The Hunt for IoT Exposes Targeting of Build Infrastructure

F5 Ecosystem | March 15, 2018

The Hunt for IoT by our own F5 Labs threat researchers continues. Its latest report exposes not only an active search for vulnerable IoT devices, but the targeting of build infrastructure.

As part of their tracking of attacks on IoT devices – primarily via telnet and SSH access – F5 Labs threat researchers perhaps inadvertently uncovered attempts to take over build infrastructure systems including Jenkins and Vagrant. Additionally, database systems – Oracle, MySQL, PostgreSQL, and Hadoop – appear to be common targets, as does the monitoring system Nagios.

The credentials used during brute force attacks are listed in the report's “Top 50 Attacked Admin Creds,” in which all the aforementioned systems appear prominently.

It should be noted that these attacks are focused on SSH and telnet – remote access – via the operating system users routinely created on install by these systems. The majority are deployed on a Linux-based system and automatically create a neutered system-level user for execution, as per best practices. By default, these users have no password. But as the Vagrant documentation on creating a base box notes, these users are often given passwords and login privileges:

This user should be setup with the insecure keypair that Vagrant uses as a default to attempt to SSH. Also, even though Vagrant uses key-based authentication by default, it is a general convention to set the password for the "vagrant" user to "vagrant".

It is noteworthy that in the latest F5 Labs report, it is exactly this combination that is used by attackers attempting to access the system, namely “vagrant:vagrant”. Interesting, as well, is the inclusion in the top fifty attacked credentials of “deploy/deploy”. Along with the identifiable build infrastructure credentials for Jenkins and Vagrant, this indicates a growing awareness of the accessibility of such systems and the target-rich environment they offer. Access to a build or deploy system would offer a wealth of opportunity for attackers given the distributed nature of these systems and their purpose. Compromising a Jenkins user could ostensibly enable access to source code, which in turn offers untold opportunities to inject a variety of malicious code inside an application or system.

Build infrastructure is increasingly vital to business. To wit, 90% of Jenkins users consider it mission-critical. But it’s not just Jenkins, it’s automation frameworks and build infrastructure in general.

A significant percentage of organizations are using automation, in general, to push changes into production based on our latest State of Application Delivery survey. That invariably means that systems like Vagrant are active in production environments, but not necessarily isolated.

Caution is warranted and careful consideration of the credentials used by build infrastructure and associated systems should be required. Given the purpose of these systems, it is doubly important to take care with credentials and limit (if not completely deny) remote access with external security services if necessary.
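One way to audit a Linux build host for the condition described earlier, a service account that has been given both a usable password and a login shell. This is an added example, not code from F5 Labs or the Vagrant project; the account list is taken from the systems named in this article, and the passwd/shadow contents and hashes are constructed placeholders.

```python
# Flag build/service accounts that are reachable by password login.
# Account names come from the systems the article lists; extend as needed.
SERVICE_ACCOUNTS = {"jenkins", "vagrant", "deploy", "oracle", "mysql",
                    "postgres", "hadoop", "nagios"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def password_state(field):
    """Classify the password field (second field) of a shadow(5) entry."""
    if field == "":
        return "empty"    # no password required
    if field[0] in "!*":
        return "locked"   # no typed password can match
    return "set"          # a real hash: password login is possible

def audit(passwd_text, shadow_text):
    """Return sorted (user, shell, state) for risky service accounts."""
    states = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            states[parts[0]] = password_state(parts[1])
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or parts[0] not in SERVICE_ACCOUNTS:
            continue
        user, shell = parts[0], parts[6]
        state = states.get(user, "locked")  # assumption: no shadow entry = no login
        # Risky only when both hold: interactive shell and usable password.
        if shell not in NOLOGIN_SHELLS and state != "locked":
            findings.append((user, shell, state))
    return sorted(findings)

# Constructed sample files; the hashes are placeholders, not real values.
PASSWD = """\
jenkins:x:112:117:Jenkins:/var/lib/jenkins:/bin/bash
vagrant:x:1000:1000::/home/vagrant:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/sh
nagios:x:113:118::/var/lib/nagios:/usr/sbin/nologin
"""
SHADOW = """\
jenkins:*:17600:0:99999:7:::
vagrant:$6$PLACEHOLDER$constructedhash:17600:0:99999:7:::
deploy:$6$PLACEHOLDER$constructedhash:17600:0:99999:7:::
nagios:$6$PLACEHOLDER$constructedhash:17600:0:99999:7:::
"""

if __name__ == "__main__":
    for user, shell, state in audit(PASSWD, SHADOW):
        print(f"{user}: shell={shell} password={state}")
```

This covers only the password path; key-based access, including the insecure Vagrant keypair mentioned in the quoted documentation, needs a separate review of each account's authorized_keys.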

As automation consumes more of the production environment, it behooves the business leaders and security professionals to be mindful of the threat posed by a compromise of such systems. As our threat researchers have uncovered, attackers are already aware of the rich target that build and automation systems offer and are actively seeking access.

Stay safe out there.

About the Author

Lori Mac Vittie, Distinguished Engineer and Chief Evangelist
