SAN FRANCISCO – The use of automated bots is becoming more prevalent for novice attackers as tools become more available, researchers found.
A honeypot experiment, detailed by Cybereason at this year’s RSA Conference, showed the commoditization of using bots to perform low-level tasks. The honeypot showed an automated bot come in and lay the groundwork – by exploiting vulnerabilities and other automated tasks – for the hacker to then come in and siphon off 3GB of data.
“If exploit automation wasn’t enough of a concern for security teams, this technique has grown even more potent with attackers using bots that can automatically exploit vulnerabilities, create backdoors, dump passwords, conduct network reconnaissance and laterally move in seconds,” according to Cybereason’s report.
Cybereason set up the honeypot by releasing usernames and passwords for the Remote Desktop Protocol (RDP) for three servers in the network in dark markets and paste sites to see how suspicious hackers have become of the forums that were once thriving with illicit activity.
“The genesis of the project was to test a hypothesis about what hackers did once they get access to high functioning networks, how automated bots took advantage of the environment, and when hackers actually entered,” said Ross Rustici, Cybereason’s Senior Director of Intelligence Services, in an interview with Threatpost.
Cybereason researchers observed a bot break in through the RDP and complete launch an automated exploitation of the network, taking actions very quickly through automated scripting.
This bot created the groundwork for human attackers before they entered an environment. It carried out a bucket list of tasks such as exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines via malicious code.
The bot also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords.
The bot carried these functions out in approximately 15 seconds, said Cybereason.
“For defenders, automatic exploitation in a matter of seconds means they’ll likely be overwhelmed by the speed at which the bot can infiltrate their environment. The increasing automation of internal network reconnaissance and lateral movement is an even larger concern,” according to Cybereason’s report.
Two days after the bot finished its work, a human attacker entered the environment. Rustici said that researchers knew it was a human because the attacker logged in with a user account created by the bot. Also, a user interface application was opened, and remote access capabilities were accessed, functions not typically carried out by bots.
“The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark Web,” according to Cybereason.
“The actual user interaction was most interesting,” said Rustici. “The fact that the hacker had a shopping list, meant he could quickly grab the information he wanted. He knew what he wanted… this means attackers are wasting less time.”
Cybereason said that the use of this technique proves that the operational profile of hackers is changing, with less sophisticated hackers gaining access to tools usually reserved for more advanced attackers.
“At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability,” according to Cybereason.