--- title: Attack Mining subtitle: How to use distributed sensors to identify and take down adversaries link: https://events.ccc.de/congress/2024/hub/en/event/attack-mining-how-to-use-distributed-sensors-to-identify-and-take-down-adversaries/ speaker: Lars König tags: 38c3, security --- *These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times* ## A honeypot This was a pretty cool talk from somebody who found out that a lot of connections to openssh server were going on, and wanted to know more. So he made some changes in the openssh server to deny and log all the attempts, did some more investigation based on it and was able to take control of a botnet. On the system, replace the openssh system with an Attack pot It's putting the data in a database. Because it's a docker container, it's possible to scale. He deployed 250 sensors in 25 different countries, and found something like 12,5/million attacks/day. ## Analysing the data The users tried are: - Admin accounts ("root", or admin or ubuntu) - the domain as username. - Default applications acounts (ftp, accounts that are usually used for applications) The passwords that were tried are really common, - 123456, 123, password. Probably these are real passwords, used in the wild, which is always a bit frustrating. ## Fingerprinting the users He used IP, username, password as a fingerprint. Filtered-off all the common username/password combination, and then did some feature extraction using TF-IDF vectorization, and stored the data in a vector DB. Then, he clusterizes everything, and then created a visualisation. 450 million attacks (40 days), removed the common ones (320 milion attacks). And out of it he got 530 clusters. ## Analysing a cluster Each IP used 169 username and password combinations. Looking at the geo info, it's actually coming from everywhere, so it's hard to make assumptions based on the geo info. Most of the IPs are used by residential ISPs. He also did some OS fingerprinting, and found raspbian, ubuntu, Linux, ASUWRT He found some specific information in the password/username combination (in this case, some words in spanish). Some passwords were used. ## Access to one machine used for attacks He managed to get access to the device, by just asking to one operator who put his contact info on a website that was running on the default HTTP port. From there: `netstat -apn` to see all the internet connections open. `pstree -a` shows all the process running on the system. He found hundreds of `apcid` processes. He found that the processes were started by root. By looking in the `/root/.bash_history`, found that some commands were used. One of them was `su pi`, to connect as the `pi` user, which is kind of strange as usually you connect as `pi` and then elevate privilege. He then used `stat` to know when the file was last used, which got him an approximate date of connection. Looking in the `/var/log/authlog`, he found the login and IP adress of the attacker. They added a ssh public key. Because he was able to time when this was done, found out it was very fast, and assumed it's probably automated. ## IP of the attacker Virus Total was saying that the IP adress was a Tor exit node. ## What's the malware used? Apparently the hash of the binary that was used there wasn't already reported (they usually hash the binaries to report them, in order to not leak the fact that they uncovered something). He then found 6 "dead drops" systems, to which multiple "nodes" were reporting to. Every time a new device is infected, they write a line in there. To authenticate to the deadrops, it was using private keys that were direclty encoded in the binaries. And these keys were also the keys of the root account there (!!) He found 8654 infected systems in the end, all reporting to deaddrops. ## How to stop the attacker? With the IP adresses, he turned to the ISPs, and some of them were actually responding to emails. Because it was a lot of emails to send, he wanted to automate it. He found all the atacks from the same IP, then identifies the ISP and send abuse, monitores the answers and automates the answer with LLMS (LLAMA3) [XARF](https://github.com/abusix/xarf) is a format to handle the reports. (eXtensible Abuse Reporting Format). After looking as the AS: - China Telecom doesn't answer to the mails at all - Digital Ocean: supports XARF and takedown requests - Tencent answers but say they don't process them. ## Data The data is public and available at https://github.com/NetWatch-team Contact them at data@netwatch.team ## QA Q: Do the ISP want to join the network? Yes, a really big one in the US. Q: Do you know what happened by the ISP? it depends. They send an email / mail, etc; or, if the ISP are hosting themselves, they take the VSP offline. They do verification to ensure it's legit. Q: Lowering of the attacks ? Overall we see an increase in attacks because we have more sensors.