Pretty much any MSP or IT professional that manages large networks will tell you that their networks have been probed at some point or another.
Although technically network probes are not intrusions themselves, they shouldn’t be ignored as they can easily lead to actual intrusions and infections.
So what are they and where do they come from?
It all boils down to the fact that there are known (and sometime not that well known) vulnerabilities in software and hardware that hackers have discovered. Network probes are a result of the pieces of software these hackers have written searching out vulnerabilities to exploit on your network.
There are two phases of a network probe-based attack. First, the malware will scan your network, either using a port scan or a ping sweep. If it locates a vulnerable device it will infect that device with the malware.
Second, once installed, the host device becomes part of the infection matrix as on top of allowing the bad guys into that network as and when they chose, the malware will also then scan for other vulnerable devices on the Internet. And so the process goes as the malware copies itself from machine to machine and the infection spreads.
One common misconception is that with the hundreds and thousands of different devices attached to the Internet and the billions of people using it, the chances of getting infected in this way would be fairly remote.
However, a story from last year proves just how easily this can happen if you let your guard down. In this instance a Brazilian ISP supplied routers to its customers with a common vulnerability – generic router login details such as ‘admin’.
With tens of thousands of customers all with the same hardware or basic models of the same hardware, this presented a treasure trove of opportunity for the bad guys to get in. Furthermore, with all potential victims being from the same ISP, the malware in this particular case was able to spread quickly as it was able to scan merely a subset of the Internet where it knew – or was at least fairly certain – it would find what it was looking for.
Of course, once an infection has taken place, all sorts of activity can happen on the target networks as unrestricted access can now easily be gained by the bad guys. But network probes is how it all begins.
This is largely an automated attack with infected systems reaching out to find other vulnerable systems. It can also be difficult to detect. The Brazilian ISP is a useful case study as this could happen to any ISP because the routers provided at commercial level more often than not don’t have a lot of robust features or don’t undergo solid vulnerability and Q&A assessments.
On top of this, the ISP would usually be responsible for this piece of hardware, and patching and updating that as required. In a lot of cases these attacks continue until the supplier discovers that there is a problem, and they then face a huge expense patching and updating the machines in their infrastructure.
So what should your mitigation strategy be?
One of the biggest lessons here is not to rely on the infrastructure that is provided to you. In the case of ISPs, put in your own firewall or router to control access to your network. This can be tough for small and medium businesses but relying on hardware supplied by smaller ISPs, for example, could leave you way too open to attack.
To find out more about how to defend against this type of attack and to know what tools you need to protect your networks by downloading our free Cyber Threat Guide.
Also, you can watch our Security Lead Ian Trump talking about this subject in his video: Trumpy in the Cyber Trenches – Understanding Network Probes and Scans…