The explosion of IoT devices across the world, both consumer-oriented ones and the ones used by enterprises, has resulted in attackers shifting their tactics and targeting these devices regularly to breach industrial control systems and to spy on or steal personal data of IoT device users.
Even though the basic purpose behind compromising IoT devices is to create large botnets to target large organisations, hackers are also spreading SMB worms on a large scale to propagate ransomware, targeting vulnerable Telnet ports, and targeting web services.
A network of decoy "honeypot" servers deployed by F-Secure emulating popular services like SMB, SSH and HTTP recorded as many as 813 million attacks in the second half of 2018, nearly four times as many as it recorded in the first half of the year. Year over year, the total number of attacks targeting these honeypots rose by 32 percent in 2018 compared to 2017.
F-Secure noted that a large number of organisations located in the US and in the EMEA region only have firewalls and endpoint protections in place but do not have detection and response solutions which can track attacks that could be missed by standard firewalls and endpoints.
The lack of detection and response capabilities at organisations means that they are failing to detect a large number of attacks targeting TCP ports, SMB, and endpoints. While F-Secure's detection and response solutions detected 15 threats in a single month at a company with 1300 endpoints and 7 threats in a single month at a company with 325 endpoints, a survey it carried out found that 22 percent of companies did not detect a single attack in a 12-month period.
The survey also found that 20 percent of organisations detected just 1 attack in a 12-month period and another 31 percent detected 2 to 5 attacks. Taken together, nearly three in four organisations across the developed world detected no more than five attacks in a calendar year. This clearly does not represent the true picture as a small number of decoy honeypots deployed by F-Secure attracted hundreds of millions of attacks in the same period.
"Preventative measures and strategies won’t stop everything anymore, so I’ve no doubt that many of the companies surveyed don’t have a full picture of what’s going on with their security. Many organisations don’t really value security until an incident threatens to cost them a lot of money, so I’m not completely surprised that there are companies detecting zero attacks over the course of a year," said Leszek Tasiemski, vice president of Cyber Security Products Research & Development at F-Secure.
"We find that companies running detection and response solutions tend to have a better grasp of what they’re doing right and what they’re doing wrong. Ideally, the visibility these solutions have will show companies that they’re blocking most of the standard, opportunistic attacks, like the ones our public honeypots usually attract. But these solutions will also pick up what preventative measures like firewalls or endpoint protection misses, which makes detection and response a pretty invaluable part of a healthy security strategy," he added.
F-Secure's decoy honeypots observed large-scale attacks targeting TCP ports which the firm said was a likely result of increasing numbers of compromised internet-of-things devices searching for additional vulnerable devices. In the second half of 2018, as many as 619 million attacks targeted TCP port 23 which is used for Telnet and another 78 million attacks targeted SSH ports (port 22).
However, attacks targeting SMB ports (port 445) declined sharply from 127 million in H1 2018 to just 42 million in H2, even though the latter figure is not insignificant. In fact, attacks targeting SMB ports increased rapidly following the WannaCry and NotPetya attacks, prior to which SMB traffic did not even register among the top 20 ports.
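Honeypot figures like the ones above come from aggregating raw connection records per destination port and per reporting period. The following added example (not F-Secure's code or data) does exactly that over a small constructed log, mapping ports 22, 23 and 445 to the services the article names and computing the H1-to-H2 change for each; the log format, IPs and counts are all assumed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of honeypot connection records, one per line:
# "<UTC timestamp> <source IP> <destination port>". Not real telemetry.
SAMPLE_LOG = """\
2018-02-11T08:14:02Z 203.0.113.5 445
2018-03-02T19:40:11Z 198.51.100.77 445
2018-04-19T03:22:45Z 203.0.113.9 23
2018-05-30T11:05:00Z 192.0.2.44 22
2018-06-07T23:59:59Z 198.51.100.8 445
2018-07-01T00:00:01Z 203.0.113.12 23
2018-08-15T14:30:10Z 192.0.2.200 23
2018-09-03T06:12:48Z 198.51.100.3 23
2018-10-21T17:45:33Z 203.0.113.70 22
2018-11-11T11:11:11Z 192.0.2.18 445
2018-12-24T22:10:05Z 198.51.100.120 23
"""

# Ports singled out in the article, mapped to the emulated service.
SERVICE_BY_PORT = {22: "SSH", 23: "Telnet", 445: "SMB"}

def parse_record(line):
    ts, src, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, int(port)

def half_of_year(ts):
    return "H1" if ts.month <= 6 else "H2"

def count_by_half(log_text):
    """Return {half: Counter({service: hits})} over the records."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the feed
        ts, _src, port = parse_record(line)
        service = SERVICE_BY_PORT.get(port, f"port {port}")
        counts[half_of_year(ts)][service] += 1
    return counts

def percent_change(before, after):
    """Percent change from before to after; None when before is zero."""
    if before == 0:
        return None
    return round((after - before) / before * 100, 1)

def half_over_half(log_text):
    """Per service: (H1 hits, H2 hits, percent change H1 -> H2)."""
    counts = count_by_half(log_text)
    services = set(counts["H1"]) | set(counts["H2"])
    return {s: (counts["H1"][s], counts["H2"][s],
                percent_change(counts["H1"][s], counts["H2"][s]))
            for s in sorted(services)}
```

Running `half_over_half(SAMPLE_LOG)` on the constructed log shows the same shape as the report: Telnet rising between halves while SMB falls.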
SC reached out to Mr. Tasiemski to understand the reason behind the sharp decline in SMB traffic between H1 and H2. He said that it could be related to the fact that, finally, almost all machines have the vulnerable SMB protocol version 1 disabled, so the Eternalblue exploit is no longer useful.
"This hypothesis is also backed up by a sharp decline in those type of attacks recently observed by Rapid Detection Center, the team responsible for detecting attacks within F-Secure's MDR service. It’s worth pointing out here, that due to delayed patching, Eternalblue exploit was observed in the wild for a really long time, definitely over one year," he added.
SC also asked whether F-Secure has a way of knowing what types of attacks made up the 813 million that targeted its honeypot servers in H2, or how many of them were state-sponsored. To this, Mr. Tasiemski said that even though the firm believes at least part of the observed attack traffic was indeed state-sponsored, there is no easy or certain way of saying how much or which types belong to this category. "Nation states behind any cyber-attacks, both targeted and mass-scale, are diligent in not leaving such footprint," he added.