How Do Hackers Find Me?

One of the questions that we often get when doing an Incident Response is “How did the hackers find me?” Many mid-sized businesses assume that because they have very little or no marketing, no one can find and infiltrate their network. That couldn’t be further from the truth. Usually these attacks are not targeted based on information from the company’s website, but rather based on how easy it is to access their devices and their network.

Finding a target

Like most of us, threat actors want the biggest payout for the least effort. Many hackers code or purchase bots to search for unsecured endpoints and test default passwords. There are even search engines designed specifically for threat actors to identify potential targets. Instead of ranking sites based on keywords, like “financial services” or “local accountants”, these search engines rank devices by model type and with keywords such as “webcam”, “admin”, and “default”.

Hackers (and the bots they code to do their dirty work) are not looking for the same things that regular people look for when doing a browser search. Instead, much like a thief checking for unlocked doors, they are searching for open ports and unsecured IoT devices that they can use to carry out their attack. Typically, attackers automate this process, using bots, specialized software, and port scanners to seek out vulnerable devices, which allows them to test thousands of devices per second. Unless your network has advanced monitoring software (something most MSSPs lack), you likely won’t even be aware that the port scanner is trying to communicate with your devices. Once an endpoint has been discovered, the threat actor (or the bot) can attempt to gain access to the device through the port.
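The monitoring gap described above is the kind of thing a simple detector over firewall logs can close. The following is an added example, not code from the original post: it parses a handful of constructed log lines in a hypothetical "timestamp src dst dport action" format and flags any source that touches many distinct ports on one host within a short window, which is the signature of an automated port scan.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in a hypothetical "ts src dst dport action" format.
# One source touches twelve ports on one host within seconds (scanner behaviour);
# another source repeatedly reaches a single service (normal client behaviour).
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_LOG = [
    f"2024-03-01T10:00:{i:02d} src=203.0.113.7 dst=192.0.2.10 dport={p} action=DROP"
    for i, p in enumerate(SCAN_PORTS)
] + [
    f"2024-03-01T10:00:{i:02d} src=198.51.100.5 dst=192.0.2.10 dport=443 action=ACCEPT"
    for i in range(12)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\S+$"
)

def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def detect_port_scans(lines, window_seconds=60, port_threshold=10):
    """Flag (src, dst) pairs that touch at least port_threshold distinct ports
    within any window_seconds-long sliding window. Returns {(src, dst): sorted ports}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, port = rec
            events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the oldest event is within the window
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts[pair] = sorted(ports)
    return alerts
```

The thresholds are deliberately conservative; tune `window_seconds` and `port_threshold` against your own baseline traffic so that a single busy client hitting one service never trips the rule.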

“Hacking” the device

If the user has not enabled a firewall on their network, a port scanner can provide valuable information about the easiest way to access a device (and then jump into the network). Different devices have different numbers of ports, so bots are able to look at the number of open ports on a device and make an educated guess about the make and model. From there, the bot is able to scrape the web for default usernames and passwords of the device it is trying to access, and attempt to log in. If the defaults were never changed, the threat actor will quickly gain access to the device.

If the defaults were changed, threat actors still have options. They can brute force usernames and passwords, or use IP addresses to socially engineer likely passwords. In the case of RDPs and other corporate APIs, bots use scrapers to obtain employee information from public sources such as corporate employee pages and social media to generate potential usernames and passwords. Again, all of this is typically automated, meaning the threat actor doesn’t even need to be at their computer to carry out a fairly advanced attack.

Escalating privileges

Wifi and IoT devices have made it very easy for threat actors to maneuver from one device to another. Traditional cybersecurity measures do not monitor lateral network movement, so once a threat actor has infiltrated the thermostat, they can easily grant themselves network admin privileges, often without being detected. From here threat actors can easily see, and often record or manipulate, everything inside the network: security cameras, industrial control systems, passwords, programs, and data. Depending on their goal, they can install malware, ransomware, spyware, or a crypto-miner on any or all devices on the network. As you can see, for an advanced threat actor, it is not a huge leap from accessing a “smart” device (like a thermostat) to accessing an entire network. This is why changing default passwords and usernames on all connected devices is crucial.

How do I secure my network?

It all boils down to risk management. No network will ever be completely secure, no matter how many protections are in place. Careful risk management means making it harder for hackers to find, infiltrate, and escalate within your network. It is important to carefully analyze your company’s existing cybersecurity strategy, identify vulnerabilities, and make sure that you are focusing your efforts on protecting the data that is most important to you and your business.

It is also important to lower the attack surface of your network, and only make devices internet accessible if absolutely necessary. When purchasing new devices, always choose the device that lets you change default passwords if you have the option. If you don’t have the option, seriously consider whether or not that device needs to be connected to the network at all. Smart devices are fun, and can be useful, but if they don’t offer any security measure you need to ask yourself “at what cost?”

By mitigating the biggest risks, and implementing Managed Threat Detection and Response (MTDR) services, or at the very least, some form of ongoing network monitoring, your company will greatly reduce the likelihood of experiencing a serious breach.


Lisa Banton