Transcript of Challenges of Coordinated Linux & Android Intrusions (imf2014/docs/Casey-IMF2014.pdf)

Challenges of Coordinated Linux & Android Intrusions
IMF 2014
Eoghan Casey
May 12, 2014
Arctic Cyclone
Coordinated attacks against Linux
Advances in Android malware
Convergence of Linux threats
Forensics and security implications
Coordinated Linux Intrusions
2008 - Present
Android Malware
• Undermine the OS
• Steal information
• Download other malware
• DroidDream, DKFBootkit
• Added potential
o Conversation eavesdropping
o Geolocation tracking
o Video surveillance
Example: DroidDream
• Targeting legitimate application developers
o Embed malicious code within their applications
• Broad capabilities
o Root the operating system
o Exfiltrate IMEI and IMSI
o Download additional malware
Advanced and Persistent...
Attacker's modus operandi
• Repository of stolen SSH credentials
• Privilege escalation
• LKM rootkits with port knocking backdoor
• Trojanized SSH daemon
• Resilient C2 and exfiltration
• Destroy digital evidence
Stolen Credentials & Getting Root
• Rely on users re-using keys/passwords
o Try stolen credentials on other Linux systems
o Intruders have returned years after initial breach
• Escalate privileges
o Weak passwords (zero day exploits only if needed)
• Rinse and repeat
o Grab SSH-related information for all users on the host
known_hosts, authorized_keys, .bash_history
usernames, hostnames, IPs, passwords, keys
o Stolen information added to attacker repository
o Use stolen information to attack other Linux systems
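Scoping a breach of this kind means finding which SSH keys are trusted on more than one host, since that reuse is what lets the intruders hop between systems. The following is an added example, not code from the slides: it parses authorized_keys files gathered from several hosts (constructed sample data), fingerprints each key the way OpenSSH does, and lists the keys that more than one host trusts so they can be prioritised for rotation.

```python
import base64
import hashlib
import shlex
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
# Constructed sample: authorized_keys contents gathered per host and user.
# The key blobs are made-up base64; the line format matches real OpenSSH entries.
SAMPLE_AUTHORIZED_KEYS = {
    "web01": {
        "alice": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaliceKEY1 alice@laptop\n",
        "deploy": ('command="/usr/bin/deploy.sh" '
                   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaliceKEY1 alice@laptop\n"
                   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeployKEY02 deploy@ci\n"),
    },
    "db01": {
        "root": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaliceKEY1 alice@laptop\n",
        "bob": "# bob's workstation\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBobKEY00003 bob@desk\n",
    },
}

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) per entry; skips blanks and '#'
    comments and tolerates a leading options field such as command="..."."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values together
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                yield tok, fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
                break

def shared_keys(hosts):
    """Map each fingerprint trusted on more than one host to the (host, user)
    accounts that trust it: the lateral paths one stolen private key opens."""
    seen = defaultdict(set)
    for host, users in hosts.items():
        for user, text in users.items():
            for _ktype, fp, _comment in parse_authorized_keys(text):
                seen[fp].add((host, user))
    return {fp: accts for fp, accts in seen.items()
            if len({h for h, _u in accts}) > 1}
```

Run against real collections, the same report also shows which accounts a single compromised workstation key can reach, which is the question the "rinse and repeat" cycle above forces a responder to answer.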
Advanced Rootkits and Backdoors
Phalanx2
• Injects or loads into the memory and hides
• Disables audit subsystems
• Uses port knocking backdoor
• Sniffs TTY sessions for passwords
o Interesting interception technique
Trojanized SSH and Exfiltration
• Stores captured SSH credentials in RAM
• Automatically sends stolen data to C2 node
• Provides backdoor access
o Secret handshake to access backdoor
o Bypasses logging
• Has backup C2/exfiltration method
o In case default is blocked
o Falls back to crazy DNS lookup scheme
Quick Containment?
• Current recommendation:
"When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. Most incidents require containment, so it is important to consider it early in the course of handling each incident."
- NIST SP800-61 Rev. 1, page 3-19
Managing a data breach effectively
Effective Eradication of Intruders
Common Incident Response Mistakes
1) Underestimating the adversary
o Too quick to containment
2) Lack of evidence
o No centralized logging or backup infrastructure
3) Improper evidence handling
o Update antivirus & scan compromised systems
Linux/Android Incident Response
• Linux & Android incident response process
o Collect volatile data
o Forensic examination of Linux memory
o Forensic examination of EXT file system
o Malware forensics
• Linux & Android Memory Extraction
• Johannes Stüttgen (LMAP)
• Joe Sylve (LiME)
# insmod /sdcard/lime.ko path=tcp:6666
OR
# insmod /sdcard/lime.ko path=/sdcard
Know the Adversary
• Initial intrusions not necessarily sophisticated
o Spear phishing or vulnerable servers
• Once inside, they spread virulently
• Inside out attacks circumvent egress filtering
• Undermine security monitoring
o File system tampering
o Multiple malware versions with custom packing
o Blend in with normal traffic
o Encrypt command, control and exfiltration
Linux Memory Forensics
• Volatility and Rekall
o Malware detection modules
o Extracts memory structures
% python vol.py -f Phalanx2 linux_check_syscall
Table Name Index Address Symbol
---------- ------------------ ------------------ -----------------------
64bit 0x0 0xffffffffa0059000 HOOKED
64bit 0x1 0xffffffffa0062000 HOOKED
64bit 0x2 0xffffffffa0035000 HOOKED
64bit 0x3 0xffffffff81115351 sys_close
64bit 0x4 0xffffffffa00cb000 HOOKED
64bit 0x5 0xffffffff8111aa73 sys_newfstat
64bit 0x6 0xffffffffa00b5000 HOOKED
64bit 0x7 0xffffffff81126170 sys_poll
<edited for length>
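The HOOKED rows are what a responder needs to pull out of a run like this. As an added example (not part of the slides or of Volatility itself), the script below parses the listing, names the hooked x86-64 syscalls, and reports whether each hook points into the loadable-module region; the sample rows are copied from the slide, and the module base address is an assumption about this image's kernel layout.

```python
import re

# Sample rows constructed from the linux_check_syscall listing on the slide;
# a real run prints the whole table (hundreds of rows).
SAMPLE_OUTPUT = """\
Table Name Index Address Symbol
---------- ------------------ ------------------ -----------------------
64bit 0x0 0xffffffffa0059000 HOOKED
64bit 0x1 0xffffffffa0062000 HOOKED
64bit 0x2 0xffffffffa0035000 HOOKED
64bit 0x3 0xffffffff81115351 sys_close
64bit 0x4 0xffffffffa00cb000 HOOKED
64bit 0x5 0xffffffff8111aa73 sys_newfstat
64bit 0x6 0xffffffffa00b5000 HOOKED
64bit 0x7 0xffffffff81126170 sys_poll
"""
# x86-64 syscall numbers for the indexes shown on the slide; any other
# index is reported by number only.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close",
                   4: "stat", 5: "fstat", 6: "lstat", 7: "poll"}

# Assumption for this image: the classic x86-64 layout in which loadable
# modules are mapped from 0xffffffffa0000000 upward, above the kernel text.
MODULES_VADDR = 0xffffffffa0000000

ROW = re.compile(r"^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)$")

def parse_check_syscall(text):
    """Parse the table rows into dicts; the header and separator are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table, index, addr, symbol = m.groups()
            rows.append({"table": table, "index": int(index, 16),
                         "address": int(addr, 16), "symbol": symbol})
    return rows

def hooked_syscalls(text):
    """Return (name, index, address, region) for every HOOKED row; region is
    'module' when the hook target lies in LKM space, as a kernel rootkit's would."""
    findings = []
    for row in parse_check_syscall(text):
        if row["symbol"] != "HOOKED":
            continue
        region = "module" if row["address"] >= MODULES_VADDR else "kernel"
        name = X86_64_SYSCALLS.get(row["index"], "syscall_%d" % row["index"])
        findings.append((name, row["index"], row["address"], region))
    return findings
```

On the slide's rows the hooked entries are read, write, open, stat and lstat, all redirected into module space, which is consistent with a loaded rootkit that hides files and intercepts TTY traffic as described for Phalanx2 above.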
Linux Memory Forensics
• SecondLook
o Alerts on unknown kernel modules
o Extracts memory structures
Android Memory Forensics
• Examination of Android physical memory
o Volatility plugin for Android memory
Android File System Forensics
COTS Android File System Forensics
File System Acquisition of Android
• Smartphone forensics
o Bootloaders to bypass locked devices
o JTAG to access hardware
• Rooted devices can be acquired natively
mre$ ./adb shell
$ su
# dd if=/dev/block/userdata bs=1024 |
/system/bin/busybox nc 192.168.2.2 755
7028736+0 records in
7028736+0 records out
7197425664 bytes transferred in 24211.203 secs
Remote Android Acquisition
• F-Response
o ARM agent
o On SDcard
• GRR…?
Android Malware Analysis
• DroidDream
o Root exploit
o Data theft
o Updates
Cross Border Information Sharing
Same attackers targeting all EU member states
• Consolidate adversary knowledge
• Trust between government and industry
• Confidentiality agreements
• The more information there is to examine, the better
• Sanitize what is shared to protect victims
Information Exchange Standards
STIX – Structured Threat Information eXpression
STIX Whitepaper - makingsecuritymeasurable.mitre.org/docs/STIX-Whitepaper.pdf
Looking Ahead
• Linux and Android forensics R&D
o Current tools are limited
• Linux and Android malware IOCs
o Organizations don’t know what to look for (detect)
• Linux and Android forensic analysts
o Current expertise is lacking in this area
• Managing complexity
o Web applications, databases, distributed storage
• Expand information exchange
o EU-CERT, Europol, GRID