Hacker botnets can automate a cyber attack in 15 seconds

A graphic displaying an ethical hacker

Hackers are using botnets to automate the process of hacking into networks, security researchers have found.

The discovery was made when a 'honeypot' of fake user data was released to the dark web to tempt hackers into exploiting the data. Masquerading as data from a financial services company, the security firm released usernames and passwords for the Remote Desktop Protocol (RDP) for three servers in the network to dark markets and paste sites to see how hackers would respond, according to a blog post by Ross Rustici, head of intelligence services at Cybereason.

He said that once set up, automated bots came along to the honeypot to carry out the groundwork for human attackers before they entered the network environment, including exploiting known vulnerabilities, scanning the network and dumping the credentials of compromised machines.

The botnet also created new user accounts, which would allow the attackers to access the environment if the users of the compromised machines changed their passwords. And the botnet carried out these functions in approximately 15 seconds.

"For defenders, automatic exploitation in a matter of seconds means they'll likely be overwhelmed by the speed at which the botnet can infiltrate their environment," Rustici said.

He added that the increasing automation of internal network reconnaissance and lateral movement is an even larger concern.

"These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes," he said.

Two days after the third botnet finished its work, a human attacker entered the environment, according to the post. Cybereason researchers knew it was a human because the attacker logged in with a user account created by the botnet. Also, a user interface application was opened and remote access capabilities were accessed, functions not typically carried out by bots.

"The attacker already had a roadmap to the environment and wasted no time creating an exfiltration capability and siphoning off 3GB of information. This data was junk files with little value to any criminals, which is why the stolen data never appeared on the dark web," he said.

He added that the experiment revealed the commoditisation of using bots to perform low-level tasks. "At one time, only advanced attackers had this capability. But as tools that were once used by only sophisticated adversaries become more generally available, even novice attackers now have this capability."

Oliver Pinson-Roxburgh, EMEA director at Alert Logic told IT Pro that he was not surprised that organisations are starting to see this behaviour given the rise in popularity of browser miners as a way to monetise attacks.

"We see the miner malware automatically looking to identify other miners in the environment and shut the current hackers down in order to spin up their own systems. They are also looking to stay persistent for as long as possible in an asset, as controls on the cryptocurrency side starts to improve ways to detect what a valid miner looks like," he said.

Image: Shutterstock

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.