Some interesting and even quirky pieces caught our eye this month. Read on for the news we’ve been following and chatting about around the proverbial water cooler.
Microsoft Engineer Says Attackers Don’t Bother Brute-forcing Long Passwords
Microsoft security researcher Ross Bevington has used data gathered from a network of honeypot servers to learn more about how threat actors behave once they reach a target. One of the interesting findings from this deception setup was that 77% of brute-force password attempts used passwords of six numerals or fewer. Only 7% of the attempts employed a special character.
“This article cites the existence of a ‘Head of Deception’ position within Microsoft, someone ‘tasked with creating legitimate-looking honeypot systems in order to study attacker trends’. That is pretty cool, and it shows they are actively using deception to aid with getting new insights on attackers.” — Fernando, Founder
Source: The Record, November 23
Observing Attacks Against Hundreds of Exposed Services in Public Clouds
This post from Unit42 researchers shows how important it is to configure cloud environments correctly and securely. Unit42 deployed multiple honeypots across the internet; 80% were compromised within a day, and 100% within a week. The most attacked application was SSH—one honeypot was compromised 169 times in a single day. The findings help defenders better understand the attacks that exposed services in public clouds actually face.
“This post gives an idea about the wild internet, how exposing something to the Internet makes it easily discoverable by attackers in a very small time frame. In our latest blog posts we also showed this, as well as how attackers use the latest vulnerabilities in order to compromise the maximum number of servers.” — A member of our threat intel team
Source: Unit 42, November 24
REvil: Day of Reckoning For Notorious Cyber Gang
Finally, we have more news about REvil’s demise. Coordinated action against the REvil gang was announced on Monday by Romanian police, the US Department of Justice (DOJ) and Europol. Raids led to the arrest of two alleged hackers in Romania and one from Ukraine, halting the activity of one of the major hacking groups of recent years. In the announcement, the US DOJ said it had successfully retrieved more than $6 million in cryptocurrency from the gang. Interpol’s part of the operation has been ongoing since February and has led to seven arrests of gang members in total, in Romania, Ukraine, South Korea and Kuwait.
“This is really good news. We need to include it this month because it’s almost always bad news, so when something good this big happens, it’s important to talk about it!” — A member of our development team
Source: BBC, November 9
China Says a Foreign Spy Agency Hacked Its Airlines, Stole Passenger Records
In an unusual move, China revealed a large-scale hacking campaign against its airlines. Officials from the Ministry of State Security, China’s civilian intelligence, security and secret police agency, confirmed that a foreign intelligence agency hacked several airlines in 2020 and stole travel records. The intrusion used a custom trojan, which the attackers deployed to exfiltrate passenger details and other data from the first target.
“This interesting piece of news was published by RecordedFuture. As the author explained in the article, even if China hasn’t attributed the hack, this is still remarkable because China rarely talks about the cyberattacks they have played victim to.” — Fernando, Founder
Source: The Record, November 9
US Says Iran-backed Hackers Are Now Targeting Organizations With Ransomware
The U.S. government has issued a rare joint warning with its counterparts in Australia and the U.K. The warning states that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors, sometimes using ransomware. The attackers have been exploiting Fortinet vulnerabilities since at least March and a Microsoft Exchange ProxyShell vulnerability since October to gain access to U.S. critical infrastructure organizations in the transport and public health sectors, as well as organizations in Australia. Officials believe the hackers ultimately aim to leverage this access for follow-on operations such as data exfiltration, extortion and ransomware deployment.
“This article shows—again—that things are getting really serious on the nation-state hacking front. APT groups are very active in this cyber arms race and U.S. strategic and critical infrastructure companies are being targeted by enemy-state-backed companies.” — A member of our development team
Source: TechCrunch, November 17