Cyber-attackers are turning to tools that automate the process of finding and hijacking vulnerable servers, a study has found.
The study used a fake server known as a honeypot to log everything done to it by digital intruders.
Put online by security firm Cybereason, the server was quickly found and hijacked in seconds by a bot that broke through its digital defences.
The firm said it expected to see more attacks staged with little human help.
“The bot did all the hard work,” said Ross Rustici, head of intelligence services at Cybereason. “It shows how lazy hackers have become.”
To make the fake server look more convincing, Cybereason thought up a company name, generated staff identities and spoofed network traffic. This, said Mr Rustici, helped it pass the “sniff test” and convince bots it was a target that was worth their attention.
About two hours after the server for the fake finance firm was put online, it was found by a bot, which then aggressively set about taking it over.
Passwords protecting some of the server’s functions were left intentionally weak to tempt the bot, which duly cracked them and then went on to plunder information on the machine.
Within 15 seconds of getting access, the bot:
- sought out and exploited several known vulnerabilities
- scanned the network to which the server was connected
- stole and dumped credentials for other vulnerable machines
- created new user accounts for its creators to use
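The four-stage takeover listed above is fast enough to be a detection signal in itself. As an added example (not code from the article or from Cybereason), the Python below correlates a constructed audit log and flags any login that the same source follows with three or more of those stages inside the 15-second window; the log format, field names and sample lines are assumptions made for this example.

```python
# Added example (not from the article or Cybereason): flag logins that are
# followed at machine speed by the stages the honeypot bot ran in 15 seconds.
# Log format, field names and all sample lines are constructed for this demo.
from datetime import datetime, timedelta

# Constructed audit log: one bot-speed takeover and one ordinary admin session.
SAMPLE_LOG = """\
2018-07-17T09:02:11Z src=203.0.113.45 event=login_success user=admin
2018-07-17T09:02:13Z src=203.0.113.45 event=exploit_attempt service=smb
2018-07-17T09:02:15Z src=203.0.113.45 event=port_scan targets=254
2018-07-17T09:02:19Z src=203.0.113.45 event=credential_dump method=memory
2018-07-17T09:02:24Z src=203.0.113.45 event=user_create user=svc_backup
2018-07-17T10:30:00Z src=198.51.100.7 event=login_success user=alice
2018-07-17T10:42:10Z src=198.51.100.7 event=user_create user=bob
"""

# The four post-compromise stages the article lists.
POST_COMPROMISE = {"exploit_attempt", "port_scan", "credential_dump", "user_create"}


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_automated_takeovers(log_text, window=timedelta(seconds=15), min_stages=3):
    """Return (src, login_ts, stages) for every successful login that the same
    source follows with at least min_stages distinct post-compromise stages
    inside `window`. A human operator rarely chains them that fast."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    hits = []
    for i, login in enumerate(events):
        if login["event"] != "login_success":
            continue
        deadline = login["ts"] + window
        stages = {e["event"] for e in events[i + 1:]
                  if e["src"] == login["src"] and e["ts"] <= deadline
                  and e["event"] in POST_COMPROMISE}
        if len(stages) >= min_stages:
            hits.append((login["src"], login["ts"], sorted(stages)))
    return hits


if __name__ == "__main__":
    for src, ts, stages in find_automated_takeovers(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src}: {len(stages)} stages in 15s -> {stages}")
```

Tuning `window` and `min_stages` trades false positives from scripted administration against missing slower bots; the admin session in the sample is ignored because its account creation comes twelve minutes after login.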
“It completely owned the network in an automated fashion,” said Mr Rustici.
While bots are widely used by cyber-criminals to seek out and subvert vulnerable servers, the process of going from initial compromise to a full-blown breach is often carried out by a human, he said.
But in this case, in just a couple of minutes, the bot did 80% of the work a human hacker would typically have to carry out, he said.
“We have never seen this first-hand before,” said Mr Rustici. “If you are only concerned with gaining as much access to as many machines as possible then this bot is fantastic for you.”
Once the bot had done its work, the attackers went quiet for two days but returned to steal data to which the compromised server allowed access. In total, the attackers took about four gigabytes of data, all of which was fake.
“Once they looked at the data they stole they probably lost interest and were probably quite annoyed,” said Mr Rustici.
Cyber-attackers were mounting a vast number of attacks every day, said Martin Lee, technical lead at Cisco’s security information arm.
“We block more than 20 billion attacks each and every day,” said Mr Lee, adding that this involved booby-trapped emails, malicious web pages and novel strains of malware.
“There’s a wide spectrum in the threat landscape ranging from the least sophisticated ‘script kiddies’ through to the criminal threat actors that have a lot of resources at their disposal,” he said.