Bots and Credential Stuffing Attacks

There is a rise in bots attacking organizations using credential stuffing attacks. Why is it important to understand these cyberattacks?

We will explore this question throughout this article and much more, namely:

1. Understanding bots and botnets

2. Credential stuffing: what, how, and why?

3. Defense methods, mitigation, and measures

4. Evel-evolving bots
   
   

Understanding bots and botnets

When we say bots are performing attacks, what exactly does the term bot mean?

A bot will perform any activity that a programmer can write a script for, resulting in the automation of that task. Want to see if the PS5 is restocked? Write a script to check the store page every hour, and voila! You have created a bot.

People frequently leverage scripting skills to automate mundane tasks to increase efficiency with fewer efforts.

But like everything in life, bad actors leverage the same skills to develop bots that perform malicious tasks. These include DoS and DDoS attacks, directory fuzzing, price scraping, site crawling and spidering, and many more activities performed with not-so-good intent.

Credential stuffing attacks are one of the malicious activities performed by bots. These cyberattacks provoke breaches faced by multiple organizations every year.

Bots and credential-stuffing attacks

A single system performing bot activity might not be enough to carry successful attacks.

Today’s web applications are so highly scalable that they can withstand large amounts of traffic without issues. Add load balancers, CDNs, etc., to make things more secure.

Multiple bots are used to generate an overwhelming amount of traffic, making them a network of bots or a botnet.

A central system called the Command and Control (C&C) server controls these bots.

The bots are compromised devices that have been exploited previously by a campaign of attacks, usually leveraging vulnerabilities (these compromised machines are also called “zombies”).

The Mirai botnet is a frequently used name to talk about bot attacks, as it targeted major organizations in late 2016 through a vast horde of compromised devices (Mirai is still active in 2022, attempting Log4j exploits!).

There are numerous examples of botnets being a nuisance to security professionals. One such attack performed by bots is called credential stuffing.

Credential Stuffing: What, How, and Why?

Attackers brute-forcing things is an age-old problem the security industry has faced. Brute-force attacks are a hit-and-trial method of trying out as many combinations as possible to get at least one true positive.

Brute-fortece techniques

Credential stuffing is, in essence, a brute-force technique like any other but with certain advantages. There are mainly two types of brute-forcing:

1. Pure brute force. Attempts all possible combinations, rendering it the least efficient technique, which is why it is not widely used.
   
   

2. Dictionary-based brute-force. Use a list of possible passwords (there can be other motives for brute-forcing other than retrieving passwords), which might give the attacker a little bit of edge in case the correct password is present in the list (also called the “wordlist”).
   
   

Credential stuffing is a dictionary-based attack, except the dictionary is a list of passwords stolen (or sometimes bought on the dark web, for instance) from a third-party service.

These passwords or credentials could be collected from a successful database breach, a password dump, or bought from a dark web forum. No matter the source, the attackers rely on a human weakness that makes credential stuffing a nightmare: password reuse.

Most internet users today have one password that they use on multiple accounts and services. If any of those services are breached, it can mean a potential compromise of other accounts. This makes credential stuffing an issue, and that’s why it is replacing traditional dictionary attacks.

Mitigation and Measures

Not every attack can be stopped, but there is always an opportunity to thwart most of them. Let’s take a look at some indicators that might show that a bot is knocking on your doors instead of legit users:

• Unusual login time: Is one of your services that users usually log into in the morning hours getting hammered at midnight? You might be the target of a credential-stuffing attack. Make sure to monitor any login activity that is not expected.
  
  

• Traffic pattern: Refers to traffic pouring in from multiple IPs, with each IP making the same (or almost the same) amount of requests. It might point towards scripted bot activity.
  
  These bots are configured to send a set amount of requests to avoid triggering any alerts, but sometimes traffic patterns emerge that stand out like sore thumbs, indicating maliciousness.
  
  

• Request anomalies: Receiving login requests with the user-agent fingerprint of Chrome 49 could indicate non-human interaction.
  
  Most users have the latest version of the browser (it can be any browser) or, if not the latest, a recent one. Requests originating from outdated versions indicate something is fishy. Similarly, more discrepancies can be spotted: missing HTTP headers, unusual HTTP versions, etc.
  
  

• High-rate activity: Bots can send multiple requests in a second as they go through their credential wordlist. A user might send 1 or 2 login requests, but not within a second. The presence of multiple requests in quick succession is a clear indication of brute-forcing.

These observations might be factors in a successful attack and a successful block against the attack.

Collating the data, analyzing it, and deploying mitigation according to traffic behaviors toward your infrastructure and inventory is a necessary process to fight against these attacks.

This is not an exhaustive list of parameters to consider while protecting against bot attacks, as you can fine-tune your mitigation methodology to be grainier with a reduced amount of false negatives/positives.

Conclusion: Ever-Evolving Bots

TrickBot wreaked havoc by performing credential stuffing against RDP instances.

Chimera group compromised multiple accounts by brute-forcing remote access, and there were many more instances in the past (and even today) where credential stuffing attacks were carried out. And these bots are evolving forever.

The rules you used to thwart attacks yesterday might be obsolete tomorrow. From being a single terminal command to mimicking human users, bots have come far in complexity and functionality, but so have the tools that we have at our disposal.

With software intelligence combined with skilled human intelligence, no matter how much bots transform themselves, there will be ways to stop them.

Bot attacks are increasing, and there is a need for constant analysis of their modus operandi and how it changes.

We hope this article fulfills its intention of providing insights against bots and related attacks, especially credential stuffing.