The rise of poorly secured Internet of Things (IoT) devices has made it possible for attackers to gain access to targets of interest. Nation-states, spies, mercenaries, and others don’t need to dress up as repairmen to plant bugs in rooms anymore; they can just hack into a room that has vulnerable IoT devices.
In May, the CIA admitted their agents were being tracked by technology, so they had to adopt new tactics to ensure they stayed under cover.[1] This practice has likely been going on behind the scenes for years. Russia has been compromising global network infrastructure, including small office/home office (SOHO) routers and switches, to spy on adversaries and maintain persistent access for future operations. Attacking technology infrastructure to spy and collect data is not a new attack type. Nefarious attackers learn from nation-state APTs and attempt to follow in their footsteps.
In June, we published a story about a spike in Russian attack traffic towards Singapore during Trump’s meeting with Kim Jung-Un. Following that story, we (F5 Labs in partnership with Loryka) decided to follow Trump’s travel schedule to see if attacks followed him, as we expected they would. If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage.
On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker.
The attacks launched from China came from networks that are commonly in our top 10 attacking networks list. It’s also interesting to note the change in ports and protocols that were attacked. Between the Singapore and Finland attacks, some common protocols were targeted, such as SIP port 5060 that VoIP phones and video conferencing systems use (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland attacks, #3 in Singapore attacks), and Telnet port 23, often used for remote administration of IoT devices (#3 in Finland attacks, #9 in Singapore attacks). However, SSH port 22 was the number 1 attacked port followed by SMB port 445 in the Finland attacks. SSH is often used by IoT devices for “secure” remote administration. The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks. Other ports and protocols targeted in the Finland attacks that we did not see in the Singapore attacks include HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.
Trendline in the Attacks Against Finland
Finland is not typically a top attacked country; it receives a small number of attacks on a regular basis. Figure 1 shows the trendline of attacks before the Trump-Putin meeting. Starting on July 12, 2018, attacks towards Finland spiked, the majority of which were brute force attacks against SSH port 22 (see attacked ports below).
Figure 1: Trendline of attacks against Finland
To get a sense of how infrequently Finland is attacked, we compared a week of attacks from 7/10/2018 – 7/16/2018, against what Canada received in that same time period (Canada is routinely a top 10 attacked country, but not typically in the top 3–5). Aside from the attacks on 7/12 and 7/14, Finland doesn’t even register on the chart.
Figure 2: Finland attack traffic in comparison to Canada
Top Attack Source Countries
China is typically the top attacking country (see 5/12/2018 – 7/13/2018 in the table below). This was also the case during the spike in attack traffic around the Trump-Putin meeting (7/14/2018 – 7/16/2018); however, during that time, China launched a higher percentage of the attacks than normal. The US was consistently in the number two attacking position. Russia fell from its #3 baseline position to #5 during the attack spike. Given that the targeted meeting included Putin, it is not surprising that Russia would back off its attacks. Notably, Italy and Germany jumped from their 13th and 14th positions into the 4th and 7th positions, respectively, during the Trump-Putin traffic spike.
Top 20 Finland Attacking Countries

| Pos # | Country (5/12/2018 – 7/13/2018) | % of Total | Pos # | Country (7/14/2018 – 7/16/2018) | % of Total |
|---|---|---|---|---|---|
| 2 | United States | 14% | 2 | United States | 12% |
| 9 | Republic of Korea | 3% | 9 | Canada | 3% |
| 10 | Hong Kong | 2% | 10 | United Kingdom | 3% |
| 14 | Germany | 1% | 14 | Republic of Korea | 1% |
F5 Labs continually monitors top attacking networks. Only a handful of the networks shown in the table below (highlighted in yellow) are not consistently top threat actor networks (see the F5 Labs Hunt for IoT research series); the rest are, which indicates consistency in the threat actors and in the networks they choose to launch their attacks from.
ChinaNet was the top attacking network both before the Trump-Putin meeting and during the attack spike. ChinaNet is also consistently at the top of the threat actor network list globally. It is our opinion that since attacks from China go unpunished, threat actors from around the world feel confident to use their networks to launch attacks, as well.
| Pos # | ASN Name (5/12/2018 – 7/13/2018) | Country | % of Total | Pos # | ASN Name (7/14/2018 – 7/16/2018) | Country | % of Total |
|---|---|---|---|---|---|---|---|
| 2 | OVH SAS | France | 18% | 2 | Aruba S.p.A. | Italy | 11% |
| 3 | JSC Internet-Cosmos | Russia | 11% | 3 | OVH SAS | France | 10% |
| 4 | Chinanet (SiChuan DC) | China | 9% | 4 | CNCGROUP China169 Backbone | China | 7% |
| 5 | Online S.a.s. | France | 7% | 5 | Online S.a.s. | France | 7% |
| 6 | Henan Telcom Union Technology Co., LTD | China | 5% | 6 | Paradise Networks LLC | US | 6% |
| 7 | Kassir, Ltd. | Russia | 4% | 7 | myLoc managed IT AG | Germany | 3% |
| 8 | CNCGROUP China169 Backbone | China | 3% | 8 | Forthnet | Greece | 2% |
| 9 | EDIS GmbH | Austria | 2% | 9 | Netversor GmbH | Germany | 2% |
| 10 | Korea Telecom | Korea | 2% | 10 | ChinaNet (Jiangx DC) | China | 2% |
| 11 | Digital Ocean, Inc. | Netherlands | 2% | 11 | Hostkey B.v. | Netherlands | 2% |
| 12 | Aruba S.p.A. | Italy | 2% | 12 | HostPalace Web Solution PVT LTD | India | 2% |
| 13 | VNPT Corp | Vietnam | 2% | 13 | VNPT Corp | Vietnam | 2% |
| 14 | ColoCrossing | US | 2% | 14 | Digital Ocean, Inc. | Netherlands | 2% |
| 15 | MediaServicePlus LLC | Russia | 2% | 15 | NForce Entertainment B.V. | Netherlands | 1% |
| 16 | Henan Mobile Communications | China | 2% | 16 | MediaServicePlus LLC | Russia | 1% |
| 17 | PT Telekomunikasi Indonesia | Indonesia | 2% | 17 | Wowrack.com | US | 1% |
| 18 | B2 Net Solutions Inc. | Canada | 2% | 18 | PT Telekomunikasi Indonesia | Indonesia | 1% |
| 19 | Wowrack.com | US | 2% | 19 | IT Expert LLC | Ukraine | 1% |
| 20 | Hostkey B.v. | Netherlands | 2% | 20 | PJSC Rostelecom | Russia | 1% |
The top 5 attacked ports before and during the Finland attack spike were SSH, SMB, SIP, HTTP, and MySQL. SSH brute force attacks are commonly used to exploit systems and IoT devices online. They accounted for the majority of the attacks against Finland and are something we see consistently across global attack traffic. This is why we choose to publish the top 50 admin credentials used in SSH brute force attacks in our Hunt for IoT report series.
Note: We have no data to suggest the attacks against Finland were successful. That would require access to the targeted systems, which is illegal. We collect attack data and publish the threat intelligence in an effort to educate the security community on attackers’ efforts and targets so they can protect themselves.
| Pos # | Port (5/12/2018 – 7/13/2018) | Protocol | % of Total | Pos # | Port (7/14/2018 – 7/16/2018) | Protocol | % of Total |
|---|---|---|---|---|---|---|---|
| 10 | 25 | SMTP | < 1% | 10 | 3389 | RDP | < 1% |
| 11 | 21 | FTP | < 1% | 11 | 8291 | TCP | < 1% |
| 12 | 8291 | TCP | < 1% | 12 | 25 | SMTP | < 1% |
| 13 | 8088 | TCP | < 1% | 13 | 443 | HTTPS | < 1% |
| 14 | 443 | HTTPS | < 1% | 14 | 53 | DNS | < 1% |
| 15 | 7547 | TCP | < 1% | 15 | 7547 | TCP | < 1% |
| 16 | 81 | UDP/TCP | < 1% | 16 | 21 | FTP | < 1% |
| 17 | 9200 | UDP/TCP | < 1% | 17 | 135 | RPC | < 1% |
| 18 | 53 | DNS | < 1% | 18 | 8080 | HTTP | < 1% |
| 19 | 135 | RPC | < 1% | 19 | 9200 | UDP/TCP | < 1% |
| 20 | 8089 | TCP | < 1% | 20 | 81 | UDP/TCP | < 1% |
The common use of the ports shown in the table below is an indicator of what the attackers are after. IoT devices are moving to SSH for remote administration because it’s more secure than Telnet—although “protecting” with default admin credentials doesn’t secure anything. Just check out the top attacked admin credentials list, which typically includes default username and passwords that are the name of the manufacturer or software provider. The SIP protocol, although in the top 3, did not account for a large percentage of the attacks in the Finland attacks. Since we are not aware of a SIP vulnerability that would give attackers instant access to a phone inside a meeting room, we’re not surprised SSH attacks accounted for the majority of the attacks surrounding the Trump-Putin meeting.
| Port | Protocol | Common use |
|---|---|---|
| 21 | FTP | File Transfer Protocol (FTP) |
| 22 | SSH | SSH remote management port |
| 23 | Telnet | Remote management port |
| 25 | SMTP | Simple Mail Transfer Protocol (SMTP) |
| 53 | DNS | DNS and FaceTime |
| 81 | UDP/TCP | Alternate web server port for host-to-host communication |
| 135 | RPC | Remote Procedure Call (RPC) |
| 445 | SMB | Server Message Block (SMB) port |
| 1433 | SQL | SQL database port |
| 3306 | MySQL | MySQL database port |
| 3389 | RDP | Remote Desktop Protocol |
| 5060 | SIP | Clear-text Session Initiation Protocol (SIP) port commonly used by VoIP phones and video conferencing systems |
| 7547 | TCP | TCP port used by ISPs to remotely manage routers via the TR-069 protocol |
| 8080 | HTTP | Alternate web server port often used for a proxy or caching; some routers use it for remote management |
| 8088 | TCP | Apple software update and Lord of the Rings game |
| 8089 | TCP | Mac OS X web email rules, Splunk management port, MyDiskServer |
| 8090 | HTTP | Alternate web server port often used for webcams |
| 8291 | TCP | Remote management port commonly used by MikroTik routers |
| 9200 | UDP/TCP | WAP Connectionless Wireless Session Protocol |
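Since SSH brute force accounted for the majority of the attack traffic described above, the following is an added example (not F5 Labs or Loryka code) of how a defender can spot such a source on the device itself: it parses sshd "Failed password" lines in classic syslog format, flags any source IP that reaches a threshold of failures inside a sliding time window, and tallies the usernames attackers try, which is the list to compare against a device's remaining vendor-default accounts. The log lines, the 2018 year (syslog timestamps carry no year), and the threshold and window values are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (not real data). 203.0.113.5 hammers
# root/admin/ubnt within seconds; 198.51.100.7 is a user who mistypes once and
# then logs in; 192.0.2.9 fails twice but half an hour apart.
SAMPLE_AUTH_LOG = """\
Jul 12 03:14:01 cam-lobby sshd[812]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 12 03:14:02 cam-lobby sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jul 12 03:14:03 cam-lobby sshd[812]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 12 03:14:04 cam-lobby sshd[812]: Failed password for invalid user ubnt from 203.0.113.5 port 51237 ssh2
Jul 12 03:14:05 cam-lobby sshd[812]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jul 12 03:14:06 cam-lobby sshd[812]: Failed password for root from 203.0.113.5 port 51239 ssh2
Jul 12 03:20:10 cam-lobby sshd[830]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul 12 03:20:40 cam-lobby sshd[830]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jul 12 04:00:00 cam-lobby sshd[845]: Failed password for invalid user pi from 192.0.2.9 port 33000 ssh2
Jul 12 04:30:00 cam-lobby sshd[845]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2018):
    """Return (timestamp, result, username, source_ip), or None for lines we ignore.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2018 here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each offending source IP to the sorted list of usernames it tried.

    A source is an offender when `threshold` or more failed logins from it fall
    inside any sliding window of length `window`; spread-out failures (a human
    mistyping) stay below the threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, _, user, src = rec
        failures[src].append((ts, user))

    offenders = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Drop events from the left until the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[src] = sorted({user for _, user in events})
                break
    return offenders


def top_usernames(log_text, n=5):
    """Most frequently attempted usernames across all failed logins; on a device
    that still uses vendor defaults, these are the accounts actually at risk."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec[1] == "Failed":
            counts[rec[2]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for src, users in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"brute force from {src}: tried {', '.join(users)}")
    print("most attempted usernames:", top_usernames(SAMPLE_AUTH_LOG, 3))
```

The sliding window matters: a fixed per-hour counter would lump a few honest typos together with a burst of hundreds of guesses, while the window keeps the alert tied to the rate attackers actually produce. Feed the real `/var/log/auth.log` (or journald output) through the same functions, and treat any username that shows up in `top_usernames` and still exists with its factory password as the first thing to change.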
Using technology—most specifically, IoT devices—to target people of interest or spy on large portions of populations isn’t new. This practice should be expected, but we write the stories to prove a point about the necessity for security that impacts everyone from the President of the United States to an unassuming civilian standing by a hacked wireless IP camera. You don’t need a smart home to be personally impacted by insecure technology. Every business is impacted by insecure technology as they become attack pivots, relays, and botnet hosts that attack businesses, which drives up the costs of doing business for everyone.
All businesses should be securing all of their Internet connected infrastructure. All? This spans from servers in a rack in a data center (and everything installed on them), to security cameras, wireless access points, phone systems (including mobile devices), video conferencing systems, entertainment systems, TVs, DVRs, HVAC systems, fish tanks, vending machines, etc. Every “thing” that is Internet-connected.
At a minimum, securing means:
- Protect remote administration to any device on your network with a firewall, VPN, or restrict to a specified management network. Never allow open communication to the entire Internet.
- For home IoT, leverage network address translation (NAT) if you can’t install a home firewall (note that home firewalls have also been targeted by thingbots).
- Always change vendor default administration credentials.
- Stay up to date with any security patches released by the manufacturer.