Thought leadership. threat analysis, news and alerts.
Cybersecurity Threat Spotlight: Malicious Bots
The recent hacking incident affecting thousands of Canadian Government accounts highlights the growing threat of malicious bots.
Hacking of Thousands of Canadian Government Accounts
The Government of Canada, through the Treasury Board of Canada Secretariat, last August 15th issued a statement stating that an unidentified attacker or attackers targeted the Canadian Government's GCKey system. This system is used by 30 Canadian federal departments as a single sign-on (SSO) system for the public to access government services, such as social services including access to Covid-19 relief programs. The GCKey system is also a means to access the Canadian Revenue Agency (CRA) accounts.
According to the Treasury Board of Canada Secretariat, out of the approximately 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to access government services.
Of the total number of accounts fraudulently accessed by the attackers, approximately 5,500 CRA accounts were fraudulently accessed. This prompted authorities to shut down the CRA web portal. To date, the web portal is up and running.
In the August 15th statement, the Treasury Board of Canada Secretariat attributed the hacking incident to the cyberattack called "credential stuffing". In credential stuffing, usernames and passwords stolen from past unrelated data breaches are used to login to victims’ accounts on the assumption that people typically reused usernames and passwords across multiple online accounts.
Tests conducted by BleepingComputer showed that accessing the Canadian departments' web portals, such as CRA, multi-factor authentication and security CAPTCHA (short for Completely Automated Public Turing Test To Tell Computers and Humans Apart in use) aren't enabled in the workflow. "When signing-in from a new computer, the user would be asked a security question (e.g. pet's name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS)," BleepingComputer said.
CNN, meanwhile, reported that Canadian officials disclosed that at one point, they detected as many as 300,000 malicious attempts to access accounts on at least 24 government web portals.
In a press conference held days after the issuance of the August 15th statement of the Treasury Board of Canada Secretariat, Marc Brouillard, acting Chief Technology Officer for the Secretariat said that at one point, the CRA portal was directly targeted with a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing". Brouillard added that the attackers were able to bypass the CRA security questions and fraudulently access CRA accounts by exploiting a vulnerability in the configuration of security software solutions that the Government of Canada used. The acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that this security vulnerability has since been fixed by applying the latest security update.
Credential stuffing attacks and exploitation of known security vulnerabilities are executed through the use of malicious bots.
The word "bots" originates from the word " internet robots". Bots are software programs created for the purpose of automating repetitive tasks.
The repetitive task, for instance, of indexing new webpages had been taken over by bots. For its search engine, Google uses the bot known as "Googlebot" to crawl the internet to index new webpages. Googlebot is one example of a non-malicious bot.
Threat actors, on the other hand, use bots in conducting malicious activities such as credential stuffing attacks, exploitation of known security vulnerabilities, and other cyberattacks such as distributed denial-of-service (DDoS) attacks.
Malicious bots start with one " bad bot". This bad bot is used by a cybercriminal to hijack a computer. This hijacked computer is referred to as a "zombie" computer. Over a period of time, a cybercriminal could hijack thousands to millions of computers to create a network of zombie computers. These zombie computers, collectively called as "botnet", are then used to launch a large-scale malicious attack.
Necurs is an example of a botnet that wreaked havoc globally for years. This botnet was first observed in the wild in 2012. In March 2020, Microsoft said that along with partners across 35 countries, they took coordinated legal and technical steps to disrupt the operation of Necurs.
According to Microsoft, during the span of 8 years, the group behind Necurs, hijacked more than 9 million computers globally to form part of its botnet. During a 58-day period, Microsoft observed one Necurs-hijacked computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.
Aside from sending spam emails, botnet can be used to amass a large list of usernames and passwords used for credential stuffing attacks and can be used to automatically scan websites for software vulnerabilities.
Cybersecurity Best Practices Against Malicious Bots
Malicious bots threaten both the target as well as the zombie computers used as part of the botnet.
In the hacking incident affecting thousands of Canadian Government accounts, compromised accounts are at risk as attackers can change bank account details and siphon money out of the victims' accounts. Being part of a botnet, on the other hand, will slow down and hasten the wear and tear process of hijacked computers.
Some of the best practices in preventing your organization's computers (including IoT devices) from being hijacked as part of a botnet include changing default login details and keeping all software up to date.
To prevent the exploitation of known security vulnerabilities, it's important to keep all of your organization's software up to date.
Here are some of the best practices in preventing or minimizing the effects of credential stuffing attacks:
Steve E. Driz, I.S.P., ITCP