An IETE, CyberPeace Foundation and Autobot Infosec Report

The vulnerable exposed systems that are unmonitored and facing the internet, are the most attacked system for the attackers nowadays. As per the research done by The Institution of Electronics and Telecommunication Engineers (IETE) and CyberPeace Foundation (CPF) along with Autobot Infosec Private Limited, nearly 51 million attack events have been recorded between April to December 2021 on the Data Centers Network based Threat Intelligence sensors network specifically simulated in India.

The Institution of Electronics and Telecommunication Engineers (IETE) and CyberPeace Foundation (CPF) along with Autobot Infosec Private Limited have jointly deployed Threat Intelligence sensor networks to capture and examine the behavioral techniques of threat actors.

The study is a part of CyberPeace Foundation’s e-Kawach programme to implement a comprehensive public network and threat intelligence sensors across the country in order to capture internet traffic and analyze the real time Cyber attacks that a location or an organization faces. A credible intelligence on real time threats empower organizations or a Country to build CyberSecurity policies.

The objective for this research was to examine the different types of signatures that can be used as exhibitors of compromise on the simulated Data center network by collecting information which can mitigate the future attacks on real networks.

“By deploying the simulated network we can collect data on patterns of attack, the different types of attack vector for the different protocols and the recent trends of malicious activity.” spokesperson, CyberPeace Foundation added.

Trends noticed by the research

Data collection for the current study started from April, 2021 to December, 2021. It was found that during the aforementioned time span the deployed network instance captured a total number of 50,477,393

• 
  HTTPS (44.277%)

• 
  SSH (23.743%)

• 
  HTTP (19.305%)

• 
  SMTP (6.621%)

Image: Report Statistics

Image: Attacks Statistics

The study also found a total number of 26166 usernames that were used to log into the networks by attackers while a total number of 80282 passwords were found that were used to log into the networks by attackers.

During the threat analysis the Researchers also identified that after compromising the environment, attackers tried to run multiple terminal commands and also tried to download malicious payloads on the system. Researchers found a total number of 131388 unique terminal commands were run in the system while a total number of 1262 unique payloads have been identified that were injected to the environment. The payloads include the malicious files like botnet, trojan etc.

The Advisory

• 
  Do not expose services like SSH, HTTP, HTTPS, SMTP, SMB, MSSQL, MYSQL unnecessarily to the internet.

• 
  Maintain strong Password Policy:

• 
  Use a strong password for all devices and online accounts.

• 
  Passwords should be at least 8-13 characters long.

• 
  Passwords should contain at least one upper case (A-Z), numeric character (0-9) and a special character (!@%&….).

• 
  Do not use the same password for all your online accounts. All the passwords should be different for different accounts.

• 
  Try avoiding a password that consists in the dictionary.

• 
  Network firewalls should always be patched with latest security updates.

• 
  Add the attacker IP addresses mentioned in the report to the blacklist of the firewall solution in order to block inbound connections from the respective IP addresses.