It Takes Hackers 60 Seconds to Find and Attack a Vulnerable Server

Movies and, to a certain extent, mainstream media would have us believe that organizing a cyberattack involves a lot of planning, plenty of resources, and a teenage computer geek who's in a bad mood all the time. This is a misconception that has had a profound effect on the way people view their online security. Because they have been led to believe that 'hacking' (a term that has also seen its fair share of abuse) is a lot of hard work, regular users think that nobody is going to bother with attacking them because the effort is just not worth it. The sooner people realize that this is not the case, the better. To help them out, researchers from Sophos conducted an experiment with which they proved that whether or not you will be attacked is not a question of 'if', but of 'when'. And the answer to that question is 'Sooner than you think'.

The setup

Sophos' experts have been monitoring the threat landscape for years. They know exactly what the hackers want and what they're prepared to do to get it. The researchers are also perfectly aware of the alarmingly common configuration mistakes hardware vendors, system administrators, and regular users make when they're setting up their internet-connected devices.

On January 17, they deliberately repeated some of these mistakes and set up honeypots in Amazon's data centers in California, Ohio, Sao Paulo, Ireland, London, Paris, Frankfurt, Mumbai, Singapore, and Sydney. A honeypot, as you might have guessed already, is a device that is connected to the internet and is intentionally left vulnerable in order to lure the hackers into attacking it.

Sophos used both low- and high-interaction honeypots. The low-interaction honeypots presented attackers with a login form that was impossible to bypass, and they helped Sophos gain a better understanding of how many brute-force attempts attackers are prepared to make and what sort of login credentials they use. With the high-interaction honeypots, the experts wanted to see why hackers attack servers and other devices and what they do once they compromise them. That's why, the high-interaction honeypots allowed attackers to log in and execute secure shell (SSH) commands.

The results

Sophos knew from the very beginning that, as they put it, "every device is worth hacking when the process is automated", and they also knew that in the real world, the process is highly automated. The researchers expected to see the first attacks soon after the experiment started, but even they were surprised by how quickly the hackers found the vulnerable servers. The first login attempt on the honeypot in Sao Paulo was detected just 52 seconds after the server was put online. Four minutes later, the crooks were also trying to brute-force Ohio's honeypot, and within half an hour, they were all over the servers in California, Paris, and Sydney. Finding the rest of the honeypots proved a bit more difficult, but not by much. About an hour and forty-five minutes after the beginning of the experiment, the honeypot in Ireland registered the first unauthorized login attempt which meant that all ten servers were under attack.

Based on all this, you might be thinking that users in Ireland are safer than those in Brazil, but this isn't really the case. In just 30 days, each and every one of Sophos' honeypots recorded hundreds of thousands of login attempts, with Ohio's server leading the pack with a total of 950 thousand tries. On average, across the ten honeypots, the hackers were trying to break in 17 times a minute or just under 760 times an hour. Considering all this, the extra time needed to find some of the honeypots really doesn't make that much of a difference.

The figures are especially frightening when you consider how many devices are still protected by default login credentials that are publicly available. Unfortunately, the hackers are aware of this as well.

Default usernames and passwords make brute-forcing easy

The login credentials Sophos logged during the brute-force attacks can give us an insight into what sort of devices the crooks are after. The default username for the administrative account on a *NIX system, for example, is "root", and it was used in a whopping 96% of the login attempts. Most servers and virtually all CCTV cameras and IoT gadgets run on *NIX operating systems.

Rather predictably, the most common passwords the hackers used during the brute-force attempts was "123456", and "password" was not far behind. Most of the other commonly used passwords were device-specific, including "raspberry", which is the default root password on Raspbian – a Linux distribution created for the Raspberry Pi minicomputer.

The post-compromise operation

The presence of Raspberry Pi's default credentials is interesting because we're talking about a device that doesn't have a whole lot of resources. The hackers think that hacking it is justifiable which may sound a bit baffling at first, but when you see what they do once they're in, you'll realize that it makes a whole lot of sense.

The data collected during Sophos' experiment shows that back in January, the hackers were mounting a highly targeted attack that didn't require an especially powerful piece of hardware. After breaking in and confirming that the pwned device has a stable internet connection, the crooks would use the honeypot as a proxy in an attempt to exploit the infrastructure of a "major retail chain" which Sophos decided not to name.

As you can see, the hackers aren't necessarily interested in what sort of device they're compromising. If they need a proxy, they'll find a proxy, which means that even if you're setting up something as seemingly harmless as an internet-connected kettle, you need to make sure that the device is configured properly. Changing the default login credentials is the first step.