#RSAC LMG Security 1

Size: px

Start display at page:

Download "#RSAC LMG Security 1"

Dinah Craig
5 years ago
Views:

1 1

2 SESSION ID: HTA-R02 Cryptojacking Meets IoT Matt Durrin Cybersecurity Consultant & Sherri Davidoff CEO,

3 3

4 4

5 5

6 To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate 6 more than $100 million per year theoretically.

7 Cryptojacking for Sale 7

8 Anatomy of a Cryptojacking Attack 8

9 Patient Zero Likely Brute Force RDP Internet-Facing User-Level Privileges Hacked Workstation Credential Theft & Pivoting 9

10 The Attacker Makes RDP More Vulnerable 10

11 Installing the Coin Miner 11

12 Malicious Files Server #1: Server #2: 12

13 The Hacker s Web Surfing History 13

14 Why USAA? 14

15 The Hacker s Web Surfing History 15

16 It s a Driver s License! And a Credit Card Made with Stolen Customer Data 16

17 The Hacker s Web Surfing History 17

18 18

19 What Else Could Have Been Going On? Made with Stolen Customer Data 19

20 What s Going On? (one theory) Criminal broke into the server Installed cryptocurrency miner on server Transferred coins to wallet Stole PII Logged in to (likely hacked) USAA account Created fake DL & CC images using stolen PII Criminals use these to: Link a bank account to a cryptocurrency wallet Buy cryptocurrency using stolen cards/hacked bank accounts 20

21 Why Do We Care About CryptoMiners? Steal your resources Slow down your systems Fire! May also be a data breach! 21

22 22

23 Detection Strategies Endpoint performance monitoring CPU Power Processes User training & reporting Antivirus Network traffic DNS queries Miner communication protocols Pool mining 8080, 443 Remember the computer that caught on fire a couple of slides ago? 23

24 24

25 Stefan Prandl Black Hat 17 25

26 Meet Our Victim 26

27 System-on-a-Chip Main Processor: GK7102 Embedded Linux OS CPU: ARM MHz 512MB Integrated DDR2 Cheap! 27

28 28

29 Mirai Easter Eggs 29

30 Mirai RickRoll 30

31 What Is Love? 31

32 Apparently The Attacker Found Out 32

33 The Do-Not-Attack List 33

34 Guessing the Password Username: root Password:

35 The Password Hard-Coded in the Botnet 35

36 Remote Login Success (or Fail) 36

37 Modifying Mirai 37

38 Mining Software: Minerd Minerd is a compact and easy to use crypto currency CPU miner. Small Easy to use Supports a wide array of processors There is a version specifically tailored to ARM processors Compatible with Linux from kernel forward Small list of dependencies Installation and execution can be easily scripted 38

39 Wallet Setup 39

40 Initial Hack The bins.sh script retrieves and executes the Mirai exploit files making this camera part of our botnet. 40

41 Command and Control Traffic 41

42 Starting the Miner The not_a_miner.sh script retrieves and executes the Monero mining software. 42

43 Miner Network Activity 43

44 Miner in Action 44

45 Sad Camera 45

46 We re Monero Rich! 46

47 Scaling Up 47

48 Protect Your IoT Devices Vet manufacturers prior to purchase Passwords Strong Not default Audit Firmware updates 48

49 Protect Your Organization (2) Network Strong perimeter Segment IoT Devices IDS/IPS 49

50 Join Us for a Book 12-12:30 PM Breaking and Entering: the Extraordinary Story of a Hacker Called Alien RSA Bookstore Alien will be there J 50

Questions? Sherri Davidoff / Matt Durrin Email: info@lmgsecurity.

51 Questions? Sherri Davidoff / Matt Durrin info@lmgsecurity.com Phone: Book signing the RSA Bookstore!

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website: