Welcome to this week’s Heuristic Security Weekly Internet Weather Report. This report does not attempt to discuss the state of attacks and attackers across the entire internet; rather, it discusses what I see on my company’s firewalls from my vantage in Colorado, along with what I believe are general trends and recommended preventative measures based on this information.
Since so many of the attacks today are driven by automated bots scanning the internet for open ports (what I call an attack), I think that the trends I observe locally can be broadly extrapolated to consumer and small business networks across the US. However, as always, the best indication of what is impacting your company’s systems is the results you get by monitoring your own networks. To the extent that you see significantly different results for your network, that may be indicative of a targeted attack on your business (or perhaps on mine?).
Weekly Attack Analysis
The first table, Weekly Attacks and Attackers, summarizes the number of attacks from the top 10 countries originating these attacks, and the number of unique attacking IPs per country. In this week’s summary, there were 35,630 attacks originating from 128 countries for the 7-day period ending with Saturday midnight, an increase of 7 attacking source countries alongside a 6.6% decrease in overall attacks.
Items of note: The distribution of attackers stayed the same, with the US still at #1, Russia #2, Netherlands #3 and China #4. While attacks originating from the US were down 7.7%, attacks from Russia were down 33.4% while attacks from China rose 12.1%. So much for the significant spike in attacks from Russia I saw this week. Also of interest is the increase in the number of attacking countries – it just goes to show that compromised servers that can be used to initiate attacks exist everywhere. I doubt New Caledonia and Lesotho are hotbeds of internet-based criminal activity, though both of these are on my list of attackers.
This also illustrates the complete idiocy of the proposed “hack back” legislation in the US. Just because an attack originated from a particular IP does not mean that the attacker is directly behind that IP as well. The world is filled with compromised servers, any one of which can be used as a jump box to originate attacks on someone else. Encouraging “hacking back” through legislation would be the digital equivalent of a circular firing squad.
The second table, Weekly Attack Targets, summarizes and sorts the attacks by most frequently targeted port and protocol. The top 4 targets remain the same, with Telnet (23) on top by far, TCP port 55555 at #2, NetBIOS Name Service (137) at #3 and SSH (22) at #4. Upon further research, port 55555 seems to be associated with the trojan Shadow Phyre that has been around since 2016. Not sure why this trojan would be getting this much attention over this long a period of time; however, the SANS Internet Storm Center also confirms that 55555 scans are a consistent trend.
Jumping up one slot to #5 this week is TCP port 8080. This is both commonly used as an alternative to port 80 for HTTP, as well as being associated with a variety of backdoors and trojans.
Finally, the third chart, Weekly Attacker Trend Report, is a trend chart on changes in attack frequency for the top 5 attacking countries over time. As I mentioned earlier, the sharp rise from last week in attacks from Russia has leveled out, though there was a spike on Tuesday. Overall, all of the top 5 countries were exhibiting more stable attack trends last week, indicative of bot-driven activity. This is also confirmed by the relatively stable number of attackers from the first report for each of these countries.
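One way to build your own version of the Weekly Attack Targets table from firewall logs, as an added example that is not part of the original report. It assumes Linux netfilter LOG-style lines; the sample lines, the DROP-IN prefix and the addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: inbound drops in netfilter LOG style (documentation IPs only).
SAMPLE_LOG = """\
kernel: DROP-IN IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41822 DPT=23
kernel: DROP-IN IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41823 DPT=23
kernel: DROP-IN IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=50110 DPT=23
kernel: DROP-IN IN=eth0 SRC=192.0.2.200 DST=203.0.113.10 PROTO=TCP SPT=33012 DPT=23
kernel: DROP-IN IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=50111 DPT=55555
kernel: DROP-IN IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=6000 DPT=55555
kernel: DROP-IN IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137
kernel: DROP-IN IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137
kernel: DROP-IN IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=50112 DPT=22
kernel: DROP-IN IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return (src_ip, proto, dest_port), or None for lines without a port."""
    kv = dict(FIELD.findall(line))
    if "SRC" not in kv or "PROTO" not in kv or not kv.get("DPT", "").isdigit():
        return None  # ICMP and unrelated syslog lines carry no DPT field
    return kv["SRC"], kv["PROTO"].lower(), int(kv["DPT"])

def summarize(log_text, top=5):
    """Rank (proto, port) targets by hit count, with unique source IPs for each."""
    hits, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, proto, dport = rec
        hits[(proto, dport)] += 1
        sources[(proto, dport)].add(src)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    return [(p, d, n, len(sources[(p, d)])) for (p, d), n in ranked]

def pct_change(this_week, last_week):
    """Week-over-week change in percent; None when there is no baseline."""
    if last_week == 0:
        return None
    return round((this_week - last_week) * 100 / last_week, 1)

if __name__ == "__main__":
    for proto, port, count, uniq in summarize(SAMPLE_LOG):
        print(f"{proto}/{port:<6} hits={count:<4} unique_sources={uniq}")
```

A high hit count from very few unique sources on one port is the kind of deviation from the bot-driven baseline that is worth a closer look.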
So what does this all mean? One, that attacks are pervasive, constant and diverse in origin and target. If you expose it, expect it to be attacked. And if whatever you expose has any vulnerabilities (and what doesn’t these days), expect that they will be exploited as an entree into your network to steal information, steal resources (cryptojacking), extort money (ransomware) or perhaps all of the above.
So what should you do? My recommendations are:
- Scan your public IPs to see what ports you may have exposed. Two free tools you can use are the Shields Up! scanner from Gibson Research, as well as the informative Shodan tool. Of course, don’t scan an IP address you do not own.
- If you discover open ports, unless you have a legitimate business reason for them to be there (for example 443 for your website), close them in your firewall after confirming what internal system they are forwarding to! If you are scanning your consumer IP, it may be that your router is configured to allow UPnP, which means that your IoT devices (your baby cams, alarm systems, internet-connected toaster, etc.), may be reconfiguring your firewall to open ports for themselves (convenient for them, dangerous for you). Disable UPnP in your router unless you like to live dangerously!
- Also, if you have the acumen and a commercial firewall, implement egress filtering in your firewall, in addition to ingress filtering. The SANS Institute Information Security Reading Room has a great paper on Egress Filtering. I highly recommend reading it and implementing its recommendations on your firewall – assuming you have the skills and technology to do so. Most consumer routers will not have this functionality.
- Finally, make sure your systems are patched! Behind every open port exposed on your firewall is likely to be a service that is unpatched and vulnerable to an exploit of one kind or another. The constant stream of alerts for vulnerabilities and patches just goes to show how vital it is to keep your systems up to date.
- If you would like to do further research on IPs that are shown in this report (or from your own network’s firewalls), two resources I recommend are the Wikipedia List of TCP and UDP port numbers and the Internet Storm Center as good starting points.
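A small exposure audit for an address you own, as an added example that is not part of the original report: it checks the TCP ports this report singles out and separates the ones with a business justification from the ones that should be closed. The watched-port list, the allow-list and the function names are assumptions for illustration.

```python
import socket

# TCP ports named in this report, plus 443 as the example of a justified service.
# NetBIOS Name Service (137) is UDP and cannot be verified with a TCP connect.
WATCHED_TCP = [22, 23, 443, 8080, 55555]

def tcp_open(host, port, timeout=1.0):
    """True if a full TCP connection to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit(host, ports, allowed, timeout=1.0):
    """Compare reachable ports on an address you own against an allow-list.

    open       - ports that accepted a connection
    unexpected - open ports with no documented business reason (close these)
    missing    - allow-listed ports that did not answer (service down or filtered)
    """
    open_ports = [p for p in ports if tcp_open(host, p, timeout)]
    return {
        "open": open_ports,
        "unexpected": sorted(set(open_ports) - set(allowed)),
        "missing": sorted(set(allowed) & set(ports) - set(open_ports)),
    }

if __name__ == "__main__":
    # 127.0.0.1 is a safe default; substitute a public IP that you own and run
    # the check from outside your network so the result reflects the firewall.
    report = audit("127.0.0.1", WATCHED_TCP, allowed=[443])
    for key, value in report.items():
        print(f"{key:<11}{value}")
```

Run from inside the network, this shows what the host exposes; only a run from an outside vantage shows what the firewall or a UPnP mapping lets through.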
I am an expert in addressing the information security and privacy challenges of complex and fast-paced organizations as both a CISO and adviser to management and the board, in roles ranging from security architect, to risk management, to virtual or permanent CISO. Contact me to discuss how I can help you and your organization achieve your security, risk and privacy objectives.
Please feel free to share or distribute this report. If you have questions on its contents, please feel free to contact me to discuss. And, if you would like to subscribe to have these weekly updates emailed directly to you each Monday, you can do so by signing up on the heuristicsecurity.com website.
I will be presenting at the Interface-Denver conference on September 5th, 2019 on the topic of CISO/Board communications and challenges.