The Internet of Attacking Things
Post on 25-May-2018
Transcript
SESSION ID: SPO3-T10
#RSAC
Josh Shaul, Vice President, Akamai Technologies
Or Katz, Principal Security Researcher, Akamai Technologies, @or_katz
The Year of Attacking Things
(Timeline figure: 2016 to 2017, with the months Sep, Oct and Nov marked)
“Things”
“Attacking Things” From a Defensive Point of View
Challenge:
Unlimited attacking resources
Good vs. Bad
Fixing is complicated
Spotlight on Some of Those Challenges
How IoT devices are being exploited without being pwned
How compromised IoT devices empower credential abuse attacks (and why)
And finally, thoughts about how to fight it
When The Data Tell You A Story…
Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
Data:
3 TRILLION Internet transactions each day
220 THOUSAND servers around the world
80 million WAF rule triggers every hour
600,000 log lines a second
20 TB new attack data daily
According to Akamai’s Threat Research Team
30% of the total login transactions are credential abuse attacks
The Credential Abuse Numbers
Malicious activity (avg. per day):
400K IP addresses
167 attack campaigns
Campaign: average of 5K IPs and 100K email accounts
Largest campaign: 200K IPs and 25M email accounts
Each IP targets the average Web site with 20 login attempts in 24 hours
The Credential Abuse Numbers (continued)
Data intelligence:
Out of 400K IPs per day, ~25% of IPs are “single use” (no repeat activity)
Over 1 month, ~70% of the IPs attacked on only 1 day
API login vs. Web login – the API is targeted 3.7 times more than the Web
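As an added example (not Akamai's code), the routine below derives the kind of per-IP figures quoted above from raw login-attempt records: how many source IPs appear per day, what share of them are active on a single day only, how many attempts one IP makes against one site in a day, and how API logins compare with Web logins. The records are constructed with documentation-range IPs and made-up site names; the record layout is an assumption, not a format the slides describe.

```python
from collections import defaultdict

# Constructed sample records: (day, source IP, target site, login interface, success)
LOGIN_ATTEMPTS = [
    ("2017-01-01", "198.51.100.1", "shop.example", "api", False),
    ("2017-01-01", "198.51.100.1", "shop.example", "api", False),
    ("2017-01-01", "198.51.100.2", "shop.example", "web", False),
    ("2017-01-01", "198.51.100.3", "bank.example", "api", False),
    ("2017-01-02", "198.51.100.1", "shop.example", "api", False),
    ("2017-01-02", "198.51.100.4", "bank.example", "api", False),
    ("2017-01-03", "198.51.100.1", "bank.example", "api", False),
    ("2017-01-03", "198.51.100.5", "shop.example", "web", True),
]


def abuse_stats(attempts):
    """Per-IP activity statistics over a window of login-attempt records.

    Returns a dict with:
      distinct_ips                 - number of distinct source IPs in the window
      ips_per_day                  - distinct source IPs seen on each day
      single_day_share             - fraction of IPs that were active on one day only
      avg_attempts_per_ip_site_day - mean attempts by one IP against one site in one day
      api_to_web_ratio             - API login attempts divided by Web login attempts
                                     (None when no Web attempts were seen)
    """
    days_per_ip = defaultdict(set)      # ip -> set of days it was active
    ips_per_day = defaultdict(set)      # day -> set of ips seen that day
    per_ip_site_day = defaultdict(int)  # (ip, site, day) -> attempt count
    per_interface = defaultdict(int)    # "api" / "web" -> attempt count

    for day, ip, site, interface, _success in attempts:
        days_per_ip[ip].add(day)
        ips_per_day[day].add(ip)
        per_ip_site_day[(ip, site, day)] += 1
        per_interface[interface] += 1

    total_ips = len(days_per_ip)
    single_day_ips = sum(1 for days in days_per_ip.values() if len(days) == 1)
    web = per_interface["web"]
    return {
        "distinct_ips": total_ips,
        "ips_per_day": {day: len(ips) for day, ips in ips_per_day.items()},
        "single_day_share": single_day_ips / total_ips if total_ips else 0.0,
        "avg_attempts_per_ip_site_day": len(attempts) / len(per_ip_site_day),
        "api_to_web_ratio": per_interface["api"] / web if web else None,
    }


if __name__ == "__main__":
    for key, value in abuse_stats(LOGIN_ATTEMPTS).items():
        print(f"{key}: {value}")
```

Run against a real login log, the single-day share and the attempts-per-IP-per-site-per-day figure are the two numbers that tell you whether per-IP rate limiting can work at all: a source pool that is mostly single-use with a handful of attempts each will never trip a per-IP threshold.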
The Story Behind the Numbers
Many attack campaigns?
Most attacking resources are sending few logins?
Many attacking resources?
API login interfaces are much more targeted?
Why so many attacking resources, and why such a high percentage of “single use”?
Many Credential Abuse Source IPs Expose a Web Interface
CCTVs
Routers
Servers
Satellite Antennas(?!)
ADSL/Cable Modems
Hotspots
Search for ESTABLISHED TCP Connections
Seems like the SSH daemon is responsible for many active HTTP/HTTPS connections – some of which are to Akamai Edge Servers
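The observation above (an SSH daemon holding outbound HTTP/HTTPS connections) is easy to turn into a host-side check. The following is an added example, not Akamai's code: it parses `netstat -tnp`-style output, counts ESTABLISHED connections per owning program, and lists those owned by sshd that go to web ports, which is what a forwarded tunnel looks like from the device. The netstat text is constructed (documentation-range addresses, made-up PIDs); the column layout assumed is the Linux net-tools one.

```python
import re
from collections import defaultdict

# Constructed sample: sshd owns several connections to web ports, alongside one
# normal inbound SSH session, one httpd connection and a closing NTP connection.
NETSTAT_OUTPUT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:53122      ESTABLISHED 1031/sshd: admin
tcp        0      0 192.0.2.10:41222        203.0.113.80:80         ESTABLISHED 1031/sshd: admin
tcp        0      0 192.0.2.10:41223        203.0.113.80:80         ESTABLISHED 1031/sshd: admin
tcp        0      0 192.0.2.10:41224        203.0.113.81:443        ESTABLISHED 1031/sshd: admin
tcp        0      0 192.0.2.10:41225        203.0.113.81:443        ESTABLISHED 1031/sshd: admin
tcp        0      0 192.0.2.10:80           198.51.100.9:40012      ESTABLISHED 812/httpd
tcp        0      0 192.0.2.10:41300        203.0.113.5:123         TIME_WAIT   -
"""

# One TCP line of `netstat -tnp`: proto, queues, local addr:port, remote addr:port, state, owner.
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<prog>.*)$"
)

WEB_PORTS = {80, 443, 8080, 8443}


def parse_netstat(text):
    """Yield one dict per TCP connection line; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn = m.groupdict()
        conn["lport"] = int(conn["lport"])
        conn["rport"] = int(conn["rport"])
        # "1031/sshd: admin" -> "sshd"; "-" (owner unknown/unprivileged view) -> None
        prog = conn["prog"].strip()
        conn["program"] = prog.split("/", 1)[1].split(":")[0].strip() if "/" in prog else None
        yield conn


def established_by_program(text):
    """Count ESTABLISHED connections per owning program name."""
    counts = defaultdict(int)
    for conn in parse_netstat(text):
        if conn["state"] == "ESTABLISHED":
            counts[conn["program"]] += 1
    return dict(counts)


def suspicious_sshd_web_connections(text):
    """(remote address, remote port) for established sshd-owned connections to web ports.

    Normal sshd traffic is inbound on its listening port. An sshd process that
    holds connections to remote port 80/443 is relaying traffic for an SSH
    client, i.e. port forwarding or a SOCKS proxy is in use.
    """
    return [
        (conn["raddr"], conn["rport"])
        for conn in parse_netstat(text)
        if conn["program"] == "sshd"
        and conn["state"] == "ESTABLISHED"
        and conn["rport"] in WEB_PORTS
    ]


if __name__ == "__main__":
    print(established_by_program(NETSTAT_OUTPUT))
    for raddr, rport in suspicious_sshd_web_connections(NETSTAT_OUTPUT):
        print(f"sshd -> {raddr}:{rport}")
```

The same logic applies to `ss -tnp` output with a different regular expression; the point is the owner-to-destination pairing, since connection counts alone do not distinguish a busy sshd from a tunnelling one.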
Default “admin” User Cannot SSH Into the Machine
~# ssh admin@the.vulnerable.device
This account is currently not available
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Unprivileged User:/dev/null:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
ftp:x:45:45:anonymous_user:/home/ftp:/bin/false
messagebus:x:18:18:D-BUS Message Daemon User:/dev/null:/bin/false
admin:x:600:600::/var:/sbin/nologin
localdisplay:x:700:700::/tmp:/sbin/nologin
/etc/passwd format: <username>:<encrypted password>:<uid>:<gid>:<Full Name>:<Home Dir>:<Shell>
What Do We Know So Far?
No active shell sessions seen – neither under the “root” nor under the “admin” user
The “admin” user (which has the default admin:admin credentials) has /sbin/nologin configured – so an attacker can’t SSH into the machine and run commands
Was sshd tampered with to include a backdoor? We checked – no...
SSH as a SOCKS Proxy When the User Has No Shell Access
AllowTcpForwarding yes (the sshd default)
SSH(1)   FreeBSD General Commands Manual   SSH(1)
NAME
     ssh -- OpenSSH SSH client (remote login program)
-D [bind_address:]port
     Specifies a local ''dynamic'' application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
-N   Do not execute a remote command. This is useful for just forwarding ports.
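The two facts on the preceding slides (the /etc/passwd shells and the AllowTcpForwarding default) combine into one audit: an account whose shell is /sbin/nologin or /bin/false cannot run commands, but as long as sshd still allows TCP forwarding for it, an SSH client connecting with `-N` can still open forwarded channels. The code below is an added example, not Akamai's or OpenSSH's code. It parses the passwd entries shown on the slide and two constructed sshd_config texts: one with the shipped default, one hardened by disabling forwarding globally and re-enabling it only in a `Match User` block for a hypothetical account named `backup`. The parser covers only the subset of sshd_config syntax used here (keyword/value lines, comments, `Match User` blocks), and whether an account can authenticate at all (password set, PasswordAuthentication, AllowUsers) is a separate check it does not make.

```python
# /etc/passwd entries as shown on the slide.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Unprivileged User:/dev/null:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
ftp:x:45:45:anonymous_user:/home/ftp:/bin/false
messagebus:x:18:18:D-BUS Message Daemon User:/dev/null:/bin/false
admin:x:600:600::/var:/sbin/nologin
localdisplay:x:700:700::/tmp:/sbin/nologin
"""

# Constructed: AllowTcpForwarding is not set, so the OpenSSH default (yes)
# applies to every account that manages to authenticate.
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
"""

# Constructed: forwarding off globally, re-enabled only for a hypothetical
# 'backup' account that legitimately needs it.
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
AllowTcpForwarding no
Match User backup
    AllowTcpForwarding yes
"""

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Return {username: shell} for each well-formed 7-field passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = fields[6]
    return users


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords and Match criteria are lower-cased because sshd treats them
    case-insensitively. Only keyword/value lines and Match blocks are handled.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
        else:
            current[keyword] = value
    return global_settings, match_blocks


def effective_forwarding(user, global_settings, match_blocks):
    """Effective AllowTcpForwarding for `user`: first matching Match block wins,
    otherwise the global value, otherwise sshd's default of 'yes'."""
    for criteria, settings in match_blocks:
        if criteria.get("user") == user and "allowtcpforwarding" in settings:
            return settings["allowtcpforwarding"].lower()
    return global_settings.get("allowtcpforwarding", "yes").lower()


def tunnel_capable_nologin_users(passwd_text, sshd_config_text):
    """Accounts with a non-login shell for which sshd would still permit TCP forwarding."""
    users = parse_passwd(passwd_text)
    global_settings, match_blocks = parse_sshd_config(sshd_config_text)
    return sorted(
        name for name, shell in users.items()
        if shell in NON_LOGIN_SHELLS
        and effective_forwarding(name, global_settings, match_blocks) != "no"
    )


if __name__ == "__main__":
    print("weak:", tunnel_capable_nologin_users(PASSWD, WEAK_SSHD_CONFIG))
    print("hardened:", tunnel_capable_nologin_users(PASSWD, HARDENED_SSHD_CONFIG))
```

Against the weak configuration every non-login account, including `admin`, is reported; against the hardened one the list is empty while `backup` keeps forwarding. Where forwarding must stay on for some account, `PermitOpen` can additionally restrict the destinations that account may forward to, which also limits the internal-network reach discussed later in the deck.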
Demo
(Diagram: Attacker -> SSH tunnel -> Vulnerable IoT Device acting as SOCKS proxy -> malicious HTTP -> Target Web Server)
/> ssh -D 8080 -N cctv_admin@iot.vuln (requires “default” account credentials)
/> curl --proxy socks5h://localhost:8080 http://target.site/
And For My Next Trick...
(Diagram: Attacker -> Vulnerable IoT Device -> Target Web Server, with SSH tunnel 1, SSH tunnel 2, ..., SSH tunnel n in parallel)
Some of The Vulnerable Devices
Satellite Antennas
WiMax Routers
Ruckus HotSpot/Switch
Synology NAS Disk Station
And the Cherry on the Cake... Breaching Internal Networks
Attackers Can Use the SSH Tunnel to Access Machines on the Internal Network
(Screenshot: scanning the internal network through the tunnel; the IP of an internal machine is highlighted)
SSHowDowN
The Challenges That Are Ahead of Us
Abuse of IoT devices to execute more behavioral attacks (which are harder to detect)
More and more compromised devices will join the “game”
The scale of volumetric attacks will increase
As more and more devices get connected, IPv6 adoption will increase, amplifying IPv6 issues
How To Fight It?
IoT vendors should make sure they build devices that are:
Safe
Secured
Patchable
Anti-automation – differentiate bots from humans
Threat intelligence – with emphasis on infected IoT devices
Use crowd-sourcing techniques to fight elusive attackers
Be prepared to fight off the new generation of volumetric attacks (>600Gbps)
Q&A