There is a lot of interesting discussion across the interwebs on the intention of the latest string of brute force attacks. While I can’t repudiate what is being said, I can add my own insight into the anatomy post-attack success.
How Are These Attacks Happening
First, let’s address the most important piece of information, the how. Based on the data we reported earlier a majority of the attacks are coming from local PC boxes. How do we know this? We’re seeing the IP addresses and their incoming signatures.
A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia
What is the End Game?
This is a lot harder to address. Some of the discussion is specific to things post attack; what they’re doing once they gain access.
Another interesting theory is the creation of a large WordPress botnet. While we haven’t seen evidence of this, some are describing similar tactics being employed as those employed last year in 2012.
The tactics used in 2012 were exploiting TimThumb, fundamentally different than web-based brute-force attacks against CMS administrator panels.
This finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads. – Information Week Security
In this scenario, the attackers were making use of a Remote File Inclusion (RFI) vulnerability, not an authentication vulnerability that comes from poor access control – i.e., poor passwords.
This changes the entire attack signature and brings about very little similarities. Could they be looking to build a large botnet for some nefarious use? Absolutely! But that is one of many things they can do as well.
The botnets last year, which disrupted financial institutions, were used by hacktivists using what is known as the itsoknoproblembro Distribute Denial of Service (DDoS) toolset, then wired into a large criminal botnet. Why is this important? Because hacktivists, as the name implies, are out to push a cause or an agenda of some kind. This event was no different:
A self-described hacktivist group, the Cyber Fighters of Izz ad-din Al qassam, has taken credit for organizing the related Operation Ababil, which it claims is a grassroots campaign to protest the recent release of a film that mocked the founder of Islam. – InformationWeek Security
Is this attack similar and run by hacktivists? I haven’t seen any evidence of that at all. But to me, the people behind the attacks are just as important as the attacks themselves. They help us understand intent.
What Am I Getting At?
There are many things that can be done once access is gained. The creation and distribution of a large botnet is only one of them. In our experience once a compromise occurs two things happen:
Similar to bombs, there is a time delay once access is gained. This allows for all the traffic to die down, more importantly move beyond the logs. Some hosts will retain up to 7 days of logs, and in some instances no more than 24 hours (which is kind of sad). This means, if they wait long enough they can log in however they like and website owners are none the wiser, making for a horrendous incident handling case.
Once the attacker does gain access they have to figure out what to do. Do they wait? Do they inject a shell? Do they create new accounts? What kind of malicious payload do they add to the site? Do they want to sell access to the site? These are but few options. Each one though will unfortunately dictate a different approach and infection.
Many could argue that the real objective is for large scale search engine poisoning (SEP) attacks. This is perhaps one of the more lucrative attacks – in terms of financial gain – with the least amount of overhead and risk. Most of the other scenarios will include the integration of more complex attack sequences which would include various toolkits, like the Blackhole Exploit kit. A SEP also has more immediate return. Just look at the recent issues with Joomla and WordPress.
What this also tells us is that the creation of a large botnet for a similar DDoS attack, while plausible, is one of many scenarios. The reality being that no one really knows the objective, except for the attacker. Is there an end-game? Isn’t there always? Will it be nefarious? Yeah, of course, but there are just too many possible scenarios at this point.
The one thing that is probably more realistic than anything else, is the sheer value that this data will have in the underground. Imagine a new updated wordlist, not only with the latest usernames and passwords, but the website link itself.