What Does a Typical Brute Force Attack Look Like at a Service Provider?

Brute force attack methods vary. It’s not uncommon, for example, for mobile phone service providers to encounter unauthorized online account activity in which an attacker accesses accounts by trying a phone number in combination with a PIN code. These types of attacks are very easy to implement because phone numbers are easily available, and 4-digit PINs only allow for 10,000 combinations, making exhaustive, automated attacks quick.

Service providers also see brute force attacks against web login pages, such as those used for webmail or account access. Because many users continue to use the same credentials for multiple web-based accounts, credential stuffing is an effective attacker technique.

Further, attackers use “password spraying,” a form of brute force attack, to avoid detection. This technique involves the attacker rapidly trying a password across a large number of accounts that individually may only allow a few login attempts before the account is locked. In this way, over time, an attacker can hit many accounts again and again with new password attempts and stay below the threshold for simple detection techniques. The lack of widespread adoption of multi-factor authentication also enables attackers to conduct brute force activities with greater ease.

For a user, the result of a successful brute force attack can be account takeover in the worst case, or being locked out of their account if countermeasures are triggered. This leads to frustration for the customer and increased support desk calls for the provider.

As with DDoS attacks, the first indications of such an attack are customer complaints of account lockout rather than any sort of automated detection. This, in itself, can constitute a denial of service if a large number of accounts are locked out, and certainly can cause increased, at times overwhelming, stresses on support desk capabilities.

Defensively, early detection is key. If an increase in failed login attempts over a short period of time can be identified, this give defenders a window of time to take effective actions to mitigate the attack before customers are affected.

Other Attacks against Service Providers

DDoS and authentication attacks are the most common attacks the F5 SIRT helped customers mitigate, but they are by no means the only attack types observed. Compromised devices within service provider infrastructure accounted for 8% of the cases seen in 2018. These were usually detected because of increased outbound traffic because the compromised devices were used to launch denial-of-service attacks.

“General” web attacks also accounted for 8% in 2019. These can take many forms, but injections were by far the most commonly observed vector. These attacks attempt to leverage bugs in web application code to cause command execution or, in the case of SQL injection, attempt to execute SQL commands on backend database servers, often leading to data exfiltration, if successful. These attacks are usually caught by WAF technologies, or via alerts triggered from web server logs.

Service Provider Targeting in IoT Bot Building

An IoT bot named Annie, a fast-following variant of Mirai, was discovered in November of 2016 after causing at outage at Deutche Telekom. Annie was implicated in DDoS attacks against Liberian ISPs as well as attempts to take over routers of ISPs in the UK. The bot targeted custom protocols TR-069 and TR-064 used by ISPs to remotely manage large fleets of routers over port 7547. Whereas the threat actor who created Annie admitted to not using that bot in December of 2016, targeting of port 7547 is still prevalent and increasing in 2019.

In F5 Labs’ Hunt for IoT Report series, we have been following the targeting of port 7547 by botnets, as well as other ports commonly used to remotely administer SOHO routers. Attacker interest in port 7547 dipped off in 2018, however, interest in that port, as well as the Mikrotik remote management port 8291, has increased exponentially over the past 6 months.