
SANS ISC: Odd Persistent Password Bruteforcing SANS ISC InfoSec Forums


Odd Persistent Password Bruteforcing

This isn't something new, but I think it is often overlooked: "slow and low" password brute forcing.

One of the daily reports I like to look at is password brute force attempts. More or less "forever", a few networks stick out in these daily reports. The password brute force attempts are not particularly aggressive, with usually fewer than 10 attempts per day from any particular IP address. The other odd thing is that the accounts being brute forced don't exist, with a heavy focus on "@hotmail.com" accounts.

By far the most aggressive network is 193.201.224.0/22, "Besthosting" in the Ukraine, followed by another Ukrainian network, 91.207.7.0/24 (Steephost).

The top brute forced domains:

    gmail.com
    outlook.com
    zfymail.com <- this domain is associated with many bots/spam messages.
    hotmail.com

The intent isn't perfectly clear, as the accounts don't exist and the attempts are not very aggressive (maybe to avoid getting locked out?).

Anybody observing similar attacks and able to figure out what they are after?


---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3697 Posts
ISC Handler
Which service are they going after? I'm guessing SMTP/POP3/IMAP?
Anonymous
I have checked through some of our logs, and am seeing traffic from the 91.207.7. network on udp/1033 and udp/14482. Pattern is 2 tries per hour within about 30 seconds of each other.
Craig

2 Posts
You mentioned in this morning's podcast you used various scripts to scan your server logs. Are any of these something you would share? I'm assuming that you grep the logs with some regexes.

Thanks!
chrisl1977

6 Posts
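The daily report described in the original post, and the log-scanning scripts asked about in the comment above, as an added example (not code from the ISC or from any poster): a Python script that groups Dovecot-style "auth failed" lines (constructed sample data) by source network and day, flags networks that never exceed a per-day threshold yet keep coming back across days, and tallies target domains and attempts against accounts that do not exist. The local mailbox list, the thresholds and the log format are assumptions.

```python
import re
import sys
from collections import defaultdict
from ipaddress import ip_network
# Constructed Dovecot-style "auth failed" lines (sample data, not real logs); the
# hypothetical local mailbox list is used to spot attempts on accounts that do not exist.
SAMPLE_LOG = "\n".join([
    "Jun 16 03:12:44 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<jsmith@hotmail.com>, method=PLAIN, rip=91.207.7.209, lip=10.0.0.5, TLS",
    "Jun 17 15:40:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<jsmith@gmail.com>, method=PLAIN, rip=91.207.7.209, lip=10.0.0.5, TLS",
    "Jun 17 04:02:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<mary.k@hotmail.com>, method=PLAIN, rip=193.201.224.17, lip=10.0.0.5, TLS",
    "Jun 18 02:55:31 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<mary.k@outlook.com>, method=PLAIN, rip=193.201.224.9, lip=10.0.0.5, TLS",
    "Jun 19 01:17:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<jsmith@zfymail.com>, method=PLAIN, rip=91.207.7.210, lip=10.0.0.5, TLS",
    "Jun 20 05:30:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mary.k@gmail.com>, method=PLAIN, rip=193.201.224.40, lip=10.0.0.5, TLS",
    "Jun 20 09:00:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS",
] + [  # one classic noisy brute forcer for contrast: 30 failures in half an hour from one address
    f"Jun 16 10:{i:02d}:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=198.51.100.4, lip=10.0.0.5, TLS"
    for i in range(30)
])
LOCAL_USERS = frozenset({"bob@example.org", "alice@example.org"})  # hypothetical valid mailboxes

LINE_RE = re.compile(r"^(?P<day>[A-Z][a-z]{2} +\d{1,2}) .*auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<ip>[\d.]+)")

def summarize(log_text, local_users=LOCAL_USERS, prefix=24, max_per_day=10, min_days=3):
    """Group failed logins by source network and day. A network is 'low and slow' when it
    never exceeds max_per_day attempts on any single day but returns on at least min_days days."""
    per_net_day = defaultdict(lambda: defaultdict(int))  # network -> day -> failed attempts
    domains, nonexistent, total = defaultdict(int), 0, 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        total += 1
        net = str(ip_network(f"{m['ip']}/{prefix}", strict=False))  # aggregate per /prefix
        per_net_day[net][m["day"]] += 1
        if m["user"] not in local_users:  # account does not exist locally
            nonexistent += 1
        domains[m["user"].rpartition("@")[2]] += 1
    low_and_slow = {net: dict(days) for net, days in per_net_day.items()
                    if len(days) >= min_days and max(days.values()) <= max_per_day}
    return {"total": total, "nonexistent_targets": nonexistent,
            "domains": dict(domains), "low_and_slow": low_and_slow}
if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    print(f"{report['total']} failures, {report['nonexistent_targets']} against non-existent accounts")
    for net, days in sorted(report["low_and_slow"].items()):
        print(f"low-and-slow: {net} active on {len(days)} days, max {max(days.values())}/day")
    for dom, n in sorted(report["domains"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d} {dom}")
```

Run it with a Dovecot log file as the first argument, or without arguments to see the constructed sample; pass `prefix=22` to `summarize` to aggregate at the /22 granularity mentioned in the original post.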
I too am seeing a very low/slow use of these IPs on my secure web server. The IP 91.207.7.209 was active for about 20 connection attempts back from May 28th to June 18th. The IP range 193.201.224.0/22 saw about 205 attempts from June 25th to September 4th using several IPs. All activity was to port 80 and nothing "upset" my IPS to cause it to capture packets.
chrisl1977
1 Posts
Besides "slow and low", "distributed" type brute force attacks are common for the WordPress websites we host, i.e. 3-4 login attempts from each source IP.

A few ways to mitigate: captcha, 2FA and geo-blocking.
Geo-blocking was very effective for us; we limit the login page to our country's IP range only.
This works because we are not in a big country such as the US or Russia.
Mike7

43 Posts
Someone on Reddit mentioned experiencing a similar attack but they found that the person was looking for accounts that may have migrated email addresses while retaining the same password. Basically they had an old credentials list and what they were doing is substituting more popular / modern email providers with the same username. Surprisingly the script kiddie was having some success with the list.

http://www.reddit.com/r/talesfromtechsupport/comments/2g2jlx/the_socalled_gmail_credentials_leak_and_the/
Mike7
1 Posts
