next gen mirai
play

Next-Gen Mirai Balthasar Martin <balthasar@srlabs.de> Fabian - PowerPoint PPT Presentation

Nov 23, 2022 •46 likes •306 views

Next-Gen Mirai Balthasar Martin <balthasar@srlabs.de> Fabian Brunlein <fabian@srlabs.de> SRLabs Template v12 Mirai and IoT Reaper botnets exploited open Telnet and other known vulnerabilities Mirai botnet Reaper botnet Known

  1. Next-Gen Mirai Balthasar Martin <balthasar@srlabs.de> Fabian Bräunlein <fabian@srlabs.de> SRLabs Template v12

  2. Mirai and IoT Reaper botnets exploited open Telnet and other known vulnerabilities Mirai botnet Reaper botnet ▪ Known vulnerabilities in web interfaces ▪ Open Telnet with default credentials Reaper Probing random IP ▪ 24k devices [1] against Krebs on Security ▪ 20k devices [3] , but way more vulnerable addresses for ▪ Up to 100k [2] devices in attack on Dyn exposed devices Not actively used yet DDoS against Akamai (Gbps) Regions affected by attack on Dyn 500 620 363 0 Biggest attack Mirai attack before Mirai in 09/2016 [1] https://krebsonsecurity.com/2016/11/akamai-on-the-record-krebsonsecurity-attack/ [2] https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ 2 [3] https://www.arbornetworks.com/blog/asert/reaper-madness/

  3. Most users thankfully do not expose their home devices to the Internet ▪ We got an IP camera that can be controlled via App ▪ Sricam is one of many brands based on Gwell firmwares ▪ Various vendors sell these devices under their own brands ▪ Available apps include: Sricam, APcam, Yoosee, 2CU, … Video and bidirectional sound Open telnet Remote access from everywhere (Easy) command injection Easy firmware updates Web interface ▪ Most users will not expose their devices to the internet anyways We are able to send packets to millions of devices in private networks and control 800,000 of them remotely – How this was done is the topic of this talk 3

  4. Penetrating private networks is sold as a feature Vendor marketing video: 4

  5. Proprietary cloud protocols bypass firewalls and allow for remote connections into private networks Problem: Router firewalls do not allow incoming connections Lan1 Lan2 5

  6. Proprietary cloud protocols bypass firewalls and allow for remote connections into private networks Backend 2 Lan1 Lan2 1 3 1 IP camera sends UDP packets to keep the NAT- table entry alive Let‘s take a look at: 2 Backend server can reach the device when ▪ videoipcamera.com / videoipcamera.cn needed ▪ cloud-links.net / cloudlinks.cn Control packets from app are forwarded by the 3 backend* 6 *for transmitting video feeds, the backend negotiates a direct connection to the device

  7. For building a botnet, we need connection, authentication and remote code execution Connection Authentication (-bypass) Remote code execution 7

  8. The backend acts as a contact storage HTTP requests containing contact details Logging in Adding a device to an account App Backend App Backend GET LoginCheck.ashx POST AddFriend.ashx [user, md5(pw)] [name, device_id, e(pw)] SessionID OK GET GetFriendList.ashx [name1, device_id1, e(pw1)] [name2, device_id2, e(pw2)] In a secure world… … … this would be the only way to check device credentials … requests would be monitored and rate limited 8

  9. In reality, all valid device IDs can be easily retrieved from the backend UDP packet to check which devices are online 28 00 04 00 00 00 00 00 b8 65 6d b7 66 d4 a1 ae 57 cd 73 ca 03 00 00 00 06 00 00 00 00 00 00 00 Request Request 0f 00 00 00 00 00 00 00 XX XX 0a 00 XX XX 0c 00 XX XX 09 00 29 00 00 00 03 00 00 00 06 00 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 XX XX 0a 00 00 00 00 00 Response 01 00 00 00 00 00 00 07 XX XX 0c 00 00 00 00 00 00 00 00 00 00 00 00 07 XX XX 09 00 00 00 00 00 01 00 00 00 00 00 00 07 Header No. devices Device IDs Online status ▪ Does not require authentication Backend Dev. ID length Collected IDs ▪ 62 device IDs in one UDP packet videoipcam 6 digits 140,741 ▪ No rate limiting cloudlinks 7 digits 3,277,280 ▪ Check all possible IDs in 1 hour 9

  10. The backend forwards command packets based on the device ID App Server Device CMD CMD RES RES Set network settings command Header Account ID Device ID Command ID Auth. values Cloud part 10 03 60 00 54 b1 07 80 XX XX 0c 00 19 41 15 a4 74 8e 86 3d 45 97 54 59 60 01 00 00 78 e6 00 00 1c 00 00 00 37 35 04 f0 cc 63 0c c1 68 01 00 00 Local part 66 01 a8 c0 00 ff ff ff 01 01 a8 c0 01 01 a8 c0 IP (192.168.1.102) Gateway DNS server Subnet mask ▪ Some types of commands are forwarded to the device just based on device ID ▪ Potential for pre-auth RCE  exploiting all devices in just hours 10

  11. We have found a large number of devices – now we need to authenticate ▪ Low entropy device IDs allow for efficient enumeration Connection ▪ Packets are forwarded to devices just based on device ID Authentication (-bypass) Remote code execution 11

  12. Device passwords can be efficiently enumerated Account ID Device ID Auth. values Command ID Password correct Request Response 10 03 60 64 54 b1 07 80 XX XX 0c 00 4e 05 5b f4 10 07 61 00 XX XX 0c 00 54 b1 07 80 5d db 83 98 1f 89 f2 92 2e 90 20 f6 60 01 00 00 3d 4a 00 00 f5 3a 00 00 00 00 00 00 61 00 00 00 3d 4a 00 00 0c 00 00 00 f8 97 56 1b c5 23 8c cc 00 00 00 00 00 00 00 00 00 00 00 00 … forward send replay respond CANCEL_DEVICE_UPDATE: 0x6d60 - 0x7148 CHECK_DEVICE_PASSWORD: 0x4a38 - 0x4e20 0x4a38 - 0x4e20 CHECK_DEVICE_UPDATE: 0x6978 - 0x6d60 … ▪ When accessing device settings via app, a check-password UDP packet is sent ▪ It can be captured and replayed with a different device ID to check it for the same password ▪ The device does not have to be added to the account and no rate limiting is employed 12

  13. Enumerating weak and default passwords yields access to large numbers of devices ▪ Devices are using different default passwords: 888888, 123, ... ▪ Users will choose bad passwords anyway: 123456, ABCDEF, … ▪ On videoipcamera, we encountered no rate limiting ▪ For cloudlinks, the app presented us a client side CAPTCHA ▪ We did not test the limits and checked 140,000 devices in 6 hours Backend Password No. devices Videoipcam 888888 63,029 Incredibly tempting button Videoipcam 123456 1,454 * Cloudlinks 123 703,000 ▪ View camera feeds, turn devices, hear and send audio * Cloudlinks 123456 46,600 ▪ Get WiFi credentials, near network names, mail credentials * Total 814,083 ▪ Access and change device settings *estimates based on a random 1,000 devices sample 13

  14. Demo: Enumerating device IDs and passwords 14

  15. We can access a large number of devices – now we need to execute commands on them ▪ Low entropy device IDs allow for efficient enumeration Connection ▪ Packets are forwarded to devices just based on device ID ▪ Passwords can be enumerated without rate limiting Authentication (-bypass) ▪ Default passwords yield high numbers of devices Remote code execution 15

  16. The filesystem in the firmware can be manipulated to add a backdoor $ binwalk npcupg_14.00.00.52.bin _14.00.00.52. DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 32 0x20 JFFS2 filesystem, little endian 2943372 0x2CE98C ELF, 32-bit LSB executable, ARM, version 1 (SYSV) 0x2CE98C $ xxd -l 64 npcupg_14.00.00.52.bin FW header JFFS2 filesystem 6ce9 2c00 211b 0000 00000000: 0000 0000 6ce9 2c00 211b 0000 397c abbf 397c abbf ....l.,.!...9|.. ├── dhcp.script 00000010: 372a 856a a618 2c6b 0cbc f1a8 3400 000e 372a 856a a618 2c6b 0cbc f1a8 3400 000e 7*.j..,k....4... ├── gwellipc 00000020: 8519 01e0 3300 0000 9611 8be8 0100 0000 8519 01e0 3300 0000 9611 8be8 0100 0000 ....3........... ├── minihttpd.conf 00000030: 0000 0000 0200 0000 3e6d 0644 0b08 0000 0000 0000 0200 0000 3e6d 0644 0b08 0000 ........>m.D.... ├── npc ├── upgfile_ok On boot, dhcp.script is executed  add malware or open telnet ├── version.txt └── [...] 32-bit ELF binary When installing a modified firmware, “MD5 err!” is printed on serial output 16

  17. Patching the main camera binary allows for printing the expected firmware checksum Byte-wise comparison of expected and given hash Serial output when installing a firmware ▪ Modified file system Start Seq = 00000d4b Md5 err! ▪ Original file system Start Seq = 00000a99 57 124 171 191 55 42 133 106 166 24 44 107 12 188 241 168 Newst version ! fgCheckUpgFile over! 17

  18. Patching the main camera binary allows for printing the expected firmware checksum Byte-wise comparison of expected and given hash Serial output when installing a firmware ▪ Modified file system Start Seq = 00000d4b Md5 err! ▪ Original file system Start Seq = 00000a99 57 124 171 191 55 42 133 106 166 24 44 107 12 188 241 168 Newst version ! fgCheckUpgFile over! Patch main binary to print expected hash kill -9 [process_number] printf '\x50' | dd bs=1 seek=172469 of=/npc/npc … printf '\x02' | dd bs=1 seek=172488 of=/npc/npc … printf '\x05' | dd bs=1 seek=172536 of=/npc/npc … 18

  19. Mass-scale remote installation of malicious firmwares possible by redirecting camera to attacker‘s update server Remember the network settings packet? Initiate firmware update and deliver malware Attacker Camera CMD get network settings network settings CMD set DNS to Attacker IP CMD do firmware update 3 DNS upg.videoipcamera.cn ▪ Two different kinds of firmwares: Attacker IP – 14.00.00.XX GET Version, GET update – 21.00.00.XX ▪ Current version in update request Newer version, malicious update ▪ Fully automatable procedure 19

  20. Demo: Installing a malicious firmware remotely via terminal 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by

Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by

Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by Mirai https://krebsonsecurity.com/wp-content/uploads/2016/10/IoTbadpass-Sheet1.pdf loader/src/headers/includes.h loader/src/headers/binary.h

835 views • 17 slides
Mirai and IoT Botnet Analysis Robert Graham http://blog.erratasec.com @ErrataRob #RSAC What

Mirai and IoT Botnet Analysis Robert Graham http://blog.erratasec.com @ErrataRob #RSAC What

#RSAC SESSION ID: SESSION ID: HTA-W10 Mirai and IoT Botnet Analysis Robert Graham http://blog.erratasec.com @ErrataRob #RSAC What this talk will cover? Brief overview of Mirai The cameras themselves Step by step from infection to attacks

962 views • 63 slides
Present status of the MIRAI Program; towards a persistent 1.3 GHz NMR and DC feeder cables H.

Present status of the MIRAI Program; towards a persistent 1.3 GHz NMR and DC feeder cables H.

IEEE CSC &amp; ESAS SUPERCONDUCTIVITY NEWS FORUM (global edition), February 2020. Plenary presentation PT-4 given at ACASC/Asian-ICMC/CSSJ Joint Conference, 6-9 January 2020, Okinawa, Japan. Present status of the MIRAI Program; towards a

910 views • 45 slides
Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey , Matthew Bernhard , Elie Bursztein Jaime Cochran , Zakir Durumeric , J. Alex Halderman , Luca Invernizzi Michalis Kallitsis ,

709 views • 35 slides
Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey , Matthew Bernhard , Elie Bursztein Jaime Cochran , Michalis Kallitsis , Damian Menscher , Zakir Durumeric Deepak Kumar , Chad

628 views • 34 slides
Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of Thousands of Internet Businesses and Millions of Users in October 2016 William Favre Slater, III, M.S. MBA, PMP, CISSP, CISA Sr. Cybersecurity

1.36k views • 53 slides
IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

SPAWAR S YSTEMS C ENTER P ACIFIC IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai Malware and IoT-Based Botnets 24-26 April, 2017 Presented at the 2 nd International Conference Presented by Roger

654 views • 20 slides
FY2015 Third Quarter Financial Results MIRAI Toyota Motor Corporation February 4, 2015

FY2015 Third Quarter Financial Results MIRAI Toyota Motor Corporation February 4, 2015

FY2015 Third Quarter Financial Results MIRAI Toyota Motor Corporation February 4, 2015 Cautionary Statement with Respect to Forward-Looking Statements This presentation contains forward-looking statements that reflect Toyotas plans and

963 views • 24 slides
Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 FIRST TC Minoru Kobayashi

Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 FIRST TC Minoru Kobayashi

Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 FIRST TC Minoru Kobayashi Internet Initiative Japan Inc. Who am I ? Minoru Kobayashi I work for Internet Initiative Japan Inc.. IIJ is a Japanese ISP (We are the

418 views • 19 slides
Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

508 views • 33 slides
Atomic level material processing and characterization for nanoscale CMOS transistors Toshihiko

Atomic level material processing and characterization for nanoscale CMOS transistors Toshihiko

JST - DFG Joint Workshop January 21, 2009 Atomic level material processing and characterization for nanoscale CMOS transistors Toshihiko Kanayama Nanodevice Innovation Research Center, AIST, Japan MIRAI project 1 New Materials and Structures

264 views • 24 slides
WAMOS 2018 Common Attack Vectors of IoT Devices 09.08.2018 Alexios Karagiozidis Motivation

WAMOS 2018 Common Attack Vectors of IoT Devices 09.08.2018 Alexios Karagiozidis Motivation

WAMOS 2018 Common Attack Vectors of IoT Devices 09.08.2018 Alexios Karagiozidis Motivation Botnetworks and Internet attacks increased rapidly Examples of security issues: Mirai-Bot-Network CVE-2018-10967, bufferoverflow via

848 views • 27 slides
Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018

Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018

Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018 https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html www.tugraz.at Large IoT Incidents September 21, 2016 &gt; 600 Gbps on Brian Krebs

1.19k views • 71 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
SIEM 101 Workshop Optimize IT with Security Information and Event Management Alex Dow Chief

SIEM 101 Workshop Optimize IT with Security Information and Event Management Alex Dow Chief

SIEM 101 Workshop Optimize IT with Security Information and Event Management Alex Dow Chief Research Officer Mirai Security Inc. Alex.Dow@miraisecurity.com GCIH|SCF|CISSP|OPST https://www.miraisecurity.com Agenda What is SIEM? Why

807 views • 25 slides
NREN SIEM Deployment Project Speakers: Alex Dow, Barb Carra, Jill Kowalchuk, Todd Williams and

NREN SIEM Deployment Project Speakers: Alex Dow, Barb Carra, Jill Kowalchuk, Todd Williams and

Conference 2018 Conference 2018 NREN SIEM Deployment Project Speakers: Alex Dow, Barb Carra, Jill Kowalchuk, Todd Williams and Ivor MacKay Speakers Alex Dow, Consultant Mirai Security Barb Carra, Chief Operating Officer Cybera Jill

292 views • 18 slides
Apache Security - I m proving the security of your w eb server by breaking into it Sebastian

Apache Security - I m proving the security of your w eb server by breaking into it Sebastian

Risk Advisory Services Apache Security - I m proving the security of your w eb server by breaking into it Sebastian Wolfgarten, 21C3, December 2004 sebastian.wolfgarten@de.ey.com 1 Berlin, Germany - 29.12.2004 Agenda Preface

697 views • 41 slides
EGI-InSPIRE Building an OpenNebula Cloud Compliant with EGI FedCloud Boris Park, CESNET

EGI-InSPIRE Building an OpenNebula Cloud Compliant with EGI FedCloud Boris Park, CESNET

EGI-InSPIRE Building an OpenNebula Cloud Compliant with EGI FedCloud Boris Park, CESNET 2014-05-23, EGI Community Forum 2014, Helsinki 1 EGI-InSPIRE RI-261323 www.egi.eu Agenda OpenNebula in the EGI Federated Cloud Introduction

356 views • 17 slides
LAMP CC ICT-SUD Setting up and integrate Apache, MySQL and PHP on a Linux system Installation

LAMP CC ICT-SUD Setting up and integrate Apache, MySQL and PHP on a Linux system Installation

LAMP CC ICT-SUD Setting up and integrate Apache, MySQL and PHP on a Linux system Installation Simple Alternative (for development/testing only): Xampp I will assume MySQL is already installed and configured (see related presentation)

619 views • 30 slides
Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP

Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP

Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP Address Required for HTTPS The 'Host' Header Mass Virtual Hosting? HTTPD's Default configuration doesn't deal well with thousands of

967 views • 20 slides
kdbus in Tizen 3.0 Hyungjun Choi Karol Lewandowski Samsung Electronics Agenda Agenda D-Bus

kdbus in Tizen 3.0 Hyungjun Choi Karol Lewandowski Samsung Electronics Agenda Agenda D-Bus

kdbus in Tizen 3.0 Hyungjun Choi Karol Lewandowski Samsung Electronics Agenda Agenda D-Bus vs kdbus Motivation and project goals First attempts kdbus in Tizen 3.0 Challenges 3 D-Bus vs kdbus D-Bus Message bus system

370 views • 33 slides
PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency

PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency

PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency Application mixing Free your Audio Interoperability with arbitrary protocols More testing of the PulseAudio code Yet another

604 views • 23 slides
Kali Linux's Experience By Raphal Hertzog &lt;hertzog@debian.org&gt; &lt;buxy@kali.org&gt;

Kali Linux's Experience By Raphal Hertzog &lt;hertzog@debian.org&gt; &lt;buxy@kali.org&gt;

Kali Linux's Experience By Raphal Hertzog &lt;hertzog@debian.org&gt; &lt;buxy@kali.org&gt; DebConf 16 2016-07-05 Cape Town Plan Presentation of Kali Linux My role in Kali Linux Hardware and software infrastructure Structure

761 views • 26 slides
Timelines @ Twitter QCon London 2012 Arya Asemanfar Thursday, March 8, 2012 Poll-based Timeline

Timelines @ Twitter QCon London 2012 Arya Asemanfar Thursday, March 8, 2012 Poll-based Timeline

Timelines @ Twitter QCon London 2012 Arya Asemanfar Thursday, March 8, 2012 Poll-based Timeline Thursday, March 8, 2012 Poll-based Timeline Thursday, March 8, 2012 Search Thursday, March 8, 2012 Streaming (aka Push) Thursday, March 8,

2.46k views • 168 slides

More recommend