APNIC Senior Security Specialist Adli Wahid gives a presentation on the threats the APNIC honeynet project has observed and how these were mitigated or remediated at CommunicAsia 2021, held online from 14 to 16 July 2021.
Introduction
1. Observations from APNIC Community Honeynet Project
2. Detection and Remediation
3. Lessons Learned
Let’s Connect!
• Adli Wahid
• @adliwahid
APNIC Community Honeynet Project
• Learning & Information Sharing
– DASH https://dash.apnic.net for APNIC members
– Security Community / CERTs/CSIRTs
– Collaboration & Sharing with partners
• Highlights
– Telnet / SSH honeypots
– Port 23 / 22 Exposed on the Internet
– Emulate Telnet/SSH services + interaction
– Linux-based systems/IoTs & Linux Malware
So What?
• Honeypots have no production value, so any traffic to them is suspect
– Useful for internal network monitoring / detection
• Malware spreads via Telnet/SSH
– Telnet/SSH enabled by default on many systems and devices
– Exposed on the Internet
• Exploits weak or default authentication
• What happens after a ‘successful login’ provides a bigger picture
Activities in the last 24 hours
Highlights
DDoS Agents / Stressers
• Drops a script that downloads ELF binaries
– Different architectures available (x86, x86_64, mips, sparc, etc.)
– Mirai variant
• Perl scripts / bots
• Connects to mothership (command and control)
• Waits for further instruction to DDoS
• End goal – part of a DDoS botnet/stresser/booter service, $$
– https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
Coin Miners (Monero/XMR)
• Drops a script that downloads ELF binaries (e.g. xmrig) or some other scripts
• Starts mining
• Sends results to mining pool
• End goal – part of a mining botnet, $$
– https://www.zdnet.com/article/cyber-attackers-are-cashing-in-on-cryptocurrency-mining-but-heres-why-theyre-avoiding-bitcoin/
Detection & Remediation
• Detection is quite straightforward*
– Spreading via Telnet/SSH brute force
– Monitor activities on hosts / outbound activities
– OSINT information abounds for context (VirusTotal, DShield, etc.)
• Remediation
– Types of devices already infected
– Capabilities in removing malicious code & hardening
– Patch not available
– Work-arounds*
• Remediation II
– Actors’ infrastructure (DNS, hosts, network) serving malware and providing command and control
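As an added illustration of the “detection is straightforward” point (example code, not from the presentation): the script below parses standard OpenSSH sshd auth-log lines and flags source IPs whose password login was accepted only after repeated failures, the host-side trace of the Telnet/SSH brute-force spreading described above. The log lines are constructed samples, and the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real telemetry); the format follows
# standard OpenSSH sshd syslog messages.
SAMPLE_LOG = """\
Jul 14 10:01:02 gw sshd[2011]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 14 10:01:03 gw sshd[2011]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jul 14 10:01:04 gw sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jul 14 10:01:05 gw sshd[2011]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jul 14 10:01:06 gw sshd[2011]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jul 14 10:01:07 gw sshd[2011]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Jul 14 10:02:00 gw sshd[2020]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Jul 14 10:03:00 gw sshd[2030]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(log_text):
    """Yield (result, method, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def find_bruteforce_logins(log_text, threshold=3):
    """Return {ip: {"failures": n, "accepted": [(user, method), ...]}} for
    sources whose password login was accepted after >= threshold failures.
    Order matters: only successes that follow the failures are flagged, so a
    key-based login with no prior failures never trips the rule."""
    failures = defaultdict(int)
    hits = {}
    for result, method, user, ip in parse_sshd(log_text):
        if result == "Failed":
            failures[ip] += 1
        elif method == "password" and failures[ip] >= threshold:
            entry = hits.setdefault(ip, {"failures": failures[ip], "accepted": []})
            entry["failures"] = failures[ip]
            entry["accepted"].append((user, method))
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce_logins(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, then accepted {info['accepted']}")
```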
Lessons Learned
• Lack of visibility, no monitoring, not monitoring things that matter*
– All levels
– Threat sharing platforms / OSINT / free feeds (e.g. Shadowserver) can provide context
• Lack of awareness*
– We deal with APT / “big DDoS attacks” only
– Attackers build their infrastructure to carry out the “big attacks”
– “It doesn’t affect us” syndrome
– Security specialization
• Lack of resources
– Responsive mode
– No remediation & proactive security (including reviewing security policy)
– Not able to track (CGNAT) and follow up with customers or clients
One of the recent Linux backdoor/trojan campaigns – spread over time
Conclusion
• Snapshot, there’s more!
– Malware spreads via other means
– Different payloads, e.g. Windows systems spreading malware over SMB
• Proactive monitoring & detection
– Policies, procedures, people
• Collaboration – with clear goals
– Capability and capacity
• APNIC Community Honeynet Project
– MISP feeds, analysis, let’s chat