When attacks against companies are described, frequently the targets are said to be either individual end users or large enterprises. Many targets of cybercrime, however, are small businesses. In this post, we’ll look at how small business in Taiwan are attacked and what lessons others can take from these events.
Many small businesses in Taiwan run their Web server from inside their own networks, without much awareness about how to secure them properly. They’re primarily concerned with running their business, which makes their insecure servers a prime target for attacks.
Let’s look at a recent case which is a good example of how these attacks work. On May 30, our assistance was requested after an unidentified company (which we’ll call Company A) was hit by denial of service attacks that interrupted access to their servers.
What we found was another problem entirely. We found that their web server had been compromised, using a vulnerability in their web server. Because, as noted earlier, this web server also had access to Company A’s internal network, the attackers had taken control over the company’s Active Directory servers as well. We were also able to confirm that at least two separate attackers were at work: one was active before April 24, the other after that date.
Figure 1. Timeline of Attacks
The behavior of this threat was not particularly unusual – these behaviors are all commonplace when a network has been breached. In addition, the attackers keep adding tools through their backdoors continuously.
Many businesses would simply reinstall and rebuild their systems so they can get back to work, but this wouldn’t solve the problem. Because the root of the problem – the vulnerable and insecure web server – has not been addressed, the attacker can simply go ahead and plant backdoors into the target’s networks again and again.
Figure 2: Continuing attacks
There are many ways to plant backdoors onto a network. One can use either remote access tools (legitimate or otherwise), vulnerabilities, and embedded scripts (for starters). Many of these can be difficult to detect and remove. In this case, we even found that uploaded images (for user avatars) could be used to inject scripts that the web server would then run.
This attack was made possible because of some rather insecure procedures that some SMBs use. Hosting a web server within your own network exposes a business to serious risks (as happened here). It’s much safer for a small business to use some sort of managed hosting for their sites.
However, on one level, this insecurity is understandable. Businesses see the opportunities of new technology, but are often blind to the security risks. They feel the need to compete with larger enterprises when it comes to the tools they use – but don’t have the resources to match their competitors. Efficiency and cost-effectiveness are the order of the day – and, unfortunately, security can fall by the wayside.
While the specific lessons of this attack may only apply to some businesses, the larger is lesson is clear: tempting as technological improvements can be, security has to be considered as well. It’s dangerous – and irresponsible – to put in place new tools without considering how they can be secured. Otherwise, businesses expose themselves to being compromised repeatedly.