This document summarizes several major security events that occurred in 2014, including large DDOS attacks against gaming companies and a Hong Kong voting system, as well as the discovery of vulnerabilities and malware. The Hong Kong DDOS attack reached 300 Gbps using reflection techniques like NTP amplification and involved a coordinated attack from botnets, floods, and other vectors. The document also discusses growing security issues involving the Internet of Things, including vulnerabilities found in routers and devices like IP cameras that can enable remote access, as well as malware targeting point-of-sale systems and the potential use of IoT devices in botnets.

1. Security Events in 2014
and Related Research Issue
C.K.Chen
2015.2.4

2. Outline
• Security
events
in
2014
• DDOS
• Hong
Kong
DDOS
a<ack
• IOT
• Router
• Pos
• Hacking
into
Internet
Connected
Light
Bulbs
• APT
• PLEAD
A<ack
• Regin
Malware
• Sony
Hacked

3. What Happened in 2014
• 2014-­‐1-­‐5
DDOS
against
EA,
Blizzard
• 2014-­‐2-­‐26
Apple
iOS
goto
fails
• 2014-­‐4-­‐9
HeartBleed
for
OpenSSL
• 2014-­‐5
OperaRon
Top
Gear(APT
target
TW
gov)
• 2014-­‐6-­‐20
DDOS
against
Hong
Kong
PopVote
• 2014-­‐08
Synolocker
appear
• 2014-­‐08-­‐11
Xiaomi
Phones
Backdoor
Discovered
• 2014-­‐9-­‐24
Bash
Shellshock
Vulnerability
• 2014-­‐10-­‐17
Sandworm
PPT
vulnerability
used
to
a<ack
TW
gov
• 2014-­‐11
Regin
Malware
Discovered
• 2014-­‐11-­‐11
Garena
Online
Plaorm
Hacked
to
plant
backdoor
• 2014-­‐11-­‐24
Sony
Hacked
By
GOP
• 2014-­‐12-­‐23
KHNP(Korea
Hydro
and
Nuclear
Power)
hacked

4. DDOS

5. DDOS Size
• Scale
of
DDOS
increase
to
400+
Gbps

6. DDOS Events
• 2014-­‐1-­‐5
DDOS
against
EA,
Blizzard
• 2014-­‐6-­‐20
DDOS
against
Hong
Kong
PopVote,
an
online
voRng
system

7. Hong Kong DDOS aAack
• Before
the
voRng,
the
small
DDOS
a<ack
has
occurs
• The
a<ack
flow
is
2nd
place
in
the
history
• About
300
Gbps
• Some
big
internet
companies
cooperate
to
against
this
DDOS
a<ack
• Amazon
• Google
• CloudFlare

8. Hong Kong DDOS aAack
• Amazon’s
AWS
terminate
it’s
cloud
service
to
Honk
Kong
due
to
the
massive
network
flow
• Google
try
to
employ
Project
Shield
to
handle
the
DDOS,
but
finally
fails
• Because
a<ack
flow
already
affect
other
service
of
google
• The
voRng
deadline
extend
from
3
days
to
10
days
• CloudFlare
successful
protect
the
voRng
system
from
DDOS,
the
a<ack
stop
immediate
ager
voRng
result
announce
• But
how?

9. NTP ReflecGon AAack
• NTP
as
a
new
a<ack
vector
of
DDOS
• Similar
to
tradiRonal
DNS
amplificaRon
a<ack
• Start
from
2014

10. AAack Technique
• CEO
of
CloudFlare
said
it
is
a
“Kitchen
Sink
A<ack”
• DNS
AmplificaRon
A<ack
-­‐>
100
Gbps
• NTP
AmplificaRon
A<ack
-­‐>
300
Gbps
• Botnet
• SYN
Flood
-­‐>
hundred
million
connecRons
per
second
• ApplicaRon
layer
a<ack,
HTTP/HTTPS
flood
a<ack
• DNS
Flood
A<ack
-­‐>
2.5
hundred
million
connecRons
per
second
• How
CloudFlare
handle
such
massive
a<ack
flow

11. How CloudFlare defense the DDOS
• Global
Anycast
Network
• Unicast:
One
Machine,
One
IP
• Anycast:
Many
Machines,
One
IP
• Separate
the
a<ack
flow
• Hidden
origin
IP
of
real
service
• Separate
IP
by
protocols
• NTP
requests
cannot
reach
HTTP
server
• Early
filter
the
flow
at
the
edge
of
your
infrastructure

12. Some Interest Topic
• TesRng
if
certain
protocols(applicaRon)
may
surfer
from
DOS
a<ack
• Service
that
allocate
more
resource
in
server
than
in
the
client
• The
service
not
check
the
idenRty/original
of
request
especial
for
UDP
• The
service
response
more
data
than
request
• How
can
we
against
DDOS
• Can
SDN
help?
• Does
DNSSEC
also
suffers
from
DOS
a<ack?
• DNSSEC
response
more
data
than
DNS

13. IOT Security

14. IOT Security
• What
is
IOT?
• Every
devices
not
PC
are
things
• Currently,
a<ack
to
IOT
is
starRng
from
router
• Widely
deploy,
less
protecRon

15. Router Backdoor
• First
router
backdoor
discovered
in
2013
• D-­‐Link
router
can
be
remote
accessed
by
a
magic
string
“xmlset_roodkcableoj28840ybRde”
• edit
by
048820
joel
backdoor.
• TP-­‐Link
IP
camera
have
several
vulnerabiliRes
which
allow
remote
access
• All
of
Netgear,
Linksys
and
Cisco
routers
contain
backdoor

16. PoS RAM Scraper Malware
• POS(point-­‐of-­‐sale,銷售櫃台系統)
• Steal
user’s
credit
card
informaRon
• On
December
19,
2013,
Target
announced
a
data
breach
affecRng
40
million
in-­‐store
whose
credit
and
debit
card
informaRon
was
stolen

17. Botnet in IOT
• Bad
guys
are
launching
denial
of
service
a<acks
from
Windows
and
Linux
boxes
and
in
a
sign
of
desperaRon
even
fridges,
freezers
and
Raspberry
Pi
• 215
gigabits
per
second
and
150
million
packets
per
second

18. Ransomware in IOT
• Ransomware
is
a
type
of
malware
which
restricts
access
to
the
computer
system
that
it
infects
• Demands
a
ransom
paid
to
the
creator
of
the
malware
in
order
for
the
restricRon
to
be
removed.
• Synolock
is
one
of
famous
ransomware

19. Hacking into Internet Connected Light Bulbs
• The
LIFX
light
bulb
is
a
“WiFi
enabled
mulR-­‐color,
energy
efficient
LED
light
bulb”
that
can
be
controlled
from
a
smartphone
• The
bulbs
are
connected
in
the
form
of
mesh
network
• Only
one
bulb
will
connect
to
the
wifi
network.
• This
“master”
bulb
receives
commands
from
the
smart
phone,
and
broadcasts
them
to
all
other
bulbs
over
an
802.15.4
6LoWPAN
wireless
mesh
network.

20. Hacking into Internet Connected Light Bulbs
• How
a<acker
hack
bulbs
• Protocol
Analysis
• Obtaining
the
Firmware
• Reversing
the
Firmware(to
find
key)
• Re-­‐Implement
the
communicaRon
protocols
• As
result,
a<acker
can
control
the
bulbs
within
the
range
of
6LoWPAN
wireless
network

21. First IOT Security Conference
•
Hacked
Successful
• Smart
Phone
• Door
Lock
• Smart
Band
• Smart
Plug

22. Research Issue of IOT
• Explosion
of
Android/Linux
malware
• Security
must
be
consider
when
designing
API/
protocols.
• Backdoor
analysis
and
sogware
vulnerability
will
be
important
topic
for
IOT
• Firmware
analysis
• Different
instrucRon
set(arm/mips)

23. APT AAack

24. PLEAD AAack Target TW Government
• Trend
Micro
discovers
the
a<ack
to
TW
• Named
as
PLEAD
• Use
fishing
email
as
first
step
of
a<ack

25. RTLO obfuscated
• The
malicious
file
is
zipped
with
7z
• RTLO
is
“Right
to
Leg
override”
• xxx.[RTLO]fdp.scr
-­‐>
xxx.rcs.pdf
• Ager
executable
trigger,
an
fake
ppt
file
is
dropped
and
displayed.

26. APT with Social Network
• An
APT
target
Tibet
organizaRon
• Use
twi<er
to
send
malicious
link
to
vicRm
• The
link
contain
an
exploit
to
Adobe
Flash
SWF
• CVE-­‐2013-­‐0634

27. Use Legal Website for C&C
• Use
legal
website
as
C&C
channel
• h=p://blog.sina.com[.]cn/rss/2050950612.xml

28. Other Example Use Social Network
• Decode
the
content
of
blog
to
retrieve
updated
malware

29. Regin Malware
• Designed
by
NSA
and
GCHQ(英國政府通訊總部)
• A<ack
procedure
are
divided
into
several
stage
• To
ensure
every
situaRon
is
suitable
for
a<ack
• Highly
modulaRon
• Clear
previous
stage
trace

30. Invisible Malicious File
• Most
malicious
files
are
not
land
in
disk
• NTFS
Extended
A<ributes
• Hidden
in
Registry(Config
file
in
Windows)
• Store
in
un-­‐parRRoned
part
of
hard
disk
• Customize
File
System(VFSes)
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file
again. If the red x still appears, you may have to delete the image and then insert it again.
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted.
Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.

31. Bypass DetecGon
• Fake
CerRficate
• Include
Benign
Code

32. Sony Hack
• Sony
Pictures
is
hacked
11/24
• The
informaRon
infrastructure
are
crash
• 15232
user
private
informaRon
is
leak(SSN)
• Many
internal
private
data
leak
• The
hackers
called
themselves
the
"Guardians
of
Peace"
or
"GOP”
• Demanded
the
cancellaRon
of
the
planned
release
of
the
film
The
Interview

33. Kill AnGvirus First
• One
of
Backdoor
BKDR64_WIPALL.F
is
used
to
kill
McAfee
• KProcessHacker
to
wipe
out
process
of
AnRvirus
in
memory

34. DestrucGve AcGvity
• overwrite
the
MBR
with
certain
repeated
strings.
Sony
a<ack
used
a
repeaRng
0xAAAAAAAA
pa<ern.

35. KHNP(Korea Hydro and Nuclear
Power) hacked
• KHNP
is
responsible
for
maintain
23
nuclear
power
plants
in
Korea
• The
technique
documents
of
nuclear
power
and
the
staff
personal
informaRon
are
leak
• A<acker
ask
Korea
government
to
close
3
nuclear
power
plants
• The
malicious
e-­‐mails
are
send
to
staff
of
KHNP
• 3000+
users
• 5000+
emails
• The
malware
are
triggered
in
12/10
• Hacker
expose
informaRon
in
facebook,
twi<er

36. Customize 0 day aAack
• Use
the
special
file
format
used
in
Korea(hwp)
• Just
like
.doc
or
.r

37. Use Online Free Service
• To
avoid
being
traced,
free
online
services
are
used

38. DestrucGve AcGvity
• A<acker
wipe
out
all
the
disk
• To
avoid
invesRgaRon
• To
make
data
unavailable
• Rewrite
MBR

39. Research Issue of APT
• Most
APT
may
not
leave
the
malware
in
hard
disk
• Some
backdoor
will
mix
the
code
of
legal
applicaRon
• Similarity-­‐based
detecRon
may
not
efficient
• Current
IDS/IPS
is
not
sufficient
to
address
the
problem
of
social
network
• How
to
trace
the
original
compromise
point

40. Reference
• HITCON
FreeTalk
h<ps://www.youtube.com/watch?v=rPF53u78KsY
h<ps://www.youtube.com/watch?v=IIg0FNsy5P8
• Bot2014
• 大型APT行動Regin揭秘與Sony
Picture被駭研究
• 急速齒輪行動及艾沙西病毒分析

41. Q&A