In this blog post, we explore the rise in bots attacking organizations through credential stuffing attacks, and why understanding these attacks is the foundation of better, more robust mitigations against them.
Understanding Bots and Botnets
When we say “bots are performing attacks”, what exactly does the term bot mean? “Bot” is just short for “robot”, and robots are known for performing automatic tasks. That is exactly what a bot does, except that here the tasks are digital or internet related. A bot will perform any activity that a programmer can write a script for, automating that task. Want to see if the PS5 is restocked? Write a script that checks the store page every hour and voila! You have created a “bot”.
There are numerous examples of people leveraging scripting skills to automate mundane tasks and increase efficiency with less effort. But, like everything in life, bad actors leverage the same skills to develop bots that perform malicious tasks: DoS/DDoS attacks, directory fuzzing, price scraping, site crawling/spidering, and many more activities carried out with not-so-good intent. One such malicious activity performed by bots is the credential stuffing attack, a major cause of the breaches faced by multiple organizations every year, which we will dive into in the following sections.
Let’s talk about bots some more. A single system performing bot activity might not be enough to carry out a successful attack. Today’s web applications are so highly scalable that they can withstand large amounts of traffic without any issues. Add load balancers, CDNs, etc. to the equation and things become even more resilient.
To generate an overwhelming amount of traffic, multiple bots are used, making them a “network of bots” or a “botnet”. These bots are controlled by a central system called the “command and control (C&C) server”, managed by the bot handler. The bots themselves are just devices that were previously compromised by an attack campaign, usually leveraging popular vulnerabilities (funnily enough, these compromised machines are also called “zombies”, as they are controlled through remote access). Mirai is a name that comes up very frequently when talking about bot attacks, as Mirai targeted major organizations in late 2016 through a vast horde of compromised smart devices (Mirai is still active in 2022, attempting Log4j exploits!).
There are numerous examples of botnets being a nuisance to security professionals at a global level. One such attack performed by bots is called credential stuffing, which we will go over in the following section.
Credential Stuffing: How and Why
Attackers brute-forcing things is an age-old problem the security industry has faced. Brute-force attacks, as the name suggests, consist of a trial-and-error method of trying out as many combinations as possible, in the hope that at least one of them is correct.
Credential stuffing is, in essence, a brute-force technique like any other, but with certain advantages. There are mainly two types of brute-forcing: pure brute-force and dictionary-based brute-force. Pure brute-force attempts every possible combination, making it the least efficient technique, which is a major reason it is not widely used. Dictionary-based attacks use a list of likely passwords (brute-forcing can have targets other than passwords, too), which gives the attacker a bit of an edge in case the correct password is present in the list (also called the “wordlist”).
Credential stuffing is a form of dictionary-based attack – except that the dictionary is a list of passwords stolen (or sometimes bought) from a third-party service. These passwords or credentials could be collected from a successful database breach, a password dump, or bought on a dark web forum! No matter the source, the attackers rely on the human weakness that makes credential stuffing such a nightmare: password reuse. Most internet users today have one password that they use across multiple accounts and services. If any of those services is breached, it can mean the potential compromise of all the other accounts! This makes credential stuffing a huge issue, and that is why it is replacing traditional dictionary attacks.
Mitigation and Measures
Not every attack can be stopped, but there is always an opportunity to thwart most of them. Let’s take a look at some indicators that might show that a bot, rather than a legitimate user, is knocking on your door:
Unusual login time: Is one of your services, which users usually log into in the morning hours, getting hammered at midnight? You just might be the target of a credential stuffing attack. Make sure to monitor any login activity that is not expected.
Traffic pattern: If you see traffic pouring in from multiple IPs, with each IP making the same (or almost the same) number of requests, it might point towards scripted bot activity. These bots are configured to send a set number of requests so as not to trigger any alerts, but sometimes traffic patterns emerge that stand out like a sore thumb, indicating maliciousness.
Request anomalies: Received login requests that carry the user-agent fingerprint of Chrome 49? That could be an indication of non-human interaction. Most real users run the latest version of their browser (whichever browser it is) or, if not the latest, at least a fairly recent version. Requests originating from outdated or end-of-life browser versions indicate something is fishy. Similarly, other discrepancies can be spotted: missing HTTP headers, unusual HTTP versions, etc.
High-rate activity: Bots can send multiple requests per second as they work through their credential wordlist. A normal user might send one or two login requests, and not within the same second. Multiple requests in quick succession are a clear indication of brute-forcing.
These observations might be the deciding factor between a successful attack and a successful block against it. Collating the data, analyzing it, and deploying mitigations according to the traffic behavior towards your infrastructure and inventory is a necessary process in fighting these attacks. This is not an exhaustive list of parameters to consider when protecting against bot attacks, as you can always fine-tune your mitigation methodology to be finer-grained, with fewer false negatives and false positives.
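As an added example (not code from the original post), here are the four indicators above implemented as simple detection checks over a constructed login log; the log format, the 08:00-20:00 business-hours window, the Chrome 100 support floor and the one-request-per-second threshold are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (assumption: one "timestamp|ip|user-agent|status" line per
# POST /login). Three scripted IPs each send two attempts inside one second at 02:14
# from an end-of-life Chrome build; one real user logs in at 09:30.
SAMPLE_LOG = """\
2024-03-10T02:14:01|198.51.100.7|Mozilla/5.0 Chrome/49.0.2623.87|401
2024-03-10T02:14:01|198.51.100.7|Mozilla/5.0 Chrome/49.0.2623.87|401
2024-03-10T02:14:02|198.51.100.8|Mozilla/5.0 Chrome/49.0.2623.87|401
2024-03-10T02:14:02|198.51.100.8|Mozilla/5.0 Chrome/49.0.2623.87|200
2024-03-10T02:14:03|198.51.100.9|Mozilla/5.0 Chrome/49.0.2623.87|401
2024-03-10T02:14:03|198.51.100.9|Mozilla/5.0 Chrome/49.0.2623.87|401
2024-03-10T09:30:12|203.0.113.5|Mozilla/5.0 Chrome/122.0.6261.94|200
"""

def parse_log(text):
    """Split the constructed 'timestamp|ip|user-agent|status' lines into event dicts."""
    rows = (line.split("|") for line in text.splitlines() if line)
    return [{"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua, "status": int(st)}
            for ts, ip, ua, st in rows]

def off_hours(events, start=8, end=20):
    """Indicator 1: logins outside the hours real users are expected (assumed 08:00-20:00)."""
    return [e for e in events if not start <= e["ts"].hour < end]

def uniform_ip_counts(events, min_ips=3, max_spread=1):
    """Indicator 2: several IPs each sending (almost) the same number of requests."""
    counts = Counter(e["ip"] for e in events)
    busy = [n for n in counts.values() if n > 1]   # ignore one-off visitors
    return len(busy) >= min_ips and max(busy) - min(busy) <= max_spread

def outdated_browsers(events, min_chrome_major=100):
    """Indicator 3: Chrome major version below an assumed support floor."""
    hits = ((e["ip"], re.search(r"Chrome/(\d+)\.", e["ua"])) for e in events)
    return {ip for ip, m in hits if m and int(m.group(1)) < min_chrome_major}

def burst_sources(events, max_per_second=1):
    """Indicator 4: more login attempts per second from one IP than a human produces."""
    per_second = Counter((e["ip"], e["ts"].replace(microsecond=0)) for e in events)
    return {ip for (ip, _), n in per_second.items() if n > max_per_second}

def assess(text):
    """Roll the four indicators into one report; alert when several fire together."""
    events = parse_log(text)
    return {"off_hours": len(off_hours(events)), "uniform_pattern": uniform_ip_counts(events),
            "outdated_ua": sorted(outdated_browsers(events)), "burst": sorted(burst_sources(events))}

print(assess(SAMPLE_LOG))
```

A single indicator firing is a weak signal on its own; the value comes from correlating several of them per source before blocking or challenging the traffic.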
Conclusion: Ever-Evolving Bots
TrickBot wreaked havoc performing credential stuffing against RDP instances. The Chimera group compromised multiple accounts by brute-forcing remote accounts, and there are many more instances in the past (and even today) where credential stuffing attacks were carried out. And these bots keep evolving.
The rules you used to thwart attacks yesterday might be obsolete tomorrow. From being a single terminal command to mimicking human users, bots have come far in complexity and functionality, but so have the tools we have at our disposal. With software intelligence combined with skillful human intelligence, no matter how much bots transform themselves, there will be ways to stop them.
Bot attacks are on the rise, and there is a need for constant analysis of their modus operandi and how it changes. We hope this article fulfills its intention of providing insights into bots and related attacks, especially credential stuffing, and broadening your security horizon in the process!
- Credential Stuffing - MITRE ATT&CK