Carna Botnet Conducts Biggest Internet Census To Date – Findings are Troubling…

A group of unidentified researchers had a novel idea: Scan the Internet for unprotected devices and enlist them for service in a benign botnet that would in turn seek out other unprotected devices, all of which would ultimately work to complete what may be the largest IPv4 survey of the web ever conducted. What was not expected was that in the process, they would end up identifying nearly half-a-million devices that are completely unprotected from remote access and takeover because they were using empty or default credentials.

“Two years ago while spending some time with the Nmap Scripting Engine (NSE) someone mentioned that we should try the classic telnet login root:root on random IP addresses. This was meant as a joke, but was given a try. We started scanning and quickly realized that there should be several thousand unprotected devices on the Internet,” the researchers explained.

They believed that they could create a distributed port scanner which could survey the breadth of the Internet in a short period of time, working under the assumption  that one single device could scan an average of ten IP addresses per second, and would find an unprotected device within one hour.  If the scanner was expanded to include the new device, the rate of the scan would then double. The botnet they created was named Carna after the Roman goddess of health, who they say was later confused with the goddess of doors and hinges. Clever name.

“After doubling the scan rate in this way about 16.5 times, all unprotected devices would be found; this would take only 16.5 hours. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour,” the researchers theorized.

The survey of the Internet revealed that there are a ridiculously huge number of devices that should never have been directly connected to the web, let alone connected with no precautions taken to prevent their exploitation. How many devices? According to the researchers, it’s in the millions, mostly routers and other consumer devices.

“As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody’, there are at least 1000 people who did. Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password,” they stated.

But as they dug deeper into the data, they “found IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment and so on.”

While such an operation could have allowed the team to wreak much havoc, they maintain that they had not intentions of committing any mischief, stating that “We had no interest to interfere with default device operation so we did not change passwords and did not make any permanent changes. After a reboot the device was back in its original state,” and that the script used “was not permanently installed and stopped itself after a few days. We also deployed a readme file containing a description of the project as well as a contact email address.”

Regardless of their noble intentions, the researchers have taken more than a risks where the legalities of such an endeavor are concerned. “We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world,” the researchers said.

NSA

NSA Had Green Light for Cyber Attacks Since 1997…

The National Security Agency may have had the authority to conduct offensive cyber operations for more than 16 years, according to reports based on what are said to be newly declassified agency documents.

The document states that “On 3 March 1997, the Secretary of Defense officially delegated to the National Security Agency the authority to develop computer network attack techniques,” and includes discussions on whether or not the NSA would have difficulty undertaking this mission given its already controversial public perception as a domestic spying apparatus. The power to launch offensive operations against targeted networks is classified as an Information Warfare (IW) capability, and is administered by the U.S. Cyber Command structure, which is the domain of General Keith Alexander, NSA chief.

The document goes on to say that the agency needed to undertake this “third dimension” in its “one mission future” because “warfare in cyberspace is an exclusive feature of the Information Age” and that they believe “its biggest impact is yet to come.”

The release of the document comes on the heels of  Alexander’s recent testimony before Congress in which he revealed the NSA’s plans for the development of as many as thirteen teams of cyber warriors who will specialize in attack methods in addition to 27 units will be focused on monitoring an surveillance activities, and several days after he offered testimony before the Senate Armed Services Committee in which he expressed concerns over the continued distributed denial of service (DDoS) attacks that have been targeting U.S. financial institutions since mid-September of last year.

websense

Websense Threat Report: 600% Increase in Cyber Attacks…

Security provider Websense has released their annual threat report which notes an “explosive year-over-year growth in global cyberattack trends.” The report focuses on the “primary attack vectors” which seek to exploit the Internet, email services, social media platforms and the rapid dissemination of mobile devices, and states that the majority of CISOs surveyed admit that the blended nature of the multistage attacks bypassed traditional defense systems.

“Year-over-year, the number of malicious web-based attacks increased by nearly 600 percent. These attacks were staged predominantly on legitimate sites and challenge traditional approaches to security and trust,” said Websense VP Charles Renert in a press release.

Key finding include:

  • - Each week, organizations faced an average of 1,719 attacks for every 1,000 users.
  • - Malicious websites increased by nearly 600 percent worldwide.
  • - North American malicious sites increased by 720 percent and EMEA saw a 531 percent increase.
  • - Legitimate web hosts were home to 85 percent of those malicious sites.
  • - Half of web-connected malware downloaded additional executables in the first 60 seconds.
  • - Only 7.7 percent of malware interacted with the system registry—circumventing many behavioral detection systems and antivirus solutions.
  • - Thirty-two percent of malicious links in social media used shortened URLs. Once cybercriminals gain access to a host, they typically hide their own malicious pages deep in the directory tree. This process generates very long and complex web links that might tip off a wary user. Link shortening solves that problem.
  • - The United States of America, Russia and Germany were the top three countries hosting malware. Meanwhile, the Bahamas made its debut into the list of top five countries hosting phishing sites, with a second place ranking.
  • - China, the United States of America and Russia were the top three countries hosting command and control servers.
  • - Only one in five emails were legitimate and email spam increased to 76 percent. Worldwide spam volumes reached more than a quarter of a million emails per hour.
  • - One in 10 malicious mobile applications asked for permission to install other apps, something rarely required by legitimate apps.

“The timed, targeted nature of these advanced threats indicates a new breed of sophisticated attacker who is intent on compromising increasingly higher-yield targets. Only proactive, real-time security techniques, that inspect the entire lifecycle of a threat, can withstand the assault and prevent data theft,” Renert noted.

Images courtesy of ShutterStock

Categories: IT Security and Data Protection, ,

Tags: , , , , , , , , , , ,


Leave a Reply

Anthony M Freed

Anthony M Freed has contributed 495 posts to The State of Security.

View all posts by Anthony M Freed >