IoT
July 19, 2018
9 min. read

Cyber Attacks Spike in Finland Before Trump-Putin Meeting

By Sara Boddy, Justin Shattuck

The rise of poorly secured Internet of Things (IoT) devices has made it possible for attackers to gain access to targets of interest. Nation-states, spies, mercenaries, and others don’t need to dress up as repairmen to plant bugs in rooms anymore; they can just hack into a room that has vulnerable IoT devices.

In May, the CIA admitted their agents were being tracked by technology, so they had to adopt new tactics to ensure they stayed under cover.1 This practice has likely been going on behind the scenes for years. Russia has been compromising global network infrastructure, including small office/home office (SOHO) routers and switches to spy on adversaries and maintain persistent access for future operations. Attacking technology infrastructure to spy and collect data is not a new attack type. Nefarious attackers learn from nation-state APTs and attempt to follow in their footsteps.

In June, we published a story about a spike in Russian attack traffic towards Singapore during Trump’s meeting with Kim Jung-Un. Following that story, we (F5 Labs in partnership with Loryka) decided to follow Trump’s travel schedule to see if attacks followed him, as we expected they would. If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage.

On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker.

The attacks launched from China came from networks that are commonly in our top 10 attacking networks list. It’s also interesting to note the change in ports and protocols that were attacked. Between the Singapore and Finland attacks, some common protocols were targeted, such as SIP port 5060 that VoIP phones and video conferencing systems use (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland attacks, #3 in Singapore attacks), and Telnet port 23, often used for remote administration of IoT devices (#3 in Finland attacks, #9 in Singapore attacks). However, SSH port 22 was the number 1 attacked port followed by SMB port 445 in the Finland attacks. SSH is often used by IoT devices for “secure” remote administration. The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks. Other ports and protocols targeted in the Finland attacks that we did not see in the Singapore attacks include HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Trendline in the Attacks Against Finland

Finland is not typically a top attacked country; it receives a small number of attacks on a regular basis. Figure 1 shows the trendline of attacks before the Trump-Putin meeting. Starting on July 12, 2018, attacks towards Finland spiked, the majority of which were brute force attacks against SSH port 22 (see attacked ports below).

 

Figure 1: Trendline of attacks against Finland

 

To get a sense of how infrequently Finland is attacked, we compared a week of attacks from 7/10/2018 – 7/16/2018, against what Canada received in that same time period (Canada is routinely a top 10 attacked country, but not typically in the top 3–5). Aside from the attacks on 7/12 and 7/14, Finland doesn’t even register on the chart.

 

Figure 2: Finland attack traffic in comparison to Canada

 

Top Attack Source Countries

 

China is typically the top attacking country on a regular basis (see 5/12/2018 – 7/13/2018 in the table below). This was also the case during the spike in attack traffic around the Trump-Putin meeting (7/14/2018 – 7/16/2018), however during that time, China launched a higher percentage of the attacks than normal. The US was consistently in the number two attacking position. Russia fell from its #3 baseline position to #5 during the attack spike. Given that the targeted meeting included Putin, it is not surprising that Russia would back off their attacks. Noticeably, Italy and Germany jumped from their 13th and 14th positions into the 4th and 7th positions respectively during the Trump-Putin traffic spike.

 

Top 20 Finland Attacking Countries
5/12/2018 – 7/13/2018 7/14/2018 – 7/16/2018
Pos # Country % of Total Pos # Country % of Total
1 China 29% 1 China 34%
2 United States 14% 2 United States 12%
3 Russia 14% 3 France 9%
4 France 10% 4 Italy 8%
5 Canada 4% 5 Russia 7%
6 United Kingdom 4% 6 Netherlands 5%
7 Netherlands 4% 7 Germany 4%
8 Vietnam 3% 8 Vietnam 3%
9 Republic of Korea 3% 9 Canada 3%
10 Hong Kong 2% 10 United Kingdom 3%
11 India 2% 11 India 2%
12 Indonesia 2% 12 Greece 2%
13 Italy 2% 13 Indonesia 1%
14 Germany 1% 14 Republic of Korea 1%
15 Brazil 1% 15 Brazil 1%
16 Singapore 1% 16 Poland 1%
17 Ukraine 1% 17 Singapore 1%
18 Taiwan 1% 18 Mexico 1%
19 Thailand 1% 19 Ukraine 1%
20 Poland 1% 20 Hong Kong 1%

 

Attacking Networks

F5 Labs continually monitors top attacking networks. A handful of networks shown in the table below (highlighted in yellow) are not consistently top threat actor networks (see F5 Labs IoT Hunt research series). This indicates consistency of threat actors, and the networks they choose to launch their attacks from.

ChinaNet was the top attacking network both before the Trump-Putin meeting and during the attack spike. ChinaNet is also consistently at the top of the threat actor network list globally. It is our opinion that since attacks from China go unpunished, threat actors from around the world feel confident to use their networks to launch attacks, as well.

 

Pos # ASN Name Country % of Total Pos # ASN Name Country % of Total
1 Chinanet China 19% 1 Chinanet China 34%
2 OVH SAS France 18% 2 Aruba S.p.A. Italy 11%
3 JSC Internet-Cosmos Russia 11% 3 OVH SAS France 10%
4 Chinanet (SiChuan DC) China 9% 4 CNCGROUP China169 Backbone China 7%
5 Online S.a.s. France 7% 5 Online S.a.s. France 7%
6 Henan Telcom Union Technology Co., LTD China 5% 6 Paradise Networks LLC US 6%
7 Kassir, Ltd. Russia 4% 7 myLoc managed IT AG Germany 3%
8 CNCGROUP China169 Backbone China 3% 8 Forthnet Greece 2%
9 EDIS GmbH Austria 2% 9 Netversor GmbH Germany 2%
10 Korea Telecom Korea 2% 10 ChinaNet (Jiangx DC) China 2%
11 Digital Ocean, Inc. Netherlands 2% 11 Hostkey B.v. Netherlands 2%
12 Aruba S.p.A. Italy 2% 12 HostPalace Web Solution PVT LTD India 2%
13 VNPT Corp Vietnam 2% 13 VNPT Corp Vietnam 2%
14 ColoCrossing US 2% 14 Digital Ocean, Inc. Netherlands 2%
15 MediaServicePlus LLC Russia 2% 15 NForce Entertainment B.V. Netherlands 1%
16 Henan Mobile Communications China 2% 16 MediaServicePlus LLC Russia 1%
17 PT Telekomunikasi Indonesia Indonesia 2% 17 Wowrack.com US 1%
18 B2 Net Solutions Inc. Canada 2% 18 PT Telekomunikasi Indonesia Indonesia 1%
19 Wowrack.com US 2% 19 IT Expert LLC Ukraine 1%
20 Hostkey B.v. Netherlands 2% 20 PJSC Rostelecom Russia 1%

 

Attacked Ports

The top 5 attacked ports before and during the Finland attack spike were SSH, SMB, SIP, HTTP, and MySQL. SSH brute force attacks are commonly used to exploit systems and IoT devices online. They accounted for the majority of the attacks against Finland and are something we see consistently across global attack traffic. This is why we choose to publish the top 50 admin credentials used in SSH brute force attacks in our Hunt for IoT report series.

Note: We have no data to suggest the attacks against Finland were successful. That would require access to the targeted systems, which is illegal. We collect attack data and publish the threat intelligence in an effort to educate the security community on attackers’ efforts and targets so they can protect themselves.

 

5/12/2018 – 7/13/2018 7/14/2018 – 7/16/2018
Pos # Port Protocol % of Total Pos # Port Protocol % of Total
1 22 SSH 50% 1 22 SSH 62%
2 5060 SIP 21% 2 445 SMB 12%
3 445 SMB 16% 3 5060 SIP 10%
4 80 HTTP 4% 4 80 HTTP 6%
5 3306 MySQL 3% 5 3306 MySQL 4%
6 1433 SQL 3% 6 1433 SQL 2%
7 23 Telnet 1% 7 5061 SIP-TLS 1%
8 8080 HTTP < 1% 8 8090 HTTP 1%
9 3389 RDP < 1% 9 23 Telnet 1%
10 25 SMTP < 1% 10 3389 RDP < 1%
11 21 FTP < 1% 11 8291 TCP < 1%
12 8291 TCP < 1% 12 25 SMTP < 1%
13 8088 TCP < 1% 13 443 HTTPS < 1%
14 443 HTTPS < 1% 14 53 DNS < 1%
15 7547 TCP < 1% 15 7547 TCP < 1%
16 81 UDP/TCP < 1% 16 21 FTP < 1%
17 9200 UDP/TCP < 1% 17 135 RCP < 1%
18 53 DNS < 1% 18 8080 HTTP < 1%
19 135 RCP < 1% 19 9200 UDP/TCP < 1%
20 8089 TCP < 1% 20 81 UDP/TCP < 1%

 

 

The common use of the ports shown in the table below is an indicator of what the attackers are after. IoT devices are moving to SSH for remote administration because it’s more secure than Telnet—although “protecting” with default admin credentials doesn’t secure anything. Just check out the top attacked admin credentials list, which typically includes default username and passwords that are the name of the manufacturer or software provider. The SIP protocol, although in the top 3, did not account for a large percentage of the attacks in the Finland attacks. Since we are not aware of a SIP vulnerability that would give attackers instant access to a phone inside a meeting room, we’re not surprised SSH attacks accounted for the majority of the attacks surrounding the Trump-Putin meeting.

 

Port Protocol Description
21 FTP File Transfer Protocol (FTP)
22 SSH SSH remote management port
23 Telnet Remote management port
25 SMTP Simple Message Transfer Protocol (SMTP)
53 DNS DNS and facetime
80 HTTP HTTP
81 UDP/TCP Alternate web server port for host-host communication
135 RCP Remote Procedure Call (RCP)
443 HTTPS HTTPS
445 SMB Server Message Block (SMB) port
1433 SQL SQL database port
3306 MySQL MySQL database port
3389 RDP Remote Desktop Protocol
5060 SIP Clear text Session Initiation Protocol (SIP) port commonly used by VoIP phones and video conferencing systems
5061 SIP-TLS Secure SIP
7547 TCP TCP port used by ISP’s to remotely manage routers via the TR-069 protocol
8080 HTTP Alternate web server port often used for a proxy or caching, some routers use for remote management.
8088 TCP Apple software update and Lord of the Rings game
8089 TCP Mac OS X Web email rules, Splunk management port, MyDiskServer
8090 HTTP Alternate web server port often used for Webcams
8291 TCP Remote management port commonly used by MikroTik routers
9200 UDP/TCP WAP Connectionless Wireless Session Protocol

 

Conclusion

Using technology—most specifically, IoT devices—to target people of interest or spy on large portions of populations isn’t new. This practice should be expected, but we write the stories to prove a point about the necessity for security that impacts everyone from the President of the United States to an unassuming civilian standing by a hacked wireless IP camera. You don’t need a smart home to be personally impacted by insecure technology. Every business is impacted by insecure technology as they become attack pivots, relays, and botnet hosts that attack businesses, which drives up the costs of doing business for everyone.

All businesses should be securing all of their Internet connected infrastructure. All? This spans from servers in a rack in a data center (and everything installed on them), to security cameras, wireless access points, phone systems (including mobile devices), video conferencing systems, entertainment systems, TVs, DVRs, HVAC systems, fish tanks, vending machines, etc. Every “thing” that is Internet-connected.

At a minimum, securing means:

  • Protect remote administration to any device on your network with a firewall, VPN, or restrict to a specified management network. Never allow open communication to the entire Internet.
  • For home IoT, leverage network address translation (NAT) if you can’t install a home firewall (note that home firewalls have also been targeted by thingbots).
  • Always change vendor default administration credentials.
  • Stay up to date with any security patches released by the manufacturer.

Need-to-know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.