Are you sure you’re really in control of your servers?

AlienVault recently shared research into the phenomenon of hackers selling credentials to compromised servers in the cyber underground.

The operative word in “your servers” is “your”: it implies that the servers belong to you and that you control them. There is a thriving business model among cyber thieves, though, under which your servers might already be “0wn3d” by someone else, and may even be for sale on the cyber underground.

A blog post by AlienVault Labs poses the question, “Have you ever had a server open to the Internet with SSH service running? Then you know how common it is to receive break-in attempts against your servers produced by automated bots that scan wide ranges of hosts trying weak combinations of user/password to log into remote machines.”
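The bots AlienVault describes leave a very recognisable trail in the sshd log: a run of “Failed password” lines from one source address, sometimes ending in an “Accepted password” once a weak combination hits. The script below is an added example for this article, not code from AlienVault or anyone quoted on the page; the log lines are constructed to look like OpenSSH syslog output, and the five-failure threshold and 60-second window are illustrative assumptions.

```python
"""Flag SSH password-guessing bursts, and the guesses that succeeded.

Added example for this article; not AlienVault's or Qualys's code. SAMPLE_LOG is
constructed to resemble OpenSSH syslog lines, not captured from a real host.
FAIL_THRESHOLD and WINDOW_SECONDS are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one bot brute-forcing root until it gets in, one admin
# with a single typo before a key-based login, one stray probe.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:03 web1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar  3 02:14:04 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 51246 ssh2
Mar  3 02:14:06 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 02:14:08 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51255 ssh2
Mar  3 02:14:09 web1 sshd[2215]: Accepted password for root from 203.0.113.5 port 51260 ssh2
Mar  3 02:20:30 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 02:20:41 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
Mar  3 02:31:00 web1 sshd[2400]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" forms of the OpenSSH auth message.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5    # assumed: this many password failures from one IP ...
WINDOW_SECONDS = 60   # assumed: ... inside this window counts as a burst


def parse(line, year=2024):
    """Return a dict for an sshd auth line, or None for anything else.
    Syslog lines carry no year, so one is assumed for the timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyse(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return (bursts, compromised): bursts maps IP -> peak number of password
    failures seen inside the window; compromised maps IP -> account where a
    password login was accepted after that IP had already produced a burst."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    fails = defaultdict(list)   # ip -> timestamps of recent password failures
    bursts = {}
    compromised = {}
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed" and e["method"] == "password":
            fails[ip].append(e["ts"])
            # Keep only failures inside the sliding window ending at this event.
            fails[ip] = [t for t in fails[ip]
                         if (e["ts"] - t).total_seconds() <= window]
            if len(fails[ip]) >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), len(fails[ip]))
        elif e["result"] == "Accepted" and e["method"] == "password" and ip in bursts:
            # A successful *password* login from a source that was just guessing
            # is the signal that a weak credential has been found.
            compromised[ip] = e["user"]
    return bursts, compromised


if __name__ == "__main__":
    bursts, compromised = analyse(SAMPLE_LOG)
    for ip, n in bursts.items():
        print(f"brute-force burst from {ip}: {n} failures in {WINDOW_SECONDS}s")
    for ip, user in compromised.items():
        print(f"LIKELY COMPROMISE: {ip} logged in as {user} after guessing")
```

Note that the key-based login from 198.51.100.7 is never flagged: one failed password followed by an accepted public key is what an admin with a typo looks like, and treating every failure as hostile would bury the real signal. On a live host the same logic would be fed from the sshd log rather than the embedded sample.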

Wolfgang Kandek, CTO of Qualys, explains, “There are many servers on the Internet that have management services open and weak passwords, so it is no wonder that "stores" pop up that sell access to these machines.”

Customers (other cyber criminals) shop at the underground store and buy working credentials for an admin-level account on a hacked server. With that login, the buyer has unfettered access to the compromised server and can use it to distribute malware, set up a botnet CnC (Command & Control) server, host illegal content, send spam, launch a denial of service (DoS) attack, or whatever else they choose—all while the illegal activity appears to originate from the compromised server rather than from the attacker.

The underground clearinghouse that AlienVault’s investigation focuses on is apparently quite profitable: at the time of AlienVault’s blog post, the site had over 400 customers and counting. To add a cruel irony, the criminals running it know their own servers are targets, so they front the store with CloudFlare to absorb attacks and hide its true location.

Dwayne Melancon, CTO for Tripwire, suggests that the right tools and diligence by IT admins can help prevent and detect activity such as this. “Every one of these attacks leaves a detectable mark on your servers, but if you aren't paying attention you'll never see the signs,” adding, “Knowing what you actually have versus what you expect to have is a sure way to detect signs of tampering—such as new listening ports showing up on your systems, unrecognized software being installed on a server, or new users being added without a good business reason.”

Lamar Bailey, director of security research for Tripwire, says, “Any system connected directly to the Internet is a prime target for attackers. If you have one, you should make sure you secure it.”

Bailey added, “If you own a server connected to the Internet you should be running an IPS and file integrity monitoring (FIM) on that system at all times. The server should also be audited using automated configuration management and vulnerability assessment tools on a regular basis.”
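Melancon’s “what you actually have versus what you expect to have” and Bailey’s file integrity monitoring are the same idea applied to different inventories: record a known-good baseline, then diff the live system against it. The script below is an added example for this article, not Tripwire’s product or code from anyone quoted; both snapshots are constructed in memory so it runs offline. On a real host the listening ports, user list, package list and file contents would come from the system (for example `ss -ltn`, `/etc/passwd`, the package manager and the files themselves), and the baseline would be stored off-box so an intruder cannot edit it to match.

```python
"""Expected-vs-actual drift detection: ports, users, packages and file hashes.

Added example for this article (not Tripwire's or any code from the page).
BASELINE and OBSERVED are constructed snapshots; on a live host you would
collect them from the OS and keep the baseline somewhere the server's own
root account cannot rewrite.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(listening_ports, users, packages, files):
    """Build a comparable snapshot. `files` maps path -> contents (bytes);
    only the digest is kept, so the baseline never stores file contents."""
    return {
        "ports": set(listening_ports),
        "users": set(users),
        "packages": set(packages),
        "files": {path: sha256(content) for path, content in files.items()},
    }


def diff_state(baseline, current):
    """Return a list of human-readable findings, empty when nothing drifted."""
    findings = []
    for key, label in (("ports", "listening port"),
                       ("users", "user"),
                       ("packages", "package")):
        for item in sorted(current[key] - baseline[key]):
            findings.append(f"new {label}: {item}")
        for item in sorted(baseline[key] - current[key]):
            findings.append(f"missing {label}: {item}")
    # File integrity: a path is new, deleted, or its digest changed.
    for path in sorted(set(baseline["files"]) | set(current["files"])):
        before = baseline["files"].get(path)
        after = current["files"].get(path)
        if before is None:
            findings.append(f"new file: {path}")
        elif after is None:
            findings.append(f"deleted file: {path}")
        elif before != after:
            findings.append(f"modified file: {path}")
    return findings


# Constructed baseline, taken when the server was known-good.
BASELINE = snapshot(
    listening_ports=[22, 80, 443],
    users=["root", "www-data", "deploy"],
    packages=["openssh-server", "nginx"],
    files={
        "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n",
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    },
)

# Constructed current state showing the tampering the article describes:
# an extra listening service, a second uid-0 account, unexpected software,
# root login re-enabled and a dropped binary.
OBSERVED = snapshot(
    listening_ports=[22, 80, 443, 6667],
    users=["root", "www-data", "deploy", "sysadm1n"],
    packages=["openssh-server", "nginx", "irssi"],
    files={
        "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n"
                       b"sysadm1n:x:0:0::/root:/bin/bash\n",
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
        "/usr/local/bin/.x": b"#!/bin/sh\n",
    },
)


if __name__ == "__main__":
    for finding in diff_state(BASELINE, OBSERVED):
        print(finding)
```

Each finding maps directly onto one of Melancon’s signs: a port, a user or a package that was not there before, or a file whose contents no longer match. The `diff_state(BASELINE, BASELINE)` case returning nothing is what a quiet night should look like; anything else is a reason to look at the host before someone else sells it.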

You may be in physical possession of “your” servers, but if you don’t take the necessary precautions and pay close attention, it’s likely that someone else “0wns” them, and they might just be available on the cyber underground for a price.
