Have you been targeted?
There are a number of ways to detect Sentry MBA attacks. Here are two low-effort mechanisms for determining whether you have been targeted by a Sentry MBA attacker. The first is to search the web for configs aimed at your properties; the second is to look in your web logs for the default User Agent strings that ship with Sentry MBA.
Searching the web
If your organization is a sufficiently high-profile target, you may be able to find criminals offering Sentry MBA configs for your website and mobile applications on various forums. Googling “sentry mba X”, where X is the name of your organization or web property, is a good starting place. In this process, it’s critical that in addition to searching the Shallow Web, you also find ways to search the Deep Web, where most config trading takes place. If you are unfamiliar with searching the Deep Web, you should consider consulting experienced open source intelligence analysts.
Sentry MBA default User Agent strings
As Dan Ariely has highlighted, humans tend to use defaults. Attackers are no different and we regularly see proof of this across the Shape network.
By default, Sentry MBA uses the following five User Agent strings:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00
If you find these User Agent strings in your web logs, you should also be able to find the other characteristics of credential stuffing. The OWASP Automated Threat Handbook (OAT-008, Credential Stuffing) notes that you should observe a high authentication failure rate while a credential stuffing attack is taking place. The term “high” is left to interpretation, but it’s fair to say that any authentication failure rate that is multiple standard deviations beyond the mean for your website qualifies as “high.” Note that the failure rate matters more than the raw request count: a credential stuffing run produces many failed logins with a sprinkling of successes, which is a very different shape from normal users mistyping a password.
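The two log checks described above, as an added example that is not part of the original post or of Sentry MBA itself: it scans constructed Apache/nginx combined-format log lines for POSTs to a login endpoint, counts per-source-IP attempts that carry one of the five default Sentry MBA User Agent strings (the Firefox entry uses the rv:1.9.0.11 token of Firefox 3.0.11), and flags any minute whose login failure rate sits more than a chosen number of standard deviations above a baseline. The login path, the statuses treated as failures, the baseline failure rates and every log line are assumptions made up for the example.

```python
import re
import statistics
from collections import Counter

# The five User Agent strings Sentry MBA sends by default.
SENTRY_MBA_DEFAULT_UAS = {
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3",
    "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00",
}

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["minute"] = rec["ts"][:17]  # "10/Oct/2015:13:55:01 +0000" -> "10/Oct/2015:13:55"
    return rec

def login_attempts(lines, login_path="/login"):
    """Yield parsed POSTs to the login endpoint (assumed path, adjust for your site)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            yield rec

def sentry_mba_hits(lines, login_path="/login"):
    """Count login POSTs per source IP whose UA is a Sentry MBA default."""
    hits = Counter()
    for rec in login_attempts(lines, login_path):
        if rec["ua"] in SENTRY_MBA_DEFAULT_UAS:
            hits[rec["ip"]] += 1
    return dict(hits)

def failure_rate_by_minute(lines, login_path="/login", fail_statuses=(401, 403)):
    """Return {minute: fraction of login POSTs that failed}. Failure statuses are an assumption."""
    totals, fails = Counter(), Counter()
    for rec in login_attempts(lines, login_path):
        totals[rec["minute"]] += 1
        if rec["status"] in fail_statuses:
            fails[rec["minute"]] += 1
    return {m: fails[m] / totals[m] for m in totals}

def anomalous_minutes(rates, baseline_rates, sigmas=3.0):
    """Flag minutes whose failure rate exceeds baseline mean + sigmas * stdev."""
    threshold = statistics.mean(baseline_rates) + sigmas * statistics.pstdev(baseline_rates)
    return {m: r for m, r in rates.items() if r > threshold}

# Constructed per-minute login failure rates from "normal" days (assumed baseline).
BASELINE_FAILURE_RATES = [0.12, 0.18, 0.10, 0.15, 0.20, 0.14, 0.17, 0.11]

# Constructed sample log: minute 13:55 is normal traffic, 13:56 is a Sentry MBA burst.
NORMAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
IE7_UA, IE8_UA, FF3_UA, SAF3_UA, OP10_UA = (u for u in sorted(SENTRY_MBA_DEFAULT_UAS, key=len))

def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

LOG_LINES = [
    _line("203.0.113.5",   "10/Oct/2015:13:55:01 +0000", "POST", "/login", 302, NORMAL_UA),
    _line("203.0.113.9",   "10/Oct/2015:13:55:14 +0000", "GET",  "/login", 200, NORMAL_UA),
    _line("203.0.113.9",   "10/Oct/2015:13:55:20 +0000", "POST", "/login", 302, NORMAL_UA),
    _line("203.0.113.7",   "10/Oct/2015:13:55:41 +0000", "POST", "/login", 401, NORMAL_UA),
    _line("203.0.113.8",   "10/Oct/2015:13:55:50 +0000", "POST", "/login", 302, NORMAL_UA),
    _line("203.0.113.12",  "10/Oct/2015:13:55:58 +0000", "POST", "/login", 302, NORMAL_UA),
    _line("203.0.113.15",  "10/Oct/2015:13:56:03 +0000", "POST", "/login", 302, NORMAL_UA),
    _line("198.51.100.23", "10/Oct/2015:13:56:05 +0000", "POST", "/login", 401, IE7_UA),
    _line("198.51.100.23", "10/Oct/2015:13:56:06 +0000", "POST", "/login", 401, IE8_UA),
    _line("198.51.100.77", "10/Oct/2015:13:56:07 +0000", "POST", "/login", 401, FF3_UA),
    _line("198.51.100.23", "10/Oct/2015:13:56:08 +0000", "POST", "/login", 302, SAF3_UA),
    _line("198.51.100.77", "10/Oct/2015:13:56:09 +0000", "POST", "/login", 401, OP10_UA),
    _line("198.51.100.23", "10/Oct/2015:13:56:10 +0000", "POST", "/login", 401, IE7_UA),
    _line("203.0.113.21",  "10/Oct/2015:13:56:30 +0000", "POST", "/login", 302, NORMAL_UA),
]

if __name__ == "__main__":
    print("Sentry MBA default-UA login attempts by IP:", sentry_mba_hits(LOG_LINES))
    rates = failure_rate_by_minute(LOG_LINES)
    print("Login failure rate per minute:", rates)
    print("Minutes beyond 3 sigma of baseline:", anomalous_minutes(rates, BASELINE_FAILURE_RATES))
```

The two signals are deliberately kept separate: the UA match is a cheap, high-precision but easily evaded indicator, while the failure-rate deviation survives a UA change and is what you would keep alerting on once the attacker edits the config.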
If you decide to block these User Agent strings, recognize that the User Agent is just a field in the Sentry MBA config and can be changed in seconds to bypass such a control. Blocking on it also tells the attacker exactly which signal gave them away and costs you a quiet, high-precision indicator. Before you take any action, we recommend you consider the associated game theory: whether it is better to deny the requests outright or to keep letting them through while you use the signal to identify the attacker’s proxies and the accounts they have already compromised.
The rise of Sentry MBA illustrates how automation enables cybercriminals to achieve unprecedented efficiency, efficacy and scale. The script kiddies have grown up and now have access to powerful attack frameworks which rival the complexity of the programming stacks used to create legitimate applications.
There are many automated attack tools, including other credential stuffing frameworks, that vastly exceed Sentry MBA in sophistication. However, this serves to illustrate the real security challenge: the fact that Sentry MBA is so effective on so many major websites and mobile application API services today highlights the need for significantly more advanced application defense mechanisms.