 0.00%
Grand Total* 2.28% 9.99% 0.75%

Table 10. Activity from IP address 27.221.10.43 (1 January 2016 – 31 March 2016). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Often we see that the same IP address is associated with both TCP service sweeps and brute force password attacks.
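The per-IP breakdowns in the tables above, and the observation that sweeps and brute force attempts come from the same address, can be reproduced from IDS event data. The following is an added example, not code from the IBM report: it computes the percentage-per-signature-per-month view over a constructed event set and flags source IPs whose first service sweep precedes their first brute force event. The signature names are the report's; the grouping into footprinting and brute force sets and the sample events are this example's own.

```python
"""Correlate footprinting and brute force IDS signatures per source IP.

Added example; it is not code from the IBM report. It reproduces the kind
of per-IP breakdown shown in the report's tables (percentage of a source
IP's events per signature and month) over a small constructed event set,
and flags source IPs whose service sweeps precede brute force attempts,
the pattern the report describes. Signature names come from the report;
the split into footprinting vs. brute force groups is this example's own.
"""
from collections import Counter, defaultdict
from datetime import datetime

FOOTPRINTING = {
    "TCP_Service_Sweep", "SSH_Service_Sweep", "TCP_Probe_SSH", "SSH client scan",
    "Sweep Scan", "TCP: SYN Host Sweep", "TCP_Port_Scan",
}
BRUTE_FORCE = {
    "SSH_Brute_Force", "Multiple Rapid SSH Connections", "SSH connection flood",
    "SSH_Connection_DoS", "FTP_User_Root", "FTP_Auth_Failed",
}

# Constructed sample IDS events (documentation-range IPs, not real attackers):
# "<ISO timestamp>|<source IP>|<signature>|<event count>"
SAMPLE_EVENTS = """\
2015-01-12T03:14:00|198.51.100.7|TCP_Service_Sweep|40
2015-01-12T03:20:00|198.51.100.7|SSH_Brute_Force|310
2015-02-03T11:02:00|198.51.100.7|SSH_Brute_Force|620
2015-02-03T11:05:00|198.51.100.7|Multiple Rapid SSH Connections|30
2015-06-04T08:00:00|198.51.100.7|TCP_Service_Sweep|200
2015-03-19T22:41:00|203.0.113.9|SSH_Brute_Force|150
2015-04-02T01:10:00|192.0.2.44|TCP_Service_Sweep|75
"""


def parse_events(text):
    """Parse the pipe-separated sample format into (time, ip, signature, count)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sig, count = line.split("|")
        events.append((datetime.fromisoformat(ts), ip, sig, int(count)))
    return events


def signature_breakdown(events, ip):
    """Percentage of one IP's total events, per signature and per month.

    Mirrors the report's Tables 5 to 17: each cell is that signature's
    event count in that month divided by the IP's grand total.
    """
    per_sig = defaultdict(Counter)
    grand_total = 0
    for ts, src, sig, count in events:
        if src != ip:
            continue
        per_sig[sig][ts.strftime("%Y-%m")] += count
        grand_total += count
    if grand_total == 0:
        return {}
    return {
        sig: {month: round(100.0 * c / grand_total, 2) for month, c in months.items()}
        for sig, months in per_sig.items()
    }


def sweep_then_brute_force(events):
    """Source IPs whose earliest footprinting event precedes a brute force event.

    An IP that only sweeps, or only brute forces, is not flagged; the
    report's point is the combination from the same address.
    """
    first_sweep, first_brute = {}, {}
    for ts, ip, sig, _ in events:
        if sig in FOOTPRINTING and (ip not in first_sweep or ts < first_sweep[ip]):
            first_sweep[ip] = ts
        elif sig in BRUTE_FORCE and (ip not in first_brute or ts < first_brute[ip]):
            first_brute[ip] = ts
    return sorted(
        ip for ip in first_sweep
        if ip in first_brute and first_sweep[ip] <= first_brute[ip]
    )


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for flagged in sweep_then_brute_force(evs):
        print(flagged)
        for sig, months in signature_breakdown(evs, flagged).items():
            print(f"  {sig}: {months}")
```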


File Transfer Protocol (FTP) brute force attacks

The File Transfer Protocol (FTP) service has been around a long time and isn’t used as much as it once was because it doesn’t encrypt either the authentication process or the data transfer. While FTP should be configured to deny access to administrator accounts, we have witnessed successful FTP brute force attacks against these accounts (see Figure 8).

Figure 8 shows that brute force FTP attacks occurred throughout 2015, ranging from 3 to 12 percent of total attacks each month.

Most months in 2015 had over 100 different attacker IP addresses (see Figure 9). July had the highest with 276, which is 55 percent above the monthly average. The second highest month was November at 236 unique attacker IP addresses.


[Figure 8 chart: “FTP brute force attacks,” monthly bars for January through December 2015, y-axis 0% to 12%.]

Figure 8. FTP brute force attacks as a percentage of all observed attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.


[Figure 9 chart: “Unique attacker IP count (FTP),” monthly bars for January through December 2015, y-axis 0 to 300.]

Figure 9. Unique attacker IP counts for FTP brute force attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.


China edges out the United States with just a two percent difference to take first place as the country where most FTP brute force attacks appeared to originate (see Figure 10). Interestingly, only four of the top source countries, United States, India, France, and United Kingdom, are also part of the top ten destination countries (see Figure 11). The top two destination countries for FTP brute force attacks were the United States and France with nearly 60 percent of the total attacks.


Top 10 source countries for FTP brute force attacks

China 21%
United States 19%
India 10%
Ukraine 7%
Russian Federation 7%
Vietnam 5%
Brazil 5%
France 4%
United Kingdom 3%
Indonesia 3%

Figure 10. The top two source countries for FTP brute force attacks were China and the United States (1 January 2015 – 31 December 2015). Source: IBM MSS data.

Top 10 destination countries for FTP brute force attacks

United States 32.30%
France 27.81%
Japan 6.74%
Australia 2.25%
Hong Kong 1.16%
United Kingdom 0.93%
Denmark 0.85%
Germany 0.62%
Italy 0.23%
India 0.15%

Figure 11. The top two destination countries for FTP brute force attacks were the United States and France (1 January 2015 – 31 December 2015). Source: IBM MSS data.


Top five FTP brute force attacker IP addresses

The top five FTP brute force password attackers were seen conducting FTP brute force attacks spanning anywhere from 2 to 12 calendar months (see Table 11). Three out of the five IP addresses had several months of activity followed by a pause of one or more months, then resumed activity.

1: Attacker IP address 27.251.65.195
Country location: India

This attacker was seen in FTP brute force attack logs every month in 2015. The activity from this IP was made up largely of FTP brute force attacks, but there were also footprinting and SSH brute force attacks. (See Table 12.)


Rank Attacking IP January February March April May June July August September October November December Total Customers Affected* Month Count
1 27.251.65.195 4.76% 2.38% 4.76% 9.52% 2.38% 4.76% 7.14% 11.90% 0.00% 0.00% 0.00% 2.38% 28.57% 9
2 141.105.70.98 0.00% 0.00% 0.00% 2.38% 7.14% 0.00% 2.38% 9.52% 0.00% 0.00% 0.00% 0.00% 19.05% 4
3 113.20.30.182 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 2.38% 7.14% 2.38% 2.38% 2.38% 14.29% 5
4 211.109.1.231 0.00% 0.00% 0.00% 0.00% 9.52% 2.38% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 11.90% 2
5 141.105.70.96 0.00% 0.00% 0.00% 4.76% 2.38% 0.00% 9.52% 0.00% 0.00% 0.00% 0.00% 0.00% 11.90% 3

Table 11. The top attacking IP addresses for FTP brute force in 2015. Source: IBM MSS data. Note: Percentages shown represent the percentage of customers the attacking IP targeted during 2015. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


Signature January February March April May June July August September November December Total Event Count*
FTP_User_Root 1.91% 33.35% 0.28% 18.90% 0.01% 15.82% 1.59% 6.57% 0.00% 0.00% 9.26% 87.69%
FTP_Auth_Failed 0.65% 0.20% 0.04% 2.40% 0.00% 3.53% 0.05% 1.15% 0.00% 0.00% 0.00% 8.11%
FTP_User 0.09% 0.08% 0.12% 0.00% 0.09% 2.26% 0.00% 0.00% 0.00% 0.00% 0.00% 2.64%
TCP_Service_Sweep 0.33% 0.08% 0.13% 0.01% 0.01% 0.00% 0.02% 0.03% 0.04% 0.02% 0.04% 0.71%
FTP Authorization Failure 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.41% 0.00% 0.41%
SSH_Brute_Force 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.18% 0.00% 0.01% 0.00% 0.00% 0.19%
SSH_Service_Sweep 0.00% 0.00% 0.00% 0.00% 0.00% 0.08% 0.00% 0.00% 0.02% 0.02% 0.00% 0.12%
PSNG_TCP_PORTSWEEP_FILTERED 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%
TCP: SYN Host Sweep 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%
Sweep Scan 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%
Grand Total* 2.98% 33.71% 0.56% 21.32% 0.12% 21.79% 1.84% 7.74% 0.06% 0.58% 9.30% 100.00%

Table 12. Activity from IP address 27.251.65.195 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


2: Attacker IP address 141.105.70.98
Country location: Russia

This attacker was logged across six different months in 2015, but there was no activity in either June or September. The footprinting activity included scans for the FTP port and was followed by FTP brute force attacks. More ports were scanned, however; the other ports seen were for SIP (Session Initiation Protocol, used in internet telephony),46 including ports 5060, 5061, 5095, 5070, 5095, 6060, and 6090. The FTP attacks from this attacker could have been attempts to gain access to a digital voice or collaboration system.

Signature April May July August October November Total Event Count*
FTP_Auth_Failed 2.67% 6.60% 13.21% 23.55% 0.00% 0.00% 46.03%
TCP_Service_Sweep 27.29% 0.00% 0.42% 0.29% 5.99% 0.00% 33.99%
FTP_User_Root 2.64% 1.27% 6.31% 6.47% 0.00% 0.00% 16.69%
Geo Protection 0.00% 0.00% 0.00% 0.00% 0.00% 3.12% 3.12%
TCP: SYN Host Sweep 0.00% 0.00% 0.00% 0.00% 0.13% 0.00% 0.16%
Grand Total* 32.60% 7.87% 19.94% 30.35% 6.12% 3.12% 100.00%

Table 13. Activity from IP address 141.105.70.98 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


3: Attacker IP address 113.20.30.182
Country location: Indonesia

This attacker was seen in FTP brute force attack logs for 5 out of 12 months, but was seen in SSH brute force attack logs the month before attacks from this address appeared for FTP brute force.

Signature July August September October November December Total Event Count*
FTP_User_Root 0.00% 34.22% 37.66% 0.54% 8.00% 0.66% 81.07%
TCP_Service_Sweep 0.01% 0.09% 3.67% 0.41% 0.00% 4.66% 8.85%
FTP_Auth_Failed 0.00% 1.34% 5.41% 0.05% 1.66% 0.34% 8.81%
SSH_Brute_Force 0.18% 0.00% 0.00% 0.58% 0.20% 0.00% 0.96%
SSH_Service_Sweep 0.00% 0.05% 0.00% 0.04% 0.12% 0.00% 0.21%
TCP: SYN Host Sweep 0.00% 0.00% 0.05% 0.00% 0.00% 0.00% 0.05%
Sweep Scan 0.00% 0.01% 0.00% 0.00% 0.00% 0.01% 0.03%
PSNG_TCP_PORTSWEEP_FILTERED 0.00% 0.00% 0.01% 0.00% 0.00% 0.00% 0.01%
Grand Total* 0.20% 35.72% 46.81% 1.62% 9.97% 5.68% 100.00%

Table 14. Activity from IP address 113.20.30.182 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


4: Attacker IP address 211.109.1.231
Country location: Korea

This attacker was seen for just a little over one month (7 May 2015 – 12 June 2015), so we’re showing a daily view of this particular data rather than a whole year’s worth (Tables 15 and 16). Even though this is a short time frame of activity, due to the high number of customers it attacked, this IP address ranked fourth.

There are both footprinting and brute force (against FTP) attack patterns. FTP User Root covers login attempts for administrator accounts such as “root,” “Administrator,” and “admin.” The largest event count was from the brute force attacks, but the footprinting attacks were seen across the greatest number of days. The FTP User signature is an audit event that isn’t enabled often, which explains why the same volume of events is not seen for both FTP User and FTP User Root.

Signature 7 May 2015 8 May 2015 10 May 2015 12 May 2015 13 May 2015 17 May 2015 18 May 2015 19 May 2015 22 May 2015 24 May 2015 25 May 2015 26 May 2015 Total event count*
FTP_User_Root 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 53.51% 0.00% 0.00% 0.00% 0.00% 6.76% 74.50%
FTP_Auth_Failed 0.34% 0.01% 0.00% 0.00% 0.00% 0.00% 0.00% 0.20% 0.00% 0.00% 0.00% 1.97% 15.27%
FTP_User 0.00% 0.00% 0.00% 2.03% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 5.00%
TCP_Service_Sweep 1.24% 0.01% 0.04% 0.12% 0.04% 0.11% 0.00% 1.25% 0.00% 0.15% 0.14% 0.02% 4.98%
FTP: login Brute-force attempt (40001) 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01% 0.24%
PSNG_TCP_PORTSWEEP_FILTERED 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01%
TCP: SYN Host Sweep 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01%
Grand Total* 1.58% 0.02% 0.05% 2.14% 0.04% 0.12% 53.51% 1.43% 0.00% 0.15% 3.11% 10.78% 100.00%

Table 15. Activity from IP address 211.109.1.231 (7 May 2015 – 26 May 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


Signature 27 May 2015 28 May 2015 30 May 2015 31 May 2015 2 June 2015 4 June 2015 5 June 2015 8 June 2015 10 June 2015 11 June 2015 12 June 2015 Total Event Count*
FTP_User_Root 0.00% 0.03% 12.02% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01% 0.14% 0.00% 74.50%
FTP_Auth_Failed 0.00% 0.00% 12.69% 0.00% 0.00% 0.00% 0.01% 0.00% 0.00% 0.03% 0.03% 15.27%
FTP_User 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 5.00%
TCP_Service_Sweep 0.02% 0.00% 0.00% 0.00% 0.01% 0.14% 0.15% 0.01% 0.02% 0.14% 1.38% 4.98%
FTP: login Brute-force attempt(40001) 0.09% 0.00% 0.00% 0.14% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.24%
PSNG_TCP_PORTSWEEP_FILTERED 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01%
TCP: SYN Host Sweep 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.01% 0.00% 0.01%
Grand Total* 0.11% 0.03% 24.71% 0.14% 0.01% 0.14% 0.15% 0.01% 0.03% 0.33% 1.41% 100.00%

Table 16. Activity from IP address 211.109.1.231 (27 May 2015 – 12 June 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


5: Attacker IP address 141.105.70.96
Country location: Russia

This attacker acted differently from the other top five FTP brute force attacker IP addresses in that its FTP brute force events (signatures highlighted in grey in Table 17) did not have a high volume. Its footprinting attacks logged higher event counts and included sweeps and scans not only for port 21 (FTP), but also for common HTTP proxy ports (81 through 88, 8080 through 8089), plus port 8086, registered with IANA for “Distributed SCADA Networking Rendezvous Port,” and port 8383, registered with IANA for “M2M Services”. M2M means machine-to-machine and is associated with IoT (Internet of Things) device use, generally in an industrial context. We surmise that the attacker was searching for specific industrial control equipment with an exposed FTP service.


Signature March April May June July Total Event Count*
TCP_Probe_Other 0.00% 0.00% 0.00% 52.10% 0.00% 52.10%
TCP_Service_Sweep 13.74% 0.02% 17.88% 0.01% 2.64% 34.30%
TCP_Port_Scan 0.03% 0.00% 9.11% 0.02% 0.00% 9.17%
FTP_User_Root 0.00% 0.91% 0.12% 0.01% 0.97% 2.01%
FTP_Auth_Failed 0.00% 0.49% 0.20% 0.00% 0.89% 1.58%
FTP_User 0.00% 0.74% 0.00% 0.00% 0.00% 0.74%
TCP: SYN Host Sweep 0.00% 0.02% 0.00% 0.00% 0.03% 0.05%
FTP Authorization Failure 0.00% 0.00% 0.02% 0.00% 0.00% 0.02%
PSNG_TCP_PORTSWEEP_FILTERED 0.00% 0.01% 0.00% 0.00% 0.00% 0.01%
HTTP_AuthResponse_Possible_CSRF 0.00% 0.00% 0.00% 0.00% 0.01% 0.01%
PSNG_TCP_FILTERED_PORTSCAN 0.00% 0.01% 0.00% 0.00% 0.00% 0.01%
Grand Total* 13.78% 2.20% 27.33% 52.15% 19.94% 100.00%

Table 17. Activity from IP address 141.105.70.96 (1 March 2015 – 31 July 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.


Recommendations

Our data shows that footprinting techniques such as service sweeps and port scans are still being carried out with some frequency. Attackers often use the results of scanning to conduct brute force password attacks. Because the IoT devices and industrial control systems increasingly present in networks don’t always get the level of security review given a new computer, they can more easily fall victim to both footprinting and brute force attacks. We provide the following recommendations to help avoid this result.

Footprinting

• Footprint your own network from the Internet, using the same techniques as an attacker. While you may be able to assemble a kit of tools like Kali Linux, a vulnerability scanning service can continuously monitor your attack surface.

• Check network mapping search engines such as Shodan to see if your banners are revealing details they shouldn’t.

• Footprint your network from the inside to help ensure that only approved and inventoried devices are connected and to detect unapproved devices. Your footprinting should include port detection and software versions to ensure that no unpatched, vulnerable versions are present.

• Disable all unnecessary or insecure services, replacing services that have weak security with stronger counterparts. For example, replace telnet with SSH.

• If a service such as SSH, which defaults to listening on TCP port 22, can be changed to another port number without negatively impacting operations, doing so would lessen its chance of being attacked by systems that could connect to it.

• Use a firewall to allow access only from authorized networks and IP addresses to services they require. Do not allow “all” to connect to services such as SSH, FTP and databases unless that’s absolutely necessary for the type of service you provide.


Brute force attacks

• Enforce complex passwords. Stipulate a minimum length of eight characters and a combination of upper- and lower-case letters, numbers and special characters such as punctuation marks and mathematical symbols.

• Change your password every so often, even when not forced to do so, but do NOT use a derivation of a previously used password. And never, ever use weak passwords.

• When you use the same password across many sites, you risk multiple account compromises if even just one vendor is breached. A local password manager helps in managing the use of many passwords. Keep the master password written down and locked securely in a safe.

• Make sure the answers to your security questions are difficult to guess or to look up in publicly available information. If a site lets you create your own question, make it as esoteric as possible. For example, one comedian suggested the question “What are you wearing right now?” and the answer “That’s a totally inappropriate question!” But obviously, don’t use that question and answer, because we’ve just published it openly, haven’t we? Never use your real high school, mother’s maiden name, or any other information that can be gleaned from social media and public records such as obituaries. You can still use the maiden name option, of course. Just choose an answer that’s not true and would be difficult to guess.

• Use two-factor authentication when available.

• Disable accounts if they’re not being used. If you’ve been granted access to an application or service but don’t plan to use it, have the account disabled. If you think you might happen to need it sometime in the distant future, challenge yourself to make the password the toughest one to crack.

• Implement account lockout features. They can be very effective at slowing down or blocking remote brute force password attacks, but be aware of the considerations found here: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks. In particular, an attacker who can trigger lockouts at will can deny service to legitimate users, so prefer a temporary lockout tied to the source address and a time window, or progressively longer delays, over permanently locking the account itself.

• Do not allow administrator accounts to be logged into directly. Require administrators to log in under a named personal account and then elevate privileges, so that every privileged action is attributable, and disable direct administrator login in operating systems that allow you to do so (for example, PermitRootLogin no in sshd_config on Unix and Linux hosts).
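As an added example (not code from the IBM report, and not fail2ban), the following detector applies the lockout recommendation to the lines OpenSSH writes to auth.log: it counts failed logins per source address in a sliding window, locks the source out for a fixed period once the threshold is reached, and raises a separate alert when a login succeeds from a source that is still locked out, which is the event a responder most needs to see. The log lines, the year (syslog timestamps carry none), the thresholds and the 198.51.100.7 and 203.0.113.42 addresses are constructed.

```python
"""Sliding-window SSH brute-force detection with per-source lockout.

Added example, not code from the IBM report or from fail2ban. The log lines
are constructed in the format OpenSSH writes to auth.log; the year, the
thresholds and the RFC 5737 addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2016                        # syslog timestamps carry no year (assumed)
THRESHOLD = 5                      # failures from one source within WINDOW
WINDOW = timedelta(minutes=10)     # sliding window for counting failures
BAN = timedelta(hours=1)           # how long a source stays locked out

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)

# Constructed auth.log excerpt: a burst of failures, then a success, from one
# source; and a single typo followed by a key-based login from another.
SAMPLE_LOG = """\
Apr 12 03:14:01 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 52144 ssh2
Apr 12 03:14:02 bastion sshd[2203]: Failed password for root from 198.51.100.7 port 52145 ssh2
Apr 12 03:14:03 bastion sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 52146 ssh2
Apr 12 03:14:04 bastion sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 52147 ssh2
Apr 12 03:14:05 bastion sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 52148 ssh2
Apr 12 03:14:06 bastion sshd[2211]: Accepted password for root from 198.51.100.7 port 52149 ssh2
Apr 12 03:20:00 bastion sshd[2300]: Failed password for alice from 203.0.113.42 port 61000 ssh2
Apr 12 03:20:30 bastion sshd[2301]: Accepted publickey for alice from 203.0.113.42 port 61001 ssh2
"""


def parse_line(line):
    """Return (timestamp, accepted, user, src) for an auth result line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["src"]


class BruteForceDetector:
    """Track failed SSH logins per source and decide when to lock a source out."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, ban=BAN):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.banned_until = {}               # src -> datetime the lockout expires
        self.alerts = []                     # (kind, src, user, timestamp)
        self.verdicts = []                   # one verdict per parsed line

    def is_banned(self, src, ts):
        until = self.banned_until.get(src)
        return until is not None and ts < until

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return None                      # not an authentication result line
        ts, accepted, user, src = parsed
        recent = self.failures[src]
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # expire failures outside the window
        if accepted:
            verdict = "LOGIN_DURING_BAN" if self.is_banned(src, ts) else "OK"
            if verdict == "LOGIN_DURING_BAN":
                self.alerts.append((verdict, src, user, ts))
        else:
            recent.append(ts)
            verdict = "FAILED"
            if len(recent) >= self.threshold and not self.is_banned(src, ts):
                self.banned_until[src] = ts + self.ban
                verdict = "BRUTE_FORCE"
                self.alerts.append((verdict, src, user, ts))
        self.verdicts.append(verdict)
        return verdict


def analyse(lines):
    """Feed every line to a fresh detector and return it for inspection."""
    det = BruteForceDetector()
    for line in lines:
        det.feed(line)
    return det


if __name__ == "__main__":
    for kind, src, user, ts in analyse(SAMPLE_LOG.splitlines()).alerts:
        print(f"{ts:%b %d %H:%M:%S} {kind} src={src} user={user}")
```

Locking by source address rather than by account is the trade-off the OWASP page describes: it denies an attacker the ability to lock real users out, at the cost of being weaker against attempts spread across many addresses, which is why the success-during-lockout alert matters as much as the lockout itself. Enforcement, such as adding the locked-out source to a firewall drop list, is deliberately outside this script.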


Protect your enterprise while reducing cost and complexity

From infrastructure, data and application protection to cloud and managed security services, IBM Security Services has the expertise to help safeguard your company’s critical assets. We protect some of the most sophisticated networks in the world and employ some of the best minds in the business.

IBM offers services to help you optimize your security program, stop advanced threats, protect data and safeguard cloud and mobile. With IBM Managed Security Services, you can take advantage of industry-leading tools, security intelligence and expertise that will help you improve your security posture—often at a fraction of the cost of in-house security resources. Our Managed Protection Service offers around-the-clock monitoring, management and incident escalation to help protect your networks, servers and desktops. Identity and Access Management services target virtually every aspect of identity and access management across your enterprise, including user provisioning, web access management, enterprise single sign-on, multi-factor authentication, and user activity compliance.

About IBM Security

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors billions of security events per day in more than 130 countries, and holds more than 3,000 security patents.


About the Author

Scott Craig is a Threat Researcher for IBM Managed Security Services. Scott has worked in the IT field for more than 20 years, 17 of which were dedicated to computer security. Before being dedicated to computer security, Scott’s work as an enterprise Unix system administrator and a systems architect helped him to understand the way security fits into overall systems. Scott’s unique ability to find patterns of interest in security device logs is what helped him become successful in his last role in IBM Managed Security Services as a team lead of the Data Intelligence group. In his role as an IBM Threat Researcher, Scott mines through millions of rows of data in search of stories worth sharing with others. Through these efforts, he hopes to improve every entity’s data security which, in turn, helps every person who has a file about them somewhere.

Contributors

Dave McMillen – Senior Threat Researcher, Threat Research Group

Michelle Alvarez – Threat Researcher, Threat Research Group

For more information

To learn more about the IBM Security portfolio, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information on security services, visit: ibm.com/security/services

Follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog


36



© Copyright IBM Corporation 2016

IBM Security Route 100 Somers, NY 10589

Produced in the United States of America April 2016

IBM, the IBM logo, ibm.com and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


SEL03093-USEN-00