
The Password that Put You at Risk


By: Yaser vp

December 9, 2016



We are security researchers, penetration testers, or members of other security wings in cyberspace, so you should know about attackers' behavior and tastes. Consider not only the attackers' behavior, but also the users in every corner of the country.

Today, I'm introducing the “Password That Put You at Risk” list:

1 - Bad Password is Bad!!

At the end of 2015, password management company SplashData released its annual “Worst Passwords” report, which again reminded the world that “123456” and “password” are the worst possible choices to secure user accounts.

Millions of passwords were leaked over the course of 2015, and SplashData’s most recent report corroborates the statement that “regular humans are terrible at picking passwords.” And, "the carbon-based computers we store in our heads are certainly suboptimal password generation devices, since people tend to pick easy-to-remember, easy-to-type passwords. While reports on the inherent weaknesses of human-chosen passwords are valuable in communicating security shortcomings to the general population, it’s difficult to characterize people’s regular work, banking, e-mail, and other critical passwords based off of lists of password leaks."

"After all, the majority of the sources of these passwords are almost necessarily from sites with weak security standards. Most important accounts have passwords that are subject to complexity requirements. Complexity requirements in the form of minimum lengths, mixes of character sets, and the like make it difficult to register a new account with “starwars” as a password, no matter how much one might love the Disney franchise."


To expose the problem in detail, I'm going to introduce an interesting data-analytic study by the Rapid7 team.

Rapid7 does a lot of Internet-scale research, and they collected data about how attackers behave on the Internet: nearly a year's worth of opportunistic credential-scanning data collected from Heisenberg (a Rapid7 project name), Rapid7's public-facing network of low-interaction honeypots. Instead of focusing on the passwords that end users typically pick, with this data we can see what opportunistic scanners are using in order to test and likely compromise Internet-connected point-of-sale (POS) systems, kiosks, and scam-compromised desktop PCs which offer the Remote Desktop Protocol (RDP) service for remote management.


With this unique visibility into the credentials that attackers are choosing, we can measure a variety of statistics that are of interest to security practitioners and data scientists. For security practitioners, the report covers the frequency and source of opportunistic attacks; the top attempted usernames, passwords, and username:password combinations; and the overlap between these chosen credentials and published password dumps collected from breach data.


“Heisenberg honeypots are custom-engineered, low-interaction honeypots that are distributed geographically across several regions.” They are “low-interaction” in the sense that they merely emulate the authentication handshakes of several protocols without attempting to emulate (or actually offer) the full capabilities of the protocol or the underlying operating systems. So, while this honeypot network is an ideal collection system for opportunistic attacker-controlled credentials, it does not offer further insight into the motives of attackers in the event that they guess a “correct” password.

The most interesting of the protocols that the Heisenberg honeypots support is the Remote Desktop Protocol (RDP).

Remote Desktop Protocol (RDP)

RDP enables remote desktop-based control of home, office, POS, and kiosk systems, and is often enabled intentionally and legitimately by those systems' owners, since it is sometimes considered a secure alternative to a Virtual Private Network (VPN) connection. RDP does provide native encryption by default, and is optionally configurable with the Transport Layer Security (TLS) encryption standard. While we at Rapid7 strongly recommend VPN-secured network access to internal resources (primarily to reduce attack surface), some IT organizations and Virtual Private Server (VPS) providers treat RDP as a viable alternative to traditional VPN access.

RDP is implemented on the server side as Remote Desktop Services (RDS) and ships with all Microsoft Windows operating systems since Windows XP.


According to Sonar scans conducted in February 2016, there were 10,822,679 IP addresses listening on 3389/TCP, the default port for RDP. Attackers have taken notice of these millions of potential targets. RDP is also a popular management interface for some Windows-based Point-Of-Sale (POS) systems. This was discussed extensively in FireEye's mid-2014 report on BrutPOS and US-CERT's alert regarding BackOff, both of which target RDP-enabled POS systems and kiosks. Since 2014, successful attacks targeting POSes remain in the headlines as a favored tactic for criminals. Because of its attractiveness to criminals, we feel that this is an ideal protocol for building out an attacker's dictionary of commonly used, rarely changed passwords. In addition, it is our belief that some fraction of these RDP endpoints are exposed as a result of the recent spike in “Windows tech support” scams, where users are tricked into giving control of their desktops to scam perpetrators. On Windows 7, for example, the configuration for RDP is located on a screen for “Remote Assistance,” as seen in Picture one. As anti-virus and anti-malware consumer products started to identify and flag the third-party screen-sharing and remote control software used in these scams, we believe these actors are now adopting Microsoft's built-in tools in order to avoid antivirus (AV) detection.


Rapid7 collected credentials intended for our RDP listening services over the past 334 days, from 2015-03-12 to 2016-02-09. Over this period, we recorded 221,203 login attempts, sourced from 119 countries.



Figure: Credentials collected worldwide

Attackers do not merely pick random strings as passwords (or usernames). Such brute force attacks are process intensive, time consuming, and tend to have very poor performance from the attacker's point of view. Instead, attackers in our data set were clearly conducting dictionary attacks; i.e. they were using chosen usernames and passwords that have an assumed high likelihood of success when applied to a target system.

Figure: Top 10 Country Network Origins

For example, a Google search for “St@rt123,” the third most common password attempted, turned up only a comment on a Krebs on Security blog post suggesting it as a merely hypothetical weak password in connection with a Russian e-payment system breach. It's possible that “St@rt123” is, in fact, a known-to-some common default. Given the appearance of this password on a blog that is concerned primarily with reporting high-profile data breaches, it's possible its use was merely an error in translation. Despite these unknowns, some inferences can be drawn from the tables that follow, especially when it comes to the relationships of passwords to usernames.

Top Ten Usernames!


Figure: Top 10 Usernames

By far, the most common username is “administrator,” followed by “Administrator.” Note that because RDP is strongly associated with Windows, usernames are not case-sensitive. While apparently omnipresent, it's good to know that these attackers are not omniscient, too. The sixth most common username, “pos,” has a strong implication for point-of-sale systems, while the usernames “db2admin” and “sql” imply a hunt for Internet-facing database instances.

Top Ten Passwords!


Figure: Top 10 Passwords

The most surprising aspect of the top ten passwords is that only the third, fifth, and sixth most common passwords, St@rt123, P@ssw0rd, and bl4ck4ndwhite (respectively), are even mildly complex, being made up of simple letter substitutions which many, many dictionaries are likely to contain.

Truly, the surprising detail to be uncovered here is just how weak these passwords are: one or two characters, easily guessed strings, and a strange appearance of a series of dots. Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security.

Top Passwords for the Top Ten Usernames

Taking a look at the top passwords per username can give a much clearer picture of what the scanners are after. We can see, for example, that the lowercase “administrator” account is associated with two very strong passwords, as well as the very weak “x” and “Zz”.

We can also see that, for some usernames, default passwords seem to be the most common target rather than merely weak passwords. For example, the “db2admin:db2admin” credential is the default credential for many versions of IBM's DB2 database, and it is one of only two passwords that are attempted with that user account.

Figure: Top Passwords for the Top Ten Usernames

Top Usernames Associated with the Top Ten Passwords

We can also look at the reverse: how many passwords are reused across several usernames? This is a common tactic for quick dictionary testing, especially in environments that may have account lockouts in place. An attacker may only have five guesses for a particular username, but given 10,000 users, that amounts to 40,000 guesses with four passwords each (leaving the last guess off to avoid triggering the lockout). We can see that “x” is, by far, the most commonly guessed password. Would-be intruders are likely banking on the fact that POS and kiosk administrators may not realize their device is reachable from the Internet, and would rather not set a password at all. We can also see that the “St@rt123” password is associated with exactly one user account, “user1,” just as the password “alex” is almost entirely associated with the username “alex.” This would imply that perhaps “user1:St@rt123” and “alex:alex” are default credentials to a particular brand of device, or even a particular botnet.

Figure: Top Usernames Associated with the Top Ten Passwords

Distinct Passwords per Username and Distinct Usernames per Password

When studying online dictionary attacks, it's helpful to realize that while the password is “private” and the username is “public,” they are really two equal halves of a valid credential. If you happened to write an e-mail password on a piece of paper, but never revealed the associated e-mail address, you would not have effectively compromised your account; you would simply be reversing the roles of username and password, as long as you kept the username secret. Of course, keeping usernames secret is far more difficult, since usernames tend to be publicly disclosed many, many times in normal operations. Passwords, on the other hand, are “disclosed” only upon authentication, and ideally over an encrypted channel. This is a real problem for online attacks, where very little about the system or its users is known: the scanners are clearly targeting well-known, non-secret default Windows accounts, such as “administrator,” or default usernames associated with a particular product.

Figure: Distinct Passwords per Username




Figure: Distinct Usernames per Password
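As an added example (not code from this post or from Rapid7's Heisenberg project), here is a small Python analysis that reproduces the tables above over a constructed set of RDP logon attempts and, from the defender's side, separates a source that sprays one password across many accounts (the lockout-dodging pattern described above) from one hammering a single account. The source addresses, usernames and passwords in the sample are made up.

```python
from collections import Counter, defaultdict

# Constructed honeypot-style RDP logon attempts (source, username, password); illustrative only.
ATTEMPTS = [
    ("198.51.100.7", "Administrator", "x"),
    ("198.51.100.7", "pos", "x"),
    ("198.51.100.7", "db2admin", "x"),
    ("198.51.100.7", "user1", "x"),
    ("198.51.100.7", "administrator", "P@ssw0rd"),
    ("203.0.113.9", "administrator", "123456"),
    ("203.0.113.9", "administrator", "St@rt123"),
    ("192.0.2.44", "db2admin", "db2admin"),
    ("192.0.2.44", "user1", "St@rt123"),
    ("192.0.2.44", "alex", "alex"),
]

def normalize(attempts):
    """Lowercase usernames: Windows/RDP logon names are not case-sensitive."""
    return [(src, user.lower(), pw) for src, user, pw in attempts]

def top_usernames(attempts, n=10):
    """The 'top usernames' table; counting the password column gives the passwords table."""
    return Counter(user for _, user, _ in normalize(attempts)).most_common(n)

def passwords_per_username(attempts):
    """The 'top passwords for each username' table: a Counter per username."""
    table = defaultdict(Counter)
    for _, user, pw in normalize(attempts):
        table[user][pw] += 1
    return dict(table)

def distinct_usernames_per_password(attempts):
    """How many different usernames each password was tried against."""
    users = defaultdict(set)
    for _, user, pw in normalize(attempts):
        users[pw].add(user)
    return {pw: len(u) for pw, u in users.items()}

def lockout_guess_budget(user_count, lockout_threshold):
    """Guesses a sprayer gets while staying one below the lockout threshold per account."""
    return user_count * (lockout_threshold - 1)

def spraying_sources(attempts, min_users=4, max_pw_per_user=2):
    """Sources trying few passwords against many accounts (spraying) rather than many
    passwords against one account (brute force); the former is what lockouts miss."""
    per_src = defaultdict(lambda: defaultdict(set))
    for src, user, pw in normalize(attempts):
        per_src[src][user].add(pw)
    return sorted(src for src, users in per_src.items() if len(users) >= min_users
                  and max(len(pws) for pws in users.values()) <= max_pw_per_user)
```

Run over real authentication logs, a per-source view like spraying_sources is what catches the "four guesses per user across 10,000 users" pattern that a per-account lockout never trips.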



One of the most straightforward actions any enterprise can take is to assess the need to expose RDP to the Internet. If these services are not absolutely critical, immediate action should be taken to block access to port 3389 (the most common and default port for RDP services). If access is required, a little security by obscurity will go a long way: simply changing RDP's listening port, and configuring the corresponding clients to attempt this alternate port, can alleviate most opportunistic scanning.

Many other solutions are available, ranging from enforcing account lockouts to more complex, adaptive user behavior solutions that recognize and react to credential-based attacks in progress. However, we don’t believe this advice will be heeded by the majority of victim organizations. That may sound harsh, but remember that it is likely that many (likely, most) of the RDP endpoints discovered by Project Sonar are exposed unintentionally, so no amount of security advice will reach the people responsible for these systems. Unfortunately, it’s difficult to know for sure without further investigation. Periodic credential sweeps in order to size the problem appropriately would be most helpful but are blocked by legal barriers.

Ideally, assessing the actual threat exposure revealed by the collected credentials will help organizations and individuals manage their risks. Now that we are armed with the sources, usernames, passwords, complexity patterns, and password provenance, all associated with real-world scanning evidence, we should expect that the security research community would be in an excellent position to determine exactly how effective these tactics are against Internet endpoints on a continuous basis.

After all, RDP-based break-ins are strongly associated with both point-of-sale and personal banking attacks, as indicated earlier in this paper, and are a continuous problem for many companies, large and small. We strongly believe that routine credential scans can help protect both individual and organizational sensitive information, prevent opportunistic fraud and crime, and ultimately make the Internet a safer and more trustworthy platform for commerce, communication and expression.

Thank you! And thank you to Cybrary.IT and Rapid7.