The Internet of Attacking Things - RSA Conference, session SPO3-T10

Date post: 25-May-2018
Transcript

SESSION ID: SPO3-T10

#RSAC

The Internet of Attacking Things

Josh Shaul
Vice President, Akamai Technologies

Or Katz
Principal Security Researcher, Akamai Technologies
@or_katz


The Year of Attacking Things

[Timeline figure: Sep, Oct, Nov 2016 through 2017]


“Things”


“Attacking Things” From a Defensive Point of View

Challenges:

Unlimited attacking resources

Good vs. Bad

Fixing is complicated


Spotlight on Some of Those Challenges

How IoT devices are being exploited without being pwned

How compromised IoT devices empower credential abuse attacks (and why)

And finally, thoughts about how to fight it

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

Data: 3 TRILLION Internet transactions each day

When The Data Tell You A Story…

Data: 220 THOUSAND servers around the world

When The Data Tell You A Story…

Data: 80 million WAF rule triggers every hour

When The Data Tell You A Story…

Data: 600,000 log lines a second

When The Data Tell You A Story…

Data: 20 TB of new attack data daily

When The Data Tell You A Story…


According to Akamai’s Threat Research Team

30% of the total login transactions are credential abuse attacks


The Credential Abuse Numbers

Malicious activity (avg. per day): 400K IP addresses

167 attack campaigns

Campaign: Average of 5K IPs and 100K email accounts

Largest Campaign: 200K IPs and 25M email accounts

Each IP targets the average web site with 20 login attempts in 24 hours


The Credential Abuse Numbers

Data intelligence: out of 400K IPs per day, ~25% of IPs are “single use” (no repeat activity)

Over 1 month, ~70% of the IPs only attacked 1 day

API login vs. Web login – API is targeted 3.7 times more than Web
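The measures on the two "Credential Abuse Numbers" slides (attempts per IP per day, "single use" IPs, IPs active on only one day, API vs. web targeting), as an added example that is not Akamai's code, computed over constructed aggregated log lines of the form "<day> <ip> <endpoint> <failed_attempts>":

```python
# Added example (not Akamai's code): the per-IP measures from the slides, run
# over constructed aggregated log lines "<day> <ip> <endpoint> <failed_attempts>".
from collections import defaultdict

LOG = """\
2016-10-01 198.51.100.7 /api/login 12
2016-10-02 198.51.100.7 /api/login 15
2016-10-01 203.0.113.9 /login 1
2016-10-03 203.0.113.10 /api/login 1
2016-10-02 192.0.2.5 /api/login 25
2016-10-02 192.0.2.6 /login 1
2016-10-01 198.51.100.8 /login 4
2016-10-03 198.51.100.8 /login 3
"""

def credential_abuse_metrics(log, per_day_threshold=20):
    """Single-use share, one-day share, API:web targeting ratio, and every
    (ip, day) whose failed logins exceed the per-day threshold."""
    total = defaultdict(int)        # ip -> failed attempts over the window
    days = defaultdict(set)         # ip -> distinct days seen
    per_day = defaultdict(int)      # (ip, day) -> failed attempts
    by_endpoint = defaultdict(int)  # endpoint -> failed attempts
    for line in log.splitlines():
        day, ip, endpoint, n = line.split()
        n = int(n)
        total[ip] += n
        days[ip].add(day)
        per_day[(ip, day)] += n
        by_endpoint[endpoint] += n
    ips = len(total)
    return {
        "ips": ips,
        # "single use": exactly one attempt ever, never came back
        "single_use_frac": sum(1 for n in total.values() if n == 1) / ips,
        "one_day_frac": sum(1 for d in days.values() if len(d) == 1) / ips,
        "api_to_web": by_endpoint["/api/login"] / max(by_endpoint["/login"], 1),
        "over_threshold": sorted((ip, day, n) for (ip, day), n in per_day.items()
                                 if n > per_day_threshold),
    }
```

The threshold of 20 is the slide's stated average, used here as a constructed baseline; a real deployment would set it from its own traffic.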


The Story Behind the Numbers

Many attack campaigns?

Most attacking resources are sending few logins?

Many attacking resources?

API login interfaces are much more targeted?

Why so many attacking resources, and why such a high percentage of “single use”?

Many Credential Abuse Source IPs Expose a Web Interface

CCTVs

Routers

Servers

Satellite Antennas (?!)

ADSL/Cable Modems

Hotspots


Search for ESTABLISHED TCP Connections

Seems like the SSH daemon is responsible for many active HTTP/HTTPS connections – some of which are to Akamai Edge Servers
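The check this slide describes (which process owns the ESTABLISHED HTTP/HTTPS connections), as an added example that is not from the talk, run over a constructed `ss -tnp` listing; the column layout is assumed from that tool:

```python
# Added example (not from the talk): flag outbound web connections owned by sshd.
# An SSH daemon accepts inbound sessions on port 22; if it also originates
# connections to ports 80/443 it is forwarding traffic for a client.
import re

WEB_PORTS = {80, 443}

# Constructed sample of `ss -tnp` output (not a real capture).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.0.2.10:22        203.0.113.9:51122   users:(("sshd",pid=812,fd=3))
ESTAB  0      0      192.0.2.10:40112     198.51.100.20:443   users:(("sshd",pid=812,fd=9))
ESTAB  0      0      192.0.2.10:40113     198.51.100.21:80    users:(("sshd",pid=812,fd=10))
ESTAB  0      0      192.0.2.10:40200     198.51.100.30:443   users:(("curl",pid=950,fd=5))
TIME-WAIT 0   0      192.0.2.10:40300     198.51.100.40:443
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Yield (state, local, peer_ip, peer_port, process_name) per data row."""
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        ip, _, port = peer.rpartition(":")
        m = PROC_RE.search(line)
        yield state, local, ip, int(port), (m.group(1) if m else None)

def sshd_web_connections(text):
    """Established connections to port 80/443 that sshd itself owns,
    excluding the inbound SSH sessions on local port 22."""
    hits = []
    for state, local, ip, port, proc in parse_ss(text):
        if (state == "ESTAB" and proc == "sshd" and port in WEB_PORTS
                and not local.endswith(":22")):
            hits.append((ip, port))
    return hits
```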


Default “admin” User Cannot SSH Into the Machine

~# ssh [email protected]

This account is currently not available

root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Unprivileged User:/dev/null:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
ftp:x:45:45:anonymous_user:/home/ftp:/bin/false
messagebus:x:18:18:D-BUS Message Daemon User:/dev/null:/bin/false
admin:x:600:600::/var:/sbin/nologin
localdisplay:x:700:700::/tmp:/sbin/nologin

/etc/passwd format: <username>:<encrypted password>:<uid>:<gid>:<Full Name>:<Home Dir>:<Shell>


What Do We Know So Far?

No active shell sessions seen – not under “root” or “admin” users

The “admin” user (which has the default admin:admin credentials) has /sbin/nologin configured – so an attacker can’t SSH into the machine and run commands

Was SSHD tampered with and contains a backdoor? We checked - No...


SSH as SOCKS Proxy When the User Has No Shell Access Permissions

AllowTcpForwarding yes (default)

SSH(1)                  FreeBSD General Commands Manual                  SSH(1)

NAME
     ssh -- OpenSSH SSH client (remote login program)

     -D [bind_address:]port
             Specifies a local ''dynamic'' application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side, optionally bound to the specified bind_address.  Whenever a
             connection is made to this port, the connection is forwarded over
             the secure channel, and the application protocol is then used to
             determine where to connect to from the remote machine.  Currently
             the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
             as a SOCKS server.  Only root can forward privileged ports.
             Dynamic port forwardings can also be specified in the
             configuration file.

     -N      Do not execute a remote command.  This is useful for just
             forwarding ports.
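The condition these slides describe (an account with /sbin/nologin that sshd still authenticates and forwards for, because AllowTcpForwarding defaults to yes) as an audit check, added here and not from the talk: it cross-references the slide's /etc/passwd listing with two constructed sshd_config files, a vendor-style default and a hardened one.

```python
# Added example (not from the talk): find accounts that cannot get a shell yet
# could still be an `ssh -D ... -N` SOCKS pivot, since sshd forwards for them anyway.
import re
NO_SHELL = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Unprivileged User:/dev/null:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
ftp:x:45:45:anonymous_user:/home/ftp:/bin/false
messagebus:x:18:18:D-BUS Message Daemon User:/dev/null:/bin/false
admin:x:600:600::/var:/sbin/nologin
localdisplay:x:700:700::/tmp:/sbin/nologin
"""  # /etc/passwd lines as shown on the slide
# Constructed configs: a vendor default silent on forwarding (OpenSSH default is yes) and a hardened one.
DEFAULT_SSHD = "PasswordAuthentication yes\n"
HARDENED_SSHD = "AllowTcpForwarding no\nDenyUsers admin localdisplay\n"

def parse_sshd_config(text):
    """Return (global options, [(users, options) per Match block]); keys lower-cased."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":  # 'Match User a,b' or 'Match all'
            m = re.match(r"user\s+(\S+)", val, re.I)
            cur = (set(m.group(1).split(",")) if m else {"*"}, {})
            blocks.append(cur)
        elif cur is None:
            glob[key] = val
        else:
            cur[1][key] = val
    return glob, blocks

def forwarding_allowed(user, sshd_config):
    """Effective AllowTcpForwarding: Match block beats global, global beats
    the OpenSSH default (yes); a DenyUsers entry blocks the account entirely."""
    glob, blocks = parse_sshd_config(sshd_config)
    allowed = glob.get("allowtcpforwarding", "yes").lower() != "no"
    for users, opts in blocks:
        if ("*" in users or user in users) and "allowtcpforwarding" in opts:
            allowed = opts["allowtcpforwarding"].lower() != "no"
    return allowed and user not in glob.get("denyusers", "").split()

def pivot_candidates(passwd, sshd_config):
    """Shell-less accounts sshd would still forward for (password state: see /etc/shadow)."""
    rows = (line.split(":") for line in passwd.splitlines())
    return [f[0] for f in rows
            if len(f) == 7 and f[6] in NO_SHELL and forwarding_allowed(f[0], sshd_config)]
```

Which of the flagged accounts actually hold a usable password (the slide's admin:admin default) is a separate /etc/shadow check; the point here is that a disabled shell alone does not close the proxy.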


Demo

[Diagram: Attacker -> SSH tunnel -> Vulnerable IoT device (SOCKS proxy) -> malicious HTTP -> Target web server]

/> ssh -D 8080 -N [email protected] (requires “default” account credentials)

/> curl --proxy socks5h://localhost:8080 http://target.site/

And For My Next Trick...

[Diagram: Attacker -> SSH tunnel 1, SSH tunnel 2, ..., SSH tunnel n -> Vulnerable IoT devices -> Target web server]


Some of The Vulnerable Devices

Satellite Antennas

WiMax Routers

Ruckus HotSpot/Switch

Synology NAS Disk Station

And the Cherry on the Cake.... Breaching Internal Networks

Attackers Can Use the SSH Tunnel to Access Machines on the Internal Network

[Screenshots: IP of an internal machine; scanning the internal network]


SSHowDowN


The Challenges That Are Ahead of Us

Abuse of IoT devices to execute more behavioral attacks (which are harder to detect)

More and more compromised devices will join the “game”

The scale of volumetric attacks is going to increase

As more and more devices get connected, the IPv6 adoption rate will increase, amplifying IPv6 issues


How To Fight It?

IoT vendors should make sure they build devices that are:

Safe

Secured

Patchable

Anti-automation – differentiate bots from humans

Threat Intelligence – with emphasis on infected IoT devices

Use crowd sourcing techniques to fight elusive attackers

Be prepared to fight off the new generation of volumetric attacks (>600Gbps)


Q&A

