automated attacks at scale
play

Automated Attacks at Scale Understanding Credential Exploitation - PowerPoint PPT Presentation

Feb 25, 2023 •241 likes •659 views

Automated Attacks at Scale Understanding Credential Exploitation Mayank Dhiman Will Glazier Principal Security Researcher Threat Intelligence Analyst mayank@stealthsec.com will@stealthsec.com @l0pher @wglazier21 What do we mean by

  1. Automated Attacks at Scale Understanding “Credential Exploitation” Mayank Dhiman Will Glazier Principal Security Researcher Threat Intelligence Analyst mayank@stealthsec.com will@stealthsec.com @l0pher @wglazier21

  2. What do we mean by an “Automated Attack”? Fundamentally a Bot problem Legitimate Attack toolkits • available on 25% Automated attacks underground 40% Custom scripts • Attacks on API • endpoints Search engines 5% How do we determine the intent of each request? Aggregators/scrapers 30%

  3. Attacker’s Goals Fake Account Creation PII / PHI Theft Account Take Over Shopping Bots API Abuse

  4. The Attacker’s Perspective

  5. The 5 Pillars of a credential exploitation attack 1) Black Market Attack Tool or Custom tool configured for a target 2) Set of Stolen Credentials 3) Ability to rotate over many IP addresses 4) Compute Power 5) Ability to bypass deployed security solutions

  6. Attack Toolkits & Config Files SentryMBA • Hydra • PhantomJS • Medusa • Curl, Wget • Ncrack • Other custom scripts • Understanding Config Files… • Program instructions for how to login and differentiate between failed and successful logins for that particular target. Writing config files is one of the chief ways to monetize in this criminal ecosystem. • “Capture” setting – optional setting enables attackers to understand the value of a compromised account without logging back in again.

  7. Quick Facts – Underground Ecosystem 1,853 unique target sites on sentry.mba • 10% of Alexa Top 1000 have config files readily available • 184 API config files - roughly 10% of targets • $1.73 – average cost of a config file. • Top industries targeted – Gaming, Entertainment, E-Commerce • https://goo.gl/AEwhRx

  10. The 5 Pillars of a credential exploitation attack 1) Black Market Attack Tool or Custom tool configured for a target 2) Set of Stolen Credentials 3) Ability to rotate over many IP addresses 4) Compute Power 5) Ability to bypass deployed security solutions

  11. Stolen Credentials Simple Pastebin • Crawler – harvests more than 20,000 credentials every day Users average 6.5 • credentials per 50 websites * Microsoft Research * https://haveibeenpwned.com/

  12. Quick aside – How much money can attackers really net? Attacker tries 1,000,000 credentials – if each stolen • account sells for only $0.25, then a successful login rate of only 0.1% will net $250.00

  13. The 5 Pillars of a credential exploitation attack 1) Black Market Attack Tool or Custom tool configured for a target 2) Set of Stolen Credentials 3) Ability to rotate over many IP addresses 4) Compute Power 5) Ability to bypass deployed security solutions

  14. IP Rotation & Compute Power How to gather the necessary infrastructure? Option 1: Cloud Hosting Providers High reputation – AWS & Azure will never get blacklisted • Virtualization allows easy instance creation programatically • OVH Hosting Linode QuadraNet * Data from a large United States retailer in Sept. 2017

  15. How long do these IP’s “stick around” and continue sending malicious traffic before being recycled? Answer: Surprisingly long…

  16. Example: AWS Attack tool behavior Leaked credentials

  17. Option 2: Compromised Devices, IoT Botnets • Easily exploitable routers, old firmware models & default credentials available with a quick google search • Client side fingerprinting challenges for defenders • Available for rent in black market Data Observed December 2016-2017 at large financial institution • Device Types: 175 open home routers, 10 DVR/camera systems, 10 web servers (incl. Apache Tomcat), 4 webcams, 1 SCADA system • Common ISPs – Telmex (25%) (Mexico), VDC (Vietnam), Claro Dominican Rebublic, Link Egypt, Telefonica del Peru, TE Data (Egypt), Qubee (Pakistan)

  18. Example – Open routers Admin page open to • public on port 8080 SSH logs showed other • attackers trying to brute force login via SSH – “tug- of-war” between attackers.

  19. Other device examples: Intelbras camera system D-Link, Huawei HG532 and HG8245H, Advantech WebAccess browser-based HMI/SCADA software system (not pictured) Mikrotic (v6.36.4 and v6.34.3)

  20. Option 3: An Artificially Geo-Distributed Proxy Farm – “The AWS for bad guys” Levi Strauss California Gold Rush of 1848 And the creation of Levi’s jeans

  21. Who is this actor and what are some indicators? Orgs, ISPs, ASNs ISPs Petersburg Internet Network ltd. – 38.7% • Transit Telecom LLC -- 15.6% • Atomohost -- 15% • Link Telecom LLC -- 7.5% • PP Trusov Ilya Igorevych -- 4.8% • Orgs DepoDataCenter -- 25% • net for depo40.ru -- 25% • Atomohost -- 11.5% • Petersburg Internet Network ltd. – 9.5% • ASNs 50896 • 29802 • 200557 • 44050, 32181, 44750 •

  22. More Indicators…

  23. Case Study: Large US Retailer Country Distribution according to MMDB Attack Statistics > 2% of login traffic for over 4 • months At least 6 unique attack tools • used 40,000 IP addresses from 61 • countries Nearly 75% of traffic blending in • with US customers Thousands of accounts • compromised every week

  24. Was this traffic really coming from the US? Distributed Traceroute Experiment RTT from Moscow RTT from Washington RTT from Moscow RTT from Washington

  25. Distributed Traceroute Experiment * https://wondernetwork.com/pings • Country labels according to MMDB for traffic from USA

  26. How do they monetize? Defender’s Challenge: How can we detect these attacks in a proactive way instead of • Remember that “break even” point of $250 with a reactive ? 0.1% successful login rate? Possible to hit that within 1-3 days.

  27. The Defender’s Perspective

  28. The 5 Pillars of Detection for protecting against automated attacks at scale 1) Analysis of HTTP/HTTPS requests and headers to fingerprint attack tools 2) Machine learning models to detect forged browser behavior 3) Threat intelligence designed to starve attackers of resources (IP addresses, compute power, stolen credentials) 4) Data analytics beyond the individual transaction level – need to detect “recon” behavior & “low and slow” attacks 5) Technology that covers Web, Mobile & API channels – attackers move to wherever there is the least resistance

  29. Case Study: SentryMBA – the “plug & play” attack tool Pillar 1: HTTP Request Fingerprinting Default User-Agent Strings Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; • .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; • .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) • Gecko/2009060215 Firefox/3.0.11 Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 • (KHTML,, like Gecko) Version/3.0 Safari/522.11.3 Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00 • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) **Testing UA** • SentryMBA HTTP Fingerprint observations We analyzed over 1500 config files and found that only 12% • changed the request fingerprint Often missing referrer, accept-language or accept-encoding •

  30. Traffic Patterns Both high velocity and low & slow 150,000 requests from 3,385 IP’s and 1,293 • • attacks. Suggesting multiple actors using Organizations (1 day). the tool Leaked credentials from MySpace, Yahoo, • Recon activity w/ successful login ratios < LinkedIN, others • .01% and verified credential attacks w/ successful login ratios > 95%

  31. The 5 Pillars of Detection for protecting against automated attacks at scale 1) Analysis of HTTP/HTTPS requests and headers to fingerprint attack tools 2) Machine learning models to detect forged browser behavior 3) Threat intelligence designed to starve attackers of resources (IP addresses, compute power, stolen credentials) 4) Data analytics beyond the individual transaction level – need to detect “recon” behavior & “low and slow” attacks 5) Technology that covers Web, Mobile & API channels – attackers move to wherever there is the least resistance

  32. Case Study: Drago & Vlad – “Forged Browser Family” Pillar 2: Forged Browser detection - ML Attack Tool “Vlad” Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Impersonating Firefox 40 on Windows 10 • Behaves similar to a command line tool like Wget or Curl • Attack Tool “Drago” Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Impersonating Chrome 56 on Windows 8.1 • Doesn’t behave like any other browser in Chromium family •

  33. Traffic Patterns Drago More than 3,769 ISPs, 4,160 • Organizations and more than 150 countries, with no single ISP/Organization being responsible for more than 3.5% of the tool’s traffic. Vlad All traffic claimed to come • from the US, yet every request had Accept-language header value equal to “ru-RU” Attack tools were responsible for every large • spike in traffic, resulting in massive infrastructure overprovisioning.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk Kang , Virgil D. Gligor CyLab, Carnegie Mellon University * Qualcomm Dec. 12, 2013 Large Scale Link-Flooding Attacks Massive DDoS attacks against

487 views • 27 slides
Automated Detection of Guessing and Denial of Service Attacks in Security Protocols Marius Minea

Automated Detection of Guessing and Denial of Service Attacks in Security Protocols Marius Minea

Automated Detection of Guessing and Denial of Service Attacks in Security Protocols Marius Minea Politehnica University of Timi soara CMACS seminar, CMU, 18 March 2010 In this talk Formalizing attacks on protocols denial of service by

732 views • 45 slides
Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu,

Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu,

Fakultt fr Informatik T echnische Universitt Mnchen Dagstuhl Seminar 17281 Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu, BMW Group Outline 1 Introduction 2 Obfuscation in Theory 3

815 views • 69 slides
Is the Future Almost Here? Large-Scale Completely Automated Vowel

Is the Future Almost Here? Large-Scale Completely Automated Vowel

Is the Future Almost Here? Large-Scale Completely Automated Vowel Extrac8on of Free Speech Sravana Reddy and James N. Stanford Dartmouth College

563 views • 31 slides
What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera , Paul van Oorschot 1 Secure Shell (SSH) Protocol to enable remote logins and network services over an unsecured network. Typically used for

537 views • 27 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
VetTag: improving automated veterinary diagnosis coding via large-scale language modeling

VetTag: improving automated veterinary diagnosis coding via large-scale language modeling

VetTag: improving automated veterinary diagnosis coding via large-scale language modeling Published in npj (Nature) Digital Medicine Yuhui Zhang, Allen Nie, James Zou Introduction Large-scale veterinary clinical records can become a powerful

529 views • 14 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
Evaluation of Amplification attacks in large-scale networks to improve detection performance

Evaluation of Amplification attacks in large-scale networks to improve detection performance

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation of Amplification attacks in large-scale networks to improve detection performance Michael Kpferl Interdisciplinary Project Final

517 views • 49 slides
Automated Iterative Partitioning for Cooperatively Coevolving Particle Swarms in Large Scale

Automated Iterative Partitioning for Cooperatively Coevolving Particle Swarms in Large Scale

CCPSO2 Proposed Approach Experimental Results Conclusion Automated Iterative Partitioning for Cooperatively Coevolving Particle Swarms in Large Scale Optimization Peter Frank Perroni 1 Daniel Weingaertner 1 Myriam Regattieri Delgado 2 1

319 views • 21 slides
Inject the future Process technologies and automated production cells for large-scale

Inject the future Process technologies and automated production cells for large-scale

Inject the future Process technologies and automated production cells for large-scale manufacturing of lightw eight thermoplastic composites for automotive applications Georg Steinbichler ENGEL AUSTRIA GmbH | EU Technology transfer

487 views • 11 slides
Developing Automated Scoring for Large-scale Assessments of Three-dimensional Learning Jay Thomas

Developing Automated Scoring for Large-scale Assessments of Three-dimensional Learning Jay Thomas

Developing Automated Scoring for Large-scale Assessments of Three-dimensional Learning Jay Thomas 1 , Ellen Holste 2 , Karen Draney 3 , Shruti Bathia 3 , and Charles W. Anderson 2 1. ACT, Inc. Michigan State University 2. UC Berkeley, BEAR

473 views • 14 slides
Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

421 views • 14 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
Automated Data Curation at Scale Bernhard Bicher (CEO) Dr. Noah S. Bieler

Automated Data Curation at Scale Bernhard Bicher (CEO) Dr. Noah S. Bieler

Automated Data Curation at Scale Bernhard Bicher (CEO) Dr. Noah S. Bieler (Principal Data Scientist) Winterthur, 12 th of June 2015 Data Preparation Today Data Scientists spend up to 80% of

496 views • 14 slides
Large Scale Simulation of Tor: Stream Mix Networks Low latency Networks Network Correlation

Large Scale Simulation of Tor: Stream Mix Networks Low latency Networks Network Correlation

Large Scale Simulation of Tor: Stream Correlation Attacks Gavin O Gorman Anonymous Networks Large Scale Simulation of Tor: Stream Mix Networks Low latency Networks Network Correlation Attacks Simulation Results Attacks Gavin O

328 views • 20 slides
Hollywood Science Hollywood Science Week 6: Future Fiction/Future Fact Intertextuality?

Hollywood Science Hollywood Science Week 6: Future Fiction/Future Fact Intertextuality?

Hollywood Science Hollywood Science Week 6: Future Fiction/Future Fact Intertextuality? Intertextuality? 2 Hollywood Science Week 6 Leon van Wissen Faculty of Humanities Transhumanism Transhumanism A belief that the human race

1.02k views • 57 slides
ICT &amp; D Digital gital Update e Corporate orate ICT St Strategy egy 6 m months s in

ICT &amp; D Digital gital Update e Corporate orate ICT St Strategy egy 6 m months s in

ICT &amp; D Digital gital Update e Corporate orate ICT St Strategy egy 6 m months s in Paul Ward Head of ICT &amp; Digital Finance and Corporate Services Scrutiny Board 18 th March 2020 The new strategy, approved October 2019 has

204 views • 17 slides
Inline Evaluation of Hybrid Knowledge Bases Guohui Xiao Vienna PhD School of Informatics

Inline Evaluation of Hybrid Knowledge Bases Guohui Xiao Vienna PhD School of Informatics

Inline Evaluation of Hybrid Knowledge Bases Guohui Xiao Vienna PhD School of Informatics Institute of Information Systems Vienna University of Technology January 23, 2014 1/71 Inline Evaluation of Hybrid KBs Hybrid Knowledge Bases Hybrid

1.78k views • 145 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Supervisor - Task Given Process model, P Specification, K K Calculate supervisor S

Supervisor - Task Given Process model, P Specification, K K Calculate supervisor S

Department of Signals and Systems Supervisor - Task Given Process model, P Specification, K K Calculate supervisor S Within the spec ( ) ( ) L P S L P K P || S = S Non-blocking ( ) ( ) L P S L

598 views • 35 slides
Machine learning for bounce calculation Ryusuke Jinno (IBS-CTPU) Based on 1805.12153 2018/12/10 @

Machine learning for bounce calculation Ryusuke Jinno (IBS-CTPU) Based on 1805.12153 2018/12/10 @

Machine learning for bounce calculation Ryusuke Jinno (IBS-CTPU) Based on 1805.12153 2018/12/10 @ ICTP workshop on machine learning landscape 01 / 29 SELF INTRODUCTION Ryusuke ( ) Jinno ( ) - 2016/3 : Ph.D. @ Univ. of Tokyo -

787 views • 65 slides
Modeling, Analysis and Control Radu Grosu Vienna University of Technology Lecture 6 Continuous AND

Modeling, Analysis and Control Radu Grosu Vienna University of Technology Lecture 6 Continuous AND

Hybrid Systems Modeling, Analysis and Control Radu Grosu Vienna University of Technology Lecture 6 Continuous AND Discrete Systems Control Theory Computer Science Continuous systems Discrete systems approximation, stability abstraction,

586 views • 17 slides
Real-Time Indirect Illumination Jeppe Revall Frisvad PhD student Informatics and Mathematical

Real-Time Indirect Illumination Jeppe Revall Frisvad PhD student Informatics and Mathematical

Real-Time Indirect Illumination Jeppe Revall Frisvad PhD student Informatics and Mathematical Modelling Technical University of Denmark Agenda Agenda Introduction Related work Concept Method Demo Conclusion June 2005

482 views • 24 slides

More recommend