Larry W. Cashdollar, SIRT · •Crypto Currency Mining •Data Exfiltration •DDoS Attacks...

Making the Internet fast, reliable and secure Larry W. Cashdollar, SIRT


©2017 AKAMAI | FASTER FORWARDTM

Who Am I

• Akamai Security Intelligence Response Team (SIRT)
• Humble Vulnerability Researcher
• 17 Years at Akamai
• Discovered 200+ Vulnerabilities
• Penetration Tester Back in Late


What does Akamai Do?

• Distributed cloud platform, on-demand scale
• Delivering 15-30% of all daily web traffic
• 2 trillion cloud interactions daily
• 150M mobile apps delivered daily
• Defending against attacks over 1Tbps
• Enabling $300 billion in annual e-commerce
• A single network hop from 85% of Internet users

Enterprise · High Tech · Media · Public Sector · Commerce

• 10 of the Top 10 World Banks
• 10 of the Top 12 Security Software Companies
• All of the Top 30 Media Companies
• All branches of U.S. Military
• 97 of the Top 100 Retailers


Akamai SIRT: What We Do

Security Intelligence Response Team (SIRT):
• Incident Response for Akamai customers
• HTTP(s), DNS, and the infrastructure
• Threat Research
• SOTI (State of the Internet report)

We collect and provide information:
• OSINT
• Coordination with peer CERT/SIRT/SOC
• Threat intelligence
• Discussions with policy-makers
• Customer outreach (internal and direct)


Topics

• Advanced Persistent Threats
• Adversarial thinking
• IoT Proxies
• Crypto Currency Mining
• Data Exfiltration
• DDoS Attacks
• Spectre & Meltdown


Advanced Persistent Threats


APTs


Winter Olympics 2018

• Atos provided IT support for the Winter Olympics
• Attackers had detailed knowledge of the Atos internal network
• Olympic Destroyer malware
• Various Atos accounts compromised

• What might have happened?
• What might have helped?


DDoS for Ransom


DDoS for Ransom - Then

• DD4BC (DDoS for Bitcoin)
• DDoS delivered with booter sites or an IoT botnet such as a Mirai variant
• Started up again recently: PhantomSquad
• Threatening targets at random
• Lots of copycats:
• Lizard Squad
• Armada Collective
• mirai guy


Typical Extortion Attempt

Extortion occurs in two phases:

• Attack: the attacker hits the target with a medium to large DDoS (3-6 Gbps)
• Demand: the attacker demands payment to stop the attack and threatens additional attacks

• The rise of bitcoin has enabled these attacks, as it allows quick, pseudonymous payment. Demands are usually in bitcoins.
• Some attackers are CDN aware and will launch direct-to-origin DDoS attacks, bypassing some defenses. An origin that accepts traffic only from the CDN's address ranges, and whose address is not exposed in DNS, gives this bypass nothing to hit.


Ransom Email


DDoS for Monero - Now

• Memcached
• "Short term memory" for your web applications
• Stores information in RAM instead of pulling from the database
• The software contains a design flaw: when it listens on UDP it answers unauthenticated requests from anyone, so it can be abused to reflect and amplify requests at a target

Attack details
• Protocol: User Datagram Protocol (UDP)
• UDP reflection and amplification


UDP Reflection and Amplification

Attacker (xx.xx.xx.xx, xx.xx.xx.xy) -> Vulnerable Server (d.d.d.b) -> Victim (v.v.v.v)

UDP query, IP header: src: v.v.v.v (spoofed), dst: d.d.d.b
UDP response, IP header: src: d.d.d.b, dst: v.v.v.v

The attacker writes the victim's address into the source field of the query, so every UDP response from the vulnerable server is delivered to the victim instead of the attacker.


GitHub

• Attackers abused Memcached servers to target GitHub
• Generated a 1.3Tbps DDoS attack*
• How? A 15-byte request results in a 750kB response (roughly 50,000x amplification)
• The payload in the UDP packets contained a ransom note

* Akamai's Prolexic solution stopped the attack in less than 8 minutes
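An added example, not code from the deck or from Akamai, covering the two slides above: it builds the 15-byte memcached UDP "stats" probe that the attacker sends with a spoofed source (8-byte memcached UDP frame header plus the ASCII command, which is the real wire format), computes the amplification factor from the numbers on the slide, and runs a simple reflection-victim check over constructed flow records. The flow tuple layout and the sample records are assumptions for the example.

```python
import struct
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211


def memcached_udp_frame(command: bytes, request_id: int = 0) -> bytes:
    """Build one memcached UDP datagram: the 8-byte UDP frame header
    (request id, sequence number, total datagrams, reserved) followed by
    the ASCII command. An attacker sends this with the victim's address
    as the IP source, so the large reply goes to the victim."""
    header = struct.pack("!HHHH", request_id, 0, 1, 0)
    return header + command


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes reflected per byte sent."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=3, min_avg_bytes=1000):
    """Flag hosts that receive large UDP datagrams *sourced from* port 11211
    on several distinct servers: the victim side of the spoofed exchange.
    Each flow is (proto, src_ip, src_port, dst_ip, dst_port, bytes, pkts),
    an assumed layout for this example. Returns {victim: (reflectors, bytes)}."""
    per_victim = defaultdict(lambda: [set(), 0])
    for proto, src_ip, src_port, dst_ip, _dst_port, nbytes, pkts in flows:
        if proto != "udp" or src_port != MEMCACHED_UDP_PORT or pkts == 0:
            continue
        if nbytes / pkts < min_avg_bytes:   # small replies look like real client use
            continue
        per_victim[dst_ip][0].add(src_ip)
        per_victim[dst_ip][1] += nbytes
    return {
        victim: (len(reflectors), total)
        for victim, (reflectors, total) in per_victim.items()
        if len(reflectors) >= min_reflectors
    }


# Constructed sample flow records (not real traffic). Four exposed memcached
# servers answer "stats" toward the spoofed address 203.0.113.10; one server
# answers a genuine client with small datagrams; one TCP flow is unrelated.
SAMPLE_FLOWS = [
    ("udp", "198.51.100.1", 11211, "203.0.113.10", 54321, 1_400_000, 1000),
    ("udp", "198.51.100.2", 11211, "203.0.113.10", 54321, 2_800_000, 2000),
    ("udp", "198.51.100.3", 11211, "203.0.113.10", 54321, 700_000, 500),
    ("udp", "198.51.100.4", 11211, "203.0.113.10", 54321, 1_400_000, 1000),
    ("udp", "198.51.100.9", 11211, "192.0.2.7", 40000, 12_000, 100),
    ("tcp", "198.51.100.9", 11211, "192.0.2.8", 40001, 500_000, 400),
]

if __name__ == "__main__":
    probe = memcached_udp_frame(b"stats\r\n")
    print(len(probe), "byte probe")                     # 15, as on the slide
    print(amplification_factor(len(probe), 750_000))  # 50000.0
    print(find_reflection_victims(SAMPLE_FLOWS))
```

The probe comes out at exactly 15 bytes (8-byte header plus `stats\r\n`), which is the request size quoted on the slide. On the server side the fix is to stop listening on UDP at all (`memcached -U 0`, the default since memcached 1.5.6) and to bind to localhost; on the network side, BCP 38 egress filtering is what stops the spoofed queries from leaving the attacker's network in the first place.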


IoT Proxies


IoT Proxies

• IoT devices being used as proxies for:
• Web application attacks
• Brute force login attempts
• Fraud
• Advanced adversaries are chaining proxies to mask their activity
• Also attempting to exploit the internal networks the devices sit on


Data Exfiltration


Data Exfiltration

• Phishing / Spear-Phishing
• Stolen Credentials
• RAT (Remote Access Trojan)

• SQL Injection
• Misconfiguration
• RDP / Weak Credentials
• Open AWS S3 Bucket

• Other Application Vulnerability
• Apache Struts (Equifax)


Spotlight on Equifax

• 143 Million Records
• Name
• Social Security Number
• Birthdate
• Address

Breach vector: a vulnerability in Apache Struts 2, CVE-2017-5638 (not Tomcat). The Jakarta Multipart parser evaluated an attacker-supplied OGNL expression carried in the Content-Type header, giving unauthenticated remote code execution. A fixed Struts release had been published in March 2017, before the intrusion.
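An added detection example for the Equifax vector above; it is not code from the deck, from Akamai, or from the Struts project. It classifies the Content-Type header of each request and flags values that carry OGNL expression markers or are not a media type at all, then runs that check over a few constructed log lines. The marker list is a set of commonly published indicators and is an assumption for the example, not an exhaustive signature; the log format is invented for the example.

```python
import re

# OGNL expression markers drawn from published indicators for CVE-2017-5638
# (Apache Struts 2, Jakarta Multipart parser). The vulnerable code built an
# error message that embedded the request's Content-Type value and then
# evaluated it as OGNL, so the attacker's expression lived in that header.
# Assumption for this example: this list is illustrative, not exhaustive.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext@|#context\[|"
    r"getRuntime\(\)|ProcessBuilder",
    re.IGNORECASE,
)

# A well-formed Content-Type is type/subtype, optionally followed by
# ";"-separated parameters (simplified RFC 7231 media-type syntax).
MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+\s*(;.*)?$")

# Constructed log format for this example (not any real server's format):
#   <client-ip> "<method> <path>" <status> content_type="<header value>"
LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d+) content_type="(.*)"$')


def classify_content_type(value: str) -> str:
    """Return 'ognl' for a value carrying OGNL markers, 'malformed' for a
    value that is not a media type at all, and 'ok' otherwise."""
    if OGNL_MARKERS.search(value):
        return "ognl"
    if not MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


def find_struts_probes(log_text: str):
    """Scan log lines and return (client_ip, path, reason) for every request
    whose Content-Type header is not a plain media type."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, path, _status, ctype = m.groups()
        reason = classify_content_type(ctype)
        if reason != "ok":
            hits.append((ip, path, reason))
    return hits


# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 "POST /index.action" 200 content_type="%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"
198.51.100.7 "POST /upload.action" 200 content_type="multipart/form-data; boundary=----FormBoundary1234"
192.0.2.9 "POST /api/login" 401 content_type="application/json"
203.0.113.5 "GET /index.action" 200 content_type="${(#x='probe')}"
198.51.100.8 "POST /index.action" 500 content_type="garbage"
"""

if __name__ == "__main__":
    for hit in find_struts_probes(SAMPLE_LOG):
        print(*hit)
```

A match on the header is a detection, not a mitigation: the fix was to upgrade to Struts 2.3.32 or 2.5.10.1 or later, and the lesson from Equifax is that the window between the advisory and exploitation was a matter of days, so the inventory of which applications embed Struts has to exist before the advisory lands.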


Data Breach Fallout

Primary
• Lack of consumer trust
• Lawsuits

Secondary
• Fuel for credential stuffing attacks*
• Leaked data sold on the dark web

* 40% of all login attempts are malicious
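An added example of the secondary fallout above, not code from the deck or from Akamai: a credential stuffing detector run over constructed login events. The distinguishing feature used here is that a stuffing tool replays a breached username list, so one source IP tries many distinct usernames with mostly failures inside a short window, whereas a legitimate user retrying a mistyped password keeps one username. The log format, thresholds and sample events are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_login_log(text: str):
    """Parse constructed lines: '<iso-timestamp> <ip> <username> <OK|FAIL>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within one sliding time window, try at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.
    Returns {ip: {"distinct_users", "attempts", "failures"}} summarising
    all events from each flagged IP. Thresholds are example assumptions."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len({e[2] for e in evs}),
                    "attempts": len(evs),
                    "failures": sum(1 for e in evs if e[3] == "FAIL"),
                }
                break
    return flagged


def malicious_share(events, flagged) -> float:
    """Fraction of all login attempts that came from flagged sources."""
    return sum(1 for e in events if e[1] in flagged) / len(events)


# Constructed sample: one stuffing source cycling through a breached list
# (one hit among the failures), one real user mistyping a password twice,
# and one clean login.
SAMPLE_LOG = """\
2018-03-01T10:00:00 203.0.113.50 alice FAIL
2018-03-01T10:00:01 203.0.113.50 bob FAIL
2018-03-01T10:00:02 203.0.113.50 carol FAIL
2018-03-01T10:00:03 203.0.113.50 dave FAIL
2018-03-01T10:00:04 203.0.113.50 erin OK
2018-03-01T10:00:05 203.0.113.50 frank FAIL
2018-03-01T10:00:06 203.0.113.50 grace FAIL
2018-03-01T10:00:07 203.0.113.50 heidi FAIL
2018-03-01T10:01:00 192.0.2.10 alice FAIL
2018-03-01T10:01:20 192.0.2.10 alice FAIL
2018-03-01T10:01:45 192.0.2.10 alice OK
2018-03-01T10:02:00 198.51.100.20 bob OK
"""

if __name__ == "__main__":
    evs = parse_login_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    print(hits)
    print(f"{malicious_share(evs, hits):.0%} of attempts from flagged sources")
```

The single OK inside the flagged burst is the point of the attack: a reused password from a breach works, and that account is the one to force a reset on. Real deployments spread the attack across the IoT proxies from the earlier slides, so per-IP thresholds are only a first layer; the same window logic applied per username list fingerprint or per ASN catches the distributed form.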


IoT and Mobile Botnets


IoT and Mobile device botnets

• Mobile devices (WireX)
• Android devices
• Malware embedded in applications
• 3rd party marketplaces

• IoT botnet (Mirai)
• Innocuous internet connected devices
• Web cameras
• Routers
• Tea kettles!


CryptoMining


Crypto Currency Mining

• Adversaries monetizing your CPU cycles
• IoT devices
• CVE-2017-17562 GoAhead Web Server
• Enterprise
• Getting access to your web and application servers
• Easily exploitable remote code execution bugs in enterprise systems
• Example: Oracle's WebLogic Server (CVE-2017-10271)
• Desktop
• Malware
• Web browser


Spectre & Meltdown


Spectre & Meltdown

• Hardware level vulnerabilities in speculative execution
• Spectre: allows a malicious actor to trick a victim process into speculatively touching memory it should not expose, then recover that data through the CPU cache as a timing side channel (reading across process and sandbox boundaries)
• Meltdown: allows a malicious actor to read privileged (kernel) memory from an unprivileged process

Risks
• Attackers are integrating these vulnerabilities into malware
• Cloud infrastructure
• Virtual environments

On Linux, the kernel reports its mitigation status for each of these flaws under /sys/devices/system/cpu/vulnerabilities/, which is the first thing to check on a shared host.


Weaponization of AI


The Weaponization of AI

• Machine learning being used in:
• Threat identification
• Threat mitigation
• Threat modeling

• Adversaries will also utilize AI
• Spear phishing
• AI can now craft convincing fake messages en masse


Evolving Attacks

• Ransomware -> Crypto Currency Mining
• Malware -> Utilizing Spectre & Meltdown
• Mobile & IoT device botnets -> Utilized for attacks and crypto currency mining
• Credential stuffing -> Will increase with large data breaches
• DDoS attacks -> Increase in UDP amplification attacks


Questions?

• Email: [email protected]
• Twitter: @_larry0

Thank You!
