Disclaimer: This article is meant to give insight into cyber threats as seen by the community of users of CrowdSec.
What can tens of thousands of machines tell us about illegal hacker activities?
Do you remember that scene in Batman - The Dark Knight, where Batman uses a system that aggregates active sound data from countless mobile phones to create a meta sonar feed of what is going on at any given place?
It is an interesting analogy with what we do at CrowdSec. By aggregating intrusion signals from our community, we can offer a clear picture of what is going on in terms of illegal hacking in the world.
After 2 years of activity and analyzing 1 million intrusion signals daily from tens of thousands of users in 160 countries, we start having an accurate "Batman sonar" global feed of cyber threats. And there are some interesting takeaways to outline.
A cyber threat with many faces
First of all, the global cyber threat is highly versatile. What do we see when looking at the types of attacks reported, their origin, and the Autonomous Systems (AS) behind the malicious IP addresses?
Scanners and Brute force attempts are still the most popular intrusion vectors our community sees and rank #1. Pretty logic, as surveillance is the first step to a more advanced intrusion. The scanning activities seen by our community are mostly port scans or HTTP-based probings.
Amongst the different intrusion types used by hackers, brute force attempts on sensitive services (SSH, email, admin URLs, etc.) is #2. Not breakthrough information, but when studies show that brute force attacks are accounted for 6% of cyber attacks in the world, it is not surprising to see it as dominant, especially since it is still one of the easiest and cheapest ones to automate and deploy (hello script kiddies). Because it is pretty easy to counter, one would think it rarely works, but hey, 6%!
Log4J is still not yet a done deal
Amongst the most popular exploit attempts our community sees, we have Log4j. You indeed enjoyed last year's storm on how a simple open-source logging utility for Apache with a vulnerability took over the cybersecurity world and caused endless headaches to cybersecurity experts. And, of course, the criminal world was more than happy to exploit it with automated scanning bots looking for vulnerable services.
Well, our community has witnessed the storm. Once the December peak following the disclosure passed, things calmed down a little bit, but scanning activities for Log4j started again, although at a lower but constant level, fueled by bots.
The key message is that if you think you are protected because the "marketing" storm passed, think twice.
There is still a very aggressive activity looking to use the vulnerability.
For instance, a couple of weeks ago, a large spectrum of our community was scanned as the IP address 126.96.36.199 was reported by more than 500 users in less than 12 hours. It joined 20000+ other IP addresses on the community blocklist for remediation.
IP addresses: cyber criminals' core resource
IP addresses are rarely malevolent forever and their reputation can change from one day to another. With the community constantly sharing information on them, any update can be instantaneously transferred to users. In the long run, it provides invaluable data on the aggressiveness duration of IP addresses.
This is a snapshot of the number of IP addresses that landed in the CrowdSec data lakes (flagged as malicious). What is interesting to note is that cybercriminals are indeed changing the IPs they are using to commit their attacks:
* only 2,79% of these are permanent members of our database
* 12,63% of all collected IPs change every single week
* The daily renewal rate sits at 1.8%
**Autonomous systems have different approaches to mitigating compromised IPs**
Each IP is part of a pool of addresses managed by an AS (Autonomous System). An AS is an extensive network or group of networks that have a unified routing policy. Every computer or device that connects to the Internet is connected to an AS. Typically, each AS is operated by a single large organization, such as an Internet service provider (ISP), a large enterprise technology company, a university, or a government agency, and is, as such, responsible for the IP addresses.
Each aggressive IP shared by the CrowdSec community is enriched by its AS. This, combined with the data on aggressiveness duration, can provide a clear picture of how AS manage compromised IPs.
While looking simply at the number of compromised assets might be an angle, it wouldn't be necessarily fair. Not all operators are equal in size, and some are hosting "riskier" services (hello outdated PHP CMS) than others.
The average malevolent duration of all the IPs in the same AS indicates the operator's due diligence in identifying and dealing with compromised assets. The distribution of the average duration is shown with arrows pointing to the position of the most reported AS for the leading cloud providers. For instance, at AWS, compromised addresses remain compromised for an average of 3 days. Azure 9 days. At the end of the chart, AS from China or Russia (surprise…) "are less quick" to act upon compromised IPs.
This article is meant to give an overview of the threat activity and intelligence CrowdSec users see daily. Please consult the full version of the report here if you want more details.