Read Time: 5 Minutes
F-Secure researchers employ a global network of honeypots to help monitor the online threat landscape. These honeypots passively analyze Internet traffic directed to and from locations all over the world. While there are limitations to what honeypots can tell us, they are an excellent source of information regarding high-level patterns and trends, such as how attackers, self-replicating botnets, and other sources find targets.
Reconnaissance allows attackers to investigate companies, networks, IP addresses, people, and other potential targets to determine whether or not they are suitable and vulnerable to attack. Resourceful attackers use open-source intelligence freely available to everyone on the Internet, such as LinkedIn, Google, Shodan, and more.
Active reconnaissance involves hackers using techniques like port scanning to probe devices and networks. This probing allows them to collect specific information about potential targets in preparation for executing additional stages of an attack. There are a wide variety of tools that attackers can use to do this.
In the latter half of 2016, we detected an overwhelming amount of what we believe to be active reconnaissance traffic coming from Russian IP addresses – nearly 60% of the global volume. Following Russia was the Netherlands, which accounted for 11%; the United States with 9%; and Germany and China with approximately 4% each. The top 10 sources of this traffic accounted for nearly 95% of the total amount we observed last year.
With Russia being the largest source of this traffic, it’s no surprise that most countries in the world were targeted by Russian IPs, including Russia. The US was the most frequent target of both global and Russian traffic. Traffic originating from Chinese IPs provided a few notable exceptions to this trend: the US and Germany were both the most frequent source and destination for reconnaissance traffic to and from China.
It is very common for attacks to be conducted through proxies. There are many different ways attackers all over the world can leverage proxies to help them conduct attacks. For example, attackers can compromise a machine (such as by infecting a computer with malware) and then use it to conduct scans looking for additional targets. Worms, bots, and other types of malware programmed to automatically begin scanning for new targets after infecting a particular device are often spread in this fashion.
The more prominently countries appear in these observations, the more likely it is that there are compromised networks or infrastructure (such as bulletproof hosting services) used by attackers located in the same country or somewhere else in the world. The use of proxies to transcend national borders makes law enforcement and other efforts to combat abuse more difficult, essentially hardening criminal enterprises against takedown attempts.
Automating active reconnaissance allows attackers to effectively scale their operations and grow their infrastructure. Such expansion can help attackers develop their capabilities by giving them what they need to perform DDoS attacks, conduct spam/phishing campaigns, and more. A portion of the traffic observed by our honeypots is most likely the result of automated scanning and self-replicating botnets.
What are they looking for?
Nearly half of the traffic observed by our honeypots was looking for exposed http/https ports. Attackers probe these ports in an attempt to look for vulnerable software that can be exploited in order to upload malware or otherwise compromise the device. Even though the honeypots were clearly not high-value targets, nor capable of being “owned” in the way that an actual vulnerable device could, they attract interest from attackers looking to leverage vulnerable machines as proxies for further attacks.
SMTP ports were another popular target. Again, attackers probe these ports looking for exploitable software. These ports are also frequently targeted by spam and phishing campaigns, putting them in the line of fire for a wide variety of scams used by opportunistic cyber criminals.
Ports used for more specific purposes, such as Telnet and SSDP, were also targeted by the traffic we observed. Telnet and SSDP are both easy targets for attackers looking to hijack devices and have both been associated with DDoS-related botnets, so it’s no surprise that leaving them open was enough to attract attention.
Mirai-based botnets made big news in the last half of 2016. Mirai was originally designed to infect devices by brute forcing Telnet credentials (see Appendix: Mirai Source Code Analysis for a list of credentials used by the original variant), which is a common attack vector for similar types of malware. Open Telnet ports allow Mirai and similar threats to spread.
We observed the bulk of scanning for open Telnet ports to originate from Asian countries. The top five sources of scans came from Taiwan, China, India, Vietnam, and the Republic of Korea. The most common targets of these scans were the United Kingdom, Turkey, and Taiwan.
There were a handful of attempts to infect our honeypots with malware. The most common malware used in these attempts were Gafgyt (Mirai-like malware commonly used to create IoT botnets), Tsunami (a backdoor used to create botnets), and PnScan (also used to created botnets from infected Linux routers). All of these malware families are well-known tools used by botnet operators, providing additional evidence that a significant amount of traffic detected last year was intended for this purpose.
This map shows the countries which are the top sources and targets of attacks. (Right click to enlarge)
This article was extracted from our recent report, The State of Cyber Security 2017. Read more about cyber security trends and topics when you download the full report here.