There is a lot of discussion going on at the moment across the interwebs about the intent behind the latest string of brute force attacks, much of which I find very interesting. While I can’t refute what is being said, I can add my own insight into the anatomy of an attack once it succeeds.
How Are These Attacks Happening
First, let’s address the most important piece of information: the how. What we know, based on the data we reported earlier, is that the very large majority of the attacks are coming from local PC boxes. How do we know? We’re seeing the IPs and their incoming signatures.
A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia
What is the end-game?
This is a lot harder to address. Some of the discussion I’m seeing is specific to the post-attack phase: what they’re doing once they gain access.
The prevailing theory at the moment is the creation of a large WordPress botnet. While we haven’t seen evidence of this, it’s an interesting theory. Some are describing it as the same tactics that were employed last year, in 2012.
This is where I get confused, because the tactics used in 2012 exploited TimThumb, which is fundamentally different from web-based brute-force attacks against CMS administrator panels.
That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads. – Information Week Security
In this scenario, the attackers were making use of a Remote File Inclusion (RFI) vulnerability, not an authentication weakness that comes from poor access control, i.e., poor passwords.
This in itself changes the entire attack signature and, in all seriousness, leaves very few similarities. That doesn’t mean they are wrong: could the attackers be looking to build a large botnet for some nefarious use? Absolutely, but that is one of many things they could do.
The other thing to understand about the botnet used last year to disrupt the financial institutions is that those attacks were performed by hacktivists using what is known as the itsoknoproblembro Distributed Denial of Service (DDoS) toolset, which was then wired into a large criminal botnet. Why is this important? Because hacktivists, as the name implies, are out to push a cause or agenda of some kind, and this event was no different:
A self-described hacktivist group, the Cyber fighters of Izz ad-din Al qassam, has taken credit for organizing the related Operation Ababil, which it claims is a grassroots campaign to protest the recent release of a film that mocked the founder of Islam. – InformationWeek Security
Is this attack similar, and run by hacktivists? I honestly don’t know; I haven’t seen any evidence of that at all. Why is this important? To me, the people behind the attacks are as important as the attacks themselves; they help us understand intent.
What am I getting at?
There are many things that can be done once access is gained; the creation and distribution of a large botnet is but one of them. In our experience, these are the two things we know happen, in many cases, once an environment is compromised:
Similar to bombs, there is a time delay once access is gained. This makes sense: it allows all the traffic to die down and, more importantly, to age out of the logs. We have seen this too often; some hosts will retain up to 7 days of logs, and in some instances no more than 24 hours (which is kind of sad). This means that if they wait long enough they can log in however they like and website owners are none the wiser, making for a horrendous incident handling case.
Once the attacker does gain access they have to figure out what to do. Do they wait? Do they inject a shell? Do they create new accounts? What kind of malicious payload do they add to the site? Do they want to sell access to the site? These are but a few of the thoughts running through their heads. Each one, though, will dictate a different approach and, unfortunately, a different infection.
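The retention problem above is what makes the delayed login so hard to catch: by the time the attacker comes back, the burst that flagged their IP has rotated out of the web logs. The added example below (my own illustration, not code from the original post) parses constructed Apache access-log lines for wp-login.php, records brute-force sources in a set that is meant to be kept outside the rotating logs, and then flags any later successful login from one of those sources, noting when the delay already exceeds the host's retention. It assumes the usual WordPress behaviour that a failed login re-serves the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not real traffic): a burst of failed POSTs to
# wp-login.php from 198.51.100.7, a benign login from another IP, then a quiet successful
# login (302) from 198.51.100.7 eight days later, after a 7-day retention has rotated the burst out.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2013:02:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:02:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:02:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:02:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:02:00:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:09:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Apr/2013:03:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Return (ip, time, method, status) for every request to /wp-login.php."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "/wp-login.php":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            entries.append((m.group(1), ts, m.group(3), int(m.group(5))))
    return entries

def brute_force_sources(entries, threshold=5, window=timedelta(minutes=10)):
    """IPs with >= threshold login POSTs inside one window, mapped to the burst's start time."""
    posts = defaultdict(list)
    for ip, ts, method, _status in entries:
        if method == "POST":
            posts[ip].append(ts)
    sources = {}  # persist this outside the web logs; they rotate in 1 to 7 days
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:  # sliding window check
                sources[ip] = times[i]
                break
    return sources

def delayed_logins(entries, sources, retention_days=7):
    """Successful logins (302 after POST) from a known source: (ip, date, delay days, past retention)."""
    hits = []
    for ip, ts, method, status in entries:
        if method == "POST" and status == 302 and ip in sources:
            delay = (ts - sources[ip]).days
            hits.append((ip, ts.strftime("%Y-%m-%d"), delay, delay > retention_days))
    return hits
```

The benign login from 203.0.113.5 is not reported because it never appeared in a burst; the flagged hit shows that with 7-day retention the original burst is already gone when the attacker returns.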
Many could argue, though, that the real objective is large-scale search engine poisoning (SEP) attacks. This is perhaps one of the more lucrative attacks in terms of financial gain, with the least overhead and risk. Most of the other scenarios involve integrating more complex attack sequences with various toolkits, like the Blackhole Exploit Kit. SEP also has a more immediate return; just look at the recent issues with Joomla and WordPress.
What this also tells us is that the creation of a large botnet for a similar DDoS attack, while plausible, is one of many scenarios. The reality is that no one really knows the objective, except for the attacker[s]. Is there an end-game? Isn’t there always? Will it be nefarious? Yeah, of course, but there are just too many possible scenarios at this point.
The one thing that is probably more realistic than anything else is the sheer value that this data will have in the underground. Imagine a new, updated wordlist, not only with the latest usernames and passwords, but with the website link itself.
Can I get a cha-ching? But again, only speculation.