The Hunt for IoT Exposes Targeting of Build Infrastructure

F5 Ecosystem | March 15, 2018

The Hunt for IoT by our own F5 Labs threat researchers continues. Its latest report exposes not only an active search for vulnerable IoT devices, but the targeting of build infrastructure.

As part of their tracking of attacks on IoT devices – primarily via telnet and SSH access – F5 Labs threat researchers perhaps inadvertently uncovered attempts to take over build infrastructure systems including Jenkins and Vagrant. Additionally, database systems – Oracle, MySQL, PostgreSQL, and Hadoop – appear to be common targets, as does the monitoring provider Nagios.

The credentials used during brute force attacks are seen in the “Top 50 Attacked Admin Creds” in which all the aforementioned systems appear prominently.

It should be noted that these attacks are focused on SSH and telnet – remote access – via the operating system users routinely created on install by these systems. The majority are deployed on a Linux-based system and automatically create a neutered system-level user for execution, as per best practices. By default, these users have no password. But as the Vagrant documentation on creating a base box notes, these users are often given passwords and login privileges.

“This user should be setup with the insecure keypair that Vagrant uses as a default to attempt to SSH. Also, even though Vagrant uses key-based authentication by default, it is a general convention to set the password for the "vagrant" user to "vagrant".”

It is noteworthy that in the latest F5 Labs report, it is exactly this combination that is used by attackers attempting to access the system, namely “vagrant:vagrant”. Interesting, as well, is the inclusion in the top fifty attacked credentials of “deploy/deploy”. Along with the identifiable build infrastructure credentials for Jenkins and Vagrant, this indicates a growing awareness of the accessibility of such systems and the target-rich environment they offer. Access to a build or deploy system would offer a wealth of opportunity for attackers given the distributed nature of these systems and their purpose. Compromising a Jenkins user could ostensibly enable access to source code, which in turn offers untold opportunities to inject a variety of malicious code inside an application or system.

Build infrastructure is increasingly vital to business. To wit, 90% of Jenkins users consider it mission-critical. But it’s not just Jenkins, it’s automation frameworks and build infrastructure in general.

Based on our latest State of Application Delivery survey, a significant percentage of organizations are using automation, in general, to push changes into production. That invariably means that systems like Vagrant are active in production environments, but not necessarily isolated.

Caution is warranted and careful consideration of the credentials used by build infrastructure and associated systems should be required. Given the purpose of these systems, it is doubly important to take care with credentials and limit (if not completely deny) remote access with external security services if necessary.
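
One way to check a build host for the condition described above, as an added example that is not code from F5 Labs or the original post: it flags service accounts that have both a usable password and a login shell, and reports whether sshd accepts password logins. The account list is taken from the systems named in this article; the function names and the sample file contents are constructed for illustration.

```python
# Added example; account names come from the systems the article lists.
SERVICE_ACCOUNTS = {"jenkins", "vagrant", "deploy", "nagios",
                    "oracle", "mysql", "postgres", "hadoop"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def password_auth_enabled(sshd_config):
    """Global PasswordAuthentication value; sshd keeps the first one it reads."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0].lower() == "match":   # Match blocks are not evaluated here
            break
        if parts[0].lower() == "passwordauthentication" and len(parts) > 1:
            return parts[1].lower() == "yes"
    return True                           # OpenSSH default is "yes"

def audit(passwd, shadow, sshd_config):
    """List service accounts that have a usable password and a login shell."""
    rows = (ln.split(":") for ln in shadow.splitlines())
    hashes = {f[0]: f[1] for f in rows if len(f) > 1}
    ssh_pw = password_auth_enabled(sshd_config)
    findings = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[0] not in SERVICE_ACCOUNTS:
            continue
        # A shadow field starting with "!" or "*" is locked; a missing entry
        # is treated as locked too (assumption of this example).
        locked = hashes.get(f[0], "!").startswith(("!", "*"))
        if not locked and f[6] not in NOLOGIN_SHELLS:
            findings.append({"user": f[0], "shell": f[6],
                             "ssh_password_login": ssh_pw})
    return findings

# Constructed sample files (not data from the F5 Labs report).
SAMPLE_PASSWD = ("jenkins:x:110:115::/var/lib/jenkins:/bin/false\n"
                 "vagrant:x:1000:1000::/home/vagrant:/bin/bash\n"
                 "deploy:x:1001:1001::/home/deploy:/bin/bash\n")
SAMPLE_SHADOW = ("jenkins:*:17600::::::\n"
                 "vagrant:$6$constructed$hash:17600::::::\n"
                 "deploy:!:17600::::::\n")
SAMPLE_SSHD = "PermitRootLogin no\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SSHD):
        print(finding)
```

A locked password does not block key-based login, so the insecure Vagrant keypair mentioned in the quoted documentation needs a separate review of each account's authorized keys.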

As automation consumes more of the production environment, it behooves business leaders and security professionals to be mindful of the threat posed by a compromise of such systems. As our threat researchers have uncovered, attackers are already aware of the rich target that build and automation systems offer and are actively seeking access.

Stay safe out there.
