IoT: New Threat Horizons - RISK conference · 2019-11-28
TRANSCRIPT
IoT: New Threat Horizons
Carl Herberger
Global VP Security Solutions
Copyright © 2018 Radware. All rights reserved.
IoT Has Changed The Threat Landscape
Here’s how…
• Unsophisticated droppers
• Factory default credentials
• Backdoors
• Disclosed vulnerabilities
• 0-days
IoT Mean Time Between Compromise
Aug 24th, 2017 – SANS Technology Institute: 2 minutes
Nov 30th, 2016 – Rob Graham @ErrataRob: 98 seconds
< 2 minutes
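The "mean time between compromise" figures above come from exposing a device and timing the first credential probe. As an added example (not from the Radware deck), the script below measures that interval from a telnet honeypot log; the log format, the sensor start time and the sample lines are constructed for illustration.

```python
"""Measuring time-to-first-probe on an exposed telnet service."""
from collections import Counter
from datetime import datetime

# Constructed sample: a telnet honeypot that came online at 12:00:00 UTC
# and logs every login attempt as: timestamp, source IP, user, password.
SENSOR_ONLINE = datetime(2016, 11, 30, 12, 0, 0)
SAMPLE_LOG = """\
2016-11-30T12:01:38 198.51.100.7 login user=root pass=123456
2016-11-30T12:01:39 198.51.100.7 login user=root pass=admin
2016-11-30T12:01:41 203.0.113.19 login user=admin pass=admin
2016-11-30T12:01:52 192.0.2.45 login user=root pass=123456
2016-11-30T12:02:03 203.0.113.19 login user=admin pass=1234
"""

def parse_attempts(text):
    """Yield (timestamp, source_ip, username, password) per login line."""
    for line in text.splitlines():
        ts, ip, kind, user, pw = line.split()
        if kind != "login":
            continue
        yield (datetime.fromisoformat(ts), ip,
               user.split("=", 1)[1], pw.split("=", 1)[1])

def seconds_to_first_attempt(text, online_at=SENSOR_ONLINE):
    """Seconds between the sensor going online and the first login probe."""
    first = min(ts for ts, *_ in parse_attempts(text))
    return (first - online_at).total_seconds()

def attempt_summary(text):
    """How many distinct sources scanned and which credential pair led."""
    attempts = list(parse_attempts(text))
    creds = Counter((u, p) for _, _, u, p in attempts)
    return {"sources": len({ip for _, ip, _, _ in attempts}),
            "attempts": len(attempts),
            "top_credential": creds.most_common(1)[0][0]}
```

Run against a real sensor log, the same two numbers (seconds to first probe, distinct sources per minute) show why a rebooted device is back in a botnet within minutes unless telnet is closed.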
IoT Botnets – The Ultimate Weaponry
• Not directly associated with the attacker
• Automated
• Geographically distributed
• Ultimately disposable
• Flexible
• Wide range of nefarious activities
• Growing in size
• Larger botnets and smarter devices = more sophisticated attacks
[Chart: botnet size by event. CCTV Botnet attack (Jun-16): 25,000; Dyn attack (Oct-16): 100,000; Jabber campaign, DDoS-for-hire offer (Nov-16): 400,000; Failed DT takeover attempt (end Nov-16): 900,000]
IoT-Based Botnets
• IoT is the birthplace for new types of bots and malware.
• Unsophisticated, yet very efficient and lethal.
Families shown: Mirai, Hajime, IoT_Reaper/IoTroop, Satori, BrickerBot, JenX, Bashlite, Linux.Aidra, RouterBotnet
Mirai Retrospective
Sept 20, 2016 – 620 Gbps attack; GRE in payload, no amplification, no reflection
Sept 21, 2016 – ~1 Tbps in volume; SYN and ACK floods; over 140,000 unique IPs
Sept 30, 2016 – Mirai source code released on Hackforums.com by Anna-Senpai
Oct 21, 2016 – DNS Water Torture attack with other vectors; some comprised of Mirai; 100k end-points reported
Nov 27, 2016 – DT router takeover attempt, Mirai w/ TR-064 exploit; 900,000 consumers’ internet connections affected
Dec, 2017 – Mirai authors Paras Jha & Josiah White (ProTraf Solutions LLC) plead guilty
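The Oct 21 entry names DNS water torture: bots query random, non-existent labels under the victim's zone so every query misses resolver caches and lands on the authoritative servers. As an added example (not from the deck), the script below flags that pattern in a resolver query log; the log format, sample lines, the two-label zone heuristic and the thresholds are constructed assumptions to be tuned for a real resolver.

```python
"""Flagging a DNS water-torture pattern in resolver query logs."""
from collections import defaultdict

# Constructed sample log: timestamp, client IP, queried name, response code.
SAMPLE_LOG = """\
2016-10-21T11:10:01 10.0.0.5 www.example.net NOERROR
2016-10-21T11:10:01 10.0.0.8 mail.example.net NOERROR
2016-10-21T11:10:02 10.0.0.21 x7k2q.example.org NXDOMAIN
2016-10-21T11:10:02 10.0.0.22 9pz1wq.example.org NXDOMAIN
2016-10-21T11:10:02 10.0.0.23 lm3d0.example.org NXDOMAIN
2016-10-21T11:10:03 10.0.0.24 qq81zt.example.org NXDOMAIN
2016-10-21T11:10:03 10.0.0.5 www.example.org NOERROR
2016-10-21T11:10:03 10.0.0.25 b0v4n.example.org NXDOMAIN
"""

def parse_queries(text):
    """Yield (client, qname, rcode) for each log line."""
    for line in text.splitlines():
        _ts, client, qname, rcode = line.split()
        yield client, qname.lower().rstrip("."), rcode

def zone_of(qname):
    """Assume the victim zone is the last two labels (fine for this sample)."""
    return ".".join(qname.split(".")[-2:])

def zone_stats(text):
    """Per zone: query count, distinct first labels, NXDOMAIN count, clients."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(),
                                 "nxdomain": 0, "clients": set()})
    for client, qname, rcode in parse_queries(text):
        s = stats[zone_of(qname)]
        s["queries"] += 1
        s["labels"].add(qname.split(".")[0])
        s["clients"].add(client)
        s["nxdomain"] += rcode == "NXDOMAIN"
    return stats

def suspected_water_torture(text, min_queries=5, nx_ratio=0.6, min_clients=3):
    """Zones where mostly-unique random labels return NXDOMAIN from many clients."""
    flagged = []
    for zone, s in zone_stats(text).items():
        if s["queries"] < min_queries:
            continue
        if (s["nxdomain"] / s["queries"] >= nx_ratio
                and len(s["labels"]) / s["queries"] >= 0.8
                and len(s["clients"]) >= min_clients):
            flagged.append(zone)
    return sorted(flagged)
```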
[Timeline chart, 2012-2018]
2012: Aidra
2014: Bashlite, TheMoon, MrBlack
2015: Moose
2016: 08/2016 Mirai; 08/2016 Rakos; 09/20 Krebs; 09/21 OVH; 09/30 Mirai source leaked; 10/19 Hajime; 10/21 DYN; 10/29 IRCTelnet (new Aidra); 11/23 400k+ Mirai botnet for rent by ‘BestBuy’; 11/27 DT, TalkTalk, Post Office UK – TR069 Exploit; 12/21 Leet botnet: 650Gbps/150Mpps DDoS attack
2017: 01/30 Linux.Proxy.10; 02/22 Mirai turns to Windows; 02/22 ‘BestBuy’ arrested in UK; 03/13 Imeij; 04/07 Amnesia; 04/10 BrickerBot; 05/09 Persirai; 08/30 WireX; 09/14 RouteX; 09/26 Linux.ProxyM; 10/23 Reaper; 11/23 Satori; 12/13 Mirai authors plead guilty
2018: 01/17 Satori continues; 01/25 Masuta; 02/03 ADB.miner; 02/08 JenX; 02/15 DoubleDoor; 02/21 OMG
Factory Default Credentials
The Cast
• Mirai: “The Weapon”
• Hajime: “The Good Bot?!”
• Reaper: “The Evolution”
• BrickerBot: “The Exterminator”
• The Janit0r: “BrickerBot author”
Mirai: The Weapon
Hajime: Friend or Foe?
• Allegedly a vigilante protecting devices from Mirai
• Discovered by Rapidity Networks
• 300K devices; no attack to date
• Removes previous malware and “immunes” the device against infections
• Keeps a back door / communication channel (also for software updates)
• Uses brute force to infect
• Propagates via BitTorrent
• Most sophisticated
IoT_Reaper/IoTroop, Satori: The Evolution
• Reaper exploits 9 known vulnerabilities in consumer-grade devices
• Uses HTTP-based exploits, rather than telnet brute force
• Appear to be Mirai variants with some similarities
• Distributed scanning
• Central loader
• Bots themselves don’t infect
• Virustotal.com detects it as Mirai
• Satori leverages a vulnerability in Huawei HG532 routers
BrickerBot
Janit0r’s “Internet Chemotherapy” Project
PDoS: Permanent Denial of Service
A DoS attack that damages a system so badly that it requires replacement or reinstallation of hardware or software
• (D)DoS – Victim resumes normal service after attack finishes
• PDoS – Leaves victim in nonfunctioning state after attack, requiring intervention to restore operations
BrickerBot
• First autonomous PDoS botnet
• Prevents devices from taking part in botnets by destroying them
• Remote execution of destructive sequence
• No malware loaded on the victim
• Limited # of bots in a “sensor network”
• Does not attack unless provoked
[Figure: BrickerBot VS IoT; stages of a bricked camera]
a) cam unreachable from WAN, can still ping on LAN
b) unreachable, also from LAN; factory reset button useless
c) no serial/USB/removable media to restore firmware; back to manufacturer or recycler
“It’s time for me to move on.”
-Janit0r
How You Can Protect Your Devices
• Protecting against known IoT threats such as Mirai, Hajime, and BrickerBot
  • Block telnet access
  • Whitelist access to necessary management protocols (TR-064/TR-069, etc.)
  • Change factory default credentials for CLI access
  • Check and upgrade firmware often
• When you are infected
  • To clean your device from infection: REBOOT
  • But… without additional measures, your devices will be re-infected within minutes
Thank You
radware.com
blog.radware.com
@ronwinward