
Hello, dear all. Before I start my presentation, I just want to ask you one question: did you play the game Watch Dogs? Raise your hand, who played Watch Dogs? Wow, this must be a really motivated audience. If you don't know what that is, if you haven't played it: if you, or your grandmother or grandfather, have a PlayStation, an Xbox or a PC, this is a game where you are a hero with one main superpower: you can hack anything. You can just tap the hack button on your phone and steal the data from someone's phone. You can just tap the hack button on your phone and turn the traffic lights. You can just tap the hack button and the ATM throws the cash out of the machine. This is a terrible game, because it's not realistic, right? A terrible game. But anyway, the main concept that was planted by the developers of the game is a perfect illustration of the current situation with IoT devices.

My name is Denis Makrushin. Formerly I was a security researcher in the Global Research and Analysis Team at Kaspersky; currently I'm head of the blue team in a large organization. I'm still just a security researcher, and I'll try to show you how our smart cities, smart things, IoT, smart cars and smart hospitals of today
can be stolen. And this message is, in my opinion, a perfect illustration of the current situation with IoT. Of course you know what the CVE is, the huge database of vulnerabilities. The short version of the message is something like: "Guys, security researchers, please stop sending us so many requests about vulnerabilities in IoT, we have no resources to process all of your requests." So we can imagine that we are living in the game, like Watch Dogs, right? We are like the superheroes from the game, because we are living in smart houses with a lot of IoT around us, we are working in smart cities (I'm not sure about Cairo, but I'm pretty sure that Dubai, Singapore, Washington, etc. are totally smart cities), and of course sometimes we have to visit smart hospitals. But we are not in the game; this is real life.

You can tell me: "Well, Denis, I have nothing smart, it's not relevant for me, it's probably relevant for a blockbuster scenario or for video games, but it's not relevant for me, I'm not affected by vulnerabilities in IoT." But I think you have something smart in your city, or something smart in your flat. For example, do you have an IP camera? Raise your hand if you have one or if you have seen one. Do you have a smart coffee machine? For example, in our offices we have some smart coffee machines; have you seen a smart coffee machine? So I think you are probably vulnerable, because already, using Shodan or Censys, you can find IP cameras that are open to everyone. If you open Shodan right now you will see a lot of relevant video from industrial objects, probably from personal apartments and houses, and probably you'll see some video from IoT
baby monitors, the special devices for babies. This is a terrible story. My case: when I walked through my office I saw that my coffee machine shares Wi-Fi. Interesting. When I started to intercept the traffic between my mobile application and this coffee machine, I saw the password of my Wi-Fi access point in plain text. You can tell me that it's not serious, it's just a vulnerability in a coffee machine, and that's it. But what could an attacker do with a vulnerable smart coffee machine? Any interesting scenario from your side? Yes, he could compromise other parts of your network; that's the first scenario. The second scenario? Any ideas? Using it as a botnet: trivial, but an interesting scenario. Any other ideas? Yes, the most interesting case is a targeted attack against a famous person, like a politician or a superstar, a rock star. This is an interesting scenario, the targeted attack: if the person is diabetic, with that machine you can add some additional portions of sugar, and this person is affected; it's a little bit dangerous for his health. OK, so it's still relevant, but of course these are all blockbuster scenarios. But if you want to change the world, you know the sentence: if you want to change the world, if you want to save
the world, start from yourself. So I started from myself. I have no coffee machines, but I have some devices in my local home network: the router provided by my ISP during the contract (I didn't buy this router, I just got it from my internet provider) and a Chinese DVR system; I don't know the name of this DVR, but it works, it's OK. I started from the router. My first impression was that the interface of the router is pretty simple: there is only one input field for the user, and I tried to input JavaScript, like cross-site scripting, and that's it, it's vulnerable. The one field in this interface is affected by a vulnerability. OK, I was inspired to look inside the router, and I saw that it has something interesting, like a ping feature. Each router, you can probably check your router, has the ability to ping: after you set something up, you can use this system utility, ping, through the web interface to check your internet connection. But if it's affected, you can also add some additional parameters, an additional part of the command, like: please ping this resource, and please extract the passwords from /etc/passwd. So it was affected by operating system command injection, and you can extract sensitive data. When I extracted this data I saw that there was a login name
of my provider. OK, I asked them: "Guys, do you probably have backdoors, not backdoors, do you have some credentials for your support purposes there?" They told me: "No, it's not ours, but it's your login name." No, no idea. OK, it's not yours. But I was also inspired by these vulnerabilities to try some reverse engineering of the binaries inside. Of course I searched for the firmware binary, and I found it on the website of my provider. I extracted it; it's a typical Linux system, and the Linux system has BusyBox. If you know what BusyBox is, it's a special toolbox for embedded systems; you can extract all the binaries that relate to BusyBox. But if you try to compare the MD5 of the original binaries with the MD5 of the binaries from this firmware, you will see some difference: the HTTP server has a different MD5. Hmm, interesting. In the next stage I just extracted the strings from this binary, this probably modified binary, modified by I don't know whom, by the vendor. I extracted the strings and I saw the string "anonymous". This string is missing in the original binary. So I tried to look deeper at where this string is used, and I saw the function that has a branch: if you input "anonymous" and the password, come in; if you input your credentials, come in. So this is kind of not a backdoor, but a credential for support purposes.

The second inspiration: using the vulnerabilities that I described before, you can extract the config file, the temporary config file, with a lot of credentials in it: my credentials for internet accounts, my credentials for the router account, for the web dashboard accounts, etc., etc., etc. As the vendor says, it's not critical, because you have to have the privileges to extract the binary and extract this config file, so it's not serious. OK, I agree. But part of this temporary config file is stored in a JavaScript variable that is available to an unauthenticated user. So you can just open the dashboard, you don't need to log in, and you can extract this file from the web page. This is serious, because I checked this file and I found the credential with the login name "support" again. I asked the vendor: "What is that? What is that?" He answered me that it's just for support purposes. Thanks, Captain. But it's still a backdoor, and it's official: it's a vendor that spreads its stuff around the world, and it spreads these routers with the contracts for internet connections, so a lot of users are affected. Here is a short statistic of how many users are affected in Russia, because it's a provider that is quite popular in Russia. That's it. OK, let's look at another part of my home network: its DVR system,
a digital video recorder from China. Just to start, we'll just mention the vulnerability: you have the login form, you just change login.htm to dvr.htm, and that's it, you can extract the video stream. OK, OK, OK. But then, of course, you can find the firmware; you can find the firmware using the unofficial resources of the vendor, you can easily extract it, without any encryption keys, with a firmware extraction tool, you can extract the file system, and then you can see the password, an unencrypted password. And then you can try to scan for these credentials using Shodan, and you will see that there are a lot of devices that are affected by this password. So this is an opportunity for the bad guys. And of course I tried to connect to my DVR system using these credentials, and it's OK, and using these credentials you can extract all passwords of all users of all systems: the web dashboard, the video streams, the vendor accounts, that's it. So worldwide a lot of stuff is vulnerable. The bad guys can build, and it's a trivial thing for Chinese devices, for white-label Chinese devices, anyone using this vulnerable stuff could build a huge botnet like Mirai. Of course you've heard about Mirai, right?

But anyway, you can tell me: "Mmm, Denis, it's a trivial situation with the current cybersecurity state of IoT, of consumer IoT, even of industrial IoT, but it's not so serious, I think. OK, we have seen Mirai, that's it, DDoS attacks, who cares, right?" But I think we have something critical that we should protect first, and from this part of my presentation I want to start with a hot topic: this is smart medicine. Before I start this topic I want to ask you a question about your ideas. What do you think, how many people die annually from medical errors, from doctors' mistakes? How many people die annually from doctors' mistakes? What
do you think? I will provide an answer, and if you agree with the answer please raise your hand. Two people in a year? 100 people in a year? You agree? Yeah, two persons agree. 1,000 people in a month? More people agree with that number. 1,000 people in a year? 100,000 people in a year? 300,000 people in a year? Yeah, almost; two persons, you're right. According to the public information from medical reports, almost 300,000 people die annually from doctors' mistakes, and that's it, this is the second cause of death in the United States only, not worldwide, in the United States only. So try to imagine the numbers worldwide. The sad news is that these numbers are always increasing, and low qualification of doctors is not the main reason for that. The main reason is wrong diagnostic procedures, the second cause of death is wrong therapeutic procedures, and only the third reason is the doctor's mistake, the doctor's qualification. And that becomes possible because of the internet, because medicine is connected to the internet.

Two years ago, three years ago, we predicted that medical infrastructure would be a tidbit for attackers, for cybercrime, and this year is not an exception: we have seen a lot of breaches, medical breaches and medical leakages. We have seen how they try to encrypt the medical infrastructure, waiting for the ransom payment; how they try to exfiltrate the medical data from the medical networks; how they compromise the medical infrastructure to extract sensitive data about sensitive patients, like superstars, rock stars and politicians. There is a lot of news; you've seen it, and we've seen it too. And it becomes bigger because medicine is connected. What do I mean by connected medicine? The huge machines, like MRI machines, CT machines, the big, huge diagnostic machines, are connected to networks, to the classic TCP/IP network, or, if they are old-school machines, they are connected to PCs that are connected to the internet or to TCP/IP
networks. And they are connected to PACS systems. A PACS system is something like the NAS storage on your home router, NAS, network-attached storage, you know what that is; this is something like a NAS but for medical pictures, for DICOM images, a special image format for medical purposes. DICOM is a special protocol to transmit medical data between medical devices. Of course these devices are connected to the internet, most of them, and if you want to prove the idea you can open Shodan, you can just use this query, and you will see that there is a lot of interesting stuff. Egypt is in the rating, in the last place, but still in the rating: almost 1,000 medical devices available for everyone. You can also use the classic queries to Shodan or Censys to extract medical information, and to extract sensitive information about medical facilities, like the topology of the network. Then you can use it for targeted attacks: for example, you can bring your laptop to the facility, plug it into the Wi-Fi, and already you have the topology, what kinds of PCs are most interesting for you, what kinds of PCs you should bypass; you can organize this useful information to organize the targeted attack.

But it's not necessary to bring your laptop and connect it to the Wi-Fi anymore. You can use the special web applications, with classic web vulnerabilities: medical applications for doctors. If you are a doctor, you don't need to be in the medical facility to process your patient; you can just open your browser, input your login name and password, and do some diagnostic procedures using the DICOM image there. There are lots of interesting web applications available for everyone, and you can find them using the internet, using Shodan. For example, this is a vulnerable web application. Where is the vulnerability? Your ideas? You don't need to be a veteran hacker to find this vulnerability: where is the login name, where is the password? This is Asterix, a special web portal with the medical data for doctors. If you're a doctor, you can tap the login button and that's it, you're inside your medical infrastructure, with a lot of data about patients. You can process the pictures, the personal medical data, you can process the DICOM image, you can extract it, you can change it, and if you're an attacker you can steal it, you can spoof this data, which leads to a wrong diagnosis, right? And this is an example of the pictures of a real patient. This is terrible, but the most terrible thing is that doctors don't understand the landscape; the doctor doesn't care about
cybersecurity. For example, I did some penetration tests, some security assessments, for a medical facility, and I found that a lot of computers, the doctors' computers, have non-related software, not even software for business, for the medical business: for example the Half-Life engine. No, it's serious; this is just a scan of one doctor's computer. We asked the doctor: "What do you need Half-Life for?" "I have a lunch; I need to play during lunch." OK. From these questions, from the findings, I was stirred, so I tried to create some threat landscape: the entry points that are relevant right now, most relevant for medical facilities. I tried to extract from the RIPE database all the IPs of all organizations that have the keywords clinic, medical, surgery, healthcare in the name of the organization. I extracted all the IPs, then I started the scanning procedure, like two weeks of scanning, then I processed all the scan records and built statistics about open ports for medical organizations. Of course there are a lot of trivial devices and trivial services, like HTTP servers, DNS, mail servers, but this is the tip of the iceberg. The most interesting part is at the bottom: there are a lot of non-trivial ports that I tried to tag, extracting banners from the ports, and I created statistics about what is behind the ports. I saw that there is something embedded, a lot of device marks like embedded devices, and what is that? A lot of interesting stuff, like building automation systems, printers, kettles, cameras.

So let's look at what that is. First of all, building automation systems: there are a lot of building automation systems in hospitals. If you don't know what that is, it's just a big, huge router for the building: it collects all the systems in the building, like the TCP/IP network, the lighting system, the air conditioning system, the water system, into one big machine. It's like a router for these kinds of technologies. I tried to scan these networks, the medical networks, for this protocol, building management systems, and I saw that nobody cares about patch management, because all of these findings, all of this software, was outdated, with critical exploits available for everyone. One entry point for an attacker. The next interesting entry point is printers: classic printers without any authentication, so you can open the printer, you can see the print queue, you can extract sensitive documents, you can print something using the printer, or, an interesting scenario, if the printer has Wi-Fi, you can use the printer for lateral movement through the medical network. Another example: a strange port. It's quite popular in the United States, quite popular in healthcare organizations, surgery organizations, clinic organizations. Any idea what is behind this port? No idea? It's OK.
It's just a kettle. If you look at what it is, you will see that the kettle has publicly known vulnerabilities, publicly available information that allows you to connect using Bluetooth with a zero password, and then you can extract the Wi-Fi access point password in plain text. Strange. Or look at these devices. These are official portable medical devices; we call them electroretinographs. Electroretinography, I don't know what that is, but I think it's something like a probe to scan the retina of the patient and then to process some diagnosis for the particular patient. But it has a public vulnerability too. For example, you can find the firmware of this electroretinograph, then you can extract the firmware, and you will see the binary that is responsible for scanning. If you are a doctor, what do you do? You scan the retina, then you scan the special barcode on the patient's paper history, and then this device prepares a PDF report for you based on the diagnostics and based on the personal information extracted from the barcode. But if we look deeper, if we find the functions that process the barcode, we will see that anyone can build a barcode with a special sentence, with a command, and you can create a malicious PDF report. It's a little bit difficult to exploit, but anyway it's a possible scenario.

Or look at these devices and the MQTT protocol. Yeah, we will discuss it later. The MQTT protocol: do you know what that is? No? This is a protocol for communication between IoT and IoT; you don't need a person to communicate. For example, you can create this scenario: a smart bulb and a smart blood pressure monitor, and you can create the scenario "blood pressure is too low, please turn off the light." And we found that there are a lot of spirometers, that's correct, spirometers, blood pressure monitors, and even a lot of refrigerators in morgues, no idea why they are connected to the internet,
but according to Shodan they are. OK, these are the possible entry points into the threat landscape for an attacker, how to get in. But the next stage is what already happens in medical networks right now, nowadays. Using the expertise of Kaspersky, I started to dig into the statistics about the malware that is already in active mode in medical facilities, and this is a typical statistic for medical organizations, medical and pharmaceutical; I will explain why I divided these two terms. Almost 10 percent of computers, users' computers, were affected by malware; these are the general numbers. Almost 30 percent of computers were affected by special hack tools; you know what that is: classic Metasploit, classic tools that are available for everyone. It means two points: probably, first, that medical organizations understand the problem and invest money in red teaming, or pay pentesters to do some security assessment using these tools; or, second, that someone, using GitHub or using Metasploit, creates malware and affects the medical organization. And I think the second one is more likely. This is a general statistic related to general malware, like banking Trojans, something trivial, no APTs, and we can see that medical organizations are still interesting: like 70 percent of organizations were affected by malware.

Let's look at the statistics, because if you try to map the stats by country, using the map, we will see that it looks like this one. The first priority for attackers: the Philippines, Venezuela, Thailand. Why does it look like this? I just tried to google it, and I saw that it depends on how much budget the country spends on cybersecurity: the Philippines, no budget for cybersecurity, a lot of incidents; that's the real statistic. If you look at the same situation but with pharmaceutical organizations (that was medical organizations, now it's pharmaceutical), it's a little bit different, and it depends on the GDP of the country and how many pills, how many drugs, this country produces for export. You will see that Bangladesh, Indonesia, Morocco are the top countries, the main exporters of pills worldwide. It means that for an attacker the pharmaceutical organization is still an interesting point, a tidbit. Why? Because pharmaceutical means pills, it means a lot of intellectual property; you know that there are a lot of scandals around sports and doping, so it's an interesting point for them. We tried to look for targeted attacks, not for trivial malware but for targeted attacks, and we have seen that they exist against medical organizations:
Chinese-speaking attackers use vulnerable web servers to penetrate medical and pharmaceutical organizations, just to observe. Observe what? First of all they are looking for intellectual property: for drugs, for their business plans to release new products. That's interesting for them. If you look at what kind of malware it was, it was PlugX, which is related to Chinese-speaking actors; you can read about this malware on the internet. But anyway, the targeted attackers used this payload to penetrate the medical network.

So after this information, I hope you are all offensive security researchers, defensive security researchers: what is your recommendation for defenders? Let's think not like an offensive expert but like a defensive expert. What are the main recommendations for the defenders, for the system administrators in a medical facility? What do we have to do with this information? Provide any recommendations from your side, guys. Any ideas, what do we have to do? Yes, exactly: isolation, isolation of the medical devices, isolation of critical data, and separate networks. Good one.
Read the standards? Yep, correct, correct. So the conclusion: read the standards, use the best practices, use the NIST standards, but also the FDA; you can use the FDA recommendations, there are a lot of interesting, useful recommendations for medical organizations if you want to protect your data. Any others? Yes, security awareness. Amazing, that's my favorite. No policies, don't mention the policies: security awareness, to educate people, educate people. It's better to use not policies but probably education using real techniques, like trainings, like meetups, like BSides for medical organizations, etc. But anyway, you were almost right, guys, you were right; these are the basic recommendations for organizations. But anyway, there are a lot of trivial things, like please use IDS/IPS, and of course antiviruses; use them, use them, because they are available for everyone, even open source. But if somebody asks me what my recommendation is after that, I think honeypots. Honeypots are the most interesting stuff; it's really interesting stuff that we could use right now as an additional layer for the existing protection system: honeypots and threat intelligence. When I say threat intelligence I mean not only intelligence reports from organizations; it could be offensive threat intelligence too, but I think that's another part, another presentation. But anyway, I've decided to create a platform for security researchers who really love honeypots and really love to scan the internet for interesting vulnerable devices, to exchange the indicators of compromise created from them and exchange these with each other. It's just like, why not, let's try to do that, let's try to build a community, not a community but probably a solution, not a solution but probably a platform, who cares, I don't want any terms. But anyway, you can register there using the invite code, and after that, I don't know when and how, I'll send you a message, an invitation, to get into this platform. But anyway, we have a lot of technologies like machine learning, Big Data, artificial intelligence and other buzzwords, but sometimes it doesn't work, because, let me show you the video.
[Applause]
We still have the vulnerability in our brains; we still have a vulnerability in our DNA. But where is the patch for this vulnerability? How to mitigate it? Using security awareness, using education. That's why we are here, right? Thank you. [Applause]
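The ping-feature command injection in the ISP router and the barcode-to-PDF-report bug in the electroretinograph described in the talk are the same bug class: user-controlled text glued into a shell command line. The following is an added example, not code from the talk or from either vendor's firmware: a hypothetical handler in its vulnerable form beside a hardened form (input validated against the only shapes it may legitimately take, then passed as an argv list with no shell). The command name gen_report, the patient-ID format and the sample payloads are assumptions for illustration.

```python
"""Added example: OS command injection in embedded-device handlers, vulnerable
and hardened side by side. Hypothetical code, not any vendor's firmware."""
import ipaddress
import re
import subprocess

# Hostnames a ping target may legitimately be (RFC 1123 labels); IP literals are
# accepted separately via the ipaddress module, so nothing else gets through.
_HOSTNAME = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.I)
# What the (assumed) ERG device expects to read from the patient barcode.
_PATIENT_ID = re.compile(r"[A-Z0-9]{4,16}")
# Shell metacharacters: a built command line containing any of these is a
# strong signal of injection, useful as a rule over device/web-server logs.
_SHELL_META = re.compile(r"[;&|`$<>\n]")


def ping_line_vulnerable(target: str) -> str:
    """The string a naive web handler hands to /bin/sh: user input glued in."""
    return "ping -c 3 " + target


def report_line_vulnerable(barcode: str) -> str:
    """Same bug class: barcode text glued into the PDF-report command."""
    return "gen_report --patient " + barcode + " --out /tmp/report.pdf"


def is_injected(cmdline: str) -> bool:
    return _SHELL_META.search(cmdline) is not None


def ping_argv_safe(target: str) -> list:
    """Validate, then return an argv list: no shell ever parses the value."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        if not _HOSTNAME.fullmatch(target):
            raise ValueError("rejected ping target: %r" % target)
    return ["ping", "-c", "3", target]


def report_argv_safe(barcode: str) -> list:
    if not _PATIENT_ID.fullmatch(barcode):
        raise ValueError("rejected barcode payload: %r" % barcode)
    return ["gen_report", "--patient", barcode, "--out", "/tmp/report.pdf"]


def run_argv(argv: list) -> bytes:
    # shell=False: the kernel receives argv directly; "8.8.8.8; cat /etc/passwd"
    # could at most be passed to ping as one (invalid) hostname.
    return subprocess.run(argv, shell=False, capture_output=True).stdout


def echo_demo(payload: str = "8.8.8.8; echo INJECTED") -> tuple:
    """Side by side, with 'echo' standing in for ping so it runs harmlessly.
    Returns (output via shell string, output via argv list)."""
    via_shell = subprocess.run("echo " + payload, shell=True,
                               capture_output=True).stdout
    via_argv = subprocess.run(["echo", payload], capture_output=True).stdout
    return via_shell, via_argv
```

echo_demo() shows the difference directly: through the shell the payload runs two commands and "INJECTED" appears on its own line; through argv the whole payload is one literal argument. On a router the web server usually runs as root, so the vulnerable form gives the caller root command execution, which is why the validation step rejects rather than escapes.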
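The router firmware analysis in the talk was done by hand: compare hashes of the BusyBox binaries in the ISP firmware against the upstream build, then pull the strings out of whichever binary differs and look for the odd one ("anonymous"). As an added example, not the speaker's tooling, here is that triage automated over two extracted root filesystems. It uses SHA-256 instead of the MD5 the talk mentions (same purpose, collision-resistant), and the two "rootfs" trees it builds for the demo are constructed stand-ins with a few printable strings, not real binaries.

```python
"""Added example: diff an extracted firmware rootfs against a reference build
and surface suspicious strings that only the vendor build contains."""
import hashlib
import re
import tempfile
from pathlib import Path

# Tokens worth a second look in a binary the vendor changed. The talk's finding
# was a new "anonymous" string in httpd guarding a support-credential branch.
SUSPECT = re.compile(r"anonymous|support|admin|passw|backdoor|telnet", re.I)


def hash_tree(root: Path) -> dict:
    """sha256 of every regular file, keyed by POSIX path relative to the rootfs."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_trees(reference: Path, firmware: Path) -> dict:
    ref, fw = hash_tree(reference), hash_tree(firmware)
    return {
        "modified": sorted(k for k in ref if k in fw and ref[k] != fw[k]),
        "added": sorted(k for k in fw if k not in ref),
        "removed": sorted(k for k in ref if k not in fw),
    }


def strings(data: bytes, min_len: int = 6) -> list:
    """Equivalent of the `strings` utility: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def new_strings(reference_bin: Path, firmware_bin: Path) -> list:
    """Strings present in the vendor build but absent from the reference build."""
    base = set(strings(reference_bin.read_bytes()))
    return [s for s in strings(firmware_bin.read_bytes()) if s not in base]


def triage(reference: Path, firmware: Path) -> dict:
    """For every modified binary, the vendor-only strings that match SUSPECT."""
    report = {}
    for rel in diff_trees(reference, firmware)["modified"]:
        report[rel] = [s for s in new_strings(reference / rel, firmware / rel)
                       if SUSPECT.search(s)]
    return report


def demo_rootfs() -> tuple:
    """Constructed sample: two tiny trees standing in for an upstream BusyBox
    rootfs and the ISP firmware. Returns (reference_dir, firmware_dir)."""
    base = Path(tempfile.mkdtemp())
    ref, fw = base / "busybox_ref", base / "isp_fw"
    for root in (ref, fw):
        (root / "bin").mkdir(parents=True)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "bin/ls").write_bytes(b"\x7fELF" + b"\x00" * 16 + b"ls: cannot access\x00")
    common = b"\x7fELF" + b"\x00" * 8 + b"HTTP/1.1 200 OK\x00Content-Type: text/html\x00"
    (ref / "usr/sbin/httpd").write_bytes(common)
    # The vendor build carries extra strings: this is what the talk found.
    (fw / "usr/sbin/httpd").write_bytes(common + b"anonymous\x00support_login_ok\x00")
    return ref, fw
```

Run it on real input by pointing diff_trees and triage at the directory binwalk (or the vendor's own unpacker) left behind for each image; the "added" list is as interesting as "modified", since a support daemon that upstream never shipped shows up there. Hits still need a disassembler to confirm what the branch does, as in the talk; this only tells you where to look.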
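The router's second finding was that part of the configuration, including the "support" account, was embedded in a JavaScript variable on the dashboard page served before login. As an added example (not the speaker's code, and the page below is a constructed sample, not the real router's HTML), here is a check that fetches a dashboard without any session and reports credential-looking variables in its inline scripts; the key-name patterns are an assumption about how device firmware tends to name such fields.

```python
"""Added example: find credentials leaked into inline JavaScript on an
unauthenticated device page. Sample HTML is constructed for the demo."""
import re
import urllib.request

# name = "value" / name: "value" inside <script>, with either quote style.
_ASSIGN = re.compile(r"""([A-Za-z_$][\w$]*)\s*[:=]\s*(["'])(.*?)\2""")
_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# Assumed naming conventions: secrets, and the account names that go with them.
_SECRET = re.compile(r"pass(word|wd)?|pwd|secret|token|psk|api_?key", re.I)
_ACCOUNT = re.compile(r"(^|_)(user(name)?|login|account)$", re.I)


def inline_scripts(html: str) -> list:
    return _SCRIPT.findall(html)


def js_assignments(script: str):
    for m in _ASSIGN.finditer(script):
        yield m.group(1), m.group(3)


def find_leaked_credentials(html: str) -> list:
    """Returns (variable, value, kind) for every leaked secret or account name.
    Masked values such as "******" are skipped: the server at least hid those."""
    leaks = []
    for script in inline_scripts(html):
        for name, value in js_assignments(script):
            if not value or value == "*" * len(value):
                continue
            if _SECRET.search(name):
                leaks.append((name, value, "secret"))
            elif _ACCOUNT.search(name):
                leaks.append((name, value, "account"))
    return leaks


def check_dashboard(url: str, timeout: float = 5.0) -> list:
    """Fetch the page with no cookies or credentials, as a stranger on the LAN
    would, and report what it gives away."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-leak-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        html = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return find_leaked_credentials(html)


# Constructed sample of the pattern the talk describes: a temporary config
# dumped into a script block on the login page itself.
SAMPLE_LOGIN_PAGE = '''<html><head><title>Router</title>
<script type="text/javascript">
var cfg = {
  wan_user: "isp_user@example", wan_pass: "s3cret-ppp",
  admin_login: "support", admin_pwd: "Sup3rt!",
  wifi_ssid: "Home", wpa_psk: "correct horse"
};
var loginPromptShown = "true";
</script></head>
<body><form method="post"><input name="user"><input name="pass" type="password"></form></body></html>'''
```

find_leaked_credentials(SAMPLE_LOGIN_PAGE) returns the ISP PPP password, the admin password, the WPA key and the two account names; check_dashboard("http://192.168.1.1/") does the same against a live device. Run it from a host with no saved session so a cached cookie cannot hide the leak.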
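The talk points at Shodan to show PACS servers reachable from the internet and describes DICOM as the protocol between medical devices. What a defender inventorying their own network wants next is a probe that speaks the first step of that protocol: send an A-ASSOCIATE-RQ proposing the Verification SOP class (the DICOM "ping") and see whether the server accepts an association from an unknown calling AE title, which is what makes an exposed PACS usable by anyone. The following is an added example, not the speaker's scanner; the PDU layout follows DICOM PS3.8, the implementation class UID is a placeholder, and sample_ac() is a constructed reply, not a capture.

```python
"""Added example: minimal DICOM association probe (A-ASSOCIATE-RQ/AC/RJ)."""
import socket
import struct

APP_CONTEXT = "1.2.840.10008.3.1.1.1"
VERIFICATION_SOP = "1.2.840.10008.1.1"     # C-ECHO service class
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999.1"   # assumed placeholder UID
# A-ASSOCIATE-RJ reasons when source == 1 (the remote DICOM service user).
_RJ_REASON_USER = {1: "no reason given", 2: "application context not supported",
                   3: "calling AE title not recognized",
                   7: "called AE title not recognized"}


def _item(item_type: int, payload: bytes) -> bytes:
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _uid(item_type: int, uid: str) -> bytes:
    return _item(item_type, uid.encode("ascii"))


def _ae(title: str) -> bytes:
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str,
                       abstract_syntax: str = VERIFICATION_SOP) -> bytes:
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0]) + _uid(0x30, abstract_syntax)
                     + _uid(0x40, IMPLICIT_VR_LE))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))
                      + _uid(0x52, IMPL_CLASS_UID))
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae)
            + b"\x00" * 32 + _uid(0x10, APP_CONTEXT) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def _items(data: bytes):
    i = 0
    while i + 4 <= len(data):
        t, _, n = struct.unpack(">BBH", data[i:i + 4])
        yield t, data[i + 4:i + 4 + n]
        i += 4 + n


def parse_pdu(pdu: bytes) -> dict:
    ptype, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if ptype == 0x03:                      # A-ASSOCIATE-RJ
        _, result, source, reason = struct.unpack(">BBBB", body[:4])
        text = _RJ_REASON_USER.get(reason, "reason %d" % reason) if source == 1 \
            else "source %d reason %d" % (source, reason)
        return {"type": "A-ASSOCIATE-RJ", "result": result, "source": source,
                "reason": reason, "reason_text": text}
    if ptype not in (0x01, 0x02):
        return {"type": "PDU-0x%02x" % ptype}
    out = {"type": "A-ASSOCIATE-RQ" if ptype == 1 else "A-ASSOCIATE-AC",
           "called_ae": body[4:20].decode("ascii").strip(),
           "calling_ae": body[20:36].decode("ascii").strip(), "contexts": []}
    for t, payload in _items(body[68:]):   # variable items start after 68 bytes
        if t == 0x10:
            out["app_context"] = payload.decode("ascii")
        elif t in (0x20, 0x21):
            ctx = {"id": payload[0]}
            if t == 0x21:
                ctx["result"] = payload[2]  # 0 = acceptance
            for st, sp in _items(payload[4:]):
                key = {0x30: "abstract_syntax", 0x40: "transfer_syntax"}.get(st)
                if key:
                    ctx[key] = sp.decode("ascii")
            out["contexts"].append(ctx)
    return out


def accepts_any_ae(result: dict) -> bool:
    """True when the server granted the association to our arbitrary AE title."""
    return result["type"] == "A-ASSOCIATE-AC" and \
        any(c.get("result") == 0 for c in result["contexts"])


def _recv_pdu(sock) -> bytes:
    buf = b""
    while len(buf) < 6:
        chunk = sock.recv(6 - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before PDU header")
        buf += chunk
    length = struct.unpack(">I", buf[2:6])[0]
    while len(buf) < 6 + length:
        chunk = sock.recv(6 + length - len(buf))
        if not chunk:
            raise ConnectionError("truncated PDU")
        buf += chunk
    return buf


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> dict:
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        result = parse_pdu(_recv_pdu(s))
        if result["type"] == "A-ASSOCIATE-AC":   # be polite: A-RELEASE-RQ
            s.sendall(struct.pack(">BBI", 0x05, 0, 4) + b"\x00" * 4)
    return result


def sample_ac() -> bytes:
    """Constructed A-ASSOCIATE-AC, as a PACS accepting context 1 would answer."""
    pres = _item(0x21, bytes([1, 0, 0, 0]) + _uid(0x40, IMPLICIT_VR_LE))
    body = (struct.pack(">HH", 1, 0) + _ae("PACS") + _ae("PROBE") + b"\x00" * 32
            + _uid(0x10, APP_CONTEXT) + pres
            + _item(0x50, _item(0x51, struct.pack(">I", 16384))))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body
```

probe("10.0.0.5") answers one of three ways: an A-ASSOCIATE-AC with an accepted context (accepts_any_ae returns True, so the server trusts any client that reaches port 104 and should be behind the isolation the talk recommends), an A-ASSOCIATE-RJ whose reason_text says the AE title is not recognized (an AE-title allow-list is in place, which is a weak control but better than nothing), or a non-DICOM service on that port. Use it against your own inventory only; it opens and releases a real association.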