Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]


  1. 1st Dual Stack Threat Feed
  2. When your IDS/FW does not consider IPv6
  3. #IPv6IsNotForMalware
  4. Ngioweb represents a multifunctional proxy server which uses its own binary protocol with 2 layers of encryption. The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports with first samples seen in the second half of 2017. https://research.checkpoint.com/ramnits-network-proxy-servers/
  5. Emotet on IOCFeed
  6. #WhyNow
  7. IPv6 and IPv4 Dual Stack Security Considerations
     ● Unauthorized deployment of IPv6 on existing IPv4 production networks
     ● Vulnerabilities present in IPv6
     ● Complexity added by dual IPv4/IPv6 operations
     ● Immaturity of IPv6 security products and processes
     ● Lack of vendor support
     ● Operation team and security team lack of knowledge
     https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-119.pdf
  8. Unauthorized deployment of IPv6
     ● Most current operating systems now support IPv6 by default
     ● Firewall and IDS equipment not configured to recognize IPv6 traffic could be bypassed
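The bypass on slide 8 is easy to reproduce with a block list that was only ever written for IPv4: a dual-stack IOC keeps its AAAA record reachable. The following is an added example for this deck (not the IoCker/IOCfeed code); the resolved records, the hostnames and the deny rules are constructed sample data using documentation addresses (RFC 5737 / RFC 3849).

```python
"""Check whether an IPv4-only block list leaves the IPv6 half of a dual-stack
IOC unfiltered. Added example, not the authors' code; all data below is
constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample: hostname IOCs with the A and AAAA records they resolved to
# (hypothetical names, documentation addresses).
RESOLVED = {
    "c2.example.net": ["198.51.100.23", "2001:db8:4f0:1::23"],
    "drop.example.org": ["203.0.113.7"],                     # IPv4-only host
    "relay.example.com": ["192.0.2.9", "2001:db8:beef::9"],
}

# Constructed firewall policy: only IPv4 deny rules were ever written.
DENY_RULES = ["198.51.100.0/24", "203.0.113.7/32", "192.0.2.0/24"]


def load_rules(rules):
    """Parse CIDR strings into network objects, keyed by address family."""
    nets = defaultdict(list)
    for r in rules:
        net = ipaddress.ip_network(r, strict=False)
        nets[net.version].append(net)
    return nets


def is_blocked(addr, nets):
    """True if any rule of the address's own family covers it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets[ip.version])


def unfiltered_paths(resolved, rules):
    """Return {hostname: [addresses]} for every resolved address the policy
    does not cover, regardless of family."""
    nets = load_rules(rules)
    gaps = {}
    for host, addrs in resolved.items():
        open_addrs = [a for a in addrs if not is_blocked(a, nets)]
        if open_addrs:
            gaps[host] = open_addrs
    return gaps


def dual_stack_bypasses(resolved, rules):
    """Hosts whose IPv4 addresses are all blocked while at least one IPv6
    address is not. A dual-stack client will typically prefer the AAAA
    record (RFC 6724 default address selection), so the block is moot."""
    nets = load_rules(rules)
    out = []
    for host, addrs in resolved.items():
        v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
        v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
        if v4 and all(is_blocked(a, nets) for a in v4) \
                and v6 and not any(is_blocked(a, nets) for a in v6):
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    for host in dual_stack_bypasses(RESOLVED, DENY_RULES):
        print(f"{host}: IPv4 blocked, IPv6 {unfiltered_paths(RESOLVED, DENY_RULES)[host]} still reachable")
```

Running it against a real policy means exporting the deny set from the firewall and feeding both families of resolved IOC addresses; the fix for every host the script names is an IPv6 rule (or, in this constructed case, a single `2001:db8::/32` entry, which empties the result).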
  9. #ThreatHunting
  10.–13. Threat analysis
  14. Why IPv6 prefix?
  15.–16. /64 in threat analysis (diagram: ASN → IPv6 prefix (/64) → individual IPv6 addresses; a single /64 spans 2^64 addresses)
  17. Iocfeed.mrlooquer.com
  18. Threat analysis
  19.–20. /64 in threat analysis (diagram repeated: several IPv6 addresses grouped under one /64 prefix and its ASN)
  21. #ShowMeTheData
  22. IOCs clustered by ASN and Prefix
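Slides 14 to 22 argue that an individual IPv6 address is the wrong unit for threat analysis: a /64 spans 2^64 addresses, so the useful cluster keys are the /64 (or /48) prefix and the ASN. The following added example (not the IoCker/IOCfeed code) shows that aggregation with the standard library; the IOC list and the prefix-to-ASN table are constructed, using the 2001:db8::/32 documentation prefix and private-use ASNs.

```python
"""Cluster IPv6 IOCs by /64 and /48 prefix and by ASN instead of by address.
Added example, not the authors' code; IOCs and ASN table are constructed."""
import ipaddress
from collections import Counter

# Constructed ASN table: prefix -> ASN, as a routing or WHOIS lookup would return.
ASN_TABLE = {
    "2001:db8:1::/48": 64512,
    "2001:db8:2::/48": 64513,
    "2001:db8:3::/48": 64512,
}

# Constructed IOC list as it might arrive from several feeds; several share a /64.
IOCS = [
    "2001:db8:1:10::1", "2001:db8:1:10::2", "2001:db8:1:10:a1b2::ff",
    "2001:db8:1:20::5",
    "2001:db8:2:1::1", "2001:db8:2:1::1",        # same IOC reported twice
    "2001:db8:3:5::9",
]

_ASN_NETS = [(ipaddress.ip_network(p), asn) for p, asn in ASN_TABLE.items()]


def prefix_of(addr, length=64):
    """Collapse an address to its covering /length network."""
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


def asn_of(addr):
    """Longest-prefix match against the ASN table; None if unknown."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, asn in _ASN_NETS:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def cluster(iocs, lengths=(64, 48)):
    """Return {"asn": Counter, 64: Counter, 48: Counter} of distinct IOCs per
    cluster key. Addresses are canonicalised and deduplicated first, so one
    IOC reported by two feeds does not inflate its prefix."""
    unique = {str(ipaddress.ip_address(a)) for a in iocs}
    out = {"asn": Counter()}
    for length in lengths:
        out[length] = Counter()
    for a in unique:
        out["asn"][asn_of(a)] += 1
        for length in lengths:
            out[length][str(prefix_of(a, length))] += 1
    return out


def rank(counter, min_iocs=2):
    """Cluster keys with at least min_iocs distinct IOCs, most active first:
    the unit to block or score rather than 2^64 individual hosts."""
    return [(k, n) for k, n in counter.most_common() if n >= min_iocs]


if __name__ == "__main__":
    c = cluster(IOCS)
    print("/64 clusters:", rank(c[64]))
    print("/48 clusters:", rank(c[48]))
    print("ASN clusters:", rank(c["asn"]))
```

The same `cluster` call generalises to any prefix length list, so the /64, /48 and ASN views the deck shows come from one pass over the feed; what differs per view is only how many distinct IOCs a key must collect before it is worth acting on.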
  23. Dual Stack IOCs
  24. Dual Stack Subcategories
  25.–27. Threat analysis
  28. TOR
  29. TOR ASN 14061
  30. #Curious
  31. FILTER ":dead:"
  32. FILTER ":dead:" 4766 IOCs!!!
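The ":dead:" filter on slides 31 and 32 is a substring match on the address as written. That misses the same hextet when it is the last group ("2001:db8::dead"), when the feed prints it in uppercase, or when the address is spelled uncompressed, and it counts the same address twice if two feeds compress it differently. The following added example (not the authors' code) compares the literal filter with a match on the exploded hextets; the IOC sample and the vanity-word list are constructed.

```python
"""Filter IPv6 IOCs that carry a vanity hextet such as "dead", matching on
exploded hextets rather than on the printed string. Added example, not the
authors' code; IOC sample is constructed."""
import ipaddress

VANITY_WORDS = {"dead", "beef", "cafe", "babe", "face", "f00d", "c0de", "1337"}

# Constructed IOC sample (documentation prefix), mixed spellings on purpose.
IOCS = [
    "2001:db8::dead:beef",
    "2001:db8:dead::1",
    "2001:db8::DEAD",            # uppercase, last hextet: no trailing colon
    "2001:db8:0:0:0:0:0:dead",   # same address as above, uncompressed
    "2001:db8:cafe::f00d",
    "2001:db8:1::5",
]


def naive_match(addr, word="dead"):
    """The literal slide filter: substring ':dead:' on the string as given."""
    return f":{word}:" in addr


def hextets(addr):
    """The eight zero-padded, lowercase hextets of the address."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


def vanity_hextets(addr, words=VANITY_WORDS):
    """Vanity words that appear as whole hextets in addr."""
    return {h for h in hextets(addr) if h in words}


def filter_iocs(iocs, word="dead"):
    """IOCs whose address has `word` as a hextet, returned in canonical
    compressed form with duplicate spellings collapsed."""
    hits = (str(ipaddress.IPv6Address(a)) for a in iocs if word in vanity_hextets(a, {word}))
    return list(dict.fromkeys(hits))


if __name__ == "__main__":
    for a in IOCS:
        print(f"{a:28} naive={naive_match(a)!s:5} hextet={'dead' in vanity_hextets(a)}")
    print("canonical matches:", filter_iocs(IOCS))
```

On this sample the literal filter finds two of the four "dead" addresses; the hextet version finds all four and reports them as three distinct IOCs. Any count derived from a string filter, such as the 4766 on slide 32, is therefore a lower bound until the feed is canonicalised.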
  33. ASN
  34.–39. Why ASN?
  40. #HowDoWeDoIt?
  41. How Do We Do It? (pipeline diagram, stages: IOC Sources, IPv6 Discover, Dual Stacks Analysis, Fingerprinting, CVE Scan, ...)
  42. Categories
     ● Malware
       ○ Botnet
         ■ C&C
         ■ Compromised
         ■ ExploitKit
         ■ Zeus
       ○ Sandbox
         ■ Malware
       ○ Distribution
         ■ Warez
         ■ ExploitKit
       ○ Trojan
         ■ Misc
       ○ Binary
       ○ HTA
       ○ Ransomware
       ○ DDoS
       ○ Shellcode
       ○ Exploit
       ○ Javascript
       ○ Downloader
       ○ Redirector
     ● Fraud
       ○ Phishing
         ■ Bulkphishing
       ○ Coinminer
         ■ Web
       ○ Market
         ■ Warez
         ■ Misleadingmarket
       ○ Spam
         ■ Astroturfing
         ■ Forumspammers
       ○ Hacking
         ■ Hijacking
       ○ Black market
         ■ Pharmacy
     ● Anonymization
       ○ TOR
         ■ Proxy
  43. #Future
  44. MrLooquer IPLake
  45. Prefix scoring (/64, /48, etc…) and ASN scoring
  46. The Alliance
  47. IOCfeed.mrlooquer.com hi@mrlooquer.com @mrlooquer