IoT, Cybercriminal’s paradise - USENIX › sites › default › files › conference › ... · 2019-12-18
TRANSCRIPT
IoT, Cybercriminal’s paradise
Attila Marosi, Senior Threat Researcher (OSCE, OSCP, ECSA, CEH)
attila.marosi@{sophos.com|gmail.com}
PGP ID: 3782A65A
PGP FP.: 4D491447A4E1F016F8338700885360A73782A65A
If I were a criminal… a lazy one
• I would like to earn good money
• I would not want to work a lot
• I would hide myself as much as I could
What are the top stories recently?
Carna project
2012, 420K infected devices
ReinCarna (a ProsumWare)

```
# telnet 73.xxx.xxx.210
Trying 73.xxx.xxx.210...
REINCARNA / Linux.Wifatch
Your device has been infected by REINCARNA / Linux.Wifatch.
We have no intent of damaging your device or harm your privacy in any way.
Telnet and other backdoors have been closed to avoid further infection of this device.
Please disable telnet, change root/admin passwords, and/or update the firmware.
This software can be removed by rebooting your device, but unless you take steps to secure it, it will be infected again by REINCARNA, or more harmful software.
This remote disinfection bot is free software.
The source code is currently available at https://gitlab.com/rav7teif/linux.wifatch
Team White <[email protected]>
```
KrebsOnSecurity hit with record DDoS
Dyn was attacked by the Mirai botnet
• Twitter
• SoundCloud
• Spotify
These are too complex for most of the criminals...
• Carna, Reincarna, Mirai... these are complex malware, and developing them required real expertise
• we need a less complex solution, because we are lazy
Working a couple of days for half a million dollars!?
Seagate Central
Seagate Central
Design flaw:
- The default (anonymous) user cannot be deactivated!
- If the device is enabled for remote access, all the accounts will be available on the device, including the anonymous user.
Seagate Central
383 * 2 TB = 766 TB (free cloud)
Seagate Central
Mal/Miner-C

```
:~# ftp 90.xxx.xx.4
Connected to 90.xxx.xxx.4.
220 Welcome to Seagate Central Shared Storage FTP service.
Name (90.xxx.xxx.4:root): anonymous
ftp> dir
drwxrwsrwx    5 65534    65534       65536 Mar 14 19:29 Public
ftp> cd Public
ftp> dir
150 Here comes the directory listing.
-rw-r--r--    1 0        65534          46 Mar 14 18:52 Seagate Centra[…].url
drwxrwsrwx    3 65534    65534       65536 Feb 25 16:35 Music
-rwxrwxrwx    1 65534    65534     1578496 Feb 25 16:35 Photo.scr
drwxrwsrwx    2 65534    65534       65536 Feb 18 18:49 Photos
drwxrwsrwx    2 65534    65534       65536 Mar 10 22:21 Videos
```
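A small audit of such a listing, added here as an example (it is not code from the deck or from Sophos): it parses the LIST output and flags the two things an owner checking their own NAS should worry about, world-writable folders reachable by the anonymous user and Windows executables already sitting in a shared folder. The listing is a constructed sample modelled on the session above.

```python
import re

# Constructed sample, modelled on the anonymous session on this slide
# (not a capture from a real device).
SAMPLE_LISTING = """\
150 Here comes the directory listing.
-rw-r--r--    1 0        65534          46 Mar 14 18:52 Readme first.url
drwxrwsrwx    3 65534    65534       65536 Feb 25 16:35 Music
-rwxrwxrwx    1 65534    65534     1578496 Feb 25 16:35 Photo.scr
drwxrwsrwx    2 65534    65534       65536 Feb 18 18:49 Photos
drwxrwsrwx    2 65534    65534       65536 Mar 10 22:21 Videos
"""

# Unix-style LIST line: type, nine permission bits, link count, owner, group,
# size, month, day, time-or-year, name (the name may contain spaces).
LINE_RE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)"
    r"\s+[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+\s+(.+)$"
)
# Extensions Windows runs on double-click; Mal/Miner-C shipped as Photo.scr.
EXECUTABLE_EXT = (".scr", ".exe", ".com", ".pif", ".bat")


def parse_listing(listing):
    """Return (kind, perms, owner, group, size, name) per entry; status lines
    such as '150 Here comes the directory listing.' are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, perms, owner, group, size, name = m.groups()
            entries.append((kind, perms, owner, group, int(size), name))
    return entries


def audit_listing(listing):
    """Flag what an anonymous FTP user could abuse: directories anyone can
    write to (a drop zone for the worm) and executables already placed there."""
    findings = []
    for kind, perms, _owner, _group, _size, name in parse_listing(listing):
        other_write = perms[7] == "w"          # 'w' bit of the "other" triplet
        if kind == "d" and other_write:
            findings.append((name, "world-writable directory"))
        if kind == "-" and name.lower().endswith(EXECUTABLE_EXT):
            findings.append((name, "executable in shared folder"))
    return findings
```

On the sample it reports Music, Photos and Videos as world-writable and Photo.scr as an executable in the share, which is exactly the state the miner's dropper needs.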
MAL/MINER-C
Crypto Coin miner
Monero
• Monero (XMR) is an open source cryptocurrency
• created in April 2014
• focuses on privacy, decentralisation and scalability
• Unlike many cryptocurrencies that are derivatives of Bitcoin, Monero is based on the CryptoNote protocol and possesses significant algorithmic differences relating to blockchain obfuscation. (Wikipedia)
Mal/Miner-C
Components of the malware (stock components, freely available; the slide also shows the icon of the malware):
• 66b965d1ee4013c80f7e0e27725e43f3d316325a NsGpuCNMiner.exe
• fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107 NsCpuCNMiner32.exe
• ce1fbf382e89146ea5a22ae551b68198c45f40e4 NsCpuCNMiner64.exe
(https://bitcointalk.org/index.php?topic=647251.0)
Mal/Miner-C (Ztp.exe)
1. Generating random IP addresses
2. Opening an FTP connection to the server
3. Copying an instance of Mal/Miner-C to every folder that can be accessed
Mal/Miner-C (spreading via Ztp.exe)
[Diagram on the slide; labels: NAT, Mapped drives, Open/writable FTP, TCP/21]
Mal/Miner-C (moneropool)
After deobfuscation by ROT47 with a custom character set:
http://staYest.ru/test.html
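A decoder for this kind of custom-alphabet ROT47 variant, added here as an example and not taken from the deck or from Sophos: classic ROT47 is the special case where the alphabet is the 94 printable ASCII characters and the shift is half the alphabet. The alphabet, the placeholder host pool.example and the obfuscated sample string are all constructed, because the deck does not give the malware's real character set.

```python
# Standard ROT47 rotates the 94 printable ASCII characters '!'..'~' by 47.
ROT47_ALPHABET = "".join(chr(c) for c in range(33, 127))

# Constructed alphabet standing in for the malware's custom character set
# (the real set is not given in the deck). 40 symbols, so the half-way
# shift is 20 and encode == decode, exactly like classic ROT47.
CUSTOM_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789:/._"

# Constructed sample: "http://pool.example/test.html" obfuscated with
# CUSTOM_ALPHABET (pool.example is a placeholder, not the real host).
OBFUSCATED_SAMPLE = "1__9qrr9885sydu695yr_y._s1_65"


def rotate(text, alphabet, shift):
    """Rotate each character of `text` that occurs in `alphabet` by `shift`
    positions within that alphabet; characters outside it pass through."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate characters")
    index = {ch: i for i, ch in enumerate(alphabet)}
    n = len(alphabet)
    return "".join(alphabet[(index[ch] + shift) % n] if ch in index else ch
                   for ch in text)


def rot47(text):
    """Classic ROT47; a shift of 47 over 94 symbols is its own inverse."""
    return rotate(text, ROT47_ALPHABET, 47)


def custom_rot_encode(text, alphabet=CUSTOM_ALPHABET):
    """ROT47-style half-way rotation over an arbitrary alphabet."""
    return rotate(text, alphabet, len(alphabet) // 2)


def custom_rot_decode(text, alphabet=CUSTOM_ALPHABET):
    """Inverse of custom_rot_encode. For an even-length alphabet this is the
    same transform; for an odd length the negative shift is what matters."""
    return rotate(text, alphabet, -(len(alphabet) // 2))
```

When analysing a sample, the alphabet is recovered from the malware's own decoding routine and plugged into custom_rot_decode; the shift then falls out of the alphabet length.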
Let's speak about money
Mal/Miner-C (moneropool.com)
• stratum+tcp://mine.moneropool.com:3333
• stratum+tcp://xmr.hashinvest.net:1111
• stratum+tcp://monero.crypto-pool.fr:3333
• stratum+tcp://mine.cryptoescrow.eu:3333
Mal/Miner-C (moneropool.com)
Mal/Miner-C (profit calculation)
Total paid by MoneroPool is:
73.240 XMR = US$1.2M
World FTP scan
The result of the scan
FTP test
1. Tries to log in with the Anonymous user on TCP port 21
2. Checks whether we have write access on the device or not
FTP scan - init dataset
• From censys.io we got 12.350.314 IP addresses (12 million IP addresses)
• And we have tested 3.426.381 IP addresses from this (3,5 million IP addresses)
FTP scan result (one third - 3,5M devices)
[Chart on the slide: Restricted 91%, Anonymous 9%, Write access 0.4%]
FTP scan (one third)
10K (10337) FTP servers where you can host your malware
The results (extrapolation for 12M)
Using this ratio for 12 million IP addresses means that:
~ 37K (37.050) FTP servers can be used to host malware!
FTP scan (one third – anonymous with rw access)
[Pie chart on the slide: 68%, 9%, 23%; legend: Infected Mal/Miner-C, not touched by hackers, touched by hackers]
Final thoughts
• Even with this lazy malware criminals could earn more than US$1 million
• no need to develop good malware to earn good money
• victims would have been protected by following basic security steps
• using the FTP service with the right settings would have prevented the spreading of this malware totally
Questions?
[email protected]
PGP ID: 3782A65A
PGP FP.: 4D49 1447 A4E1 F016 F833 8700 8853 60A7 3782 A65A