While automated attacks remain a major security concern to enterprises, findings from a Bulletproof analysis highlight the challenge created by inadequate security hygiene. According to research conducted in 2021, bot traffic currently accounts for 70% of total web activity.
Default credentials are the most popular passwords used by malicious attackers, acting as a 'skeleton key' for criminal access. With attackers increasingly deploying automated attack methods
Brian Wagner, CTO at Bulletproof stated, “On the list are the default Raspberry Pi credentials (un:pi/pwd:raspberry). There are more than 200,000 machines on the internet running the standard Raspberry Pi OS, making it a reasonable target for bad actors. We also can see what looks like credentials used on Linux machines (un:nproc/pwd:nproc). This highlights a key issue – default credentials are still not being changed.”
“Using default credentials provides one of the easiest entry points for attackers, acting as a ‘skeleton key’ for multiple hacks. Using legitimate credentials can allow attackers to avoid detection and makes investigating and monitoring attacks much harder.”
According to the findings, attackers are continuously utilising the same typical passwords to gain access to systems. Some are default passwords that haven't been updated since the company started using them.
The RockYou database leak from December 2009 is accountable for a quarter of all passwords used by attackers today. This degree of activity suggests that these passwords are still valid.
During the period of the research, threat actors started almost 240,000 sessions. The top IP address, which came from a German server, started 915 sessions and stayed on the Bulletproof honeypot for a total of five hours. Another attacker spent 15 hours on the honeypot, successfully logging in 29 times with more than 30 different passwords.
In sum, 54 per cent of the more than 5,000 distinct IP addresses had intelligence indicating they were bad actor IP addresses.
Wagner continued, “Within milliseconds of a server being put on the internet, it is already being scanned by all manner of entities. Botnets will be targeting it and a host of malicious traffic is then being driven to the server.”
“Although some of our data shows legitimate research companies scanning the internet, the greatest proportion of traffic we encountered to our honeypot came from threat actors and compromised hosts. These insights, combined with our data, highlight the importance of proactive monitoring to ensure you are aware of the threats to your business on a daily basis, as well as a tried and tested incident response plan.”
