Attack Observation Report: Do The Botnet

Attack Observation Report: Do The Botnet

Executive Summary

This report summarizes activity observed on the DShield sensor between September 12 and 15, 2024, targeting both web and SSH services. Multiple techniques, including SSH brute-force attacks and web-based automated reconnaissance attempts, were identified. The attackers primarily leveraged poorly configured services and default credentials across both attack surfaces. This analysis maps these activities to relevant MITRE ATT&CK techniques to better understand the tactics used.

1. SSH Brute-Force Attacks

SSH brute-force attacks were one of the primary methods observed. Attackers attempted to gain unauthorized access by repeatedly guessing passwords and targeting default credentials like "root" and common weak passwords. Attackers often altered SSH configurations following successful login attempts to secure persistent access.

2. Web Honeypot Data Analysis

The web honeypot logs indicated multiple scanning and reconnaissance attempts targeting common vulnerabilities in web applications.

  • Tactic: Initial Access
  • Tactic: Discovery
    • Technique: T1046 - Network Service Scanning
    • IP addresses such as 185.191.126.213 and 141.255.160.234 repeatedly scanned and enumerated various endpoints (e.g., /config.json, /sitemap.xml).
  • Tactic: Execution

3. Botnet Activity

Specific IP addresses were seen repeatedly in the DShield sensor logs, suggesting using a botnet. These IPs conducted SSH and HTTP-based attacks, showcasing a coordinated attack approach across different service vectors.

  • Tactic: Command and Control
  • Tactic: Command and Control
    • Technique: T1090.002 - Proxy: External Proxy
    • Repeated attempts to use HTTP CONNECT methods and tunnel traffic through proxy-like behaviors indicate botnet C2 mechanisms.
  • Tactic: Resource Development
    • Technique: T1583.005 – Botnets
    • The repeated scanning and probing by the same IP addresses on different days indicate botnet-driven attacks.

Recommendations

  1. SSH Hardening:
    • Enforce strong password policies and disable password-based SSH authentication in favor of key-based authentication.
    • Monitor SSH logs for unusual login attempts and key modifications.
  2. Web Application Security:
    • Regularly update web applications, especially CMS platforms like WordPress, and secure standard directories.
    • Implement web application firewalls (WAF) to detect and block scanning attempts.

Conclusion

The attacks observed in this report highlight botnets' persistent and evolving threat. These botnets leverage automated reconnaissance, brute-force tactics, and vulnerability exploitation across multiple services exposed by the DShield sensor. The attackers aimed to establish and maintain long-term access via SSH brute force and web application exploits. Their approach indicates an opportunistic reliance on poor configurations and weak credentials.

Follow my journey