What is Hitting My Honeypots?
Adli Wahid
adli@apnic.net
APNIC
Introduction
1. Observations from the APNIC Community Honeynet Project
2. Detection and Remediation
3. Lessons Learned
Let’s Connect!
o Adli Wahid
o @adliwahid
APNIC Community Honeynet Project
• Learning & Information Sharing
– DASH https://dash.apnic.net for APNIC members
– Security Community / CERTs/CSIRTs
– Collaboration & Sharing with partners
• Highlights
– Telnet / SSH honeypots
– Port 23 / 22 Exposed on the Internet
– Emulate Telnet/SSH services + interaction
– Linux-based systems/IoTs & Linux Malware
So What?
• Honeypots have no production value, so any traffic they receive is suspect
– Useful for internal network monitoring / detection
• Malware spreads via Telnet/SSH
– telnet/ssh enabled by default on many systems and devices
– Exposed on the Internet
• Exploits weak or default authentication
• What happens after a ‘successful login’ provides a bigger picture.
Activities in the last 24 hours
Highlights
DDoS Agents / Stressers
• Drops a script that downloads ELF binaries
– Different architectures available (x86, x86_64, mips, sparc, etc.)
– Mirai variant
• Perl scripts / bots
• Connects to the mothership (command and control)
• Waits for further instructions to DDoS
• End goal – part of a DDoS botnet/stresser/booter service, $$
– https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
Coin Miners (Monero/XMR)
• Drops a script that downloads ELF binaries (e.g. xmrig) or other scripts
• Starts mining
• Sends results to a mining pool
• End goal - part of a mining botnet, $$
– https://www.zdnet.com/article/cyber-attackers-are-cashing-in-on-cryptocurrency-mining-but-heres-why-theyre-avoiding-bitcoin/
vol.py --plugins=. -f mem01.raw --profile=LinuxDebian-4_19_0-16-686x86 linux_yarascan -y malware_rules.yar
Task: pty pid 7978 rule LinuxTsunami addr 0x8055d84
0x08055d84 4e 4f 54 49 43 45 20 25 73 20 3a 49 27 6d 20 68 NOTICE.%s.:I'm.h
0x08055d94 61 76 69 6e 67 20 61 20 70 72 6f 62 6c 65 6d 20 aving.a.problem.
0x08055da4 72 65 73 6f 6c 76 69 6e 67 20 6d 79 20 68 6f 73 resolving.my.hos
0x08055db4 74 2c 20 73 6f 6d 65 6f 6e 65 20 77 69 6c 6c 20 t,.someone.will.
0x08055dc4 68 61 76 65 20 74 6f 20 53 50 4f 4f 46 53 20 6d have.to.SPOOFS.m
0x08055dd4 65 20 6d 61 6e 75 61 6c 6c 79 2e 0a 00 00 00 00 e.manually......
0x08055de4 4e 4f 54 49 43 45 20 25 73 20 3a 6b 74 68 72 2e NOTICE.%s.:kthr.
0x08055df4 73 73 68 20 7c 20 02 44 44 4f 53 02 20 6d 65 74 ssh.|..DDOS..met
0x08055e04 68 6f 64 73 0a 00 00 00 4e 4f 54 49 43 45 20 25 hods....NOTICE.%
0x08055e14 73 20 3a 02 58 4d 41 53 20 3c 74 61 72 67 65 74 s.:.XMAS.<target
0x08055e24 3e 20 3c 70 6f 72 74 3e 20 3c 73 65 63 73 3e 20 >.<port>.<secs>.
0x08055e34 3c 63 77 72 2c 65 63 65 2c 75 72 67 2c 61 63 6b <cwr,ece,urg,ack
0x08055e44 2c 70 73 68 2c 72 73 74 2c 66 69 6e 2c 73 79 6e ,psh,rst,fin,syn
0x08055e54 20 6f 72 20 6e 75 6c 6c 3e 20 3c 72 61 6e 64 6f .or.null>.<rando
0x08055e64 6d 2f 6e 6f 74 3e 02 20 3d 3d 3d 3e 20 6d 65 73 m/not>..===>.mes
0x08055e74 73 79 20 70 61 63 6b 65 74 20 67 65 6e 65 72 61 sy.packet.genera
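As an added example (not from the slides and not part of Volatility), the following Python parses the linux_yarascan hit above back into bytes and pulls out the NUL-terminated strings whole, so the bot's IRC-format responses can be read across the 16-byte rows instead of from the lossy ASCII column. It assumes the row layout shown (address, up to 16 hex bytes, ASCII column) and uses the slide's own dump as its constructed input.

```python
import re

# Constructed input: the linux_yarascan hit shown on the slide, copied as printed
# (header line, then 16-byte rows of address, hex bytes and an ASCII column).
YARASCAN_OUTPUT = """\
Task: pty pid 7978 rule LinuxTsunami addr 0x8055d84
0x08055d84 4e 4f 54 49 43 45 20 25 73 20 3a 49 27 6d 20 68 NOTICE.%s.:I'm.h
0x08055d94 61 76 69 6e 67 20 61 20 70 72 6f 62 6c 65 6d 20 aving.a.problem.
0x08055da4 72 65 73 6f 6c 76 69 6e 67 20 6d 79 20 68 6f 73 resolving.my.hos
0x08055db4 74 2c 20 73 6f 6d 65 6f 6e 65 20 77 69 6c 6c 20 t,.someone.will.
0x08055dc4 68 61 76 65 20 74 6f 20 53 50 4f 4f 46 53 20 6d have.to.SPOOFS.m
0x08055dd4 65 20 6d 61 6e 75 61 6c 6c 79 2e 0a 00 00 00 00 e.manually......
0x08055de4 4e 4f 54 49 43 45 20 25 73 20 3a 6b 74 68 72 2e NOTICE.%s.:kthr.
0x08055df4 73 73 68 20 7c 20 02 44 44 4f 53 02 20 6d 65 74 ssh.|..DDOS..met
0x08055e04 68 6f 64 73 0a 00 00 00 4e 4f 54 49 43 45 20 25 hods....NOTICE.%
0x08055e14 73 20 3a 02 58 4d 41 53 20 3c 74 61 72 67 65 74 s.:.XMAS.<target
0x08055e24 3e 20 3c 70 6f 72 74 3e 20 3c 73 65 63 73 3e 20 >.<port>.<secs>.
0x08055e34 3c 63 77 72 2c 65 63 65 2c 75 72 67 2c 61 63 6b <cwr,ece,urg,ack
0x08055e44 2c 70 73 68 2c 72 73 74 2c 66 69 6e 2c 73 79 6e ,psh,rst,fin,syn
0x08055e54 20 6f 72 20 6e 75 6c 6c 3e 20 3c 72 61 6e 64 6f .or.null>.<rando
0x08055e64 6d 2f 6e 6f 74 3e 02 20 3d 3d 3d 3e 20 6d 65 73 m/not>..===>.mes
0x08055e74 73 79 20 70 61 63 6b 65 74 20 67 65 6e 65 72 61 sy.packet.genera
"""

HEADER_RE = re.compile(
    r"^Task:\s+(?P<task>\S+)\s+pid\s+(?P<pid>\d+)\s+rule\s+(?P<rule>\S+)"
    r"\s+addr\s+(?P<addr>0x[0-9a-fA-F]+)"
)
HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_yarascan(text):
    """Return a dict with the hit's task/pid/rule, the base address and the
    bytes reconstructed from the hex columns of the contiguous rows."""
    hit = {"task": None, "pid": None, "rule": None, "base": None, "data": b""}
    rows, expected = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hit.update(task=m["task"], pid=int(m["pid"]), rule=m["rule"])
            continue
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].startswith("0x"):
            continue
        addr = int(tokens[0], 16)
        # Take at most 16 hex pairs; the ASCII column that follows is never used
        # because it prints '.' for every non-printable byte and is lossy.
        pairs = []
        for tok in tokens[1:17]:
            if not HEX_PAIR.match(tok):
                break
            pairs.append(tok)
        data = bytes.fromhex("".join(pairs))
        if expected is not None and addr != expected:
            raise ValueError(f"non-contiguous row at {addr:#x} (expected {expected:#x})")
        if hit["base"] is None:
            hit["base"] = addr
        rows.append(data)
        expected = addr + len(data)
    hit["data"] = b"".join(rows)
    return hit


def extract_strings(blob, min_len=4):
    """Split the reconstructed bytes on NUL terminators and keep the C strings.
    latin-1 decoding keeps control bytes such as IRC's \\x02 (bold) instead of raising."""
    return [p.decode("latin-1") for p in blob.split(b"\x00") if len(p) >= min_len]


def irc_notice_strings(strings):
    """Strings in IRC 'NOTICE %s :' format are the bot's replies to its operator
    (this family is IRC controlled); return them with the IRC formatting codes
    and trailing newline stripped so they are readable and usable as indicators."""
    return [s.replace("\x02", "").rstrip("\n") for s in strings if s.startswith("NOTICE %s :")]


if __name__ == "__main__":
    hit = parse_yarascan(YARASCAN_OUTPUT)
    print(f"pid {hit['pid']} rule {hit['rule']} base {hit['base']:#x} ({len(hit['data'])} bytes)")
    for s in irc_notice_strings(extract_strings(hit["data"])):
        print(repr(s))
```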
DDoS agents
Miners
Spreading to others
Detection & Remediation
• Detection is quite straightforward*
– Spreading via telnet/ssh brute force
– Monitor activities on hosts / outbound activities
– OSINT information abounds for context (VirusTotal, DShield, etc.)
• Remediation
– Types of devices already infected
– Capabilities in removing malicious code & hardening
– Patch not available
– Work-arounds*
• Remediation II
– Actors’ infrastructure (DNS, hosts, network) serving malware and providing command and control
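The brute-force detection the slide calls straightforward, written out as an added example (not code from the honeynet project): it runs over constructed sshd auth-log lines, flags a source that fails authentication repeatedly within a short window, and raises a second, higher-severity alert when that same source then logs in successfully, since the deck stresses that what happens after a ‘successful login’ is what matters. The threshold, window and syslog line format are assumptions; Telnet honeypot logs would need their own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines; 198.51.100.7 and 192.0.2.10 are RFC 5737
# documentation addresses. One non-auth line is included to show it is skipped.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 gw sshd[2201]: Failed password for root from 198.51.100.7 port 50110 ssh2
Mar  3 10:00:02 gw sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50112 ssh2
Mar  3 10:00:03 gw sshd[2205]: Failed password for invalid user pi from 198.51.100.7 port 50114 ssh2
Mar  3 10:00:04 gw sshd[2207]: Failed password for root from 198.51.100.7 port 50116 ssh2
Mar  3 10:00:05 gw sshd[2209]: Failed password for root from 198.51.100.7 port 50118 ssh2
Mar  3 10:00:06 gw sshd[2211]: Failed password for invalid user support from 198.51.100.7 port 50120 ssh2
Mar  3 10:00:07 gw sshd[2213]: Connection closed by 198.51.100.7 port 50120 [preauth]
Mar  3 10:00:09 gw sshd[2219]: Accepted password for root from 198.51.100.7 port 50130 ssh2
Mar  3 10:05:00 gw sshd[2300]: Accepted publickey for ops from 192.0.2.10 port 40001 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" is optional because
# sshd prefixes it only when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return the event fields for an auth success/failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; relative ordering is all this needs
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source. Fires 'bruteforce' once a
    source reaches `threshold` failures inside `window`, and
    'login_after_bruteforce' if a flagged source then authenticates
    successfully within `window` of being flagged."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in the window
    flagged = {}                 # src -> time the brute-force alert fired
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(q), "ts": ts})
        elif src in flagged and ts - flagged[src] <= window:
            # The login itself is the high-value event: what the bot does next
            # (downloads, outbound C2, mining) is where monitoring should focus.
            alerts.append({"type": "login_after_bruteforce", "src": src,
                           "user": ev["user"], "method": ev["method"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```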
Lessons Learned
• Lack of visibility, no monitoring, not monitoring things that matter*
– All levels
– Threat sharing platforms / OSINT / free feeds (e.g. Shadowserver) can provide context
• Lack of awareness*
– We deal with APT / “Big DDoS Attacks” only
– Attackers build their infrastructure to carry out the “big attacks”
– “It doesn’t affect us” syndrome
– Security specialization
• Lack of resources
– Reactive mode
– No remediation & proactive security (including reviewing security policy)
– Not able to track (CGNAT) and follow up with customers or clients
One of the recent Linux backdoor/trojan campaigns – spread over time
Conclusion
• Snapshot, there’s more!
– Malware spreads via other means
– Different payloads, e.g. Windows systems spreading malware over SMB
• Proactive monitoring & detection
– Policies, procedures, people
• Collaboration – with clear goals
– Capability and capacity
• APNIC Community Honeynet Project
– MISP feeds, analysis, let’s chat
Thank You
Let’s Connect!
o adli@apnic.net
o Adli Wahid
o @adliwahid

CommunicAsia 2021: What is hitting my honeypots?
