Cybercriminals are increasingly leveraging automation to increase the speed and scale of their attacks. Malicious bots can take advantage of simple cybersecurity errors to gain access to and control over an organization’s applications and systems.
A prime example of this is the Stealthworker botnet, which was recently discovered on a security researcher’s honeypot system. The botnet leverages poor password security on Internet-facing applications to add systems to the botnet and use them to perform a distributed password guessing attack against similar systems.
The Growing Threat of Password-Based Attacks
Passwords have been in use for a long time and remain the most popular option for user authentication: they are relatively easy to implement and easily understood by users. That familiarity translates into trust in the system, which makes it difficult to convince people to move to a less user-friendly but more secure alternative.
Passwords are easy to implement, easy to use, and easy to crack. In theory, passwords can be a reasonably secure authentication mechanism, because the space of possible passwords is far too large for an attacker to search exhaustively for a single account, let alone dozens or hundreds. In practice, that theory only holds for long, random passwords. People choose short, predictable passwords and reuse them across multiple accounts, which lets a cybercriminal guess an account’s password with little to no effort.
Exacerbating this problem is the fact that automated attacks are becoming increasingly common on the Internet. Performing a password guessing attack requires no sophistication, only the ability to try many different login combinations one after another. As a result, botnets performing credential stuffing and brute-force password guessing attacks have become common, and almost a quarter of Internet traffic is driven by malicious bots.
Stealthworker Attempts to Crack User Accounts
One example of a botnet taking advantage of insecure user credentials is the Stealthworker botnet. It targets the administrative logins of a wide variety of popular web applications, including WordPress, Drupal, Magento, and many others.
The Stealthworker botnet performs a distributed brute-force password guessing attack against a target application. Each bot carries a list of commonly used passwords that it tries against the login pages of many systems. Because the attempts are spread across many bots, each source IP address generates only a small fraction of the total, so per-IP lockouts and rate limits are rarely triggered and blocking the addresses that do get noticed does not stop the attack.
The goal of the attack is to breach the administrator account on the target application. Administrator access lets the attacker add or remove components of the software (plugins, themes, extensions), which typically provides a way to run arbitrary code on the server under the web application’s account. From there, the attacker works toward complete control over the Internet-facing computer running the software.
Once the underlying server has been compromised, it is added to the Stealthworker botnet. The machine is instructed to contact a command and control (C2) server, which assigns it a role in the ongoing attack. The botnet also harvests any user credentials it can find on the compromised machine and adds them to the list of credentials used against other systems, so any password reused across multiple applications helps it compromise multiple servers.
The end goal of the cybercriminals behind Stealthworker is currently unknown. Its present focus appears to be growing the number of bots under its control, and it does so effectively: after clearing the malware from an infected decoy system (honeypot), researchers found the system reinfected within minutes. Only changing the password of the targeted application protected the server from further exploitation.
Lessons Learned from Stealthworker
The Stealthworker botnet is one of many examples of botnets taking advantage of poor security practices. However, Stealthworker’s attacks underscore the potential impact of several common cybersecurity failures:
- Use of Weak Passwords: Stealthworker gains access to applications by guessing the administrator account’s password. This only works if that password is weak enough to appear in the bots’ wordlists.
- Password Reuse: Stealthworker collects passwords extracted from compromised machines for future use. Reusing passwords across multiple accounts and systems aids the spread of the botnet.
- Lack of System Monitoring: Stealthworker conscripts a compromised server into the botnet and uses it in password guessing attacks. A web server that suddenly opens outbound connections to a C2 server and starts sending login attempts to other sites is anomalous behavior that should raise an alert and trigger incident response activities.
- Lack of Least Privilege: Stealthworker turns control over an application into control over the host itself. Internet-facing applications should run under dedicated accounts with minimal privileges, so that compromising the application does not by itself compromise the system.
- Weak Patch Management: Stealthworker may exploit privilege escalation vulnerabilities to gain full control over compromised systems. Failing to keep systems up-to-date makes this possible.
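The distributed guessing described earlier, and the monitoring gap in the list above, can be made concrete with a small detector. The following Python script is an added example, not code from this article or from the Stealthworker research. It parses constructed web server access-log lines in the common “combined” format, treats a POST to /wp-login.php answered with HTTP 200 as a failed WordPress login (an assumption: WordPress re-renders the form on failure and answers a successful login with a 302 redirect into wp-admin), and compares a conventional per-IP threshold with an aggregate rule that counts failures in a sliding window regardless of source. The sample log, the thresholds and the function names are all invented for illustration.

```python
"""Spotting a distributed password-guessing campaign in web server access logs.

Added example, not code from the article or the Stealthworker research.
Log lines, thresholds and function names are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def failed_logins(lines, login_path="/wp-login.php"):
    """Collect failed login attempts against login_path, sorted by time.

    Assumption: WordPress answers a failed POST to wp-login.php with HTTP 200
    (the form is re-rendered with an error) and a successful one with a 302
    redirect into wp-admin. Adapt the status test for other applications.
    """
    attempts = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == login_path and rec["status"] == 200):
            attempts.append(rec)
    return sorted(attempts, key=lambda r: r["ts"])


def per_ip_offenders(attempts, threshold=5):
    """Conventional rule: source IPs with at least `threshold` failures."""
    counts = Counter(a["ip"] for a in attempts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_bruteforce(attempts, window=timedelta(minutes=10),
                           min_failures=20, min_sources=10):
    """Aggregate rule: densest `window` of failures regardless of source IP.

    Returns (flagged, failures_in_window, distinct_ips_in_window).
    """
    best_count, best_ips = 0, 0
    j = 0
    for i in range(len(attempts)):
        # attempts are sorted by time, so the right edge only moves forward
        while j < len(attempts) and attempts[j]["ts"] - attempts[i]["ts"] <= window:
            j += 1
        if j - i > best_count:
            best_count = j - i
            best_ips = len({a["ip"] for a in attempts[i:j]})
    flagged = best_count >= min_failures and best_ips >= min_sources
    return flagged, best_count, best_ips


# Constructed sample: 12 bots, two guesses each, 20 seconds apart, plus
# ordinary traffic and one legitimate admin login. Not a real capture.
_BASE = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2021:12:03:00 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2021:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
for _n in range(12):
    for _k in range(2):
        _ts = _BASE + timedelta(seconds=20 * (2 * _n + _k))
        SAMPLE_LOG.append(
            f'198.51.100.{_n + 1} - - [{_ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            '"POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"'
        )


def analyze(lines):
    """Run both rules over a log and return their verdicts."""
    attempts = failed_logins(lines)
    return {
        "failures": len(attempts),
        "per_ip": per_ip_offenders(attempts),
        "distributed": distributed_bruteforce(attempts),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"failed logins: {result['failures']}")
    print(f"per-IP rule (>=5 failures): {result['per_ip'] or 'nothing flagged'}")
    flagged, n, ips = result["distributed"]
    print(f"aggregate rule: flagged={flagged} ({n} failures from {ips} addresses)")
```

Run directly, the script prints both verdicts on the constructed log: the per-IP rule sees nothing because no address exceeds five failures, while the aggregate rule flags 24 failures from 12 addresses inside one ten-minute window. The same counters can be fed from an application’s own authentication log in production, and the alert should also cover the server’s outbound side, since a web server that begins posting to other sites’ login pages is exactly the conscripted-bot behavior the article describes.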
Addressing the Threat of Automated Attacks
Malicious automated programs or “bad bots” are a serious threat to the security of Internet-facing systems. These bots account for a growing percentage of the traffic passing over the Internet today. Botnets are commonly used by cybercriminals to efficiently perform large-scale but unsophisticated attacks like brute-force password guessing.
Blocking this malicious automated traffic before it reaches an organization’s website is essential to maintaining security and to keeping bots from consuming valuable resources. However, not all bots are malicious (search engine crawlers, for example, are expected traffic), so when selecting a web application firewall (WAF) to protect against these automated attacks, choose one from a provider with deep experience in distinguishing and blocking malicious bots.