The January 30th introduction of AutoSploit, a self-described “automated mass exploiter” that makes it disturbingly easy for less technical hackers to launch cyber attacks, caused some panic in the security community.
The tool uses the Shodan search engine to find potential targets that match the user’s search terms. “After [the search] operation has been completed the ‘Exploit’ component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them,” AutoSploit author VectorSEC wrote.
In an analysis of the tool, Rapid7 research director Tod Beardsley noted that AutoSploit “doesn’t appear to offer any mechanism to assess and exploit targets that aren’t picked essentially at random.”
“In the end, I can’t figure out how to use Autosploit.py in a way that isn’t merely a random act of vandalism,” Beardsley added. “As a user, I have little to no control over target selection, which means I am necessarily going to cause headaches and harm to innocent bystanders.”
In response, VectorSEC tweeted, “Don’t worry guys. The new version will have an option included that will allow the user to select a custom list of targets.”
Regardless, it’s worth questioning how much of a threat AutoSploit presents on its own. British security architect Kevin Beaumont suggested, “If anybody is concerned about this, your threat model collapses at kids being bored running python scripts.”
An opportunity for script kiddies
Still, AutoSploit could provide a less skilled attacker with an unprecedented amount of power. Stephanie Weagle, vice president of Corero, told eSecurity Planet by email that AutoSploit “provides an unending opportunity for cybercriminals and script kiddies to hijack vulnerable devices and subsequently launch attacks against online organizations with ease.”
And Weagle said companies have to respond. “It is now imperative for organizations to implement a next generation Internet gateway that includes a DDoS layer of security to immediately detect and mitigate DDoS attacks,” she said. “Without this DDoS mitigation layer, companies who are hit with a DDoS attack could face significant loss of revenues and reputation due to outages.”
At the same time, Plixer director of strategic relationships and marketing Bob Noel said it’s important to remember that AutoSploit doesn’t introduce anything new in terms of malicious code or attack vectors. “What it does present is an opportunity for those who are less technically adept to use this tool to cause substantial damage,” he said.
Ultimately, Noel said, AutoSploit expands the threat landscape by allowing a wider range of people to launch major attacks. “It also demonstrates that it is impossible for organizations to prevent all cyber attacks, and this should act as a wake-up call to invest in incident response technologies, people and best security practices,” he said.
But Synopsys vice president of security technology Gary McGraw cautioned against overreacting to the news. “Tools for improving computer security can also be used to do bad things,” he said. “Try to do good things with them.”
“Oh, and fix the broken software,” he added. “Really.”