Transcript
Page 1: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

SESSION ID:SESSION ID:

#RSAC

Josh Shaul

The Internet of Attacking Things

SPO3-T10

Vice President Akamai Technologies

Or KatzPrincipal Security ResearcherAkamai Technologies@or_katz

Page 2: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

The Year of Attacking Things

2016 2017OctSep Nov

Page 3: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

“Things”

Page 4: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

“Attacking Things” From Defensive Point of View

Unlimited attacking resources Good vs. Bad Fixing is complicated

Challange

Page 5: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Spotlight on Some of Those Challenges

How IoT devices are being exploited without being pwned

How compromised IoT devices empowers credentials abuse attacks (and why)

And finally, thoughts about how to fight it

Page 6: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Grow revenue opportunities with fast, personalized

web experiences and manage complexity from peak

demand, mobile devices and data collection.

Data

TRILLIONInternet transactions each day3

When The Data Tell You A Story…

Page 7: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Grow revenue opportunities with fast, personalized

web experiences and manage complexity from peak

demand, mobile devices and data collection.

Data

THOUSANDservers around the world220

When The Data Tell You A Story…

Page 8: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Grow revenue opportunities with fast, personalized

web experiences and manage complexity from peak

demand, mobile devices and data collection.

Data

WAF rule triggers every hour

80 million

When The Data Tell You A Story…

Page 9: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Grow revenue opportunities with fast, personalized

web experiences and manage complexity from peak

demand, mobile devices and data collection.

Data

600,000 log lines a second

When The Data Tell You A Story…

Page 10: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Grow revenue opportunities with fast, personalized

web experiences and manage complexity from peak

demand, mobile devices and data collection.

Data

new attack data daily

20 TB

When The Data Tell You A Story…

Page 11: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

According to Akamai’s Threat Research Team

30% of the total login transactions are credential abuse attacks

Page 12: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

The Credential Abuse Numbers

Malicious activity (Avg. per day):400K IP addresses

167 attack campaigns

Campaign: Average of 5K IPs and 100K email accounts

Largest Campaign: 200K IPs and 25M email accounts

IP is targeting the average Web site with 20 login attempts in 24 hours

Page 13: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

The Credential Abuse Numbers

Data intelligence:Out of 400K IPs per day, ~25% of IPs as “single use” (no repeat activity)

Over 1 month, ~70% of the IPs only attacked 1 day

API login vs. Web login – API is targeted 3.7 times more than Web

Page 14: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

The Story Behind the Numbers

Many attack campaigns?

Most attacking resources are sending few logins?

Many attacking resources?

API login interfaces are much more targeted?

How come so many attacking resources and why high % of “single use”? ?

Page 15: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSACMany Credential Abuse Source IPs Expose a Web Interface

CCTVs

Routers

Servers

Satellite Antennas(?!)

ADSL/Cable Modems

Hotspots

Page 16: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Page 17: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Page 18: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Search for ESTABLISHED TCP Connections

Seems like the SSH daemon is responsible for many active HTTP/HTTPS connections – some of which are to Akamai Edge Servers

Page 19: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Default “admin” User Cannot SSH Into the Machine

~# ssh [email protected]

This account is currently not available

root:x:0:0:root:/root:/bin/bashnobody:x:99:99:Unprivileged User:/dev/null:/bin/falsesshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/falseftp:x:45:45:anonymous_user:/home/ftp:/bin/falsemessagebus:x:18:18:D-BUS Message Daemon User:/dev/null:/bin/falseadmin:x:600:600::/var:/sbin/nologinlocaldisplay:x:700:700::/tmp:/sbin/nologin

/etc/passwd format:<username>:<encrypted password>:<uid>:<gid>:<Full Name>:<Home Dir>:<Shell>

Page 20: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

What Do We Know So Far?

No active shell sessions seen – not under ”root” or “admin” users

The “admin” user (which has the default admin:admin credentials) has /sbin/nologin configured – so an attacker can’t SSH into the machine and run commands

Was SSHD tampered with and contains a backdoor? We checked - No...

Page 21: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

SSH as SOCKS Proxy When the User has no SHELL access permissions

<AllowTcpForwarding yes> (default)

SSH(1) FreeBSD General Commands Manual SSH(1)

NAME ssh -- OpenSSH SSH client (remote login program)

-D [bind_address:]portSpecifies a local ''dynamic'' application-level port forwarding.This works by allocating a socket to listen to port on the localside, optionally bound to the specified bind_address. Whenever aconnection is made to this port, the connection is forwarded overthe secure channel, and the application protocol is then used todetermine where to connect to from the remote machine. Currentlythe SOCKS4 and SOCKS5 protocols are supported, and ssh will actas a SOCKS server. Only root can forward privileged ports.Dynamic port forwardings can also be specified in the configura-tion file.

-N Do not execute a remote command. This is useful for just forwarding ports.

Page 22: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Demo

Attacker

Vulnerable IoTDevice Target Web Server

SSH TUNNEL

/> ssh –D 8080 –N [email protected] (requires “default” account credentials)

/> curl --proxy socks5h://localhost:8080 http://target.site/

Malicious HTTP

SOCKS PROXY

Page 23: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

And For My Next Trick...

SSH TUNNEL 1

SSH TUNNEL 2

SSH TUNNEL n

....

AttackerVulnerable IoT

Device

Target Web Server

Page 24: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Some of The Vulnerable Devices

Satellite Antennas

WiMax Routers

Ruckus HotSpot/Switch

Synology NAS Disk Station

Page 25: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

And the Cherry on the Cake....Breaching Internal Networks

Page 26: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSACAttackers Can Use the SSH Tunnel to Access Machines on the Internal Network

IP of an internal machine Scanning the Internal Network

Page 27: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

SSHownDowN

Page 28: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

The Challenges That Are Ahead of Us

Abuse IoT devices to execute more behavioral attacks (that are harder to be detected)

More and more compromised devices will join the “game”

The scale of volumetric attacks is going to be increased

As more and more devices will get connected IPv6 adoption rate will increase, amplifying IPv6 issues

Page 29: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

How To Fight It?

IoT Vendors should make sure they build devices that are:Safe

Secured

patchable

Anti Automation - differentiate Bots from humans

Threat Intelligence – with emphasis on infected IoT devices

Use crowd sourcing techniques to fight elusive attackers

Be prepared to fight off the new generation of volumetric attacks (>600Gbps)

Page 30: The Internet of Attacking Things ID: #RSAC Josh Shaul The Internet of Attacking Things SPO3-T10 Vice President Akamai Technologies Or Katz Principal …

#RSAC

Q&A


Top Related