the reason people use the internet to data · install-a-bot multi-purpose bot fraud trojan ics...


Post on 24-Mar-2020


Page 1: The reason people use the Internet to DATA · Install-a-bot Multi-purpose Bot Fraud trojan ICS protocol monitoring Tor Node ... admin admin bot bot teamspeak3 teamspeak3 weblogic

Page 2:

APPLICATIONS ARE
• the business
• the reason people use the Internet
• the gateway to DATA
• the target

Page 3:

• 765: average # of apps in use per enterprise
• 6 min before it's scanned
• If vulnerable, you could be PWND in <2 hrs
• 1/3 mission critical

Page 4:

Figure: attack types by tier. Tiers: TLS, Access, Client, App services, DNS, Network.
Attack types shown: Man-in-the-browser, Session hijacking, Malware, Cross-site request forgery, Abuse of functionality, Man-in-the-middle, DDoS, API attacks, Injection, Cross-site scripting, Certificate spoofing, Protocol abuse, Key disclosure, DNS hijacking, DNS spoofing, DNS cache poisoning, Eavesdropping, Credential theft, Credential stuffing, Brute force, Phishing, Dictionary attacks.

Page 5:

Figure (timeline: 2005, 2017, 2018). The majority of breaches start with an application or identity attack. Identity attacks surpassed application attacks to be the leading cause of breaches in 2018. (~ongoing analysis pending publication)

Page 6:

Page 7:

Figure. Values shown: 58%, 56%, 6%, 4%, 3%, 2%, 2%, 1%, 1%. Labels shown: PHP, SQL, Exchweb, Comments, Cart, Betablock, Admin, Affiliates, Login. Callout: Injection → PHP & SQL.

Page 8:

Vulnerability handling cycle: Vuln released → Applicable? → Test → Apply & Retest. Continuous improvement. Firewall what you can’t fix.

Figure: Average Days Between Vulnerability Releases, 2014 2015 2016 2017 2018, two series (Critical, High). Values shown: 1.7, 0.8, 0.5, 0.4, 0.5; 1.4, 0.9, 0.6, 0.2, 0.3. Callout: 9-12 hours.

Page 9:

Attack
1. Mobile Apps
2. Direct APIs

Basic Security Fails
1. Authentication
2. Injection
3. Permissions

Timeline, 2011–2019:
• Sep 2011 – Westfield: “find my car app”
• Mar 2015 – Tinder: API to Facebook cred spoof
• Feb 2017 – WordPress: REST API Vuln
• Aug 2017 – Instagram: API vuln allowed access to user contact info
• Nov 2017 – Nov 2018: US Postal Service: API auth vuln
• Jan 2018 – Tinder: HTTPS API data leakage vuln
• Mar 2018 – Google: API attack impacted 438 apps and 500k records
• Mar 2018 – Binance: Phished target accounts → created fake API trading accounts → fraud transactions
• Apr 2018 – RSA Conference App: Data leaked through API
• July 2018 – Venmo: Public API → 200 million payment transactions
• Aug 2018 – T-Mobile: 2 Mill customer records exposed through API
• Aug 2018 – SalesForce: API vuln exposes contact data and prospects
• Sep 2018 – Apple MDM: API brute-forced, registering rogue devices
• Sep 2018 – British Airways: Magecart API attack 380k records
• Sep 2018 – Facebook: Dev API leaked 50 mill accts
• Oct 2018 – Girl Scouts: API breach - 2800 members
• Oct 2018 – Quoine: crypto-exchange breach via API
• Oct 2018 – GitHub: “Events” API leaked projects and logs

Page 10:

Figure: Access Attacks (breakdown, labels not shown). Values: 3%, 5%, 12%, 17%, 13%, 53%.

Page 11:

Figure: monthly distribution, Jan–Dec. Peaks Oct → Jan.

Page 12:

Social Media
• Interests / interest groups
• Friends, family and relationship information
• Style of speaking
• Writing style
• Work history
• Education
• Comments on links
• Important life event dates
• Places visited
• Favorite sites, movies, TV shows, books, quotes
• Photographs
• Hacked “Private” account data

People Search Engines
• Facebook information
• Email address (which leads to possible usernames)
• Education, income / salary range
• Phone numbers
• Age / age range
• Race
• Home address
• Middle name, maiden name, spouse and family names

Company Research
• Who works there
• Tech infrastructure
• Types of endpoints (PC/Mac/OS)
• SEC filings
• Lawsuit filings
• Aggregator search tools for corporations
• Individuals & department names
• Business partners & affiliates
• IP space
• WHOIS info
• Email addresses and format

Misconfigurations
• Server names
• Private network addresses
• Email addresses
• Usernames
• DNS servers
• Self-signed certs
• Email headers
• Web servers
• Web cookies
• Web applications

Page 13:

APTs and/or Nation-states That Begin Attacks With Phishing

Page 14:

3X: Phishing emails are 3 times more likely to have a malicious link than a malicious attachment.

Examples shown (malicious link):
• Email sent from North Korean APT in Sony compromise.
• Email sent from North Korean APT related to Bangladesh Bank heist.

Page 15:

Encryption is an Attacker Disguise

93% of phishing domains use HTTPS to appear more legitimate

Page 16:

Majority of Malware Hides in Encryption

• 70% of all Internet traffic is encrypted
• 68% of malware phones home over port 443

Page 17:

• Clients are phished → malware installed
• Banking Trojans → Fraud Trojans
• Fraud targets = any site with a login page

Page 18:

Page 19:

Figure: Affected Devices, thingbot timeline 2008–2018.
Bots shown (grouped as on the slide): 7 Bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter; 1 Bot: Brickerbot; 2 Bots: WireX, Reaper; 3 Bots: Mirai, BigBrother, Rediation; 1 Bot: Remaiten; 1 Bot: Moon; 1 Bot: Aidra; 1 Bot: Hydra; 3 Bots: Satori Fam, Amnesia, Persirai; 6 Bots: Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor; 1 Bot: Crash Override; 1 Bot: Gafgyt Family; 2 Bots: Darlloz, Marcher; 1 Bot: Psyb0t; 4 Bots: Hajime, Trickbot, IRC Telnet, Annie.
Device types shown: CCTV/DVRs, WAPs, Set-Top Boxes, Media Center, Android, Wireless Chipsets, NVR Surveillance, Busybox Platforms, Smart TVs, VoIP Devices, Cable Modems, ICS, SOHO routers, iOS, IP Cameras.
Callout: 74% discovered in last 2 years.

Page 20:

RFC2324: Hyper Text Coffee Pot Control Protocol

Logged HTTP requests (user-agent “Keurig K575 Coffee Maker”):

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-19T20:31:04.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 56946, "destination_port" : 80, }

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-23T12:16:41.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 49180, "destination_port" : 80, }

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:04:52.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:14:46.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }

{ "_id" : {"protocol" : "http", "timestamp" : { "$date" : "2018-07-28T06:29:53.000-0700" }, "source_ip" : "185.112.249.28", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 50225, "destination_port" : 80, }

Various dynamic / private source ports (49152 - 65535)
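The records above are the kind of thing a defender wants to triage in bulk: the same appliance-style User-Agent, the same /24, repeated requests for "/", source ports scattered across the dynamic range. As an added example (not code from the deck or from F5), the following Python reads newline-delimited records in the shape shown above, repairs the two copy-paste defects visible on the slide (a trailing comma before a closing brace and a missing outer brace), and summarises requests per User-Agent: hit count, source addresses and /24 networks, paths requested, and which source ports fall outside the 49152–65535 dynamic range the slide names. The sample records, the TEST-NET addresses in them and all function names are constructed for this example; the "browser-like" heuristic (User-Agent starting with `Mozilla/`) is an assumption, not a rule from the deck.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample (not the slide's data): five requests carrying an
# appliance-style User-Agent from two neighbouring TEST-NET addresses, plus
# one ordinary browser request for contrast.
SAMPLE_RECORDS = """\
{"_id": {"protocol": "http", "timestamp": {"$date": "2018-07-19T20:31:04.000-0700"}, "source_ip": "203.0.113.24", "session_http": {"request": {"body": "", "header": [["accept", "*/*"], ["user-agent", "Keurig K575 Coffee Maker"]], "verb": "GET", "path": "/"}}, "source_port": 56946, "destination_port": 80}}
{"_id": {"protocol": "http", "timestamp": {"$date": "2018-07-23T12:16:41.000-0700"}, "source_ip": "203.0.113.24", "session_http": {"request": {"body": "", "header": [["accept", "*/*"], ["user-agent", "Keurig K575 Coffee Maker"]], "verb": "GET", "path": "/"}}, "source_port": 49180, "destination_port": 80}}
{"_id": {"protocol": "http", "timestamp": {"$date": "2018-07-25T10:04:52.000-0700"}, "source_ip": "203.0.113.24", "session_http": {"request": {"body": "", "header": [["accept", "*/*"], ["user-agent", "Keurig K575 Coffee Maker"]], "verb": "GET", "path": "/"}}, "source_port": 40755, "destination_port": 80}}
{"_id": {"protocol": "http", "timestamp": {"$date": "2018-07-25T10:14:46.000-0700"}, "source_ip": "203.0.113.24", "session_http": {"request": {"body": "", "header": [["accept", "*/*"], ["user-agent", "Keurig K575 Coffee Maker"]], "verb": "GET", "path": "/"}}, "source_port": 40755, "destination_port": 80}}
{"_id": {"protocol": "http", "timestamp": {"$date": "2018-07-28T06:29:53.000-0700"}, "source_ip": "203.0.113.28", "session_http": {"request": {"body": "", "header": [["accept", "*/*"], ["user-agent", "Keurig K575 Coffee Maker"]], "verb": "GET", "path": "/"}}, "source_port": 50225, "destination_port": 80}}
{"_id": {"protocol": "http", "timestamp": {"$date": "2018-07-28T07:00:00.000-0700"}, "source_ip": "198.51.100.7", "session_http": {"request": {"body": "", "header": [["accept", "text/html"], ["user-agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0"]], "verb": "GET", "path": "/index.html"}}, "source_port": 51234, "destination_port": 80}}
"""

EPHEMERAL_PORTS = range(49152, 65536)  # IANA dynamic/private port range


def normalise_line(line: str) -> str:
    """Repair the two defects seen in copy-pasted exports: a trailing comma
    before '}' and a missing closing brace. Brace balancing is a heuristic
    (it ignores braces inside strings), adequate for one-line export records."""
    line = re.sub(r",\s*}", "}", line.strip())
    line += "}" * max(0, line.count("{") - line.count("}"))
    return line


def parse_records(text: str) -> list:
    """Parse newline-delimited records, skipping blank lines."""
    return [json.loads(normalise_line(ln)) for ln in text.splitlines() if ln.strip()]


def flatten(record: dict) -> dict:
    """Pull the fields an analyst cares about out of the nested _id document."""
    doc = record["_id"]
    req = doc["session_http"]["request"]
    headers = {k.lower(): v for k, v in req.get("header", [])}
    return {
        "timestamp": doc["timestamp"]["$date"],
        "source_ip": doc["source_ip"],
        "source_port": doc["source_port"],
        "destination_port": doc["destination_port"],
        "verb": req["verb"],
        "path": req["path"],
        "user_agent": headers.get("user-agent", ""),
    }


def summarise_by_user_agent(records: list) -> dict:
    """Group flattened hits by User-Agent and summarise sources, nets, paths
    and any source ports outside the dynamic range."""
    groups = defaultdict(list)
    for hit in map(flatten, records):
        groups[hit["user_agent"]].append(hit)
    summary = {}
    for ua, hits in groups.items():
        nets = {str(ipaddress.ip_network(f"{h['source_ip']}/24", strict=False)) for h in hits}
        summary[ua] = {
            "hits": len(hits),
            "source_ips": sorted({h["source_ip"] for h in hits}),
            "source_nets": sorted(nets),
            "paths": sorted({h["path"] for h in hits}),
            "non_ephemeral_ports": sorted(
                {h["source_port"] for h in hits if h["source_port"] not in EPHEMERAL_PORTS}
            ),
        }
    return summary


def looks_like_browser(ua: str) -> bool:
    # Assumption for this example: real browsers send a Mozilla/ prefixed UA.
    return ua.startswith("Mozilla/")


def suspicious_user_agents(summary: dict, min_hits: int = 3) -> list:
    """Flag non-browser User-Agents that recur at least min_hits times."""
    return sorted(
        ua for ua, s in summary.items() if not looks_like_browser(ua) and s["hits"] >= min_hits
    )


if __name__ == "__main__":
    report = summarise_by_user_agent(parse_records(SAMPLE_RECORDS))
    for ua in suspicious_user_agents(report):
        print(ua, report[ua])
```

Because `normalise_line` tolerates the slide's own truncated form, the five records printed on the slide parse without hand-editing; on real sensor output the same summary answers the question the slide raises (one operator behind a fixed User-Agent, or many unrelated sources) before anyone decides on a block or a tuning change.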

Page 21:

Figure: Thingbot Attack Type, timeline 2008–2018 over the same bots as the Affected Devices figure (Page 19): SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter, Brickerbot, WireX, Reaper, Mirai, BigBrother, Rediation, Remaiten, Moon, Aidra, Hydra, Satori Fam, Amnesia, Persirai, Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor, Crash Override, Gafgyt Family, Darlloz, Marcher, Psyb0t, Hajime, Trickbot, IRC Telnet, Annie.
Attack types shown: DNS Hijack, DDoS, PDoS, Proxy Servers, Unknown…, Rent-a-bot, Install-a-bot, Multi-purpose Bot, Fraud trojan, ICS protocol monitoring, Tor Node, Sniffer, Credential Collector, Crypto-miner.
Callout: Shifting from primarily DDoS to multi-purpose.

Page 22:

Figure: 2017 DDoS Attacks by Industry (values and legend entries in the order shown):
• Hosting / Colo 31%
• Financial Service 17%
• Tech Company 12%
• Telecom / ISP 11%
• Online Gaming 11%
• Domain Registrar 9%
• Business Services 3%
• Government 2%
• Education 1%
• Entertainment 1%
• Retail 1%
• Automotive 1%
• Engineering 0%

Figure: 2018 DDoS Attacks by Industry (values and legend entries in the order shown):
• Online Gaming 31%
• Financial Service 23%
• Hosting / Colo 22%
• Domain Registrar 7%
• Tech Company 5%
• Telecom / ISP 4%
• Education 3%
• Entertainment 2%
• Business Services 2%
• Retail 1%
• Aerospace 0%
• Government 0%

Page 23:

© 2018 F5 Networks

Application targeted DDoS attacks are a large portion of the attack types that get escalated to our SIRT for assistance.

Figure: 2017 vs 2018, SOC-Mitigated vs SIRT-Mitigated. Values shown: 2%; 5%, 3%, 2%, 2%, 2%.

Page 24: The reason people use the Internet to DATA · Install-a-bot Multi-purpose Bot Fraud trojan ICS protocol monitoring Tor Node ... admin admin bot bot teamspeak3 teamspeak3 weblogic

• Investigating airport incident in Europe +

BASHLITE on a DVR digital signage

solution (same timeframe as Dyn DNS

DDoS attack).

• Service and host managed by 3rd party

• 39 active threat actors

• Numerous log entries show incoming

attacks

• Mirai, shellshock, brute force

• Sierra Wireless device

Oct 2016: Cellular Gateway Discovered

Note: System owner sent drives to us for forensic

analysis and authorized scanning of their network.

Page 25:

Sierra Wireless Mirai Warnings (Source: Sierrawireless.com)

Page 26:

“Exploiting” the Vulnerability
• WAN IP: 166.139.19.193
• PUBLIC GPS COORDINATES: 40° 49’ 51.5” N, 47° 26’ 03.5” W
• DEFAULT PASSWORD: *****
• NO DEPENDENCY on any vulnerability within the hardware or software. Bruteforce attack(s) are unnecessary.

Page 27:

GPS Data Logging (TAIP) · TRACCAR – Open Source Fleet Software · Fleet / Vehicle Tracking

Page 28:

SierraWireless.com Case Studies
• St John Ambulance, Western Australia
• California Highway Patrol, California
• Ventura County Fire Department, California
• South Bay Regional Public Communications Authority (SBRPCA), California
• West Metro Fire Protection District, Colorado
• Westminster Police Department, Colorado
• Danish National Police, Denmark
• Acadian Ambulance Service, Louisiana & Texas
• East Baton Rouge Parish Emergency Medical Services (EMS), Louisiana
• Mississippi Highway Safety Patrol
• Gem Ambulance, New Jersey
• City of Charlotte, North Carolina
• Dickinson Police Department (DPD), Texas
• Fairfax's Urban Search and Rescue Team, Virginia
• South Wales Police, Wales
• City of Yakima, Washington
• Seattle Fire Department, Washington

Page 29:

DISCLOSED 10/16/2018
• Sierra Wireless LS300 – Weak Authentication
• Sierra Wireless GX450 – Weak Authentication
• Sierra Wireless ES440 – Weak Authentication
• Moxa OnCell G3xxx – No Authentication
• Digi TransPort WR44 – Weak Authentication
• CradlePoint – Hard coded tech support back door

Page 30:

Page 31:

Avoiding a breach is cheaper than dealing with one.

Figure: Cost of Breach in Millions of $*. Values shown: $6.56, $7.18, $8.53, $9.07. Categories shown: Leakage of Confidential or Sensitive Information; Tampering / Unauthorized Modifications to Apps; Hack Resulting in Failure to Access Data and/or Apps; Leakage of PII About Customers, Consumers or Employees.

*may be underestimated / not include litigation and class action lawsuit fines

Page 32:

1 Understand Your Environment
• CISO’S #1 MISSION: Prevent Downtime
• EVERYONE’S #1 CHALLENGE: Visibility

Page 33:

2 Reduce Your Attack Surface
• Sub domains hosting other versions of the main application site
• Dynamic web page generators
• HTTP headers and cookies
• Admin interfaces
• Apps/files linked to the app
• Web service methods
• Helper apps on client (java, flash)
• Server-side features such as search
• Web pages and directories
• Shells, Perl/PHP
• Data entry forms
• Administrative and monitoring stubs and tools
• Events of the application—triggered server-side code
• Backend connections through the server (injection)
• APIs
• Cookies/state tracking mechanisms
• Data/active content pools—the data that populates and drives pages

Page 34:

CRITICAL VULNERABILITIES
• Every 9 hrs a critical vulnerability is released
• Attackers are weaponizing in <24 hrs
• ATTACKED!

configuration · WAF
• Does it apply to you?
• Has a patch been released?
• Did you test it?
• Did you apply it?

Page 35:

Continuous security scanning: Team review → Remediate → Retest. Continuous improvement. Firewall what you can’t fix.

Page 36:

Top 100 Admin Creds Used in SSH Brute Force Attacks

Username Password | Username Password | Username Password | Username Password
root root | ts ts | manager manager123 | plcmspip plcmspip
admin admin | bot bot | teamspeak3 teamspeak3 | weblogic weblogic
user user | deploy deploy | nobody nobody | redhat redhat123456
test test | monitor monitor | csgoserver csgoserver | developer developer
ubuntu ubuntu | administrator administrator | test2 test2 | public public
ubnt ubnt | bin bin | demo demo | student student
support support | default nopass | 0 | webmaster webmaster
oracle oracle | adm adm | a a | osmc osmc
pi raspberry | vagrant vagrant | minecraft minecraft | c c
guest guest | anonymous any@ | alex q1w2e3r4t5 | server server
postgres postgres | uucp uucp | postfix postfix | supervisor supervisor
ftpuser asteriskftp | www www | glassfish glassfish | 22 backup
usuario usuario | jenkins jenkins | jboss jboss | hdfs hdfs
nagios nagios | apache apache | master master | linux linux
1234 1234 | sshd sshd | ghost ghost | postmaster postmaster
ftp ftp | PlcmSpIp PlcmSpIp | vnc vnc | csserver csserver
operator operator | cisco cisco | info info | prueba prueba
git git | sinusbot sinusbot | 111111 856149100 | matt matt
hadoop hadoop | user1 user1 | debian debian | vyatta vyatta
ts3 ts3 | backup backup | centos centos | hduser hduser
teamspeak teamspeak | Management TestingR2 | testuser testuser | nexus nexus
mysql mysql | steam steam | system sytem | ethos live
tomcat tomcat | mother fucker | www-data www-data | Admin Admin
service service | dev dev | test1 test1 | mc mc
butter xuelp123 | zabbix zabbix | upload upload | telnet telnet

Page 37:

3 Prioritize Defenses Based on Attacks
• Focus OpEx & CapEx spend

Page 38:

• 33%: phishing success without training
• 13%: phishing success with training

Page 39:

Figure labels: Sys Admins, Execs, Identities, Desktops, HR, Accounting, Laptops, Phones, Data, Apps, Money, IP.
Callout: 71% of phishing impersonates 10 organizations.

Page 40: