What Defenders Must Do to Fight Hackers and Cyber Attacks Using More Powerful Weapons?

Abstract

  • Hackers use IP addresses belonging to certain Cloud and IDC providers to stage cyberattacks. Defenders must monitor traffic from those specific providers.
  • Hackers use dynamic dial-up IP addresses, which are difficult to detect, to circumvent defenses. Defenders must promptly establish a system for responding to attacks from dynamic dial-up IP addresses.
  • Hackers are quick to exploit new vulnerabilities, and worm programs keep evolving. Defenders must patch vulnerabilities faster and become more capable of detecting worms.
  • Web shell connection tools have upgraded their encryption methods, so defenders must put more effort into detecting Web shells, particularly those created with new hacking tools.
  • Defenders must pay more attention to the increasingly frequent attacks on management ports and databases.

Attack Sources

Increasing Numbers of Attacks Initiated by Using IP Addresses from Cloud and IDC Vendors

As the most commonly used identifier on the Internet, the IP address is the foundation of many security and risk control measures, including throttling and attack interception based on IP behavior. IP addresses are also a core resource for hackers and cybercriminals.

Dynamic Dial-up IP Addresses Preferred by Cyber Criminals

For years, hackers mainly used open proxy servers to obtain IP resources, which are limited in quantity and unreliable. In recent years, dynamic dial-up IP addresses have given cybercriminals access to large numbers of IP addresses with which to fight IP-based security and risk control measures. Household broadband connections receive a new IP address each time they reconnect after a disconnection. Dial-up IP providers take advantage of this to gather massive IP resources and package them as dynamic dial-up IP addresses that are sold to cybercriminals.

Attack Methods

New Vulnerabilities Keep Emerging, Leaving Even Less Time for Fixes

In 2019, new vulnerabilities in programs ranging from default OS services to Web middleware constantly tested the nerves of online users. Some vulnerabilities allow remote command execution or let hackers directly exploit the host resources of their victims, inflicting heavy mental and financial damage.

Frequently Updated Worms: Need Prevention and Prompt Handling

With most virtual currency prices below their all-time highs of late 2017, worms are not making as much news as they did in the last couple of years. However, some worms are still quietly growing and have developed new techniques. In addition to well-studied worms such as Ddgs, some new worms have emerged. The following graph ranks active worms in 2019.

Spread on Linux and Windows Systems

There are many ways to spread across platforms, such as writing the malware in a cross-platform language. For example, the MinerGuard worm is written in Go. Other hacker groups, such as CryptoSink, choose to compile separate malware for Linux and Windows.

Suppress Rivals with Sinkhole

Unlike other techniques, which target the host itself, the sinkhole is mainly used by a worm program to fight other worms on the same host. The worm simply modifies the /etc/hosts file so that the server addresses of "rival worms" resolve to 127.0.0.1 or 0.0.0.0. As a result, the rival worms' requests to pull files from their server or to report that they are online are directed to the localhost and fail.
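A defender-side check for the /etc/hosts sinkholing described above, as an added example that is not code from the original post: it parses the hosts file and flags any hostname (other than the usual loopback names) that has been pointed at a loopback or unspecified address. The sample hosts content is constructed; the rival hostnames in it are placeholders.

```python
"""Detect worm-style sinkhole entries in /etc/hosts (added example)."""
import ipaddress

# Names that legitimately resolve to a loopback address on most systems.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                        "ip6-localhost", "ip6-loopback"}

# Constructed sample /etc/hosts: the last two lines are the kind a worm
# appends to cut its rivals off from their download and reporting servers.
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.0.2.10  intranet.example.internal   # legitimate static entry
# lines below are the kind a worm appends to block its rivals
127.0.0.1   update.rival-worm.example
0.0.0.0     pool.rival-miner.example
"""


def find_sinkholed_hosts(hosts_text, extra_allowed=()):
    """Return (address, hostname, line_no) for each suspicious sinkhole entry.

    extra_allowed lets the caller whitelist names such as the machine's own
    hostname, which Debian-style systems map to 127.0.1.1 by default.
    """
    allowed = LEGIT_LOOPBACK_NAMES | {n.lower() for n in extra_allowed}
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                              # malformed line, not a sinkhole
        # Sinkholing only works with loopback (127/8, ::1) or unspecified (0.0.0.0, ::).
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name.lower() not in allowed:
                findings.append((addr, name, line_no))
    return findings


if __name__ == "__main__":
    for addr, name, line_no in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} sinkholed to {addr}")
```

Run it against the real file with `find_sinkholed_hosts(open("/etc/hosts").read(), extra_allowed=[socket.gethostname()])`; any hit that the administrator did not add deliberately deserves a look at the rest of the host.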

Invade Existing Botnet for Further Spread

In addition to suppressing rivals, some worms try to invade existing botnets and use them as a base for their own spread. In April 2019, the notorious C&C botnet of Ddgs experienced a sharp drop in activity. Metrics show that this was the result of another worm, SystemdMiner, invading the Ddgs infrastructure and appending its own malicious code to the end of the botnet's major scripts.

“Evolution” of Web Shell Connection Tools Poses New Detection Challenges

Also known as a Website backdoor, a Web shell is a file in a format such as .php or .jsp. After invading a Website, a hacker usually uploads the Web shell to the Web directory of the Website server and obtains an environment for running commands by accessing the Web shell file. In this way, hackers control the Website server. Web shells are used by fraudsters for intrusion and are also widely used in Internet attack-and-defense tests.

Targets and Trends of Cyber Attacks

More Attacks during Summer

Records show that the average number of attacks from June to August was much higher than earlier in the year and than during the same period in 2018. It was an eventful summer. The following graph shows the trend of the average number of attacks per IP address from January to September in 2018 and 2019.

Rising Number of Attacks on Management Ports and Databases: Need for Properly Managing High-risk Services

Records show that attacks on management ports, such as SSH and RDP, and on database services, such as MySQL and Redis, increased in 2019. The following graph shows the percentage of attacks on each type of service.
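A quick exposure check for the services named above, added here as an example that is not code from the original post: it parses the output of `ss -ltn` on a Linux host and reports SSH, RDP, MySQL or Redis listeners bound to a wildcard address, meaning they are reachable from every network rather than isolated behind a firewall or loopback. The sample `ss` output is constructed.

```python
"""Flag high-risk management and database services listening on all interfaces
(added example, parses `ss -ltn` output)."""
import subprocess

HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis"}
# Local-address forms that mean "every interface" in ss output (old and new versions).
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -ltn` output: SSH and Redis are wide open,
# MySQL is correctly bound to loopback, port 80 is not in scope.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     *:6379               *:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
"""


def parse_listeners(ss_text):
    """Return (local_address, port) for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                         # header or non-listening row
        addr, _, port = fields[3].rpartition(":")   # IPv6 addresses contain ':'
        try:
            listeners.append((addr, int(port)))
        except ValueError:
            continue
    return listeners


def exposed_high_risk_services(ss_text):
    """Return (service, address, port) for high-risk services bound to a wildcard."""
    return [(HIGH_RISK_PORTS[port], addr, port)
            for addr, port in parse_listeners(ss_text)
            if port in HIGH_RISK_PORTS and addr in WILDCARD_ADDRS]


if __name__ == "__main__":
    # Replace SAMPLE_SS_OUTPUT with live data to audit the current host.
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    for service, addr, port in exposed_high_risk_services(live or SAMPLE_SS_OUTPUT):
        print(f"{service} on {addr}:{port} is reachable from all interfaces")
```

Each reported service should either be bound to a specific internal address or loopback, or be restricted by firewall rules to the addresses that legitimately manage it.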

Windows vs Linux: More Secure OS

There is a saying in the cyber world that Linux is superior to Windows in terms of Internet security. Is this true?
More than 75% of applications run on Linux, and the percentage of attacks on Linux systems is slightly lower than 75%. Mathematically, then, the Linux system is indeed "more secure" than Windows, because Windows systems are more "attractive" to hackers.

Recommendations

The following are some key suggestions to help users defend against cybercrime:

  • Defenders must specifically monitor and restrict traffic from Cloud/IDC providers whose IP addresses are heavily used by hackers, for example by applying stricter security policies to them.
  • To defend against fraud, establish a mechanism for promptly handling dynamic dial-up IP addresses, so that the massive numbers of dial-up IP addresses cannot circumvent security policies.
  • Fix newly released vulnerabilities quickly, since fraudsters are exploiting such vulnerabilities ever faster.
  • Reinforce the detection of and protection against Web shells and worms, including the deployment and use of host security tools and Web application firewalls (WAFs).
  • Isolate high-risk services, such as management ports and databases, from hacker attempts to gain access, or use a firewall to protect these services.
  • Cloud security solutions are powered by big data and designed with expert guidance, and are therefore more secure than traditional data centers. Security team members should advise on-premises businesses to gradually adopt Cloud security infrastructure to reduce security risks and operating costs.

Alibaba Cloud