Adversaries Employing new TTPs to Launch Credential Stuffing Attacks

Over the past few months, HYAS has observed a noticeable increase in the number of credential stuffing attacks targeting multiple verticals including the enterprise market.

“A credential stuffing attack involves attempting to use credentials that were publicly exposed during previous breaches in an automated fashion against new targets.”

Multiple customers and partners reached out to HYAS for assistance in investigating large scale credential stuffing attacks they were being targeted by. Customers reported that the attacks they were experiencing originated from very large ranges of IP addresses (25k-50k+ nodes) across multiple geographical areas.

Initial investigation of the infrastructure in HYAS Comox platform determined that the majority of the IP addresses involved in the attacks were located in Eastern Europe, Africa, South America and Southeast Asia. Using the highly granular IP location data in Comox, we were able to precisely geo-locate over 75% of the reported IP addresses.

Further analysis and fingerprinting of the attacker infrastructure revealed that a large number of the devices were Internet of Things (IOT) devices and Linux servers running vulnerable services. In particular, we were able to positively identify over 70% of the devices as running Mikrotik RouterOS.

MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems. An easy target with 9 reported vulnerabilities in the last two years, MikroTik RouterOS equipment is a prime choice for adversaries to compromise and use to conduct a host of different campaigns.

The TTP used in these credential stuffing attacks first involves the actors remotely compromising Linux servers or IOT devices. Once the attacker has gained a foothold on the device, they implement a scheduled task that periodically downloads an attack script from an attacker-controlled server. The script first shuts down or moves to a nonstandard port any vulnerable services running on the device. Next, they set up a SOCKS proxy service on the compromised device. The attackers limit access to the SOCKS proxy to certain CIDR ranges where they will be launching the attacks. The proxy is subsequently used to execute the credential stuffing attacks on the target company’s web service.

Through the additional telemetry offered by Comox, we were able to pivot from a small handful of adversary-controlled domains used to control the botnet to over a dozen malicious domains registered by the same actor group. By using the enhanced whois information features in Comox, we were able to identify multiple actors that are involved with the scheme.