
First Analysis of Cyber Attacks on Lebanon - 2,500,000 attacks within 21 days

Introduction

The rapid growth of internet usage paved the way for interconnected systems and, ultimately, a fully connected world of devices. Devices such as smart TVs, smart fridges and baby monitors are frequent targets because they are cheap, lack adequate security hardening and receive little vendor attention to security; once compromised, they are easily used as a launching point for attacks on further systems or networks.

Traditional defensive controls in cyberspace are no longer sufficient to protect networks and data of interest, because new flaws keep emerging in IT protocols and digital systems. Mature security strategies orchestrate a set of tools that together cover the entire security posture of the protected scope. A key element in that set is an early-warning system such as a honeypot. Honeypots simulate vulnerable systems or services and trap threat actors, which helps characterise attacker behaviour and strengthen the deployed defensive strategy. In this study we aim to understand the cyber-attacks that roam around the Lebanese perimeter. As a first step, we deployed several honeypots on one public system located in the capital city area. The main goal of the deployed system is to detect automated attacks, in which threat actors run large scans to identify vulnerabilities and then exploit them.

This study discusses and visualises the results of 10 honeypots modelled on the T-Pot implementation originally created by Deutsche Telekom [1]. T-Pot is a ready-to-deploy system running on Linux that bundles multiple honeypots, each configured to track specific services and vulnerabilities. It provides a web-based graphical user interface, besides other access methods, which offers a convenient way of viewing the captured logs in different formats. The traffic was collected by the honeypots over 21 days, from January 8th to February 1st, 2022. Throughout our study, we focused on answering the following:

  1. What are the most attractive services for attackers?
  2. Where do most attacks originate from?
  3. How are attacks distributed over time?
  4. Which usernames and passwords are most often attempted by threat actors?


Selected Honeypots

The following table shows a brief description of the deployed honeypots.

Honeypot       Description
-------------  ------------------------------------------------------------------------------
Dionaea        A Python honeypot that uses libemu to detect shellcode; supports IPv6 and TLS
RDPy           A Python implementation of the Microsoft Remote Desktop Protocol (RDP), client and server side
Mailoney       An SMTP email honeypot that provides custom modes to fit the deployment's needs
Cowrie         A medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by an attacker
Honeytrap      A network security tool that observes attacks against TCP or UDP services
CiscoASA       A Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability
ADBHoney       Emulates the Android Debug Bridge (ADB), a protocol made to control and track connected Android devices (phones, tablets, ...) using several tools and commands
Heralding      A simple honeypot logger that collects credentials
SNARE/TANNER   SNARE is a web application honeypot sensor; TANNER is SNARE's "brain". Every event is sent from SNARE to TANNER, gets evaluated, and TANNER decides how SNARE should respond to the client
Citrix         A honeypot for CVE-2019-19781 (Citrix ADC) that detects and logs CVE-2019-19781 scans and exploitation attempts


Number of Attacks

The honeypots were selected according to the criticality of the services they simulate. For example, the Cisco ASA honeypot mimics the firewall platform found in most Cisco-based networks, and RDPy is a Python implementation of the Microsoft RDP protocol widely used on Windows servers.
The analytics showed that more than 2,500,000 attacks were performed within 21 days, as depicted in the next figure. Of these, Cisco ASA and Citrix ADC were hit by 16,268 and 667 attacks, respectively. These two services are singled out because it was previously shown in [2] that many systems in the Lebanese perimeter are vulnerable through them.

Number of Attacks per Honeypot

To gauge how active attackers are against the Lebanese perimeter, the next figure presents the distribution of attacks over time, per honeypot. For most of the deployed honeypots the attacks are almost uniformly distributed, which suggests a periodic scan of the perimeter. For some honeypots, such as Cisco ASA, there are specific periods in which attackers were especially active, for instance 25-01-2022 with more than 15,000 attacks. This leads to the conclusion that the perimeter is exposed to the whole world and that any existing vulnerability is effectively known to thousands of attackers.

Distribution of Attacks over the Time Period


Origin of Attacks

Looking at the origin of attacks, the United States ranks first with more than 60% of the attacks. The next countries in the ranking are Lebanon, Vietnam and Russia. It is unusual to see so many attacks originating from Lebanon itself; we therefore plan to investigate the Lebanon-sourced results further, since the assumption is that other countries have more powerful scanning capabilities in cyberspace.

Origin of Attacks

The next figure shows that 95% of the attackers fall into the "known attacker" category, whereas 2% fall into the "bad reputation" category. The remaining attacks are classified as crawling, mass scanning and spamming activity. These results highlight the high level of risk that comes with being exposed online, and further stress the importance of our work in [2] on uncovering unpatched critical vulnerabilities.

Attacker Classification


Top Username Password Used by Hackers

The figure below illustrates the most used username/password combinations. Trivial built-in accounts such as root, administrator and guest, together with their variants and well-known service accounts, are clearly the primary targets. The passwords tried against these accounts are the basic entries of any password dictionary, such as admin, sequences of digits, or the default passwords set by product and application vendors. The results demonstrate the need for a stronger password policy and for advanced authentication methods such as multi-factor authentication (MFA).

Most Tried Usernames and Passwords
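The four questions answered above (attacks per honeypot, distribution over time, origin country and most tried credentials) together with the attacker classification all reduce to aggregations over the honeypot event log. The script below is an added example written for this article, not T-Pot's own code or the authors' analysis pipeline. It assumes a simplified JSON-lines event format with the fields timestamp, honeypot, src_ip, country, username and password (T-Pot's real Elasticsearch schema differs), and both the sample events and the IP reputation map are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample events in a simplified, T-Pot-like JSON-lines shape.
# Field names are assumptions for this example, not T-Pot's real schema.
# One deliberately malformed line is included to show that parsing is tolerant.
SAMPLE_EVENTS = """\
{"timestamp": "2022-01-25T03:14:07Z", "honeypot": "Ciscoasa", "src_ip": "198.51.100.7", "country": "United States"}
{"timestamp": "2022-01-25T03:14:09Z", "honeypot": "Ciscoasa", "src_ip": "198.51.100.7", "country": "United States"}
{"timestamp": "2022-01-25T11:02:51Z", "honeypot": "Cowrie", "src_ip": "203.0.113.12", "country": "Vietnam", "username": "root", "password": "123456"}
this line is not JSON and must be skipped
{"timestamp": "2022-01-26T08:40:00Z", "honeypot": "Cowrie", "src_ip": "203.0.113.12", "country": "Vietnam", "username": "root", "password": "admin"}
{"timestamp": "2022-01-26T08:40:03Z", "honeypot": "Cowrie", "src_ip": "192.0.2.44", "country": "Lebanon", "username": "admin", "password": "admin"}
{"timestamp": "2022-01-26T09:15:30Z", "honeypot": "Cowrie", "src_ip": "192.0.2.44", "country": "Lebanon", "username": "root", "password": "123456"}
{"timestamp": "2022-01-27T22:59:59Z", "honeypot": "Citrix", "src_ip": "198.51.100.9", "country": "Russia"}
{"timestamp": "2022-01-27T23:00:01Z", "honeypot": "Honeytrap", "src_ip": "198.51.100.7", "country": "United States"}
"""

# Constructed reputation list keyed by source IP. A real deployment would
# populate this from a threat-intelligence feed rather than hard-code it.
REPUTATION = {
    "198.51.100.7": "known attacker",
    "203.0.113.12": "known attacker",
    "198.51.100.9": "bad reputation",
    "192.0.2.44": "mass scanner",
}


def parse_events(text):
    """Parse JSON lines; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Only keep records that carry the minimum fields every aggregation needs.
        if all(k in ev for k in ("timestamp", "honeypot", "src_ip")):
            events.append(ev)
    return events


def attacks_per_honeypot(events):
    """Total event count per honeypot (the 'Number of Attacks per Honeypot' view)."""
    return Counter(ev["honeypot"] for ev in events)


def attacks_per_day(events, honeypot=None):
    """Daily event counts, optionally restricted to one honeypot; keys are YYYY-MM-DD."""
    counts = Counter()
    for ev in events:
        if honeypot and ev["honeypot"] != honeypot:
            continue
        day = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ").date()
        counts[day.isoformat()] += 1
    return counts


def origin_share(events):
    """Fraction of all events per source country (the 'Origin of Attacks' view)."""
    total = len(events)
    per_country = Counter(ev.get("country", "unknown") for ev in events)
    return {c: n / total for c, n in per_country.items()}


def top_credentials(events, n=3):
    """Most tried username/password pairs among events that carry credentials."""
    pairs = Counter(
        (ev["username"], ev["password"])
        for ev in events
        if "username" in ev and "password" in ev
    )
    return pairs.most_common(n)


def classify_sources(events, reputation):
    """Label each event by the reputation of its source IP; unknown IPs are 'unclassified'."""
    return Counter(reputation.get(ev["src_ip"], "unclassified") for ev in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("per honeypot:", dict(attacks_per_honeypot(evs)))
    print("Ciscoasa per day:", dict(attacks_per_day(evs, "Ciscoasa")))
    print("origin share:", {c: round(s, 3) for c, s in origin_share(evs).items()})
    print("top credentials:", top_credentials(evs))
    print("classification:", dict(classify_sources(evs, REPUTATION)))
```

On the constructed input the Cisco ASA events cluster on a single day, which is the kind of spike the time-distribution figure is meant to reveal, while the Cowrie credential pairs show the root/123456 pattern the credential figure describes. Running the same functions over a real export of the honeypot index reproduces each of the article's views without the web interface.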


Conclusion

The main purpose of this study is to demonstrate how active threat actors are in Lebanese cyberspace, and how system and application owners within the Lebanese perimeter can use the analysis results to improve their security plans: keep systems continuously patched, limit open ports, monitor the unsolicited traffic reported by their monitoring systems, and build strong identification and authentication mechanisms.


References
[1] T-Pot, Deutsche Telekom, Apr. 2022, https://github.com/telekom-security/tpotce
[2] Lebanon CERT, Jan. 2022, https://lebanoncert.org/en/blog/vulnerabilities_study