Spike in Brute-Force Attacks Hints to Kickoff of Malicious Campaign. Heimdal™ Security Discovers Brute-Force Campaign Targeting Danish Companies
By Vladimir Unterfingher
Introduction
Heimdal™ Security’s Incident Response and Management team has recently unearthed evidence regarding an anonymous Moscow-based hacking cell operating on Danish soil. The data we have analyzed reveals the prevalence of brute-force attacks directed towards various organizations. Factoring in the frequency and severity of the attacks, we have surmised that they have been orchestrated by an organized crime group. The network telemetry analysis supports this assessment – the IP addresses involved in the DK reseller attacks appear to have been concentrated around Moscow. This hypothesis is still being discussed, as the threat actors could have used a proxy approach for obfuscation.
Our company’s latest approach to firewall security made it possible to intercept and counter these attacks before the threat group could exfiltrate sensitive data from the Danish reseller. Internal data has yielded valuable intel regarding the group’s modus operandi.
The Muscovite group has launched brute-force and dictionary-type attacks from 8 different IP addresses, targeting four major economical operators (i.e. the Danish reseller and three other international brands) as well as a personal email address. This last operation could signify the beginning of a data-gathering phase for a (potential) future business email compromise (B.E.C) campaign. However, there are insufficient data to support this claim. Given the context, collateral credential-harvesting is the only plausible explanation for the sustained attacks against the personal email address.
Brute-force attacks are not especially efficient in the context of a multi-pronged malicious campaign. However, given enough time, attempts, and subpar cybersecurity habits, a brute-force attack can be as efficient as ransomware.
Reconstructing incident’s timeline
On the 14th of October, our Incident Response and Management team was notified regarding a brute-force attempt on the Danish reseller. The dashboard telemetry indicated several brute-force attempts carried out at around 9 AM. In the case of this particular customer, a total of 1,168 attacks were launched against the reseller.
Eight distinct, Moscow-based, IPs were used throughout this brute-force session. See picture below.
Over 30% of brute-force attempts originated from one IP address. The digital forensic analysis revealed that the same IP – 45.141.87.18 – was involved in attacks conducted against three other companies (i.e. one of them is also headquartered in Denmark).
Upon establishing the brute-force/attack dictionary etiology, we proceeded to gather additional data on the incident in order to determine if this indeed the beginning of a malicious campaign.
The intel we have so far shows that the primary attack IP address was used three months ago during a sustained attack against a USA-based company. Interestingly enough, all the aggressions carried out against the North American operator were done from a single IP address, namely the one intensively used during the Danish reseller offensive.
Eight IP changes were detected. IP switching was done at regular intervals (i.e. 30-40 seconds apart). Percentile decreases are as follows:
- -18% between first and second IP change.
- -61% between second and third IP change.
- -11% between third and fourth IP change.
- -45% between the fourth and the fifth IP change.
Attempt number remains unchanged for the remaining IP switches.
Minimal threshold has been recorded at 56 – brute-force attempts amplitude = 390. The sole denominator between the earlier US brute-force aggression and the Danish incident is the Muscovite IP. It stands to reason that the group may have used the data gathered during the North American assault to brute-force their way into the Danish company’s database. This fact can be easily deduced by comparing the number of attempts during each attack:
1000+ (Danish retailer) vs. 20,000+ (US company)
The fifth IP (185.202.0.117) was also utilized in a brute-force attack directed against a personal email address. Around 30 brute-force attempts against the Gmail address were registered. From the list of malicious IP addresses, a single IP address has been utilized to carry out this brute-force cracking. The email address in question is not connected to any of the companies targeted by the threat group.
The IP-based distribution of brute-force attempts is surmised in the graph below.
The numbers associated with each attack are as follows:
| IP | No. of hits |
| 45.141.57.18 | 21155 |
| 45.145.67.73 | 316 |
| 193.57.40.29 | 124 |
| 193.106.31.106 | 110 |
| 185.202.0.117 | 93 |
| 195.54.161.6 | 113 |
| 45.145.66.175 | 56 |
| 45.145.67.139 | 56 |
Assumptions
In analyzing the security incident, we have drawn the following conclusions:
- A learning curb is involved.
Taking into account the numbers associated with the US and the DK attacks, we can surmise that the purpose of the first aggression was to enrich the attack dictionary. The hypothesis is very plausible considering that all the numbers seemed to have decreased across the board, especially after each IP switch. One may be inclined to say that the latest batch is almost surgical.
- There is more than one perpetrator.
Attacks conducted against large targets are seldom the work of a lone wolf. There may be more than one individual involved in this operation. Factoring in the number of brute-force attacks, the target’s high profile, and the lateral movement, we can conclude that this a malicious campaign or at the very least, a burgeoning one.
Unique intelligence for unparalleled results
Brute-force attacks are among the least effective data-exfiltration methods. In fact, they are used as teaching tools in ethical hacking courses to demonstrate the importance of alpha-numerical variations in password creation. Still, this resurgence in brute-force attacks demonstrates that the human factor or, human error, in this case, can invalidate even the most effective cyber-defenses.
This is the very reason why actionable intelligence is vital – to know when or where a threat actor will strike. For instance, if the dashboard wouldn’t have logged the brute-force attempts, we wouldn’t have discovered this threat group. Numbers alone are not relevant; human expertise makes a big difference in threat-hunting.
Thor Vigilance’s brute-force detection and mediation feature is the place where number-driven Machine-Learning meets human expertise and unique intelligence.
Heimdal Security Interview with Harbor DK, following Brute-Force Attack Incident
- How long have you been a Heimdal™ Security reseller?
“We’ve been with Heimdal for over two years now and saw no reason to make any change, of course. After this though, we’re definitely going to hold on to this partnership.”
- What Heimdal Security products are you currently offering to your customers and using in your own environment as well?
“Thor Premium Enterprise, the all-in-one Endpoint Detection and Response suite which contains the DNS traffic filter, the wonderful AV with its firewall integration feature and brute-force attack blocking (which saved us from these Russian hacker attacks just now) and the automated patch management. We’re also using Thor AdminPrivilege, the PAM solution and we’re so happy they come in one integrated dashboard. We are currently finalizing acquisition of the email security module as well. Bottom line – we are using everything from Heimdal Security and we’re also promoting everything to our own customers.”
(excerpt from the interview with Martin Mikael Lauritzen, Harbor APS Internal representative)
Conclusions
The brute-force attempt on the Danish reseller proves that we mustn’t let our guard down even for a second. This type of hacking technique is far from retirement. Over the past six months, we have witnessed a resurgence in brute-force attacks. Most of them were launched against SMBs and institutions. As far as we are concerned, BFAs can easily be countered by keeping your AV database up-to-date and by regularly checking your firewall’s exclusion rules.
About Vladimir Unterfingher
Vladimir’s a blogging wizard, tech ‘junkie’, and always itching to learn new things about cybersecurity and digital forensics.
Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.