Disclaimer: This article aims to provide an insight into cyber threats as viewed by CrowdSec’s community of users.
What can tens of thousands of machines tell us about illegal hacking activity?
Remember that scene in Batman – The Dark Knight where Batman uses a system that collects active audio data from countless cell phones to create a meta sonar feed of what’s going on at a specific location?
It’s an interesting analogy to what we do at CrowdSec. By aggregating intrusion signals from our community, we are able to provide a clear picture of what is happening in the world in terms of illegal hacking.
After 2 years of activity and daily analysis of 1 million attack signals from tens of thousands of users in 160 countries, we have an accurate global “Batman Sonar” feed of cyber threats. And there are some interesting takeaways to outline.
A cyber threat with many faces
First of all, the global cyber threat is very multifaceted. What do we see when we look at the types of reported attacks, their origin, and the autonomous systems (AS) behind the malicious IP addresses?
Scanners and brute force are still the most popular attack vectors seen by our community, ranking #1. Pretty logical since monitoring is the first step to a more advanced intrusion. The scanning activities seen by our community are mostly port scans or HTTP-based probes.
Among the different intrusion types used by hackers, brute force attacks on sensitive services (SSH, email, admin URLs, etc.) are number 2. No groundbreaking information, but since studies show that brute force attacks account for 6% of cyber attacks worldwide, it’s not surprising that it’s considered dominant, especially as it’s still one of the easiest and cheapest to automate and deploy (hello script kiddies). Since it’s fairly easy to counter, you’d think it rarely works, but hey, 6%!
Log4J is far from settled
One of the most popular exploit attempts seen by our community is Log4j. Indeed, our users lived through last year’s storm over how a vulnerability in a simple, open-source Apache logging utility took over the cybersecurity world and caused endless headaches for cybersecurity professionals. And of course, the criminal world was more than happy to exploit it with automated scan bots looking for vulnerable services.
Well, our community has seen the storm. When the December post-disclosure peak passed, things calmed down a bit, but scanning activity for Log4j started again, albeit at a lower but steady level, driven by bots.
The key message is this: if you think you’re protected because the “marketing” storm is over, think twice.
There is still very aggressive activity trying to exploit the vulnerability.
For example, a few weeks ago, a wide spectrum of our community was scanned when the IP address 220.127.116.11 was reported by more than 500 users in less than 12 hours. It has joined 20,000+ other IP addresses on the community blocklist for remediation.
IP addresses: The core resource of cyber criminals
IP addresses are rarely malicious forever, and their reputation can change from one day to the next. Since the community is constantly sharing information about them, any update can be pushed out to users immediately. In the long term, it provides invaluable data on the duration of IP address aggressiveness.
This is a snapshot of the number of IP addresses that ended up in the CrowdSec data lakes (flagged as malicious). What is interesting is that cyber criminals actually change the IPs they use for their attacks:
* Only 2.79% of them are permanent members of our database
* 12.63% of all collected IPs change every week
* The daily renewal rate is 1.8%
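The three churn figures above can be derived from a series of daily blocklist snapshots. The following is an added example, not CrowdSec code or data: the IP sets are constructed (documentation ranges), and the exact definitions of "permanent", "changes every week" and "daily renewal" are assumptions, since the report does not spell them out.

```python
from typing import List, Set, Dict

# Constructed sample: the set of IPs flagged as malicious on each of four
# consecutive days (documentation addresses, not real reports).
DAILY_SNAPSHOTS: List[Set[str]] = [
    {"198.51.100.1", "198.51.100.2", "198.51.100.3", "203.0.113.10"},
    {"198.51.100.1", "198.51.100.2", "203.0.113.10", "203.0.113.11"},
    {"198.51.100.1", "198.51.100.2", "203.0.113.11", "203.0.113.12"},
    {"198.51.100.1", "203.0.113.12", "203.0.113.13", "192.0.2.5"},
]


def churn_metrics(snapshots: List[Set[str]]) -> Dict[str, float]:
    """Assumed definitions:
    permanent_share  - IPs present in every snapshot / all IPs ever collected
    window_change    - IPs that appeared or disappeared between the first and
                       last snapshot / all IPs ever collected
    daily_renewal    - share of a day's IPs absent the previous day, averaged
    """
    if len(snapshots) < 2:
        raise ValueError("need at least two daily snapshots")
    all_ips = set().union(*snapshots)
    permanent = set.intersection(*snapshots)
    changed = snapshots[0] ^ snapshots[-1]
    renewal = [
        len(cur - prev) / len(cur) for prev, cur in zip(snapshots, snapshots[1:])
    ]
    return {
        "permanent_share": len(permanent) / len(all_ips),
        "window_change": len(changed) / len(all_ips),
        "daily_renewal": sum(renewal) / len(renewal),
    }


def lifetimes(snapshots: List[Set[str]]) -> Dict[str, int]:
    """Days each IP stayed flagged: the raw input for 'aggressiveness duration'."""
    days: Dict[str, int] = {}
    for snap in snapshots:
        for ip in snap:
            days[ip] = days.get(ip, 0) + 1
    return days


if __name__ == "__main__":
    print(churn_metrics(DAILY_SNAPSHOTS))
    print(lifetimes(DAILY_SNAPSHOTS))
```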
Autonomous systems have different approaches to mitigate compromised IPs
Each IP is part of an address pool managed by an AS (Autonomous System). An AS is a large network or group of networks that share a common routing policy. Any computer or device that connects to the Internet is connected to an AS. Typically, each AS is operated by a single large organization, such as an Internet Service Provider (ISP), a large enterprise technology company, a university, or a government agency, and as such is responsible for the IP addresses.
Every aggressive IP shared by the CrowdSec community is enriched with its AS. Combined with aggressiveness duration data, this can provide a clear picture of how ASs are managing compromised IPs.
While simply looking at the number of compromised assets might be an approach, it wouldn’t necessarily be fair. Not all operators are the same size, and some host more “risky” services (hello outdated PHP CMS) than others.
The average malicious duration of all IPs in the same AS shows the operator’s due diligence in identifying and dealing with compromised assets. The average duration distribution is shown with arrows pointing to the position of the most frequently reported AS for the leading cloud providers. For example, at AWS, compromised addresses remain compromised for an average of 3 days. At Azure, 9 days. At the bottom of the chart, ASs from China or Russia are (surprise…) “less quick” to respond to compromised IPs.
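To make the point of the two paragraphs above concrete, here is an added example (not CrowdSec code or data) that enriches constructed reports with their AS and compares the two metrics: a raw count of compromised IPs per AS versus the mean number of days those IPs stayed malicious. The AS numbers are from the documentation range and the report dates are made up.

```python
from collections import defaultdict
from datetime import date
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample of enriched reports: (ip, asn, first_reported, last_reported).
# ASNs 64496-64511 are reserved for documentation; the IPs are documentation ranges.
Report = Tuple[str, int, date, date]
REPORTS: List[Report] = [
    ("203.0.113.10", 64496, date(2022, 6, 1), date(2022, 6, 3)),
    ("203.0.113.11", 64496, date(2022, 6, 2), date(2022, 6, 5)),
    ("203.0.113.12", 64496, date(2022, 6, 4), date(2022, 6, 6)),
    ("203.0.113.13", 64496, date(2022, 6, 5), date(2022, 6, 7)),
    ("198.51.100.20", 64497, date(2022, 6, 1), date(2022, 6, 15)),
    ("198.51.100.21", 64497, date(2022, 6, 3), date(2022, 6, 20)),
]


def malicious_days(first: date, last: date) -> int:
    # Inclusive: an IP reported on a single day counts as one day of aggressiveness.
    return (last - first).days + 1


def per_as_stats(reports: List[Report]) -> Dict[int, Dict[str, float]]:
    """Group durations by AS and return both the raw count and the mean duration."""
    by_as: Dict[int, List[int]] = defaultdict(list)
    for _ip, asn, first, last in reports:
        by_as[asn].append(malicious_days(first, last))
    return {
        asn: {"compromised_ips": len(days), "mean_days": mean(days)}
        for asn, days in by_as.items()
    }


def rank_by(stats: Dict[int, Dict[str, float]], key: str) -> List[int]:
    """ASNs ordered from worst to best on the chosen metric."""
    return [asn for asn, _ in sorted(stats.items(), key=lambda kv: kv[1][key], reverse=True)]


if __name__ == "__main__":
    stats = per_as_stats(REPORTS)
    # AS64496 hosts more compromised IPs but cleans them up within days;
    # AS64497 hosts fewer but leaves them malicious for weeks.
    print("by count:   ", rank_by(stats, "compromised_ips"))
    print("by duration:", rank_by(stats, "mean_days"))
```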
This article aims to provide an overview of the threat activity and information that CrowdSec users see on a daily basis. Please consult the full version of the report here if you want more details.