Attack Traffic Caught by Honeypots Triples Over Six Months

The attack traffic recorded by F-Secure's global network of honeypots tripled from the last six months of 2018 to the first six months of 2019. In H2 2018, the network recorded 813 million attacks. In H1 2019, that figure leapt to 2.98 billion attacks.

Some of this increase will be down to a few additional honeypots added to the network, and improvements to their telnet and SMB plugins; but there's no doubt, writes F-Secure in an analysis (PDF) of the attack landscape, "given the continuing spread in infected IoT devices, the prevalence of Eternal Blue, and increasing numbers of DDoS attacks, that attack traffic is also simply on the increase."

Much of this traffic is down to two fundamental causes: the growing internet of things, and the continuing prevalence of SMB worms. "Attacks may come from any sort of connected computing device -- a traditional computer, malware-infected smartwatch or IoT toothbrush can be a source," says F-Secure.

Of the 2.9 billion hits, 2.1 billion were on TCP ports. The most common attack was against the telnet-related port 23. Telnet is still often used by IoT devices, and Mirai remains a prime cause. Earlier this week, Vulnerability-Lab disclosed zero-day flaws in Telestar Digital IoT radios. "We noticed an undocumented Telnet service on the standard port 23 on the said end devices during a port scan," said the researchers. "Since port forwarding was activated for all ports on this network, it could be addressed from the outside."

This led Bob Rudis, chief data scientist at Rapid7, to comment, "Organizations should not allow Telnet to be used as a means of device access or control either in development or in production in any way, shape or form. Telnet is a decades-old, plaintext protocol that is impossible to secure." But telnet is still common in IoT devices. In this one instance, more than 1 million devices were at risk.

The next most prevalent attack caught by the F-Secure honeypots was against port 445, representing SMB worms and exploits such as Eternal Blue. "Since its debut during WannaCry over two years ago," comments F-Secure, "Eternal Blue continues to be used by criminals, and it's currently at the height of its popularity. Data from our malware labs backs this up, as WannaCry is currently one of the most prevalent forms of malware in our telemetry."

"Three years after Mirai first appeared, and two years after WannaCry, it shows that we still haven't solved the problems leveraged in those outbreaks," said F-Secure principal researcher Jarno Niemela. "The insecurity of the IoT, for one, is only getting more profound, with more and more devices cropping up all the time and then being co-opted into botnets. And the activity on SMB indicates there are still too many machines out there that remain unpatched."

Third in the hierarchy of TCP attacks were those against SSH port 22. This represented brute-force password attempts to gain remote access to devices, and further IoT malware that also uses SSH. Brute force remains surprisingly simple because of continuing design failures by manufacturers. In the IoT radio example, the password was hardcoded into the system, and was... 'password'.

The fourth most frequent TCP attacks were against SQL-related ports. These usually represent database attacks aiming to steal data. "But more recently in a new trend," says F-Secure, "attacks are also targeting the server with cryptomining bots or even ransomware."

Outside of TCP, most of the remaining traffic was to UDP port 1900. "1900 is commonly used for scanning to determine if the target is running UPnP, or plug-and-play devices," says F-Secure, "which are used for exploitation or in DDoS attacks."

It will surprise no-one that the three primary sources of this attack traffic are China, U.S. and Russia -- although this is the source of the attack rather than necessarily the location of the attacker. China, however, has moved up from ninth position in H2 2018 to second place in H1 2019, while the UK has dropped from fourth to being unlisted in the current top ten.

The four most attacked countries in H1 2019 were the U.S., Austria, Ukraine and UK. The U.S. is no surprise given its size, economy and connectivity. "Ukraine is prominent on both source [sixth] and destination [second] lists," notes F-Secure; "not a surprise given its status as a cyber battlefield and a target of Russian hackers."

The UK as a target is also unsurprising for the same reasons, on a smaller scale, as those for targeting the U.S. That Austria was the second most targeted country -- with figures almost equaling those of the U.S. -- is more surprising. There is no immediately apparent cause for this high attack traffic against Austria. Most of these attacks came from Chinese IP spaces (91 million), with Russia sourcing a further 40 million attacks.

The malware found in the honeypots is dominated by various versions of Mirai. But, notes F-Secure, "In a new trend that should concern every business, Mirai has recently spawned variants that are specifically engineered to infect enterprise IoT devices such as wireless presentation systems and digital signage TVs. The expansion to enterprise allows attackers access to greater bandwidth connections than are available with consumer devices, affording them greater power for DDoS attacks."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.