I enjoy being wrong.
The most I have ever learned has always been from the realization that something I believed was really not true at all. It always causes evaluation and introspection which is needed so as to not become an “Archie Bunker” like character as years go by.
I had a moment like this a while back sometime after my Dear Abby parody post, and that was that the Chinese Government is Really attacking Government and business networks and websites. I know most of you are thinking “Just now? Its been all over the news for years” I know this, but the fact was I did not really believe it then because I saw Spammers based in China doing scripted attacks in order to get an unwilling machine to host a website selling pills or providing backlinks to “SEO” nonsense that complimented their message board and social media SPAM posts. So I had good reason to believe others were misidentifying the pattern that I had correctly identified.
Until I started seeing patterns myself.
The first patterns I saw were coming from 210.75.192.0 – 210.75.223.255 owned by the Beijing Information Highway Corp (love that name) but they followed the ones I see from all over the world; random times, pointless visits and attempts to register and attempts to post. Successful posts are done in poor English and it is clearly the model of spammers using compromised computers that likely have pirated software installed on them so they never have security patches. This is what made me believe that there was no Chinese Government conspiracy. Then from the same IP blocks I started seeing things differently. I still saw the spammers but I also saw attempted logins to ssh, ftp and telnet. I even saw port 25 get lots of VRFY attempts. The pages searched for on port 80 and port 443 involved wp-admin and another for chef/common.rb and chef/cookbook/cookbook.rb which seemed to be a directory traversal attempt or perhaps looking for an error message. What was odd about these attacks was that they started at about 8:30pm EST and ended about 4:30am EST. I blocked one particularly annoying IP that was doing the weird directory traversal thing looking for Chef Configuration Management software (I suspect one would really like to get a hold of configuration management software to configure your own compromised machines) and trying MySQL injection with attempts like '1'='1-- and admin'/* and as soon as I did that the same stuff appeared again from an IP in Bogota Colombia that turned out to have been an Adtran 904 that had a default setting of admin and password for its security credentials and a VPN to the IP in China I had just blocked and a few others on the same Beijing IP block as well.
So I did what any sane person would do and didn’t touch anything and instead blocked the Colombian IP (I was very tempted to remove all VPN configurations and change the password but I did not). After that I just got the same old spammy probes from China and visitors to index.html that just hung around until their sessions timed out.
What I checked out later is that Beijing switched government hours from 8:30 to 5:30 to 9am to 6pm. This, to me, meant that people showed up for work 13 hours ahead of EST in Beijing, checked e-mail and assignments for maybe 30 minutes and then started working on their 9 hour day and then around 30 minutes before leaving they stopped working and perhaps wrote summaries of their day and went home. What is odd is that I did not see what appeared to be a “lunch” hour. This tells me they are either being worked very hard or (more probably) love their jobs attempting to break into stuff.
I wish I had more IP addresses to fool around with. I could then make a virtual machine as a honeypot but really customize it. Maybe with some poorly written php that would make MySQL vulnerable and a separate virtual machine for logging. But I do not have those kind of resources.
I would really like to write a script to focus on timestamps between commands and see what commands are made when they do get in. I could then judge whether they are using a script like Metasploit or perhaps even have to get approval from a supervisor before privilege escalation and even be able to judge their language proficiency based on spelling and grammar mistakes. In a way I am not sure why we are afraid of them when we can use them to actually understand them since they do not really hide (or not the one’s I saw anyway).
Now..How to Thwart them. I do not know why they use directory traversal maybe just testing to see if a web application forgot to check for ../../ and unicode type strings or maybe there is another vulnerability out there? But I think I would avoid writing my own web applications to go live right away for a while especially when so many more secure CMS exist today.
I also would make it so Configuration Management Software such as Puppet or Chef is never available to remote administration (that could be one of those disasters no one knows about until it is too late).
The other steps are normal security best practices like good passwords, never putting in a DVD or pen drive that you find just laying around somewhere.
I believe the main key to thwarting hackers from China (I really should not say “Chinese hackers but you all know that I mean “Sponsored and employed by the government of China” when I say that) is studying their bureaucracy from what clues they give us by their online presence. Right now I know from my experience with them is that they show up for work, put in about 8 hours and then stop working. I also am pretty sure they are based in Beijing and they attacked routers in countries other than the nation where their target exists. (perhaps we have compromised Adtran Routers here in the US that are used to attack Iran, Venezuela or Russia).
More exploration is needed and I am quite sure this is what they are saying about us as well.