The business: applications are the reason people use the Internet, the gateway to data, and the target.
Figures shown: 765 = average number of apps in use per enterprise; 6 min before a newly exposed app is scanned; if vulnerable, you could be pwned in under 2 hours; 1/3 of apps are mission critical.
Figure: application attack surface by layer. Layers: Client, TLS, DNS, Network, Access, App services. Attack types labelled on the figure: man-in-the-browser, session hijacking, malware, cross-site request forgery, abuse of functionality, man-in-the-middle, DDoS, API attacks, injection, cross-site scripting, certificate spoofing, protocol abuse, key disclosure, DNS hijacking, DNS spoofing, DNS cache poisoning, eavesdropping, credential theft, credential stuffing, brute force, phishing, dictionary attacks.
Chart: leading causes of breaches, 2005 to 2017 and 2018 (values shown: 58%, 56%, 6%, 4%, 3%, 2%, 2%, 1%, 1%).
The majority of breaches start with an application or identity attack. Identity attacks surpassed application attacks to become the leading cause of breaches in 2018 (ongoing analysis pending publication).
Chart: most-targeted injection paths/components: PHP, SQL, Exchweb, Comments, Cart, Betablock, Admin, Affiliates, Login. Takeaway: injection attacks concentrate on PHP and SQL.
Vulnerability response cycle: Vuln released → Applicable? → Test → Apply & Retest → Continuous improvement → Firewall what you can’t fix.
Average Days Between Vulnerability Releases (chart; series given in legend order: Critical, High)
Year       2014   2015   2016   2017   2018
Critical   1.7    0.8    0.5    0.4    0.5
High       1.4    0.9    0.6    0.2    0.3
Highlighted on the chart: 9-12 hours between critical vulnerability releases.
Attack: 1. Mobile Apps; 2. Direct APIs.
Basic Security Fails: 1. Authentication; 2. Injection; 3. Permissions.
API breach timeline, 2011 – 2019:
Sep 2011 – Westfield: “find my car app”
Mar 2015 – Tinder: API to Facebook cred spoof
Feb 2017 – WordPress: REST API vuln
Aug 2017 – Instagram: API vuln allowed access to user contact info
Nov 2017 – Nov 2018 – US Postal Service: API auth vuln
Jan 2018 – Tinder: HTTPS API data leakage vuln
Mar 2018 – Google: API attack impacted 438 apps and 500k records
Mar 2018 – Binance: phished target accounts → created fake API trading accounts → fraud transactions
Apr 2018 – RSA Conference App: data leaked through API
July 2018 – Venmo: public API → 200 million payment transactions
Aug 2018 – T-Mobile: 2 million customer records exposed through API
Aug 2018 – Salesforce: API vuln exposes contact data and prospects
Sep 2018 – Apple MDM: API brute-forced, registering rogue devices
Sep 2018 – British Airways: Magecart API attack, 380k records
Sep 2018 – Facebook: dev API leaked 50 million accounts
Oct 2018 – Girl Scouts: API breach, 2800 members
Oct 2018 – Quoine: crypto-exchange breach via API
Oct 2018 – GitHub: “Events” API leaked projects and logs
Chart: Access Attacks by month, Jan–Dec (values shown: 3%, 5%, 12%, 17%, 13%, 53%). Peaks Oct → Jan.
Social Media
• Interests / interest groups
• Friends, family and relationship information
• Style of speaking
• Writing style
• Work history
• Education
• Comments on links
• Important life event dates
• Places visited
• Favorite sites, movies, TV shows, books, quotes
• Photographs
• Hacked “private” account data
People Search Engines
• Facebook information
• Email address (which leads to possible usernames)
• Education, income / salary range
• Phone numbers
• Age / age range
• Race
• Home address
• Middle name, maiden name, spouse and family names
Company Research
• Who works there
• Tech infrastructure
• Types of endpoints (PC/Mac/OS)
• SEC filings
• Lawsuit filings
• Aggregator search tools for corporations
• Individuals & department names
• Business partners & affiliates
• IP space
• WHOIS info
• Email addresses and format
Misconfigurations
• Server names
• Private network addresses
• Email addresses
• Usernames
• DNS servers
• Self-signed certs
• Email headers
• Web servers
• Web cookies
• Web applications
APTs and/or Nation-states That Begin Attacks With Phishing
Phishing emails are 3 times (3X) more likely to have a malicious link than a malicious attachment.
Figure labels: Malicious link. Email sent from North Korean APT in Sony compromise. Email sent from North Korean APT related to Bangladesh Bank heist.
Encryption is an Attacker Disguise: 93% of phishing domains use HTTPS to appear more legitimate.
Majority of Malware Hides in Encryption: 70% of all Internet traffic is encrypted; 68% of malware phones home over port 443.
Clients are phished → malware installed
Banking Trojans → Fraud Trojans
Fraud targets = any site with a login page
Chart: Thingbots by year discovered (2008–2018) and Affected Devices. 74% were discovered in the last 2 years.
Thingbot groups as labelled on the chart:
• 7 bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter
• 1 bot: Brickerbot
• 2 bots: WireX, Reaper
• 3 bots: Mirai, BigBrother, Rediation
• 1 bot: Remaiten
• 1 bot: Moon
• 1 bot: Aidra
• 1 bot: Hydra
• 3 bots: Satori family, Amnesia, Persirai
• 6 bots: Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor
• 1 bot: Crash Override
• 1 bot: Gafgyt family
• 2 bots: Darlloz, Marcher
• 1 bot: Psyb0t
• 4 bots: Hajime, Trickbot, IRC Telnet, Annie
Affected devices: CCTV/DVRs, WAPs, set-top boxes, media centers, Android, wireless chipsets, NVR surveillance, Busybox platforms, smart TVs, VoIP devices, cable modems, ICS, SOHO routers, iOS, IP cameras.
RFC2324: Hyper Text Coffee Pot Control Protocol (the honeypot records below carry a user-agent of “Keurig K575 Coffee Maker”)
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-19T20:31:04.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 56946, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-23T12:16:41.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 49180, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:04:52.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:14:46.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }
{ "_id" : {"protocol" : "http", "timestamp" : { "$date" : "2018-07-28T06:29:53.000-0700" }, "source_ip" : "185.112.249.28", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 50225, "destination_port" : 80, }
Various dynamic / private source ports (49152 - 65535).
Chart: Thingbot Attack Type by year (2008–2018), covering the same thingbots as the Affected Devices chart. Attack types labelled: DNS hijack, DDoS, PDoS, proxy servers, unknown, rent-a-bot, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner.
Shifting from primarily DDoS to multi-purpose.
2017 DDoS Attacks by Industry
Hosting / Colo        31%
Financial Service     17%
Tech Company          12%
Telecom / ISP         11%
Online Gaming         11%
Domain Registrar       9%
Business Services      3%
Government             2%
Education              1%
Entertainment          1%
Retail                 1%
Automotive             1%
Engineering            0%

2018 DDoS Attacks by Industry
Online Gaming         31%
Financial Service     23%
Hosting / Colo        22%
Domain Registrar       7%
Tech Company           5%
Telecom / ISP          4%
Education              3%
Entertainment          2%
Business Services      2%
Retail                 1%
Aerospace              0%
Government             0%
© 2018 F5 Networks
Application targeted DDoS attacks are a large portion of the attack types that get escalated to our SIRT for assistance.
Chart: SOC-Mitigated vs SIRT-Mitigated, 2017 and 2018 (values shown: 2%, 5%, 3%, 2%, 2%, 2%).
Oct 2016: Cellular Gateway Discovered
• Investigating airport incident in Europe + BASHLITE on a DVR digital signage solution (same timeframe as Dyn DNS DDoS attack).
• Service and host managed by 3rd party
• 39 active threat actors
• Numerous log entries show incoming attacks
• Mirai, shellshock, brute force
• Sierra Wireless device
Note: System owner sent drives to us for forensic analysis and authorized scanning of their network.
Source: Sierrawireless.com
Sierra Wireless Mirai Warnings
“Exploiting” the Vulnerability
WAN IP: 166.139.19.193
Public GPS coordinates: 40° 49’ 51.5” N, 47° 26’ 03.5” W
Default password: *****
No dependency on any vulnerability within the hardware or software. Brute-force attack(s) are unnecessary.
GPS Data Logging (TAIP); TRACCAR – Open Source Fleet Software; Fleet / Vehicle Tracking
SierraWireless.com case studies:
• St John Ambulance, Western Australia
• California Highway Patrol, California
• Ventura County Fire Department, California
• South Bay Regional Public Communications Authority (SBRPCA), California
• West Metro Fire Protection District, Colorado
• Westminster Police Department, Colorado
• Danish National Police, Denmark
• Acadian Ambulance Service, Louisiana & Texas
• East Baton Rouge Parish Emergency Medical Services (EMS), Louisiana
• Mississippi Highway Safety Patrol
• Gem Ambulance, New Jersey
• City of Charlotte, North Carolina
• Dickinson Police Department (DPD), Texas
• Fairfax's Urban Search and Rescue Team, Virginia
• South Wales Police, Wales
• City of Yakima, Washington
• Seattle Fire Department, Washington
Disclosed 10/16/2018
Device                     Finding
Sierra Wireless LS300      Weak authentication
Sierra Wireless GX450      Weak authentication
Sierra Wireless ES440      Weak authentication
Moxa OnCell G3xxx          No authentication
Digi TransPort WR44        Weak authentication
CradlePoint                Hard-coded tech support back door
Avoiding a breach is cheaper than dealing with one.
Chart: Cost of Breach in Millions of $ (values shown: $6.56, $7.18, $8.53, $9.07) across four breach types: leakage of confidential or sensitive information; tampering / unauthorized modifications to apps; hack resulting in failure to access data and/or apps; leakage of PII about customers, consumers or employees.
*may be underestimated / not include litigation and class action lawsuit fines
1. Understand Your Environment
CISO’s #1 mission: prevent downtime. Everyone’s #1 challenge: visibility.
2. Reduce Your Attack Surface
Attack surface elements:
• Sub domains hosting other versions of the main application site
• Dynamic web page generators
• HTTP headers and cookies
• Admin interfaces
• Apps/files linked to the app
• Web service methods
• Helper apps on client (Java, Flash)
• Server-side features such as search
• Web pages and directories
• Shells, Perl/PHP
• Data entry forms
• Administrative and monitoring stubs and tools
• Events of the application (triggered server-side code)
• Backend connections through the server (injection)
• APIs
• Cookies/state tracking mechanisms
• Data/active content pools: the data that populates and drives pages
Critical vulnerabilities: every 9 hrs a critical vulnerability is released; attackers are weaponizing in <24 hrs; attacked!
Vulnerability response questions: Does it apply to you? Has a patch been released? Did you test it? Did you apply it?
Cycle steps labelled: continuous security scanning, team review, remediate, retest, continuous improvement, firewall what you can’t fix (WAF configuration).
Top 100 Admin Creds Used in SSH Brute Force Attacks (username password pairs, four per row)
root root | ts ts | manager manager123 | plcmspip plcmspip
admin admin | bot bot | teamspeak3 teamspeak3 | weblogic weblogic
user user | deploy deploy | nobody nobody | redhat redhat123456
test test | monitor monitor | csgoserver csgoserver | developer developer
ubuntu ubuntu | administrator administrator | test2 test2 | public public
ubnt ubnt | bin bin | demo demo | student student
support support | default nopass | 0 | webmaster webmaster
oracle oracle | adm adm | a a | osmc osmc
pi raspberry | vagrant vagrant | minecraft minecraft | c c
guest guest | anonymous any@ | alex q1w2e3r4t5 | server server
postgres postgres | uucp uucp | postfix postfix | supervisor supervisor
ftpuser asteriskftp | www www | glassfish glassfish | 22 backup
usuario usuario | jenkins jenkins | jboss jboss | hdfs hdfs
nagios nagios | apache apache | master master | linux linux
1234 1234 | sshd sshd | ghost ghost | postmaster postmaster
ftp ftp | PlcmSpIp PlcmSpIp | vnc vnc | csserver csserver
operator operator | cisco cisco | info info | prueba prueba
git git | sinusbot sinusbot | 111111 856149100 | matt matt
hadoop hadoop | user1 user1 | debian debian | vyatta vyatta
ts3 ts3 | backup backup | centos centos | hduser hduser
teamspeak teamspeak | Management TestingR2 | testuser testuser | nexus nexus
mysql mysql | steam steam | system sytem | ethos live
tomcat tomcat | mother fucker | www-data www-data | Admin Admin
service service | dev dev | test1 test1 | mc mc
butter xuelp123 | zabbix zabbix | upload upload | telnet telnet
3. Prioritize Defenses Based on Attacks
Focus OpEx & CapEx spend.
Phishing success without training: 33%. Phishing success with training: 13%.
71% of phishing impersonates 10 organizations.
Figure labels: Sys Admins, Execs, Identities, Desktops, HR, Accounting, Laptops, Phones, Data, Apps, Money, IP.