Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. threat analysis, news and alerts.

Cybersecurity Threat Spotlight: Malicious Bots

8/24/2020

0 Comments

 
malicious bots

Cybersecurity Threat Spotlight: Malicious Bots

The recent hacking incident affecting thousands of Canadian Government accounts highlights the growing threat of malicious bots.

Hacking of Thousands of Canadian Government Accounts

The Government of Canada, through the Treasury Board of Canada Secretariat, last August 15th issued a statement stating that an unidentified attacker or attackers targeted the Canadian Government's GCKey system. This system is used by 30 Canadian federal departments as a single sign-on (SSO) system for the public to access government services, such as social services including access to Covid-19 relief programs. The GCKey system is also a means to access the Canadian Revenue Agency (CRA) accounts.

According to the Treasury Board of Canada Secretariat, out of the approximately 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to access government services.

Of the total number of accounts fraudulently accessed by the attackers, approximately 5,500 CRA accounts were fraudulently accessed. This prompted authorities to shut down the CRA web portal. To date, the web portal is up and running.

In the August 15th statement, the Treasury Board of Canada Secretariat attributed the hacking incident to the cyberattack called "credential stuffing". In credential stuffing, usernames and passwords stolen from past unrelated data breaches are used to login to victims’ accounts on the assumption that people typically reused usernames and passwords across multiple online accounts. 

Tests conducted by BleepingComputer showed that accessing the Canadian departments' web portals, such as CRA, multi-factor authentication and security CAPTCHA (short for Completely Automated Public Turing Test To Tell Computers and Humans Apart in use) aren't enabled in the workflow. "When signing-in from a new computer, the user would be asked a security question (e.g. pet's name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS)," BleepingComputer said.

CNN, meanwhile, reported that Canadian officials disclosed that at one point, they detected as many as 300,000 malicious attempts to access accounts on at least 24 government web portals. 

In a press conference held days after the issuance of the August 15th statement of the Treasury Board of Canada Secretariat, Marc Brouillard, acting Chief Technology Officer for the Secretariat said that at one point, the CRA portal was directly targeted with a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing". Brouillard added that the attackers were able to bypass the CRA security questions and fraudulently access CRA accounts by exploiting a vulnerability in the configuration of security software solutions that the Government of Canada used. The acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that this security vulnerability has since been fixed by applying the latest security update.

Malicious Bots

Credential stuffing attacks and exploitation of known security vulnerabilities are executed through the use of malicious bots.

The word "bots" originates from the word " internet robots". Bots are software programs created for the purpose of automating repetitive tasks.

The repetitive task, for instance, of indexing new webpages had been taken over by bots. For its search engine, Google uses the bot known as "Googlebot" to crawl the internet to index new webpages. Googlebot is one example of a non-malicious bot.

Threat actors, on the other hand, use bots in conducting malicious activities such as credential stuffing attacks, exploitation of known security vulnerabilities, and other cyberattacks such as distributed denial-of-service (DDoS) attacks.

Malicious bots start with one " bad bot". This bad bot is used by a cybercriminal to hijack a computer. This hijacked computer is referred to as a "zombie" computer. Over a period of time, a cybercriminal could hijack thousands to millions of computers to create a network of zombie computers. These zombie computers, collectively called as "botnet", are then used to launch a large-scale malicious attack.

Necurs is an example of a botnet that wreaked havoc globally for years. This botnet was first observed in the wild in 2012. In March 2020, Microsoft said that along with partners across 35 countries, they took coordinated legal and technical steps to disrupt the operation of Necurs.

According to Microsoft, during the span of 8 years, the group behind Necurs, hijacked more than 9 million computers globally to form part of its botnet. During a 58-day period, Microsoft observed one Necurs-hijacked computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.

Aside from sending spam emails, botnet can be used to amass a large list of usernames and passwords used for credential stuffing attacks and can be used to automatically scan websites for software vulnerabilities.

Cybersecurity Best Practices Against Malicious Bots

Malicious bots threaten both the target as well as the zombie computers used as part of the botnet.

In the hacking incident affecting thousands of Canadian Government accounts, compromised accounts are at risk as attackers can change bank account details and siphon money out of the victims' accounts. Being part of a botnet, on the other hand, will slow down and hasten the wear and tear process of hijacked computers.

Some of the best practices in preventing your organization's computers (including IoT devices) from being hijacked as part of a botnet include changing default login details and keeping all software up to date.

To prevent the exploitation of known security vulnerabilities, it's important to keep all of your organization's software up to date.

Here are some of the best practices in preventing or minimizing the effects of credential stuffing attacks:

  • Use CAPTCHA
  • Use multi-factor authentication
  • Use Web Application Firewall – allowing legitimate traffic and preventing malicious traffic
  • Use an alert system to monitor and notify your organization in case of an out of the ordinary bot traffic
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    Social Engineering
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​
Contact us
​
Blog
Resources & Tools
​Incident Management Playbook
Privacy Policy | CASL
Copyright © 2021 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit