OWASP London July 2019 Advanced Bots and Security Evasion Techniques

PRESENTED BY: David Warburton, Snr Threat Research Evangelist, F5 Labs

Who Am I? David Warburton

• Senior Threat Research Evangelist, F5 Labs
• Royal Holloway MSc Information Security (Distinction)
• AppSec, Identity & Auth, Cryptography & PKI

@warburtr0n

• What are bots?
• Advanced Bot Techniques
• Detecting and mitigating Bots

Bot Breakdown

[Chart: Bot Breakdown – share of traffic by Humans, Good Bots (Monitoring Bots, Commercial Crawlers, Search Engine Bots, Feed Fetchers) and Bad Bots (Impersonators, Scrapers, Spammers, Hacker Tools). Source: GlobalDots Bot Report]

77% of web app attacks started with botnets. Source: Verizon

Bots by Industry

Industry                 Bad Bots   Good Bots   Human
Travel (no Airlines)       4.50%      3.46%    92.04%
Real Estate               12.44%     37.21%    50.35%
Insurance                 12.88%     18.65%    68.47%
Adult Entertainment       17.57%      0.47%    81.96%
Travel (incl. Airlines)   19.24%      2.51%    78.25%
Ecommerce                 21.45%     16.49%    62.06%
Tickets                   22.97%      7.82%    69.21%
Healthcare                24.37%     57.59%    18.04%
Financial                 24.66%      4.35%    70.99%
Airlines                  43.90%      0.93%    55.17%
Gambling                  53.10%      0.09%    46.81%
(% of Traffic)

Source: GlobalDots Bad Bot Report 2018

Good vs Bad
Bot types: Crawler, DOS Tool, E-Mail collector, Exploit tool, Headless browser, HTTP library, Network Scanner, RSS Reader, Search bot, Search engine, Service agent, Site monitor, Social media agent, Spam bot, Spyware, Vulnerability scanner, Web downloader, Web spider, Webserver stress tool
• Good: Performance/scale, Automate a process
• Bad: Abuse functionality, Commit fraud, Prevent access, Earn some $$$

Good Bots

    User-agent: *
    Disallow: /template/
    Disallow: /secret/

Bad Bots – OWASP Automated Threats

Categories: DoS / Resource Hoarding, Content Theft, Other Attacks, Account Takeover, Payment Card Data, Vulnerability Scanning

• OAT-001 Carding
• OAT-002 Token Cracking
• OAT-003 Ad Fraud
• OAT-004 Fingerprinting
• OAT-005 Scalping
• OAT-006 Expediting
• OAT-007 Credential Cracking
• OAT-008 Credential Stuffing
• OAT-009 CAPTCHA Defeat
• OAT-010 Card Cracking
• OAT-011 Scraping
• OAT-012 Cashing Out
• OAT-013 Sniping
• OAT-014 Vulnerability Scanning
• OAT-015 Denial of Service
• OAT-016 Skewing
• OAT-017 Spamming
• OAT-018 Footprinting
• OAT-019 Account Creation
• OAT-020 Account Aggregation
• OAT-021 Denial of Inventory

    # Excerpt shown on the slide: a method from a flight-search scraper class.
    # It builds one JSON record per itinerary by string concatenation
    # (rather than serialising a dict), then returns the whole list as JSON.
    import json

    def create_json_oneway(self, dump_list):
        for i in range(len(dump_list)):
            temp = '{ "airline" : "' + dump_list[i]['le'][0]['an'] + '"'
            temp = temp + ', "price" : "' + str(dump_list[i]['af']) + '"'
            temp = temp + ', "total_time" : "' + str(dump_list[i]['td']) + '"'
            temp = temp + ', "depart_date" : "' + str(dump_list[i]['le'][0]['fd']) + '"'
            temp = temp + ', "depart_time" : "' + str(dump_list[i]['le'][0]['fdt']) + '"'
            temp_dump_list = dump_list[i]['le']   # the legs of this itinerary
            for x in range(len(temp_dump_list)):
                if x == (len(temp_dump_list)-1):  # last leg gives the arrival
                    temp = temp + ', "arrival_date" : "' + str(temp_dump_list[x]['fa']) + '"'
                    temp = temp + ', "arrival_time" :   # line truncated on the slide
            self.trip_json.append(temp)
        return json.dumps(self.trip_json)

OAT-011 Scraping-as-a-Service

Copping, Scalping and Sniping (OAT-005, OAT-013, OAT-021)

[Diagram: sneaker-bot configuration – Shoe Size, Follow Twitter, Nike Account]

OAT-008 Credential Stuffing

[Diagram: Credentials from Previous Breaches are replayed against sites holding Healthcare Data, Credit Card Data, Financial Data, Passport Data and Intellectual Property]

OAT-019 New Account Creation Attacks

[Diagram: Personal Data from Previous Breaches is used to open new accounts on Healthcare, E-Commerce, Finance and Services sites and Other Sites]

OAT-019 New Account Creation Attacks (FSI 2017)

[Chart: Attack rate per Transaction Type (0.00%–6.00%) and Volume per Transaction Type, for Payments, Account logins and New account creations. Source: threatmetrix.com]

OAT-014 Scanning

Top 10 Attacked Ports Globally: 2018 vs Q1 2019

2018:
 1. HTTPS: 443
 2. MS SMB: 445
 3. SSH: 22
 4. Alt HTTPS?, ICS?: 1443
 5. Port 11684
 6. SIP: 5060
 7. HTTP: 80
 8. Port 51413
 9. Port 23810
10. Telnet: 23

Q1 2019:
 1. MS SMB: 445
 2. SIP: 5060
 3. Alt HTTPS?, ICS?: 1443
 4. SSH: 22
 5. HTTP: 80
 6. Alt SSH?, ICS?: 2222
 7. HTTPS: 443 (4.5x)
 8. MySQL: 3306
 9. Telnet: 23
10. Port 3128

SOURCE: F5 Labs & Baffin Bay Networks

8.4B devices in 2017 (Gartner); 1T devices by 2035 (SoftBank)
*Excludes smartphones, tablets, and computers

Thingbots

Thingbots Discovered / Affected Devices – 84% discovered since Mirai

[Figure: timeline 2008–2018 of thingbots by affected device type. Device types: CCTV, DVRs, SOHO routers, iOS, WAPs, Set-Top Boxes, Media Center, ICS, Android, IP Cameras, Wireless Chipsets, NVR Surveillance, VoIP Devices, Cable Modems, Busybox Platforms, Smart TVs. Thingbots named: Mirai, Death, Okane, Anarchy, Torii, Yasaku, SORA, Hajime, OWARI, Thanos, Trickbot, UPnPProxy, WireX, IRC Telnet, OMNI, Annie, Reaper, RoamingMantis, Wicked, Masuta, Crash Override, Satori, Fam, VPNFilter, PureMasuta, Vermelho, Amnesia, DaddyL33t, Hide ‘N Seek, Miori, Psyb0t, Moon, Persirai, Josho, JenX, IZIH9, Remaiten, Tokyo, OMG, APEP, Extendo, BigBrother, DoubleDoor, SEFA, Hydra, Aidra, Darlloz, Gafgyt, Brickerbot, Hakai, Katrina, Yowai, Marcher Family, Radiation, Gr1n, Akiru / Saikin]

Thingbot Attack Type: shifting from primarily DDoS to multi-purpose

Attack types: DNS Hijack, Crypto-miner, DDoS, PDoS, Proxy Servers, Unknown…, Rent-a-bot, Credential Collector, Install-a-bot, Multi-purpose Bot, Fraud trojan, ICS protocol monitoring, Tor Node, Sniffer

[Figure: timeline 2008–2018 of the same thingbots, grouped by attack type]

Mirai (SOHO Routers, DVRs, IP Cameras - Oct 2018)
• 20,000 devices in less than 24 hours
• Peak of over 600,000 devices
• Conducted over 15,000 attacks as of early 2017
• Has spun off at least 10 variants since the source code went public
• ‘Wicked’ installs rentable bots
• Effective
• Efficient internet-wide scanning
• Simple cross-platform architecture
• Default credentials

How “Things” Are Compromised

Broader scope of attack methods + CVEs

Service Attacked To Infect IoT Device: TCP, Telnet, HNAP, IEC 101, IEC 104, OPC, TR-064, TR-069, SOAP, UPnP, HTTP, CVE Specific

[Figure: timeline 2008–2018 of the same thingbots, grouped by the service attacked]

F5 Labs discovers cellular gateway vulns

“Exploiting” the Vulnerability

NO DEPENDENCY on any vulnerability within the hardware or software. Bruteforce attack(s) are unnecessary.

[Screenshot of the gateway’s web interface: DEFAULT PASSWORD *****, WAN IP 166.139.19.193, PUBLIC GPS COORDINATES 40° 49’ 51.5” N 47° 26’ 03.5” W]

https://www.f5.com/labs/articles/threat-intelligence/breaking-down-the-door-to-emergency-services-through-cellular-io

Top 100 Creds Used in SSH Brute Force Attacks, H1 2019 (username / password)
root / root, ts / ts, manager / manager123, plcmspip / plcmspip, admin / admin, bot / bot, teamspeak3 / teamspeak3, weblogic / weblogic,
user / user, deploy / deploy, nobody / nobody, redhat / redhat123456, Admin, test / test, monitor / monitor, csgoserver / csgoserver,
developer / developer, ubuntu / ubuntu, administrator / administrator, test2 / test2, public / public, ubnt / ubnt, bin / bin, demo / demo,
student / student, support / support, default / nopass, 0, webmaster / webmaster, oracle / oracle, adm / adm, a / a,
osmc / osmc, pi / raspberry, vagrant / vagrant, minecraft / minecraft, c / c, guest / guest, anonymous / any@, alex / q1w2e3r4t5,
server / server, postgres / postgres, uucp / uucp, postfix / postfix, supervisor / supervisor, ftpuser / asteriskftp, www / www, glassfish / glassfish,
22 backup, usuario / usuario, jenkins / jenkins, jboss / jboss, hdfs / hdfs, nagios / nagios, apache / apache, master / master,
linux / linux, 1234 / 1234, sshd / sshd, ghost / ghost, postmaster / postmaster, ftp / ftp, PlcmSpIp / PlcmSpIp, vnc / vnc,
csserver / csserver, operator / operator, cisco / cisco, info / info, prueba / prueba, git / git, sinusbot / sinusbot, 111111 / 856149100,
matt / matt, hadoop / hadoop, user1 / user1, debian / debian, vyatta / vyatta, ts3 / ts3, backup / backup, centos / centos,
hduser / hduser, teamspeak / teamspeak, Management TestingR2, testuser / testuser, nexus / nexus, mysql / mysql, steam / steam, system / sytem,
ethos / live, tomcat / tomcat, mother / fucker, www-data / www-data, Admin / Admin, service / service, dev / dev, test1 / test1,
mc / mc, butter / xuelp123, zabbix / zabbix, upload / upload, telnet / telnet
Source: F5 Labs

Mirai Attack Types

Application DDoS Attacks (F5 SIRT vs SOC)
Application-targeted DDoS attacks are a large portion of the attack types that get escalated to our SIRT for assistance.

[Chart: attack types, SOC-Mitigated vs SIRT-Mitigated, 2017 and 2018]

IPs Attacking UK (last 90 days as of 3/1/2019)

Top 20 targeted ports:
Port    Service
5060    SIP
2222    SSH & Rockwell
22      SSH
445     SMB
80      HTTP
1433    MS SQL
23      Telnet
8291    MikroTik
7547    TR069
3306    MySQL
25      SMTP
3389    RDP
1723    PPTP
5061    Secure SIP
61137
4433    HTTPS
443     HTTPS
12555
8545    JSON
139     NetBios

Top source countries: Netherlands, China, US, Canada, France, Russia, UK, South Korea, Brazil, India, Ukraine

Shifting Sources Thanks to proxies & IoT devices

[Chart: 100% / 80% – Previously unseen IP addresses; Previously unseen networks (ASN)]

User-agent
• 1,080,598 user-agents
• 3,999 of which are bots
• Fake GoogleBot: 13,037 IP’s in June 2019 alone
• e.g. 38.124.xxx.xx – MikroTik device, lots of known vulns
• Combat with reverse DNS lookups

Combating Bots with Client-side Challenge

• First-time request to the web server: the WAF responds with injected JS
• No challenge response from bots: the request is not passed to the server and the bots are dropped
• Valid response is sent to the server: the WAF verifies the response’s authenticity
• Cookie is signed, time stamped, and fingerprinted

[Diagram: Customer → Internet → WAF → Server]

Headless Browsers

• Command line and scriptable execution of browsers
• Chrome without the chrome!
• Able to render HTML and execute JavaScript
• Often Selenium based

Headless Chrome

Common Headless Browsers | Website | Rendering Engine | JavaScript Engine | Browser | Other Notes
PhantomJS | http://phantomjs.org/ | QtWebKit | JavascriptCore | Safari | http://qt-project.org/wiki/QtWebKit ; http://docs.slimerjs.org/0.8/differences-with-phantomjs.html
SlimerJS | http://slimerjs.org/ | Gecko | SpiderMonkey | Firefox | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
Sahi | http://sahi.co.in/ | Any | Any | Any | http://sahi.co.in/w/configuring-sahi-with-xvbf
WebDriver (Selenium) | http://code.google.com/p/selenium/ | Any | Any | Any | Possibly some limitations in mobile devices (also in Sahi)
Zombie.js | http://zombie.labnotes.org/ | Non Standard | V8 (Node.js) | None | http://zombie.labnotes.org/guts ; https://github.com/aredridel/html5 ; https://github.com/tmpvar/jsdom

Selenium

Scriptable Browser as-a-Service

• Detect headless browsers via extensions and browser flags

CAPTCHA

CAPTCHA Solvers – Browser Extensions
• Rumola
• AntiCaptcha
• Detect CAPTCHA extensions based on HTML insertion

Automated CAPTCHA Solvers

[Diagram: bot saves the CAPTCHA as a .PNG, uploads it to the solver service (?captcha=morning%20overlooks, UID=12345) and submits the returned answer]

• Bot detects that a CAPTCHA is present on the page
• Bot saves the CAPTCHA into an image file
• Bot uploads the saved image file to the solver servers
• The solver responds with a CAPTCHA ID
• Bot polls the solver API using the CAPTCHA ID it received until the status of that CAPTCHA ID changes to solved
• Bot sends the solution to the scraped website and continues the attack process

ReCaptcha v3 Solvers

    POST g-recaptcha-response=03AHJ_Vuve5Asa4koK3KSMyUkCq0vUFCR5Im4CwB7PzO3dCxIo11i53epErauBO5mVm2XRikL8iKOWr0aG50sCuej9bXx5qcviUGSm4iK4NC_Q88flavWhaTXSh0VxoihBwBjXxwXuJZWGN5Sy4dtUl2wbpMqAj8Zwup1vyCaQJWFvRjYGWJ_TQBKTXNB5CCOgncqLetmJ6B6Cos7qoQyaB8ZzBOTGf5KSP6K9niYs772f53Oof6aJeSUDNjiKG9gN3FTrdwKwdnAwEYXF37sI…

• ReCaptcha v3 uses ‘scores’ from 0.1 to 0.9 to rate the client
• Typically, a user’s score will be the same/similar across sites
• The ReCaptcha v3 solver monitors the scores of its workers
• It selects the worker with the highest score to solve the CAPTCHA

[Diagram: worker scores 0.2, 0.1, 0.9, 0.4, 0.3, 0.3, 0.5, 0.7, 0.2]

https://2captcha.com/2captcha-api#solving_recaptchav3

Simulated Mouse Events

• Fake mouse movements can lack cursor positioning

Bots Attacking Mobile APIs

[Diagram: Browsers and Attackers reach the Mobile API Gateway; Bots alongside the mobile apps – Mobile bots?]

Behavioural Analysis and Fingerprinting

• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Strong authentication
• Fingerprint client capabilities: Operating system, Browser, Screen size and colour depth, Plugin details, Time zone, HTTP_ACCEPT headers, Language, System fonts, Touch support, Extensions, TLS handshake

AI and Future Bots
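Returning to the fingerprinting list and the headless-browser flags slide above: the attributes a server can see without running any injected JavaScript are the request headers, and inconsistencies between them are a cheap first-pass signal. The following is an added example, not part of the talk or of any product: a weighted header-consistency scorer. The "HeadlessChrome" and "PhantomJS" tokens are the ones those browsers put in their default User-Agent strings; the HTTP-library tokens, weights, threshold and sample requests are constructed for the example. Screen size, fonts, plugins, touch support and extensions need the client-side challenge and are out of scope here.

```python
# Added example (not from the slides): heuristic bot score from the
# fingerprint attributes visible in plain HTTP headers. Weights, threshold,
# library token list and sample requests are constructed for illustration.
from typing import Dict, List, Tuple

# Tokens that headless browsers leave in their default User-Agent
HEADLESS_UA_TOKENS = ("HeadlessChrome", "PhantomJS")
# Tokens of common HTTP libraries that never render pages (constructed list)
HTTP_LIBRARY_TOKENS = ("python-requests", "curl/", "Go-http-client", "Java/", "libwww-perl", "Wget/")
# Tokens every mainstream browser UA contains
BROWSER_UA_TOKENS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")


def fingerprint_signals(headers: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (signal-name, weight) pairs for the suspicious traits found."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    signals: List[Tuple[str, int]] = []
    if not ua:
        signals.append(("missing-user-agent", 3))
    if any(t in ua for t in HEADLESS_UA_TOKENS):
        signals.append(("headless-ua-token", 4))
    if any(t in ua for t in HTTP_LIBRARY_TOKENS):
        signals.append(("http-library-ua", 3))
    if any(t in ua for t in BROWSER_UA_TOKENS):
        # A UA that claims to be a browser but lacks what browsers always send
        # points at a script that copied the UA string and nothing else.
        if "accept-language" not in h:
            signals.append(("browser-ua-without-accept-language", 2))
        if "accept-encoding" not in h:
            signals.append(("browser-ua-without-accept-encoding", 1))
        if h.get("accept", "") in ("", "*/*"):
            signals.append(("browser-ua-with-generic-accept", 1))
    return signals


def bot_score(headers: Dict[str, str]) -> int:
    return sum(weight for _, weight in fingerprint_signals(headers))


def classify(headers: Dict[str, str], threshold: int = 3) -> str:
    """'likely-bot' when the weighted signals reach the threshold, else 'likely-human'."""
    return "likely-bot" if bot_score(headers) >= threshold else "likely-human"


# Constructed sample requests
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36")
HTML_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
SAMPLE_REQUESTS = {
    "chrome-desktop": {"User-Agent": CHROME_UA, "Accept": HTML_ACCEPT,
                       "Accept-Language": "en-GB,en;q=0.9", "Accept-Encoding": "gzip, deflate, br"},
    "headless-chrome": {"User-Agent": CHROME_UA.replace("Chrome/", "HeadlessChrome/"),
                        "Accept": HTML_ACCEPT, "Accept-Encoding": "gzip, deflate"},
    "requests-script": {"User-Agent": "python-requests/2.22.0", "Accept": "*/*",
                        "Accept-Encoding": "gzip, deflate"},
    "spoofed-ua-script": {"User-Agent": CHROME_UA, "Accept": "*/*"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:18} score={bot_score(hdrs):2} {classify(hdrs):12} {fingerprint_signals(hdrs)}")
```

Treat the output as one input to a decision, not the decision: a well-built bot sends a perfect header set, so this layer only removes the low-effort traffic and the remaining requests go on to the JS challenge and behavioural checks.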