Authored by Mr. Dan Schiappa, Chief Product Officer, Sophos
Any system that serves data to the public internet lives on the edge, figuratively and literally. Whether it’s an IoT device or an enterprise-grade server, you can guarantee it will be hit with a nonstop barrage of attacks the minute you allow the world to reach it.
We recently discovered an attack method while providing support to a company whose Apache Tomcat web server was repeatedly being infected. Server operators have traditionally avoided endpoint anti-malware tools out of concern that such tools might degrade the server's performance or introduce instability that leads to downtime, but those concerns may now be outdated. SophosLabs researchers captured a rare real-world sample of this server-focused attack method on the breached server; it is the first time we have seen such an attack in the wild.
In breaking down the attack, we uncovered unique insights into attacker behavior – notably, how adversaries use automated bots to deliver malicious code as a first step in their coordinated blended cyberattacks. Our research shows that cybercriminals routinely use automated scripts that relentlessly attempt to exploit vulnerabilities or brute-force weak passwords in various internet-facing services.
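The automated password-guessing described above leaves a distinctive trace in a Tomcat server's access log: bursts of HTTP 401 responses to the Manager application from a single source. The following is an added example (not code from the Sophos article) that parses lines in Tomcat's default "common" AccessLogValve format and flags any source IP that produces a run of failed Manager logins within a short window. The log lines, IP addresses and threshold values are constructed for illustration.

```python
"""
Added example (not part of the Sophos article): flag automated
password-guessing against the Apache Tomcat Manager application by
scanning access-log lines for bursts of HTTP 401 responses.

The log lines below are constructed sample data in Tomcat's default
"common" AccessLogValve pattern (%h %l %u %t "%r" %s %b); the source
addresses are reserved documentation ranges, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of the AccessLogValve "common" pattern.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

# Constructed sample log: one source hammering /manager/html with bad
# credentials, one legitimate operator who logs in on the second try.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Jun/2018:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.23 - - [12/Jun/2018:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.23 - - [12/Jun/2018:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [12/Jun/2018:10:15:10 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.23 - - [12/Jun/2018:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.23 - - [12/Jun/2018:10:15:04 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - admin [12/Jun/2018:10:15:40 +0000] "GET /manager/html HTTP/1.1" 200 19283',
    '198.51.100.23 - - [12/Jun/2018:10:15:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.23 - - [12/Jun/2018:10:19:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does
    not match the expected pattern (e.g. a truncated or foreign line)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, path_prefix="/manager", threshold=5,
                      window=timedelta(minutes=1)):
    """Return {source_ip: total_401s} for every source that produced at
    least `threshold` 401 responses to `path_prefix` inside any sliding
    time window of length `window`. Sources below the threshold (such as a
    single mistyped password) are ignored."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the scan
        if rec["status"] == 401 and rec["path"].startswith(path_prefix):
            failures[rec["host"]].append(rec["time"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()  # access logs are written in order, but be safe
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force against Tomcat Manager from {ip}: "
              f"{count} failed logins")
```

The threshold and window are deliberately conservative so that an administrator who fumbles a password once or twice is not reported; in practice the same logic feeds a firewall block or a SIEM alert, and the log lines would be read from Tomcat's `localhost_access_log` files rather than from an inline list.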
What makes the attack so concerning is that if successful, an attacker could disarm alarms and go completely undetected as they wreak havoc. In our sample, the attacker installed a Monero cryptocurrency miner app and a remote access tool to modify the Windows firewall and install additional malware at a later time.
Surprisingly, the attack could have been easily prevented through basic security best practices. It’s absolutely critical that server administrators enforce strong server control panel passwords; implement two-factor authentication on all credentials with administrative privileges to servers; ensure they’re running the latest version of server software; and keep operating systems fully patched with the latest available updates.
“When adversaries break into a network, they head straight for the server. Unfortunately, the mission critical nature of servers restrains many organizations from making changes, often significantly delaying patch deployment. Cybercriminals are counting on this window of opportunity.”
“Blended cyberattacks, once a page in the playbook of nation state attackers, are now becoming regular practice for everyday cybercriminals because they are profitable. The difference is that nation state attackers tend to persist inside networks for long lengths of time whereas common cybercriminals are after quick-hit money making opportunities. Most malware is now automated, so it’s easy for attackers to find organizations with weak security postures, evaluate their payday potential, and use hand-to-keyboard hacking techniques to do as much damage as possible.” – Dan Schiappa, Chief Product Officer, Sophos.