
Speaker
Principal Threat Researcher Evangelist
27 years in IT; 20+ years in InfoSec (CISSP, GLEG)
President and founder of the Seattle chapter of InfraGard
Specialist in Compliance/Audit and Web App Security
Author and Speaker
[email protected] / @dunsany

APPLICATIONS ARE
• The reason people use the Internet
• The business
• The target
• The gateway to DATA

What do Apps mean to Public Sector Orgs?

App Security survey of 3,135 IT security pros (US, Canada, United Kingdom, Brazil, China, Germany, India) across 14 industries (F5 Ponemon Survey)

Apps Importance:
                  % of web apps considered   Web apps in use       Web app environments/
                  mission critical           in an organization    frameworks in use
Public Sector     32%                        680                   9.32
Average           34%                        760                   9.93

App categories:
Communication apps 80%
Remote access 58%
Doc management and collaboration 57%
Office suites 69%
Backup and storage 58%
Social apps 35%
Financial apps 19%
Developer tools 16%
Project management 7%
F5 Ponemon Survey

What Happens When Apps Are Attacked?

Diagram: attack types mapped to application tiers (Client, App services, API, DNS, Access, TLS, Network). Attack types shown: Cross-site request forgery, Cross-site scripting, Man-in-the-browser, Malware, Phishing, API attacks, Session hijacking, Injection, Abuse of functionality, Man-in-the-middle, DDoS, DNS cache poisoning, DNS spoofing, DNS hijacking, Credential theft, Credential stuffing, Dictionary attacks, Brute force, Key disclosure, Eavesdropping, Protocol abuse, Certificate spoofing.

Top 20 targeted ports:

Port    Service
5060    SIP
445     SMB
2222    SSH & Rockwell ICS
443     HTTPS
3389    RDP
1433    SQL Server
22      SSH
80      HTTP
3306    MySQL
23      Telnet
5061    Secure SIP
54184   (no service listed)
5900    VNC
8291    MikroTik
7547    TR069
5902    VNC-2
8080    HTTP
25      SMTP
139     Netbios
8545    JSON

Country: Estonia, Netherlands, US, France, Russia, China, Canada, South Korea, Ukraine

Russian IPs targeting SIP. SSH port and/or Rockwell ICS targeting is distributed across lots of IPs and countries.

Injection → PHP & SQL

2018 Application Attacks:
Login 1%
Affiliates 1%
Admin 2%
Betablock 2%
Cart 3%
Comments 4%
Exchweb 6%
SQL 56%
PHP 58%

Injection → PHP

2019 Application Attacks:
Affiliates 0%
Betablock 0%
Cart 0%
Exchweb 0%
ASP 1%
Comments 2%
Admin 3%
SQL 8%
PHP 81%

Injection
• Web code injection and form jacking attacks like Magecart
• RCE vulnerabilities in:
  • ThinkPHP CVE-2018-10225
  • Oracle WebLogic CVE-2017-10271
  • ElasticSearch CVE-2014-3120
  • Jenkins CLI SignedObject Deserialization CVE-2017-1000353
  • Network Weathermap cacti plug-in CVE-2013-3739
  • Oracle WebLogic WLS Security Component CVE-2017-10271

Industry

Breaches (2019):
Web Breaches 36% (mostly injection)
Access-related (Phishing, email) 23% (mostly phishing and email)
Accidents/Misconfig 23%
Physical theft 9%
Malware 9%

Breach timeline (2011–2019):
Feb 2019 – RequestBin
Oct 2018 – Github
Oct 2018 – Quoine Attack
Oct 2018 – Girl Scouts
Sep 2018 – British Airways
Sep 2018 –
Sep 2018 – Apple MDM
Aug 2018 – SalesForce
Aug 2018 – T-Mobile
July 2018 – Venmo
Apr 2018 – RSA Conference App
Mar 2018 – Binance
Mar 2018 – Google
Jan 2018 – Tinder
Nov 2017 – Nov 2018: US Postal Service
Aug 2017 – Instagram
Feb 2017 – WordPress
Mar 2015 – Tinder
Sep 2011 – Westfield
Themes: 1. Mobile Apps 2. Direct APIs; 1. Basic Security Fails 2. Injection 3. Permissions

Exposed database timeline (2011–2019). Basic Security Control Failures: 1. Exposed DB with weak/no auth 2. Weak Access Control 3. Configuration Error
Entries: Dow Jones High Risk watchlist DB; China surveillance program DB; Kremlin DBs; Ascension DB; Oklahoma FBI files DB; Hadoop; Guardzilla records DB; Tesla AWS acct; Alteryx DB; Aggregate IQ DB; Verizon customer DB; Robotics manufacturer for cars DB; GoDaddy architecture; IPv6 ISP DB; Tea Party DB; Booz Allen and Pentagon DB; JC Penny; Stein Mart DB; Title Nine Sports DB; North American Power and Gas DB; Integrated Practice Solutions DB; Capital Digestive Care DB; RNC voter DB; Accenture's Cloud Platform; Army Intelligence and Security Command DB; DOD Surveillance DB; Credit Repair Service DB; Viacom's master controls; Dow Jones/WSJ/Barrons customer DB; WWE Fan DB; Uber Github account; Mexican voter DB; Microsoft Business Productivity Online Suite

Company Research
• Who works there
• Tech infrastructure
• Types of endpoints (PC/Mac/OS)
• SEC filings
• Lawsuit filings
• Aggregator search tools for corporations
• Individuals & department names
• Business partners & affiliates
• IP space
• WHOIS info
• Email addresses and format

Social Media
• Interests / interest groups
• Friends, family and relationship information
• Style of speaking
• Writing style
• Work history
• Education
• Comments on links
• Important life event dates
• Places visited
• Favorite sites, movies, TV shows, books, quotes
• Photographs
• Hacked “Private” account data

People Search Engines
• Facebook information
• Email address (which leads to possible usernames)
• Education, income / salary range
• Phone numbers
• Age / age range
• Race
• Home address
• Middle name, maiden name, spouse and family names

Misconfigurations
• Server names
• Private network addresses
• Email addresses
• Usernames
• DNS servers
• Self-signed certs
• Email headers
• Web servers
• Web cookies
• Web applications

APTs / Nation-states That Phish

Chart (values as shown): 10-19 min; 2.5 hrs; ?; 4 hrs; 10 hrs; For-profit cyber criminals

3X: Phishing emails are 3 times more likely to have a malicious LINK than a malicious FILE (attachment).
Email sent from North Korean APT in Sony compromise.
Email sent from North Korean APT related to Bangladesh Bank heist.

HTTPS is an Attacker Disguise
93% of phishing domains use HTTPS to appear more legitimate.

Majority of Malware Hides in Encryption
70% of all Internet traffic is encrypted.
68% of malware phones home over port 443.

Thingbot timeline figure (2008–2018): Discovered thingbots and Affected Devices; 84% since (reference point on figure).
Affected devices: CCTV DVRs, SOHO routers, iOS, WAPs, Set-Top Boxes, Media Center, ICS, Android, IP Cameras, Wireless Chipsets, NVR Surveillance, VoIP Devices, Cable Modems, Busybox Platforms, Smart TVs
Thingbots shown: Death, Okane, Anarchy, Torii, SORA, Yasaku, OWARI, Hajime, Thanos, UPnPProxy, Trickbot, WireX, OMNI, IRC Telnet, Reaper, RoamingMantis, Annie, Wicked, Masuta, VPNFilter, Crash override, Satori, Fam, Vermelho, PureMasuta, DaddyL33t, Amnesia, Miori, Hide ‘N Seek, Josho, Psyb0t, Moon, Persirai, IZIH9, JenX, Tokyo, Mirai, APEP, OMG, Extendo, BigBrother, Brickerbot, SEFA, Hydra, Aidra, Darlloz, Gafgyt, DoubleDoor, Hakai, Radiation, Yowai, Marcher Family, Gr1n, Katrina, Akiru / Saikin

Common IoT Set Up

Oct 2016: Cellular Gateway Discovered

• Investigating airport incident in Europe + BASHLITE on a DVR digital signage solution (same timeframe as Dyn DNS DDoS attack)
• Service and host managed by 3rd party
• 39 active threat actors
• Numerous log entries show incoming attacks
  • Mirai, shellshock, brute force
• Sierra Wireless device

Note: System owner sent drives to us for forensic analysis and authorized scanning of their network.

Sierra Wireless Cellular Gateways
NO DEPENDENCY on any vulnerability within the hardware or software.
DEFAULT PASSWORD *****
WAN IP 166.139.19.193
Bruteforce attack(s) are unnecessary.
PUBLIC GPS COORDINATES 40° 49’ 51.5” N 47° 26’ 03.5” W

SierraWireless.com Case Studies

St John Ambulance, Western Australia
East Baton Rouge Parish Emergency Medical Services (EMS), Louisiana
California Highway Patrol, California
Mississippi Highway Safety Patrol
Ventura County Fire Department, California
Gem Ambulance, New Jersey
South Bay Regional Public Communications Authority (SBRPCA), California
City of Charlotte, North Carolina
Dickinson Police Department (DPD), Texas
West Metro Fire Protection District, Colorado
Fairfax's Urban Search and Rescue Team, Virginia
Westminster Police Department, Colorado
South Wales Police, Wales
Danish National Police, Denmark
City of Yakima, Washington
Acadian Ambulance Service, Louisiana & Texas
Seattle Fire Department, Washington

Fleet / Vehicle Tracking

GPS Data Logging (TAIP)
TRACCAR – Open Source Fleet Software

Device                     Finding
Sierra Wireless LS300      Hard coded tech support back door
Sierra Wireless GX450      Weak Authentication
Sierra Wireless ES440      Weak Authentication
Moxa OnCell G3xxx          Weak Authentication
Digi TransPort WR44        No Authentication
CradlePoint                Weak Authentication
DISCLOSED 10/16/2018

Logged HTTP requests with user-agent "Keurig K575 Coffee Maker" (RFC2324: Hyper Text Coffee Pot Control Protocol), arriving from various dynamic/private source ports (49152 - 65535):

timestamp                      source_ip        source_port  destination_port  verb  path
2018-07-19T20:31:04.000-0700   185.112.249.24   56946        80                GET   /
2018-07-23T12:16:41.000-0700   185.112.249.24   49180        80                GET   /
2018-07-25T10:04:52.000-0700   185.112.249.24   40755        80                GET   /
2018-07-25T10:14:46.000-0700   185.112.249.24   40755        80                GET   /
2018-07-28T06:29:53.000-0700   185.112.249.28   50225        80                GET   /
All records: protocol http, empty body, header accept: */*

Shifting to multi-purpose

Thingbot Attack Type figure (2008–2018). Attack types: DNS Hijack, Crypto-miner, DDoS, PDoS, Proxy Servers, Unknown…, Rent-a-bot, Credential Collector, Install-a-bot, Multi-purpose Bot, Fraud trojan, ICS protocol monitoring, Node, Sniffer
Thingbots shown: Death, SORA, Okane, OWARI, Anarchy, Hajime, UPnPProxy, Torii, Trickbot, WireX, OMNI, Yasaku, IRC Telnet, Reaper, RoamingMantis, Thanos, Annie, JenX, Wicked, Crash override, Satori, Fam, OMG, VPNFilter, Amnesia, Vermelho, Masuta, DaddyL33t, Persirai, Miori, Psyb0t, Josho, Moon, PureMasuta, IZIH9, Remaiten, Hide ‘N Seek, Tokyo, Mirai, APEP, DoubleDoor, Extendo, BigBrother, SEFA, Hydra, Aidra, Darlloz, Gafgyt, Hakai, Katrina, Yowai, Marcher Family, Radiation, Brickerbot, Akiru / Saikin

Public Sector vs. Average (scale 0–12; F5 Ponemon Survey):
                          Public Sector   Average
DoS of App                5.07            7.19
Tampering with App        9.64            8.54
Leakage of PII            4.05            6.57
Leakage of Confid Info    8.77            9.08

Credential Theft 78%
DDoS 52%
Web Fraud 39%
Cross-site Scripting 26%
SQL Injection 25%
Clickjack 22%
Cross-site Request Forgery 18%
F5 Ponemon Survey

CISO’s #1 Mission: Prevent Downtime
Everyone’s #1 Challenge: Visibility

1 Understand Your Environment

CIO or CTO 31%
Business Units (LOB) 18%
No One Person or Department 18%
Head of Application Development 17%
CISO or CSO 11%
Compliance Officer 4%
Head of Quality Assurance 0%
F5 Ponemon Survey

2 Reduce Your Attack Surface
• Sub domains hosting other versions of the main application site

• Web service methods
• Server-side features such as search
• Cookies/state tracking mechanisms
• APIs
• Data entry forms
• Web pages and directories
• Dynamic web page generators
• Administrative and monitoring stubs and tools
• Shells, Perl/PHP server-side code
• Events of the application—triggered HTTP headers and cookies
• Data/active content pools—the data that populates and drives pages
• Backend connections through the server (injection)
• Admin interfaces
• Apps/files linked to the app
• Helper apps on client (java, flash)

Average Days Between Vulnerability Releases (2014–2018, Critical and High); values shown: 1.7, 1.4, 0.9, 0.8, 0.6, 0.5, 0.4, 0.5, 0.3, 0.2
Process: Vuln released → Applicable? → Test (9-12 hours) → Apply & Retest → Firewall what you can’t fix → Continuous improvement

3 Prioritize Defenses Based on Attacks
Focus OpEx & CapEx spend:
Web App Firewall (WAF) 29%

Application Scanning 19%
Penetration Testing 22%
Anti-Malware Software 8%
Anti-DDoS 7%
Intrusion Prevention System (IPS) 6%
Web Fraud Detection 4%
Next-Generation Firewall 2%
Traditional Network Firewall 4%
F5 Ponemon Survey

Phishing success 33% without training.
Phishing success 13% with training.

71% of phishing impersonates 10 organizations.
Phishing targets (figure): Sys Admins, Execs, HR, Accounting; Desktops, Laptops, Phones; Identities, IP, Money, Data, Apps