F5 Networks research reveals Russian cyberattacks on Singapore


Cybersecurity researchers at F5 Networks, an American application services and security company, have released a report which identifies a series of cyberattacks targeting Singapore on June 11 and 12, 2018.

F5 Networks said Russia has been launching a steady barrage of coordinated cyberattacks against the US as many sanctions have been issued against Russian officials and businesses since the 2016 presidential election.

Beyond official sanctions, US-CERT issued an alert in April about Russia maintaining persistent access to small office and home office routers, warning of widespread espionage.

Specifically, 88% of malicious traffic originated in Russia and targeted VoIP phones (the kind found in many hotels) and IoT devices.

Technical details:

The research by F5 Networks revealed Russia accounted for 88% of the attacks against Singapore on June 12, 2018.

  • The attacks were primarily reconnaissance scans – looking for vulnerable systems – from a single Russian IP address, followed by actual attacks that came from both Russia and Brazil
  • The most-attacked target was SIP on port 5060, which IP phones use to transmit communications in clear text
  • The second most-attacked port was telnet, consistent with IoT device attacks that could be within proximity to targets of interest
  • Other ports attacked include port 7457, the same port the Mirai botnet and Annie use to target ISP-managed routers

About the attack

  • SIP is an IP phone protocol; 5060 is specifically the non-encrypted port:
    • It is unusual to see port 5060 as a top attack destination port
    • F5's assessment is that the attackers were trying to gain access to insecure phones or perhaps the VoIP server
  • Telnet is the remote administration port most commonly attacked by IoT attackers:
    • F5 reports that it is very likely the attackers were looking for any IoT device they could compromise that could provide them access to targets of interest, where they could then spy on communications and collect data
  • Port 7457 is used by ISPs to remotely manage their routers. This protocol is targeted by Mirai and Annie, a Mirai spin-off that caused millions of dollars of damage to European ISPs in late 2016
    • If any devices in Singapore had this port open and were protected with default admin credentials, it is likely the attackers gained access and could see any traffic through those devices, collecting data, redirecting traffic, etc. in what’s known as a ‘Man in the Middle’ attack
  • Port 8291 was recently attacked by Hajime, the vigilante thingbot created to PDoS devices that would otherwise be infected by Mirai. If any devices in Singapore were listening on this port and protected with vendor default credentials, it is likely the attackers could have gained access

Conclusion

It is unclear what the attackers were after with the SIP attacks, or whether they were successful. F5 will continue to analyse the attack data and update this story as we make new discoveries.

F5 does not have evidence directly tying this attacking activity to nation-state sponsored attacks; however, it is common knowledge that the Russian government has many contractors within Russia carrying out their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin.

With regard to mitigating the threat of these types of attacks, which in this case involves Internet of Things devices and databases directly touching the internet, F5 advises to always:

  • protect remote administration of any device on your network with a firewall or VPN, or restrict it to a specified management network. Never allow open communication to the entire internet
  • change vendor default administration credentials
  • stay up to date with any security patches released by the manufacturer
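
As an added illustration (not part of the F5 report or the original article), the following Python sketch shows how a defender could check perimeter firewall logs for the pattern described above: one source probing many hosts on the listed ports, and any of those ports being allowed through from the internet. The log format, the sample lines, the addresses and the `summarize` function are constructed assumptions; the port numbers are those the article gives.

```python
from collections import defaultdict

# Destination ports as the article lists them (telnet's standard port, 23, is
# not printed in the article).
WATCHED = {5060: "SIP, clear text", 23: "telnet",
           7457: "ISP router management", 8291: "port 8291"}

# Constructed sample. Hypothetical format: time src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2018-06-12T01:00:01Z 198.51.100.7 192.0.2.10 5060 DENY
2018-06-12T01:00:02Z 198.51.100.7 192.0.2.11 5060 DENY
2018-06-12T01:00:03Z 198.51.100.7 192.0.2.12 5060 ALLOW
2018-06-12T01:00:04Z 198.51.100.7 192.0.2.13 23 DENY
2018-06-12T01:05:00Z 203.0.113.9 192.0.2.12 5060 ALLOW
2018-06-12T01:05:09Z 203.0.113.9 192.0.2.20 8291 DENY
2018-06-12T01:06:00Z 203.0.113.44 192.0.2.30 443 ALLOW
garbled line
"""

def summarize(log_text, scan_threshold=3):
    """Return (hits per watched port, scanning sources, exposed (host, port) pairs)."""
    hits = defaultdict(int)
    targets = defaultdict(set)   # source IP -> distinct hosts it probed
    exposed = set()              # watched ports the firewall let through
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue             # skip malformed lines
        _, src, dst, port, action = parts
        port = int(port)
        if port not in WATCHED:
            continue
        hits[port] += 1
        targets[src].add(dst)
        if action == "ALLOW":
            exposed.add((dst, port))
    # A source touching many distinct hosts looks like a reconnaissance scan.
    scanners = {s for s, d in targets.items() if len(d) >= scan_threshold}
    return dict(hits), scanners, exposed

if __name__ == "__main__":
    hits, scanners, exposed = summarize(SAMPLE_LOG)
    for port, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} hits on {port} ({WATCHED[port]})")
    print("likely scanners:", sorted(scanners))
    print("reachable from the internet:", sorted(exposed))
```

Any entry in the last list is a device whose administration or signalling port should be moved behind a firewall, VPN or management network, as the advice above describes.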