Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

From Mirai to Monero – One Year’s Worth of Honeypot Data

16 views

Published on

Adrian Hada and Mihai Vasilescu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The slides and other presentations can be found on https://def.camp/archive

Published in: Technology
  • Be the first to comment

  • Be the first to like this

From Mirai to Monero – One Year’s Worth of Honeypot Data

  1. 1. 1© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | MIRAI TO MONERO – ONE YEAR’S WORTH OF HONEYPOT DATA Adrian Hada, Senior Security Researcher Mihai Vasilescu, Senior Security Researcher
  2. 2. 2© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | WHO ARE WE? • Senior security researchers • Love exploits, malware, honeypots and tinkering • Good guys • Hope for unemployment because #securityissolved • @ht_adrian & @me_high4eva
  3. 3. 3© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | WHO ARE WE?
  4. 4. 4© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | HONEY NETWORK Honeypot distribution
  5. 5. 5© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | WHAT ARE ATTACKERS LIKE?
  6. 6. 6© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ATTACKERS ARE... • Persistent • Not very fashionable • Resourceful • Opportunistic • All the above • Driven
  7. 7. 7© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | HONEY NETWORK Distribution by targets
  8. 8. 8© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | PERSISTENT – BRUTE FORCE • TELNET • SSH • SMTP • POP3 • IMAP • VNC • HTTP • Wordpress • Joomla • PHPMyAdmin • And the list goes on Protocols
  9. 9. 9© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | PERSISTENT – BRUTE FORCE • Note: one “event” is per-hour aggregation Events 0 50000 100000 150000 200000 250000 January-18 February-18 March-18 April-18 May-18 June-18 July-18 August-18 September-18 Bucketed Brute Force Events
  10. 10. 10© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | PERSISTENT – BRUTE FORCE Unique IP Addresses 0 5000 10000 15000 20000 25000 30000 35000 40000 January-18 February-18 March-18 April-18 May-18 June-18 July-18 August-18 September-18 Unique IP Addresses
  11. 11. 11© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | PERSISTENT – BRUTE FORCE Target Prevalence Telnet-Bruteforce 53% SSH-Bruteforce 38% MySQL/MSSQL Bruteforce 7% SMTP Authentication Bruteforce 2% Generic PHP Application Login Bruteforce 0% RDP-Bruteforce 0% POP3 Bruteforce 0% VNC Bruteforce 0% XMLRPC sys.multicall Bruteforce Authentication 0% Top 10 Bruteforce Targets Telnet-Bruteforce SSH-Bruteforce MySQL/MSSQL Bruteforce SMTP Authentication Bruteforce Generic PHP Application Login Bruteforce RDP-Bruteforce POP3 Bruteforce VNC Bruteforce XMLRPC sys.multicall Bruteforce Authentication
  12. 12. 12© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | PERSISTENT – BRUTE FORCE Bruteforce Stats - October 2018 Telnet-Bruteforce SSH-Bruteforce MySQL/MSSQL Bruteforce VNC Bruteforce Generic PHP Application Login Bruteforce RDP-Bruteforce POP3 Bruteforce XMLRPC sys.multicall Bruteforce Authentication
  13. 13. 13© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | PERSISTENT - CSI • Not that many hits (aprox 6000) • VMs, not Cisco hardware Cisco Smart Install
  14. 14. 14© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | NOT VERY FASHIONABLE • CVE-2013-6117 Dahua DVRs
  15. 15. 15© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | NOT VERY FASHIONABLE • Yes, it's the WannaCry one... ETERNALBLUE
  16. 16. 16© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | NOT VERY FASHIONABLE • It’s all fun and games • Until you expose a DNS “open resolver” NTP & DNS
  17. 17. 17© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | RESOURCEFUL XAttacker
  18. 18. 18© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | RESOURCEFUL XAttacker
  19. 19. 19© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | RESOURCEFUL XAttacker
  20. 20. 20© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | RESOURCEFUL XAttacker 0 200 400 600 800 1000 1200 January-18 February-18 March-18 April-18 May-18 June-18 July-18 August-18 September-18 XAttacker Bucketed Hits
  21. 21. 21© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | OPPORTUNISTIC Drupalgeddon[23]
  22. 22. 22© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ALL OF THESE DLink – multiple vulnerabilities
  23. 23. 23© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ALL OF THESE MySQL
  24. 24. 24© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - DDOS • Evolution of number of events Mirai & Clones
  25. 25. 25© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - DDOS • Evolution of number of events Mirai & Clones
  26. 26. 26© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - DDOS • Fortinet blogged: https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by- bushido-botnet-.html Mirai & Clones
  27. 27. 27© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - DDOS • Antique bot, Windows, possibly modified • Seen via MySQL and ETERNALBLUE Nitol
  28. 28. 28© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - DDOS • Multiple documented families • DDoSTF via MySQL (reported by MalwareMustDie in 2016) • DoFloo DDoS Trojan – validate using CC decryptor from https://github.com/felicitychou/RATConf- DecryptScript Other Bots
  29. 29. 29© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - COIN MINERS • Seen via multiple exploits • Monero is the go-to currency • Reuse open mining tools • Example from ETERNALBLUE
  30. 30. 30© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - COIN MINERS • Notice something strange? certutil.exe –urlcache –split –f <url>
  31. 31. 31© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - COIN MINERS • Technique described previously, not new • Xavier Mertens’ ISC diary: https://isc.sans.edu/diary/rss/23517
  32. 32. 32© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN - BACKDOORS • Main source – ETERNALBLUE • (allegedly) Chinese backdoor - https://artemonsecurity.blogspot.com/2012/12/zegost- analysis-of-chinese-backdoor.html • DLL file contains download URL for executable • Payload conf can be decrypted via RADconf-DecryptScript Zegost Trojan
  33. 33. 33© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | DRIVEN – BACKDOORS WITH A TWIST • One sample URL downloaded 8.5M of data.. • Apparently, Themida-packed binary • Sandbox it! Zegost Trojan
  34. 34. 34© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | 34© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | “IT’S 2019. THE INTERNET IS STILL A DANGEROUS PLACE. WHETHER WINDOWS OR LINUX. OR MAC.” Us,2018
  35. 35. 35© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | 35© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
  36. 36. 36© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | 36© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | “ATTACKERS ARE A LOT LIKE US. IF THEY CAN BREAK THINGS, WE CAN PROTECT THEM.” Us,2018
  37. 37. 37© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |

×