In the past week a new and emerging pattern is being observed which indicates cyber criminals have refined their techniques around attacking email accounts with the end goal of compromising the accounts for malicious purposes.
A Botnet is being used to facilitate these cyber attacks. This Botnet is typically operating from compromised IoT devices and routers. Some examples of compromised devices detected are the “Huawei Technologies” HG8546M and the “TP-LINK SOHO Router”.
What makes this extremely dangerous is the distributed style of the attack. Multiple unique IPs can target the same email account. It is designed to bypass the common types of protection (such as IP Rate Limiters). It can also lead to DoS (denial of service) or worse in some cases, as typical intrusion detection tools (such as AUTH Rate Limiters) might inadvertently block the owner from legitimately accessing their email account.
This Bot appears to be intelligently designed to only perform a limited amount of attempts from each IP (approximately one attempt every two hours against a single email server). However, it commands hundreds of thousands of individual compromised routers from which it can launch its attacks.
Fortunately, this particular Botnet is only looking for ‘low hanging fruit’. It uses the world’s most common (viz. worst) passwords like ‘password123’ to test against email accounts.
At the time of writing, we aren’t sure where they are sourcing their email address database. However, given the actual passwords being used, we can make the assumption that this is related to specific Botnet behaviors seen in the past; the difference is this time they are using a new methodology. They usually attempt to connect to insecure ports (e.g. IMAP port 143) simply because the coding is easier, and that ISP’s which allow connections to insecure ports are less likely to have more advanced security in place. Nevertheless, upon failure the Bot does attempt to retry on a more secure port (e.g. port 993).
These attacks are coming from all parts of the world. This would mean that implementing ‘Country Authentication Restrictions’ may reduce the threat, where its use is applicable.
While in the short term country authentication restrictions can greatly reduce the size of the attack field, the most correct way to prevent these types of attacks is to ensure that your email account is protected by only allowing connections from approved devices (e.g. CLIENTID, or 2FA “Two Factor Authentication”).
There is the possibility that the email address database used is specifically for high value targets, possibility stripped from addresses advertised on corporate websites. It is important to enforce password restrictions, especially for senior employees, to prevent important email accounts from being ‘low hanging fruit’.
Email servers should also enforce TLS/SSL connections for ALL email communications, and no longer permit access to unencrypted protocols such as IMAP on port 143, POP3 on port 110, or SMTP AUTH on port 25.
This emerging trend is important to be aware of as it is a threat to the worldwide operators of email servers.