Attack Observation Report: Do The Botnet

Executive Summary

This report summarizes activity observed on the DShield sensor between September 12 and 15, 2024, targeting both web and SSH services. Multiple techniques, including SSH brute-force attacks and web-based automated reconnaissance attempts, were identified. The attackers primarily leveraged poorly configured services and default credentials across both attack surfaces. This analysis maps these activities to relevant MITRE ATT&CK techniques to better understand the tactics used.

1. SSH Brute-Force Attacks

SSH brute-force attacks were one of the primary methods observed. Attackers attempted to gain unauthorized access by repeatedly guessing passwords, targeting default accounts such as "root" and common weak passwords. Following a successful login, attackers often altered the SSH configuration to secure persistent access.

2. Web Honeypot Data Analysis

The web honeypot logs indicated multiple scanning and reconnaissance attempts targeting common vulnerabilities in web applications.

  • Tactic: Initial Access
  • Tactic: Discovery
    • Technique: T1046 - Network Service Scanning
    • IP addresses such as 185.191.126.213 and 141.255.160.234 repeatedly scanned and enumerated various endpoints (e.g., /config.json, /sitemap.xml).
  • Tactic: Execution

3. Botnet Activity

Specific IP addresses appeared repeatedly in the DShield sensor logs, suggesting the use of a botnet. These IPs conducted both SSH and HTTP-based attacks, indicating a coordinated approach across different service vectors.

  • Tactic: Command and Control
    • Technique: T1090.002 - Proxy: External Proxy
    • Repeated attempts to use the HTTP CONNECT method and to tunnel traffic through the sensor in a proxy-like manner indicate botnet C2 mechanisms.
  • Tactic: Resource Development
    • Technique: T1583.005 - Botnets
    • The repeated scanning and probing by the same IP addresses on different days indicate botnet-driven attacks.

Recommendations

  1. SSH Hardening:
    • Enforce strong password policies and disable password-based SSH authentication in favor of key-based authentication.
    • Monitor SSH logs for unusual login attempts and key modifications.
  2. Web Application Security:
    • Regularly update web applications, especially CMS platforms like WordPress, and secure standard directories.
    • Implement web application firewalls (WAF) to detect and block scanning attempts.
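As an added example (not part of the original report or of the DShield tooling), the following Python script implements the SSH log monitoring recommended above against the pattern described in section 1: bursts of failed password attempts from one source, followed by a successful login. The log lines, hostname and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not taken from the sensor).
SAMPLE_LOG = """\
Sep 13 02:11:04 sensor sshd[2101]: Failed password for root from 203.0.113.45 port 51522 ssh2
Sep 13 02:11:06 sensor sshd[2103]: Failed password for root from 203.0.113.45 port 51530 ssh2
Sep 13 02:11:09 sensor sshd[2105]: Failed password for invalid user admin from 203.0.113.45 port 51538 ssh2
Sep 13 02:11:12 sensor sshd[2107]: Failed password for root from 203.0.113.45 port 51544 ssh2
Sep 13 02:11:15 sensor sshd[2109]: Failed password for root from 203.0.113.45 port 51550 ssh2
Sep 13 02:11:18 sensor sshd[2111]: Accepted password for root from 203.0.113.45 port 51556 ssh2
Sep 13 03:40:01 sensor sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Sep 13 04:02:44 sensor sshd[2402]: Failed password for root from 192.0.2.99 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze_auth_log(text):
    """Per source IP: failed attempts, usernames tried, and whether a success followed failures."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "success_after_failures": False})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        elif entry["failed"] > 0:
            # A successful login after prior failures from the same source is the
            # brute-force-then-access pattern worth escalating.
            entry["success_after_failures"] = True
    return dict(stats)


def flag_sources(stats, threshold=5):
    """Return IPs that reached the failure threshold or logged in after failing."""
    return sorted(ip for ip, s in stats.items()
                  if s["failed"] >= threshold or s["success_after_failures"])


if __name__ == "__main__":
    results = analyze_auth_log(SAMPLE_LOG)
    for ip in flag_sources(results):
        s = results[ip]
        print(f"{ip}: {s['failed']} failures, users={sorted(s['users'])}, "
              f"success_after_failures={s['success_after_failures']}")
```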

Conclusion

The attacks observed in this report highlight the persistent and evolving threat posed by botnets. These botnets leverage automated reconnaissance, brute-force tactics, and vulnerability exploitation across multiple services exposed by the DShield sensor. The attackers aimed to establish and maintain long-term access via SSH brute force and web application exploits. Their approach indicates an opportunistic reliance on poor configurations and weak credentials.
