2020 Network & Application Threat Landscape

Pascal Geenens, Radware EMEA Security Evangelist @geenensp

PAR-2995 2020 Threat Landscape

Industry Trends / Motivation / Opportunities / Tools (word cloud; the extracted text does not preserve which column each item sat in):

• Digitalization
• Cryptocurrency
• Cloud Migration
• Vulnerable IoT
• Ransom (-ware + hostage)
• Bots
• Zero Trust
• Credential Stuffing
• DDoS + Cloud
• Cloud Native
• Online Advertising
• Dark Data
• Click Fraud
• Infrastructure Abuse
• Living off the Land
• 5G
• Watering hole poisoning
• Automated Threats
• Virtual Skimmers
• Edge Cloud
• Cloud (mis)configuration
• Nation States
• AI / Automation
• Quantum Computing
• (Web App) Vulnerabilities
• Mis/Dis-information
• Deepfakes
• Open Source (Tools & Watering Hole Poisoning)

Slide 3: IoT Botnets

• IoT is (still very much) the birthplace for new types of bots and .
• Unsophisticated, yet very efficient and lethal.

Mirai BrickerBot

Slide 4: Satori, JenX, DemonBot

Kaye aka “BESTBUY” – MTS vs CELLCOM

“THERE IS NO SUGGESTION THAT CELLCOM KNEW WHAT THE EMPLOYEE WAS DOING - BUT THE INDIVIDUAL OFFERED KAYE UP TO $10,000 (£7,800) A MONTH TO USE HIS SKILLS TO DO AS MUCH AS POSSIBLE TO DESTROY LONESTAR'S SERVICE AND REPUTATION.”

Slide 5: Evolution of IoT Bot Attack Payloads

Slide 6: IoT Botnets – Living off the Land (LoL)

• Oct 2019: Palo Alto Unit42 discovers Gafgyt variant infecting IoT devices
  • Very similar to the JenX botnet discovered by Radware in Feb 2018
• Botnet targeting SOHO routers
  • CVE-2017-18368 – ZyXEL P660HN-T1A: ‘new’ (?!:-) in this variant
  • CVE-2017-17215 – Huawei HG532: present in JenX
  • CVE-2014-8361 – Realtek RTL81XX chipset: present in JenX
• Objective: DDoS attacks on the gaming industry

Slide 7: GhostDNS – SOHO Router DNS Hijacking

• Reported by Radware in August 2018: DNS hijacking attacks targeting Brazilian financial institutions to steal website login credentials
• More than 180,000 routers in Brazil had their DNS changed in Q1 2019*
• DNSChanger module: 70+ routers/firmware supported
• 50+ domain names: Banco do Brasil, Netflix, Citibank.br, etc.

[Diagram: a router at v.v.v.v, configured with DNS 8.8.8.8, has its resolver switched to a.a.a.a by a request from x.x.x.x; clients behind the router then resolve names through a.a.a.a]

http://v.v.v.v/dnscfg.cgi?dnsPrimary=a.a.a.a&dnsSecondary=a.a.a.a&dnsDynamic=0&dnsRefresh=1

Slide 8: Nation-state Sophistication – Botnet
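The request shown on the slide is a single GET to the router's dnscfg.cgi endpoint, so a router (or an upstream proxy/IDS with access to the router's HTTP log) can flag the attack from its own access log. The following detection script is an added example written for this page; it is not Radware's code and not part of the original deck. It assumes a common-log-format access log, a LAN prefix of 192.168.1.0/24 and an operator-approved resolver set (all three are placeholders), and flags any DNS rewrite that comes from outside the LAN or points at a resolver that is not on the approved list. The log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample router access log (common log format); not real data.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Feb/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.45 - - [12/Feb/2020:10:01:09 +0000] "GET /dnscfg.cgi?dnsPrimary=198.51.100.7&dnsSecondary=198.51.100.7&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 128
192.168.1.10 - - [12/Feb/2020:10:02:30 +0000] "GET /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 128
"""

# Assumptions for the example: the router's LAN is 192.168.1.0/24 and the
# operator only approves these two resolvers. Both are placeholders.
LAN = ipaddress.ip_network("192.168.1.0/24")
APPROVED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def dns_change_findings(log_text):
    """Flag every request that rewrites the router's DNS settings when it
    comes from outside the LAN or names a resolver that is not approved."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if not url.path.endswith("/dnscfg.cgi"):
            continue
        params = parse_qs(url.query)
        resolvers = set(params.get("dnsPrimary", []) + params.get("dnsSecondary", []))
        reasons = []
        if ipaddress.ip_address(rec["src"]) not in LAN:
            reasons.append("DNS change requested from outside the LAN")
        unknown = resolvers - APPROVED_RESOLVERS
        if unknown:
            reasons.append("unapproved resolver(s): " + ", ".join(sorted(unknown)))
        if reasons:
            findings.append({"time": rec["ts"], "src": rec["src"],
                             "resolvers": sorted(resolvers), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in dns_change_findings(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} -> {f['resolvers']}: {'; '.join(f['reasons'])}")
```

On the sample log only the second line is reported: it arrives from a non-LAN address and installs a resolver that is not on the approved list. The third line also rewrites the DNS settings but is a LAN client setting approved resolvers, which is the legitimate case the filter has to let through. The practical mitigation the slide implies is the same on every affected model: the management interface must not be reachable from the WAN side at all, and a log-based check like this one is only a detective control behind that.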

• Persistent stage 1
• Stage 2 download
  • Download IP encoded in GPS coordinates in EXIF metadata
  • If that fails, waits for a trigger packet from malicious agents with the IP information encoded
• Modular stage 2 malware
  • Up to 11 stage 3 plug-in modules discovered by Talos
• VPNFilter capabilities:
  – map private networks (monitor SCADA protocols, HTTP basic auth)
  – exploit endpoint systems connected to compromised devices (JS injection in HTTP)
  – identify new victims for both lateral movement within private networks as well as spreading across public networks
  – obfuscate and/or encrypt traffic to conceal exfiltrated data or command-and-control communications (Tor, RC4)
  – distributed network of proxies that can be leveraged for concealing targeted attacks (port forwarding, Shadowsocks)
  – erase and self-destruct (corrupt flash, wipe root, reboot)
• VPNFilter malware was also attributed to by the FBI

Slide 9: Nation-state IoT Attacks

• April 2019, by Microsoft Threat Intelligence Center
• Attempts by actor to compromise IoT devices
• VoIP phones, office printers and a video decoder
• Devices used to gain access to the corporate network
• Lateral movement + privilege escalation
• Attributed to APT28 (Fancy Bear)

APT28 – Fancy Bear | Russia

Nation-state adversary group known to be operating since 2008; represents a constant threat to a wide variety of organizations.
• Targets government, military and security organizations, especially Transcaucasian and NATO-aligned states
• Associated with the Russian military intelligence agency GRU, sponsored by the Russian government
• Thought to be responsible for attacks on the German Parliament, French television station TV5Monde, the White House, NATO, the DNC, and French presidential candidate Emmanuel Macron

Slide 10: Hiding in IoT

• UPnP IGD – dynamic port forwarding rules
• ip_tables – persistent port forwarding rules
• SOCKS5 – proxy servers

• Inception Framework: UPnP (*)
• VPNFilter: Shadowsocks
• OMG: Mirai enhanced with 3proxy
• ProxyM: SOCKS5 and spam mail
  • on average 400 emails per bot per day
  • 10,000 bots = 4 million messages per day
  • 40,000 attacks per day
  • targeting game servers, forums, Russian websites
  • methods including Cross-Site Scripting, SQL injection, Local File Inclusion

Slide 12: (Oct + Nov 2019) ‘Fancy Bear’ Ransom DDoS Campaign

• Global campaign
• Targeting financial institutions
• Group poses as ‘Fancy Bear’ (APT28)
• Some Asian campaign letters surfaced signed by ‘’ (APT29)
• ₿ 2 (± 19,000 USD at the time)
• Reboot of a previous campaign that ran around the same time in 2017

Slide 13: (2018) Memcached – an Old Classic turned Cloud

• Cloud services designed for internal use that were exposed to the public.

• Whatever you expose, if it can be abused, at some point it WILL be abused

10,000x up to 52,000x amplification: 15 B request --> 750 kB response

Slide 14: (Oct + Nov 2019) TCP Reflection & Amplification

• Targeting gaming (gambling) and financial industry
• TCP SYN reflection and amplification
• Internet-as-a-Reflector

[Diagram: reflected SYN traffic across ASN1, ASN2, ASN3 and ASN4]

Oct 28th: over 50,000 SYN hits on one single home digital subscriber line

Slide 15: Evasion Technique – Carpet Bombing

Spread attack traffic randomly across all IPs in the victim AS.

[Chart: Targeted DDoS vs Carpet Bombing DDoS. Left panel: traffic per Victim IP, with the targeted attack rising far above the marked detection threshold. Right panel: the same attack volume spread across the Victim ASN, with every individual IP staying well below that threshold.]
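The chart's point is that a per-destination threshold never fires when the same volume is spread over hundreds of addresses, so the detector has to aggregate by the victim's prefix or ASN as well. The following is an added example for this page, not Radware's detection logic and not code from the deck. It assumes flow summaries reduced to (destination IP, packets per second), uses a /24 prefix as a stand-in for the victim ASN (a production version would map each destination to its ASN with a routing-table lookup), and uses a 100 pps threshold and two constructed traffic sets, one targeted and one carpet-bombing, that are placeholders.

```python
import ipaddress
from collections import Counter

# Constructed flow summaries, not real data: (destination IP, packets per second).
# Targeted attack: one host takes 600 pps, its neighbours see background traffic.
TARGETED = [("198.51.100.10", 600)] + [(f"198.51.100.{i}", 2) for i in range(11, 40)]
# Carpet bombing: 200 hosts in one /24 each take 5 pps, 1000 pps in total.
CARPET = [(f"203.0.113.{i}", 5) for i in range(1, 201)]

PER_IP_THRESHOLD = 100   # assumption: the per-destination rate that trips detection


def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD):
    """Classic detection: alert on every single destination above the threshold."""
    rate = Counter()
    for dst, pps in flows:
        rate[dst] += pps
    return sorted(ip for ip, pps in rate.items() if pps > threshold)


def per_prefix_alerts(flows, threshold=PER_IP_THRESHOLD, prefix_len=24):
    """Aggregate the same flows per destination prefix (stand-in for the victim
    ASN) so traffic spread thinly over many IPs still adds up to one alert."""
    rate = Counter()
    for dst, pps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        rate[str(net)] += pps
    return sorted(net for net, pps in rate.items() if pps > threshold)


def compare(flows):
    """Run both detectors over one flow set and return what each one reports."""
    return {"per_ip": per_ip_alerts(flows), "per_prefix": per_prefix_alerts(flows)}


if __name__ == "__main__":
    print("targeted:", compare(TARGETED))
    print("carpet:  ", compare(CARPET))
```

On the constructed data the per-IP detector reports 198.51.100.10 for the targeted attack and nothing at all for the carpet-bombing set, while the prefix detector reports both /24s. The aggregate threshold has to be set from the prefix's normal baseline rather than reused from the per-IP value, otherwise a large, busy prefix alerts on ordinary traffic.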

Slide 16: Hadoop YARN – (IoT) Malware’s Migration to the Cloud

• Xbash: crypto-mining malware
• Dr.Who XMRig mining campaign: 60k+ USD to date
• DemonBot: DDoS botnet
• Jan 2020: new crypto-mining campaign targeting Alibaba (Tolisec)
• 1000+ exposed YARN servers
• Over 1M attempts per day!

Slide 17: DemonBot DDoS Console

MIGRATING TO THE CLOUD

Slide 18: DATA BREACH

Slide 19: CLOUD INFRASTRUCTURE ABUSE – Mining in the cloud

Slide 20: CLOUD INFRASTRUCTURE ABUSE – Hostage & Ransom

Slide 21: When ‘TRUST OR NOT TRUST?’ is the question, ZERO TRUST is the answer!

[Diagram: temporary credential theft through the AWS metadata service]
1. Maliciously crafted request sent to the app
2. App retrieving temporary credentials from the AWS metadata service
3. App returning the temporary AWS metadata service credentials to the hacker
4. Hacker using the temporary credentials to access S3 buckets and download PII data
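Step 1 of the diagram only works because the application will fetch whatever destination the request names, and the metadata service sits on a link-local address that a plain outbound fetch can reach. The following destination check is an added example for this page, not code from the deck or from AWS: it assumes the application exposes some URL-fetching feature and validates the destination before connecting, rejecting non-HTTP schemes and any host that resolves to a non-public address, which covers the metadata service and internal services behind the app. The `resolve` parameter exists so the check can be exercised without network access; the fake resolver in the usage is constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata service addresses that must never be reachable through a
# user-supplied URL: the documented IPv4 endpoint and AWS's IPv6 endpoint.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254"}


def resolve_all(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def classify_destination(url, resolve=resolve_all):
    """Return (allowed, reason) for an outbound fetch of `url`.

    Every resolved address is checked, not just the first, so a name that
    maps to one public and one internal address is still rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = {ipaddress.ip_address(host)}      # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolves to no address"
    for addr in addrs:
        if str(addr) in METADATA_HOSTS:
            return False, f"{addr} is the instance metadata service"
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver stand-in so the demo runs offline.
    fake = lambda h: {"internal.example": {"10.0.0.5"},
                      "public.example": {"93.184.216.34"}}.get(h, set())
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "http://internal.example/admin",
              "http://public.example/report.pdf",
              "file:///etc/passwd"):
        print(u, "->", classify_destination(u, fake))
```

Two design points matter here. First, the check works on resolved addresses (`getaddrinfo` on the real path) rather than on the URL string, so alternative spellings of the same address are normalised before comparison instead of being matched textually. Second, a check done at validation time can still be defeated by a name whose answer changes between validation and connect, so the hardened fetch should connect to the address it validated (pinning it) rather than resolving again; and on the instance side, requiring IMDSv2 session tokens and reducing the metadata hop limit removes the credential from reach of a simple GET even when a filter is bypassed.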

Slide 22: PROMISCUOUS PERMISSIONS ARE THE #1 THREAT TO CLOUD

Cloud environments create new attack surfaces not known in premise-based computing.

YOUR PERMISSIONS = YOUR ATTACK SURFACE

Slide 23: AUTOMATED THREATS

Slide 24: AUTOMATED THREATS a.k.a. ‘BAD BOTS’

Slide 25: CREDENTIAL STUFFING

In 2019 Microsoft scanned MS and Azure AD accounts using a list of three billion credentials leaked at third-party services. It said it found more than 44 million users were reusing passwords, putting their respective accounts at risk of being hijacked via credential stuffing.
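Credential stuffing replays a leaked list against many accounts from a few sources, so its footprint in an authentication log differs from a user mistyping one password: many distinct usernames per source in a short window, with a success rate near zero. The detector below is an added example for this page, not Microsoft's or Radware's code. It assumes authentication events reduced to (timestamp, source IP, username, outcome); the event lines, the 5-minute window, the 8-distinct-users floor and the 20% success ceiling are all constructed placeholders to be tuned against real baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events, not real logs: time, source IP, user, outcome.
SAMPLE_EVENTS = """\
2020-02-12T09:00:01 203.0.113.9 alice fail
2020-02-12T09:00:02 203.0.113.9 bob fail
2020-02-12T09:00:02 203.0.113.9 carol fail
2020-02-12T09:00:03 203.0.113.9 dave fail
2020-02-12T09:00:03 203.0.113.9 erin ok
2020-02-12T09:00:04 203.0.113.9 frank fail
2020-02-12T09:00:05 203.0.113.9 grace fail
2020-02-12T09:00:05 203.0.113.9 heidi fail
2020-02-12T09:00:06 203.0.113.9 ivan fail
2020-02-12T09:00:07 203.0.113.9 judy fail
2020-02-12T09:01:00 198.51.100.20 alice fail
2020-02-12T09:01:05 198.51.100.20 alice fail
2020-02-12T09:01:20 198.51.100.20 alice ok
2020-02-12T09:30:00 203.0.113.9 mallory fail
"""

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 8      # assumption: tuning values for the sample data
MAX_SUCCESS_RATIO = 0.2


def parse_events(text):
    """Turn the log text into sorted (time, src, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome == "ok"))
    return sorted(events)


def stuffing_sources(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                     max_success=MAX_SUCCESS_RATIO):
    """Sliding window per source: flag a source that tries many different
    accounts with few successes, and report the window in which it first
    crossed the thresholds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            successes = sum(e[3] for e in chunk)
            if len(users) >= min_users and successes / len(chunk) <= max_success:
                flagged[src] = {"attempts": len(chunk), "distinct_users": len(users),
                                "successes": successes,
                                "window_end": evs[end][0].isoformat()}
                break
    return flagged


if __name__ == "__main__":
    for src, info in stuffing_sources(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

On the sample, 203.0.113.9 is flagged as soon as its eighth distinct account is tried (one success among eight attempts), while 198.51.100.20, a single user failing twice and then logging in, is not. The one success inside the flagged window is the important output for response: that account was reached with a reused password and needs a forced reset, which is exactly the exposure the 44-million figure above describes. Distributed campaigns rotate source addresses, so in production the same windowing is also applied per target account and per ASN, not only per source IP.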

Source: https://www.microsoft.com/securityinsights/Identity

Slide 26: AUTOMATED THREAT LANDSCAPE

Traffic share: Humans 48%, Bad Bots 26%, Good Bots 26%

4 in 5 organizations cannot distinguish between ‘good’ & ‘bad’ bots

Slide 27: 4th GENERATION

Bot generations and the mitigation that catches each one:

Bots        | Script bot      | Headless browser bot        | Human-like bot                        | Distributed bot
Mitigation  | Blacklists      | Device/Browser              | Interaction (shallow)                 | Intent (deep)
Signals     | IP, User Agent  | Cookie, JS, fingerprinting  | Mouse movement & keystroke anomalies  | Correlation in intent signatures across devices

USER BEHAVIORAL ANALYSIS TECHNOLOGY

Slide 28: NEED FOR ADVANCED MACHINE LEARNING

UNSUPERVISED MACHINE LEARNING: clustering by commonalities; no direction on good vs bad.

SUPERVISED MACHINE LEARNING: guided classification based on history; new data samples create noise.

SEMI-SUPERVISED: best of both approaches – detect anomalies + leverage big data.

Slide 29: Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Slide 30: Continue your education

• Demos in the Walk-In Labs
• Cisco Showcase
• Meet the Engineer
• Related sessions
• 1:1 meetings

Slide 31: Thank you