Nate Warfield, Microsoft
Ben Ridgway, Microsoft
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.
AWS Community Day CPH - Three problems of Terraform
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
1. All Your Cloud Are
Belong to Us
Hunting Compromise in Azure
Nate Warfield & Ben Ridgway – Microsoft
2. Who we are: Nate Warfield
▪ Senior Security Program Manger - MSRC
– Windows: Hyper-V, Kernel, Server, Networking,Crypto,WSL
– Azure: Networking, Compute
▪ Background
– 18 years in Network Engineering
– Hacking the planet since ‘94
▪ Hobbies
– Internet of InsecurableThings
– Radio hacking (SDR, BT/BLE, LoRaWAN, RFID/NFC)
– Physical (in)security
– Snowboarding, skydiving, things that go boom
3. Who we are: Ben Ridgway
▪ Senior Security Program Manger – MSRC
– Azure Security Incident Response
– “Putting out fires in the cloud” since before that statement made sense
▪ Background
– Previously traveling SOC builder/pentester for US Gov
– Hired by Microsoft to work on their very first cloud offerings
▪ Hobbies
– Breaking things
– Hitting things
– Riding over the top of things
4. Agenda
▪ Framing the Problem
– It is easier than ever to shoot yourself in the foot
▪ Scratching the Underbelly
– Wanna Petya?
▪ Hunting for Badness
– It takes a thief…..
▪ An Exercise in Self Preservation
– What is a cloud to do?
▪ Questions
6. A brief history of Network Security
Technology
• 1988 – DEC Packet Filter Firewall
• 1989 – AT&T Bell Labs Stateful Firewall
• 1991 – DEC SEAL Application Layer Firewall
• 1994 – Check Point Firewall
• Today – Hundreds; software FW included in most Operating Systems
Design
• Network segmentation
• Demilitarized Zone (DMZ)
• Access Control Lists (ACL)
7. Network Security Best Practices
• Limit inbound access from the Internet
• Default deny
• ACLs on all network devices
• Authentication. Everywhere.
• Install security updates
• Isolate public-facing servers in DMZ
• Strict isolation between Corporate, Developer &Test networks
• All changes to Firewall/ACL done by security team
• …and many more
8.
9. How Cloud Changes This Model
• EveryVirtual Machine is exposed to the Internet
• At a minimum, SSH or RDP exposed by default
• Required for administration
• Anyone with subscription access can deploy systems
• Anyone with subscription access can expose BadThings™
• Patch management decentralized
• VM’s deploy with predefined firewall configuration
• One insecureVM image == thousands of insecure deployments
• This is not unique to Azure;AWS & others see similar problems
11. Scratching the Underbelly
When the past is always with you, it may as well be present; and if it is present, it will be
future as well.
―WilliamGibson, Neuromancer
12. NoSQL - Exposure & Impact
• NoSQL solutions were not designed to be Internet-facing
• “..it is not a good idea to expose the Redis instance directly to the internet”
• “Allow only trusted clients to access the network interfaces and ports on which
MongoDB instances are available.”
• “Elasticsearch installations are not designed to be publicly accessible over the
Internet.”
• Naturally, people exposed them to the Internet
• August 2016 – Redis
• January 2017 - Present: MongoDB, CouchDB, Hadoop, Elastic, etc.
• Databases replaced with ransom note
• Hundreds of thousands of systems compromised globally
• Azure – 2500+VM’s affected
13. Finding NoSQL Compromise in Azure
• Large attack surface – 1.6million IP addresses
• Each NoSQL solution runs on a different port
• Open port != compromise
• Need to see DB names to determine whether compromised
• Fortunately Shodan.io already indexes this data!
• The Google of port scans
• Can search by organization
• DB names are collected & searchable
• Results downloadable in JSON format for post-processing
14. Why Shodan?
• Fast
• Most things we care about are already indexed
• Extremely accurate
• Accurate to within 0.14% of in-house scanning solution
• More than just a port scan
• Full DB details, SMB versions, Authentication, etc.
• Machine readable output
• Data easily parsed by scripts
16. The Untold Backstory of MS17-010
▪ January 2017, AWindows engineer discovers a potential RCE in
SMBv1
▪ March 14 2017: MS17-010 released to the public
▪ April 14 2017: Shadowbrokers release of “somebody’s” favorite toys
– Eternal Blue, Double Pulsar
▪ Noon: MSRC andWindows commence reverse engineering
▪ 10PM: conclusion that security updates fix all Microsoft issues
▪ 11PM: Blog released
17.
18. Mission Accomplished? Not Quite
▪ May 10 2017: Azure CSS notes influx of cases sighting random
reboots
▪ May 12 2017: Sensors start detecting new malware outbreak. Media
starts covering WannaCry
▪ 64 days since the release of MS17-010
19. (Most) Enterprise Patch Management
Strategy
▪ “I can’t install the patch because it causes downtime”
▪ “The SOC will detect any attacks and mitigate them before they
become a problem”
▪ “My Cloud Service Provider takes care of it for me”
▪ “I don’t need the patch because my system isn’t exposed”
20. Fallacy: “My Cloud Service Provider
takes care of patching for me”
▪ Requires understanding of
shared responsibility
▪ We will (if you let us)
Requires
– SaaS
– PaaS (if you let us)
▪ IaaS is completely your
responsibility
▪ People don’t patch
because….
21. Fallacy: “I don’t need the patch because
my system isn’t exposed”
▪ Well intentioned, yet doomed attempt to
use threat models to drive patching
▪ Why doomed?
– Threat models change
– Systems are complicated
– ACLs are never implemented right
▪ Discovery:
– Excellent patch hygiene for production
systems
– Terrible hygiene for “science experiments”
▪ Of course nobody ever connects the two…
All it takes is a trail of breadcrumbs
22. Hunting for Badness
TheShadowBrokers has is having little of each as our auction was an apparent failure. Be
considering this our form of protest.
--ShadowBrokers, April 8th 2017
23. Exposure & Impact
• [REDACTED] weaponized an SMBv1 exploit (EternalBlue)
• [REDACTED] added it to their Metasploit clone
• [REDACTED] lost control of this tool
• Dontcha hate it when that happens?
• Microsoft patched in March 2017 (MS17-010)
• But nobody in their right mind would expose SMB to the Internet..
• #holdmybeer
• #yolo
• #facepalm
24. Finding DoublePulsar in Azure
• “Only” 14k hosts exposingTC P/445
• DoublePulsar implant does not visibly alter the system
• It did however allow operators to test for it’s existence
• Send “trans2 SESSION_SETUP” request to target
• All systems will reply with “Not Implemented”
• Infected systems will add Multiplex ID 81 (0x51)
• Manually scanned all IP’s exposingTCP/445
• Shodan added MS17-010 detection in May 2017
• Low rate of infection (<50)
25. WannaCry: Exposure & Impact
• Attack started May 12 2017
• Targeted systems missing MS17-010 patches
• 230k+ systems / 150 countries affected
• Initial infection via Internet-exposed SMB port*
• Lateral movement via EternalBlue
• Kill-switch domain stopped propagation (thanks @MalwareTech!)
• Comparatively low-tech
• Weapons test?
• Profit?
• Both?
*https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/
26.
27. NotPetya: Exposure & Impact
• Attack started June 27 2017
• Initial infection via backdoored MEDocs software
• Specifically targeted Ukraine
• Lateral movement via psexec,WMIC, mimikatz and MS17-010
• Infection rate of ~500 systems/minute
• Wiper, not ransomware
• $300M damage to Maersk alone
• Comparatively high-tech
• Blast radius increased due toVPN links to Ukraine
• I’m not saying it was a nation state attack….
30. Network Security Group
• Network Security Group == Default firewall config
• Of 2100+ images in Azure Marketplace, 1151 contained NSG
• 890 (77%) of these opened 2 or more ports by default
• 308 (27%) opened 4 or more ports
• 31 images deploy with 10+ ports open
• Worst offender: 83 ports open by default
• Users can modify prior to deployment (assuming they look)
32. Default Passwords
• VM Descriptions occasionally contain a default password
• Users are advised to change PW after installation
• At least it’s a strong* PW!: P@sswOrd123
• *actual PW changed to protect the innocent
• Users always follow instructions
• Fortunately “only” for services like MySQL, SQL, etc.
• Unknown how many were left unchanged
• Do databases really need to be Internet facing?
34. How do we save people who can’t save
themselves?
▪ ‘MemberWannacry?
– 14,480 Exposed CustomerVMs
– 661 Belonged to me
▪ ‘Member NotPetya?
– 16,750 Exposed CustomerVMs
– 16 Belonged to me
▪ Didn’t they get the memo?
35. What do we do about this?
▪ Customer notifications: Where do you draw the line?
– Any issue Microsoft causes
– Any issue which causes harm to the platform (enables ddos)
– Any issue which is subject to rampant exploitation (MS17-010, Elastic, Mongo….)
– Any real issue which is causing a media firestorm (Heartbleed)
▪ Giving customers tools
– Azure Security Center FREE tier provides security recommendations
– Platform as a Service (PaaS) manages updates for you
– Availability zones prevent downtime
– SSH requires client certificates by default
– Default DenyACLs
36. Attribution
• Quick, point fingers!
• Hackers!
• We did it for the lulzCoin, GTFO
• Customer!
• Our security team is responsible
• Customer’s security team!
• Our cloud provider is responsible
• Cloud Provider!
• Don’t deploy insecure configurations/VM’s
• CloudVM image provider!
• InsecureVM’s don’t compromise systems, evil hackers
compromise systems
• Bad PR == Brand damage == Loss of [trust|customers|revenue]
Nate
-
Been hacking things since modems were a thing
-
Ben
Ben
Nate
Nate
Firewalls aren’t new technology
In addition to filtering packets, numerous design concepts aided in securing networks (historically)
Nate -> Ben for next slide
Ben
https://www.theregister.co.uk/2015/04/13/aws_security_sleepless_nights/
Ben -> Nate for next slide
Most of these failures aren’t “cool” 0-days
Most of these are – at cloud scale – PERMISSIONS PROBLEMS
These are old problems!
These problems are not unique to Azure; this is simply the cloud I’m paid to keep secure
Chris Vickery has done fantastic research into the S3 bucket problems with Amazon
No voiceover
Nate
By their own admission, NoSQL databases aren’t designed to be internet-facing
Most of the DB’s “ransomed” weren’t backed up; no point in paying ransom since data was deleted
MongoDB attack even noticed locally (local restaurant menu board for example)
This is still occurring over a year after the first attacks were seen
This campaign was comparatively easy to hunt
Look for DB’s with names in all caps, obscenities or names like “please_read”
After first two it was obvious attackers were reusing the technique against all NoSQL solutions
Wikipedia -> find all NoSQL solutions
Run shodan queries against Microsoft IP space + [NoSQL flavor] -> Profit
Nate -> Ben for next slide
In case anyone was wondering why I use Shodan for my work
Like it or not, attackers also use Shodan for scoping targets
Internet facing is all I care about / can see which is exactly where Shodan excels
Ben
Ben
Image Credit https://blogs.technet.microsoft.com/daven/2014/08/05/pizza-as-a-service/
To be clear, I have never seen this attack vector nor do I have any knowledge that it’s happened before
That said, it’s not outside the realm of possibility
Nate
-
Significantly harder to find than ransomwared DBs
Dump list of IP’s on TCP/445, run python code against each IP manually
Only determined whether the DP implant was present, didn’t indicate whether system patched for MS17-010
2 months after Microsoft shipped MS17-010
1 month after ShadowBrokers released the Equation Group files
Motivation was likely profit
Unlike WannaCry this was a targeted attack
Only reason it escaped Ukraine was through VPN links
Fairly elegant weapon; multiple lateral movement methods == high quality code
Motivation was most likely nation-state
Game is shifting from ransomware to mining
If done well, mining is hard to detect since nothing is “broken” – only CPU time is being stolen
Nate
These insecure configurations will be inherited by EVERY user who deploys with defaults
Call to action: Use least-privileges / open ports when submitting to Marketplace
Marketplace vendor responses vary from “we know, it’s by design” to “we fixed it, thanks for the heads up”
Project I started back in March 2017
I pull top 200 exposed ports from Shodan every day, dump into MySQL DB
I do this for Azure, AWS, Google & others
USA, India, Russia, UK, China
Globally NTP ranks 9th (9.8million). 1.5mil more than DNS. Weird huh?
Number of VM’s with unchanged defaults unknown (I’m not allowed to brute-force customers)
Call to action: Stop advertising default PW, set something random during boot (like Bitnami does)