lolloj - Fotolia

Botnets shift focus to credential abuse

Cyber criminals are increasingly using automated attacks that make use of stolen credentials, a security threat report warns

There was a sharp increase in the threat of credential abuse in the last three months of 2017, according to the latest internet threat report from cloud delivery firm Akamai.

The report, based on the analysis of more than 7.3 trillion automated or bot requests per month, shows that more than 40% of login attempts in the quarter were malicious, and that the hospitality industry was the biggest target, with 82% of its login attempts being from malicious botnets.

According to the Ponemon Institute, credential stuffing attacks which make use of automated trial of stolen username and password pairs to gain control of user accounts, can cost businesses as much as $2.7m (£1.9m) a year.

“These attacks are taking advantage of the fact that people use the same login credentials across multiple applications, sites and services,” said Jay Coley, senior director, security planning and strategy at Akamai. “Once they are in, they can take over that account and abuse it until the account owners become aware and change their passwords.”

The Akamai data indicates that although there is a shift in automated attacks to credential abuse, distributed denial of service (DDoS) attacks remain a consistent threat, and the Mirai IoT botnet mainly of compromised internet-connected security cameras is still capable of strong bursts of activity.

While other reports have shown the intensity of the Mirai botnet fading, Akamai saw a spike of nearly one million unique IP addresses from the botnet scanning the internet in late November, showing it is still capable of explosive growth.

“Over the past few years, we have seen a decrease in the number of PC-based botnets and a migration to server-based botnets with much more capacity, and more recently we have seen botnets using mobile devices and connected devices making up the internet of things,” said Coley.

“The botnets are evolving. They are getting much bigger and a lot more flexible in what they can do, mainly due to the huge number of mobile and IoT devices that can be compromised,” he said, adding that this unprecedented scale is something businesses should be aware of in the threat landscape.

“Bots present a unique problem with regard to scale,” he said. “Old, on-site appliances are not capable of withstanding the larger attacks we are seeing with some of these botnets.” In the face of this threat, Coley said many companies are looking to cloud-based services to provide the capacity, experience and threat intelligence to deal with large-scale DDoS attacks when required.

Akamai’s findings also confirmed that the total number of DDoS attacks in the last quarter of 2017 was up 14% compared with the equivalent period in 2016.

“Credential abuse is a relatively new trend in bot-enabled cyber criminal activity, but bots are being used across the entire spectrum of cyber abuse, such as DDoS attacks, web application attacks, and site scanning and scraping,” said Coley.

The financial industry saw a sharp increase in the number of DDoS attacks during the quarter, experiencing 298 DDoS attacks against 37 distinct organisations, with application layer DDoS attacks up 115% on the previous quarter.

“Increased automation and data mining have caused a massive flood of bot traffic to impact websites and internet services,” said Martin McKeay, senior security advocate at Akamai. “Although most of that traffic is useful for internet businesses, cyber criminals are looking to manipulate the powerful volume of bots for nefarious gains. Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal.”

The Akamai data shows that the UK is the third-most targeted country for web application attacks with 19 million recorded in the quarter, up from fourth place in the third quarter. In the last quarter of 2017, the US was the most targeted country for web application attacks (323 million), followed by Brazil (28.6 million).  

Read more about DDoS attacks

SQL injection remained the dominant web attack vector in the quarter, making up 50% of all web application attacks, which are mainly aimed at stealing data. The report noted that SQL injection is a well-known and well-understood attack that has remained in the top position over time because organisations have not made the effort to protect their sites.

“Attackers will continue to utilise these vectors to gain access to systems if applications do not take the simple, but necessary, step of sanitising data input and output,” the report said. “These types of attack are easily automated and scalable, looking for any vulnerable system, rather than targeting specific organisations.”

Local file inclusion (LFI) came second after SQL injection attacks, with a 36% share of the attacks, down from 38% in the previous quarter. Cross-site scripting (XSS) came third with 8% of the attacks, down from 9% in the third quarter.

Akamai researchers have also seen recent hacker activity turning to exploit remote code execution vulnerabilities in enterprise-level software to make enterprise systems part of the botnet threat. For example, hackers have been exploiting vulnerabilities in the GoAhead embedded HTTP server – which has 700,000 potential targets – and Oracle WebLogic Server.

Aided by the disclosure of Spectre and Meltdown earlier this year, Akamai researchers said the GoAhead and Oracle WebLogic vulnerabilities open the door to a new wave of attacks, including the surreptitious installation of crypto mining software that ties up computing resources.

“A key motive of attackers has always been financial profit,” said McKeay. “In the past few years, we have seen adversaries move to more direct methods to achieve that goal, such as ransomware. Crypto mining offers attackers the most direct avenue to monetise efforts by putting money immediately into their crypto wallets.”

Read more on Hackers and cybercrime prevention