Russian Attacks Against Singapore Spike During Trump-Kim Summit
Attack Destination Ports
The following ports in order of prevalence were targeted in the Singapore attacks:
- 5060 — clear text Session Initiation Protocol (SIP)
- 23 — Telnet remote management
- 1433 — Microsoft SQL Server database
- 81 — Alternate web server port for host-to-host communication
- 7547 — TCP port used by ISPs to remotely manage routers via the TR-069 protocol
- 8291 — Remote management port commonly used by MikroTik routers
- 8080 — Alternate web server port often used for a proxy server or caching
The SIP port 5060 received 25 times more attacks than port 23 in the #2 position. SIP is an IP phone protocol, and port 5060 is specifically the non-encrypted port versus port 5061, which is encrypted. It is unusual to see port 5060 as a top attack destination port. Our assumption is that the attackers were trying to gain access to insecure phones or perhaps the VoIP server. Attacks against this port haven’t been in the news since 2011 when the SIPVicious VoIP tool was popular.3
Telnet is the most commonly attacked remote administration port by IoT attackers. It’s very likely these attackers were looking for any IoT device they could compromise that could provide them access to targets of interest, which would then enable them to spy on communications and collect data.
Port 7457 is used by ISPs to remotely manage their routers. This protocol is targeted by Mirai and Annie, a Mirai spinoff that caused millions of dollars of damage to European ISPs in late 2016.4 If any devices in Singapore had this port open and were protected with default admin credentials, it is likely the attackers gained access and used man-in-the-middle attacks to intercept traffic through those devices, collecting data, redirecting traffic, and so on.
Port 8291 was recently attacked by Hajime,5 the vigilante thingbot created to PDoS devices that would otherwise be infected by Mirai.6 If any devices in Singapore were listening on this port, and protected with vendor default credentials, it is likely the attackers could have gained access.
Conclusion
It is unclear what the attackers were after with the SIP attacks or whether they were successful. We will continue to analyze the attack data we have collected and update this story as we make new discoveries.
We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin.
In regard to mitigating the threat of these types of attacks which, in this case, involved IoT devices and databases directly touching the Internet, our advice is to always:
- Protect remote administration to any device on your network with a firewall, VPN, or restrict to a specified management network. Never allow open communication to the entire Internet.
- Always change vendor default administration credentials.
- Stay up to date with any security patches released by the manufacturer.
Source link
lol
Attack Destination Ports The following ports in order of prevalence were targeted in the Singapore attacks: 5060 — clear text Session Initiation Protocol (SIP) 23 — Telnet remote management 1433 — Microsoft SQL Server database 81 — Alternate web server port for host-to-host communication 7547 — TCP port used by ISPs to remotely manage…