Why hack a network when you can get a botnet to do it for you?
It turns out that botnets might be an easier way to break into a network, not least by taking the grunt work out of it. It's not a new concept -- we've seen it before with bots running through lists of default usernames and passwords to hijack Internet of Things devices.
Botnets have also been seen exploiting publicly known vulnerabilities to silently take over devices, steal data, or launch further attacks.
But can a botnet be used to break into a network? New research from Boston-based Cybereason wanted to test that theory.
By creating a honeypot network, the researchers were able to see how hackers are using the same kind of tools to their advantage. The hackers used a botnet to carry out the early exploitation and reconnaissance without needing to get stuck in themselves. Only when the botnet had a foot in the door did the human hacker jump in and take over.
"For defenders, automatic exploitation in a matter of seconds means they'll likely be overwhelmed by the speed at which the bot can infiltrate their environment," said the report by Israel Barak, Cybereason chief information security officer.
"The increasing automation of internal network reconnaissance and lateral movement is an even larger concern," he said.
Here's how it worked.
The security firm set up a honeypot -- a fake financial firm -- with several points of attack. The network was small, but consisted of two Ubuntu servers -- one for email -- and a Windows-based dev-ops server. First, the researchers scattered "leaked" server credentials across dark web markets that would allow an attacker to gain access to the network over RDP, the Remote Desktop Protocol, a widely abused remote access system that, once an attacker has valid credentials, lets them use a compromised system as though they were sitting at it.
To make exploitation easier, the researchers also exposed additional RDP services with local administrator and root accounts protected only by weak passwords, as bait.
Somewhat unexpectedly, the passwords dumped to the dark web didn't go anywhere.
"Despite dressing up the information as a low level hacker who got lucky and didn't know where to go from there, not a single set of credentials was used," said Ross Rustici, senior director at Cybereason.
But within a couple of hours, a bot had broken in with the weak passwords, scanned the network, and created new administrator user accounts using the command line -- essentially a backdoor for the hacker.
The bot also dumped credentials from a compromised machine by scanning its browser cookies, including those for common banks, financial services, online retailers, social networks, and dating sites.
That effort took the bot just 15 seconds, said Barak.
Two days later, a human hacker dropped into the honeypot using one of the backdoor credentials the bot had created -- possibly to determine what data was worth stealing, the research said.
Already knowing how the network looked, the attacker stole more than three gigabytes of dummy data.
"The bot attempted to discover various lateral movement options, including performing a network scan to discover other machines connected to the network, determine their level of potential value -- resolve their DNS names -- and discover open services," said Barak.
"The bot dumped locally cached credentials and checked whether they contained users that had high domain-level permissions," he said.
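The sequence described above -- a weak RDP password guessed, then a new administrator account created within seconds, far faster than a human operator would type -- is what a defender can look for in Windows Security logs. The following detector is an added example, not code from Cybereason or the report. It uses the standard Windows event IDs (4625 failed logon, 4624 successful logon, 4720 user created, 4732 member added to a local group) and logon type 10 for RDP; the thresholds, the window sizes, and the sample events are constructed for illustration.

```python
"""Flag bot-speed RDP compromise: password guessing that succeeds, followed
within seconds by a new local administrator account (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs and the RDP (RemoteInteractive) logon type.
EVT_LOGON_FAILED = 4625
EVT_LOGON_SUCCESS = 4624
EVT_USER_CREATED = 4720
EVT_GROUP_MEMBER_ADDED = 4732
LOGON_TYPE_RDP = 10

# Tuning knobs (assumed values, not taken from the report).
FAILURE_THRESHOLD = 5                     # guesses before a success counts as brute force
FAILURE_WINDOW = timedelta(minutes=2)     # how far back to count those guesses
BOT_SPEED_WINDOW = timedelta(seconds=60)  # logon -> new admin faster than a human would manage

# Constructed sample events: the "administrator" password is guessed over RDP,
# then within seconds a new account is created and made a local Administrator.
# A normal admin session later in the day is included as a negative case.
SAMPLE_EVENTS = [
    {"ts": "2018-07-30T10:00:00", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"ts": "2018-07-30T10:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"ts": "2018-07-30T10:00:02", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"ts": "2018-07-30T10:00:03", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"ts": "2018-07-30T10:00:04", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"ts": "2018-07-30T10:00:05", "id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"ts": "2018-07-30T10:00:12", "id": 4720, "subject_user": "administrator", "target_user": "svc_backup"},
    {"ts": "2018-07-30T10:00:14", "id": 4732, "subject_user": "administrator", "member": "svc_backup", "group": "Administrators"},
    {"ts": "2018-07-30T14:30:00", "id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.7"},
    {"ts": "2018-07-30T16:10:00", "id": 4720, "subject_user": "jsmith", "target_user": "intern01"},
]


def detect(events):
    """Return a list of findings (dicts) for the bot-speed RDP compromise pattern."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    findings = []
    failed = defaultdict(list)   # src_ip -> timestamps of failed RDP logons
    rdp_sessions = {}            # user -> (ts, src_ip) of that user's most recent RDP logon
    created = {}                 # newly created account -> creation timestamp

    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        eid = e["id"]

        if eid == EVT_LOGON_FAILED and e.get("logon_type") == LOGON_TYPE_RDP:
            failed[e["src_ip"]].append(ts)

        elif eid == EVT_LOGON_SUCCESS and e.get("logon_type") == LOGON_TYPE_RDP:
            # A success preceded by a burst of failures from the same source is a guessed password.
            recent = [t for t in failed[e["src_ip"]] if ts - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append({"rule": "rdp_bruteforce_success", "user": e["user"],
                                 "src_ip": e["src_ip"], "failures": len(recent), "ts": e["ts"]})
            rdp_sessions[e["user"]] = (ts, e["src_ip"])

        elif eid == EVT_USER_CREATED:
            # Account creation seconds after the creator's RDP logon is automation, not a person.
            created[e["target_user"]] = ts
            session = rdp_sessions.get(e["subject_user"])
            if session and timedelta(0) <= ts - session[0] <= BOT_SPEED_WINDOW:
                findings.append({"rule": "account_created_seconds_after_rdp_logon",
                                 "creator": e["subject_user"], "new_user": e["target_user"],
                                 "src_ip": session[1], "delay_s": (ts - session[0]).total_seconds(),
                                 "ts": e["ts"]})

        elif eid == EVT_GROUP_MEMBER_ADDED and e.get("group") == "Administrators":
            # A brand-new account promoted to local admin right away is the backdoor being set up.
            born = created.get(e["member"])
            if born is not None and ts - born <= BOT_SPEED_WINDOW:
                findings.append({"rule": "new_account_promoted_to_admin", "new_user": e["member"],
                                 "by": e["subject_user"], "delay_s": (ts - born).total_seconds(),
                                 "ts": e["ts"]})
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample log this yields three findings for the 198.51.100.23 session (the guessed password, the account created seven seconds after logon, and its promotion two seconds later) and nothing for the jsmith session, whose account creation happens well outside the window. In practice the same three rules map onto a SIEM correlation search; the timing windows are what separate a bot from an administrator doing routine work.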
The research team hasn't said yet which botnet might have carried out the attack, but said that the activity originated from several IP addresses across the world -- particularly Russia, as well as Hong Kong, where the human attacker is said to have connected from.
Four days after the exfiltration -- almost a week after the initial hack -- the human attacker hadn't returned. The attack was over.
What used to be an arduous task -- picking out and targeting infrastructure to attack and steal data -- can now be semi-automated, making hacking easier than ever. Barak said that the honeypot experiment revealed how useful -- and common -- bots can be to perform low-level tasks.
"Even novice attackers now have this capability," he said.