Presentation Title Placeholder - F5, Inc.

Transcription

Principal Threat Researcher Evangelist, F5
20 years in InfoSec (CISSP, GLEG); 27 years in IT
President and founder of the Seattle chapter of InfraGard
Specialist in Compliance/Audit, Web App Security, and Network Security
Author and Speaker
r.pompon@F5.com, @dunsany

APPLICATIONS ARE: the reason people use the Internet; the business; the gateway to DATA; the target.

What do Apps mean to Public Sector Orgs?
App Security survey of 3,135 IT sec pros
US, Canada, United Kingdom, Brazil, China, Germany, India
Across 14 industries

Apps Importance, Public Sector vs Average:
  Web apps considered mission critical: 32% vs 34%
  Web apps in use in an organization: 680 vs 760
  Web app environments/frameworks in use: 9.32 vs 9.93

Types of apps in use (F5 Ponemon Survey):
  Communication apps 80%
  Remote access 58%
  Doc management and collaboration 57%
  Office suites 69%
  Backup and storage 58%
  Social apps 35%
  Financial apps 19%
  Developer tools 16%
  Project management 7%

What Happens When Apps Are Attacked?

Attacks by tier (Client, App services, DNS, Network, Access, TLS): cross-site request forgery, cross-site scripting, man-in-the-browser, API attacks, session hijacking, malware, injection, man-in-the-middle, DDoS, abuse of functionality, DNS cache poisoning, DNS spoofing, DNS hijacking, credential theft, credential stuffing, dictionary attacks, brute force, eavesdropping, protocol abuse, phishing, key disclosure, certificate spoofing.


Top 20 targeted services: SIP, SMB, SSH & Rockwell ICS, HTTPS, RDP, SQL Server, SSH, HTTP, MySQL, Telnet, Secure SIP, VNC (5900), MikroTik (8291), TR069 (7547), VNC-2 (5902), HTTP (8080), SMTP (25), Netbios (139), JSON (8545).
Russian IPs targeting SIP. SSH port and/or Rockwell ICS targeting distributed across lots of IPs and in Canada, South Korea, Ukraine.

Application attacks by type (chart): Injection, PHP, Exchweb, SQL; percentages shown: 58%, 56%, 6%, 4%.

2018 Application Attacks by type (chart): Injection, Admin, SQL, PHP; percentages shown: 81%, 8%, 3%, 2%.

2019 Application Attacks, Injection:
  Web code injection and form jacking attacks like Magecart
  RCE vulnerabilities in:
    ThinkPHP CVE-2018-10225
    Oracle WebLogic CVE-2017-10271
    ElasticSearch CVE-2014-3120
    Jenkins CLI SignedObject Deserialization CVE-2017-1000353
    Network Weathermap cacti plug-in CVE-2013-3739
    Oracle WebLogic WLS Security Component CVE-2017-10271

Breach causes by industry: Web (mostly injection); Access (mostly phishing and email).

Breach causes:
  Web Breaches 36%
  Access-related (Phishing, email) 23%
  Accidents/Misconfig 23%
  Physical theft 9%
  Malware/Ransomware 9%

API breaches, 2011 to 2019
Attack vectors: 1. Mobile Apps 2. Direct APIs
Basic Security Fails: 1. Authentication 2. Injection 3. Permissions
  Feb 2019 – RequestBin
  Oct 2018 – Github
  Oct 2018 – Quoine
  Oct 2018 – Girl Scouts
  Sep 2018 – British Airways
  Sep 2018 – Facebook
  Sep 2018 – Apple MDM
  Aug 2018 – SalesForce
  Aug 2018 – T-Mobile
  July 2018 – Venmo
  Apr 2018 – RSA Conference App
  Mar 2018 – Binance
  Mar 2018 – Google
  Jan 2018 – Tinder
  Nov 2017 – Nov 2018: US Postal Service
  Aug 2017 – Instagram
  Feb 2017 – WordPress
  Mar 2015 – Tinder
  Sep 2011 – Westfield

Exposed databases and cloud accounts, 2011 to 2019
Basic Security Control Failures: 1. Exposed DB with weak/no auth 2. Weak Access Control 3. Configuration Error
  Dow Jones High Risk watchlist DB
  China surveillance program DB
  Kremlin DBs
  Ascension DB
  Oklahoma FBI files DB
  Hadoop
  Guardzilla records DB
  Tesla AWS acct
  Alteryx DB
  Aggregate IQ DB
  Verizon customer DB
  Robotics manufacturer for cars DB
  GoDaddy architecture
  IPv6 ISP DB
  Tea Party DB
  Booz Allen and Pentagon DB
  JC Penney
  Stein Mart DB
  Title Nine Sports DB
  North American Power and Gas DB
  Integrated Practice Solutions DB
  Capital Digestive Care DB
  RNC voter DB
  Accenture's Cloud Platform
  Army Intelligence and Security Command DB
  DOD Surveillance DB
  Credit Repair Service DB
  Viacom's master controls
  Dow Jones/WSJ/Barrons customer DB
  WWE Fan DB
  Uber Github account
  Mexican voter DB
  Microsoft Business Productivity Online Suite


What attackers gather before phishing:
Social Media: interests / interest groups; friends, family and relationship information; style of speaking; writing style; work history; education; comments on links; important life event dates; places visited; favorite sites, movies, TV shows, books, quotes; photographs; hacked "private" account data.
People Search Engines: Facebook information; email address (which leads to possible usernames); education, income / salary range; phone numbers; age / age range; race; home address; middle name, maiden name, spouse and family names.
Company Research: who works there; tech infrastructure; types of endpoints (PC/Mac/OS); SEC filings; lawsuit filings; aggregator search tools for corporations; individuals & department names; business partners & affiliates; IP space; WHOIS info; email addresses and format; misconfigurations; server names; private network addresses; email addresses; usernames; DNS servers; self-signed certs; email headers; web servers; web cookies; web applications.

Time spent by attacker type (chart): APTs / Nation-states That Phish vs For-profit cyber criminals; values shown: 10-19 min, 2.5 hrs?, 10 hrs, 4 hrs.

3X: Phishing emails are 3 times more likely to have a malicious link than a malicious attachment.
MALICIOUS LINK: Email sent from North Korean APT in Sony compromise.
MALICIOUS FILE: Email sent from North Korean APT related to Bangladesh Bank heist.

Encryption is an Attacker Disguise: 93% of phishing domains use HTTPS to appear more legitimate.

Majority of Malware Hides in Encryption: 70% of all Internet traffic is encrypted; 68% of malware phones home over port 443.

84% of thingbots discovered since Mirai.
Affected devices: CCTV, DVRs, SOHO routers, iOS, WAPs, set-top boxes, media center, ICS, Android, IP cameras, wireless chipsets, NVR surveillance, VoIP devices, cable modems, Busybox platforms, smart TVs.
Thingbots by year (chart counts: 6, 13, 3, 7, 2, 5 bots; 2018): Death, Okane, Anarchy, Mantis, Satori family, Masuta, Amnesia, PureMasuta, Persirai, Hide 'N Seek, Wicked, VPNFilter, DaddyL33t, Josho, JenX, Tokyo, OMG, Extendo, BigBrother, Annie, Crash Override, Thanos, UPnPProxy, IRC ru / Saikin, Vermelho, Miori, IZIH9, APEP, SEFA, Yowai.

Common IoT Set Up

Oct 2016: Cellular Gateway Discovered
Investigating an airport incident in Europe: BASHLITE on a DVR digital signage solution (same timeframe as the Dyn DNS DDoS attack).
Service and host managed by a 3rd party.
39 active threat actors.
Numerous log entries show incoming attacks: Mirai, shellshock, brute force.
Sierra Wireless device.
Note: System owner sent drives to us for forensic analysis and authorized scanning of their network.

Sierra Wireless Cellular Gateways
NO DEPENDENCY on any vulnerability within the hardware or software.
DEFAULT PASSWORD: *****. Brute force attack(s) are unnecessary.
WAN IP: 166.139.19.193
PUBLIC GPS COORDINATES: 40° 49' 51.5" N, 47° 26' 03.5" W

SierraWireless.com Case Studies:
  St John Ambulance, Western Australia
  California Highway Patrol, California
  Ventura County Fire Department, California
  South Bay Regional Public Communications Authority (SBRPCA), California
  West Metro Fire Protection District, Colorado
  East Baton Rouge Parish Emergency Medical Services (EMS), Louisiana
  Mississippi Highway Safety Patrol
  Gem Ambulance, New Jersey
  City of Charlotte, North Carolina
  Dickinson Police Department (DPD), Texas
  Fairfax's Urban Search and Rescue Team, Virginia
  Westminster Police Department, Colorado
  South Wales Police, Wales
  Danish National Police, Denmark
  City of Yakima, Washington
  Acadian Ambulance Service, Louisiana & Texas
  Seattle Fire Department, Washington

Fleet / Vehicle Tracking: GPS Data Logging (TAIP); TRACCAR – Open Source Fleet Software

Cellular gateways and their authentication weaknesses:
  Sierra Wireless LS300: weak authentication
  Sierra Wireless GX450: weak authentication
  Sierra Wireless ES440: weak authentication
  Moxa OnCell G3xxx: no authentication
  Digi TransPort WR44: weak authentication
  CradlePoint: hard-coded tech support back door
DISCLOSED 10/16/2018

{ " id" : { "protocol" : "http", "timestamp" : { " date" : "2018-07-19T20:31:04.000-0700" }, "source ip" :"185.112.249.24", "session http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent","Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source port" : 56946, "destination port" : 80, }{ " id" : { "protocol" : "http", "timestamp" : { " date" : "2018-07-23T12:16:41.000-0700" }, "source ip" :"185.112.249.24", "session http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent","Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source port" : 49180, "destination port" : 80, }{ " id" : { "protocol" : "http", "timestamp" : { " date" : "2018-07-25T10:04:52.000-0700" }, "source ip" :"185.112.249.24", "session http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent","Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source port" : 40755, "destination port" : 80, }{ " id" : { "protocol" : "http", "timestamp" : { " date" : "2018-07-25T10:14:46.000-0700" }, "source ip" :"185.112.249.24", "session http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent","Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source port" : 40755, "destination port" : 80, }{ " id" : {"protocol" : "http", "timestamp" : { " date" : "2018-07-28T06:29:53.000-0700" }, "source ip" :"185.112.249.28", "session http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent","Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source port" : 50225, "destination port" : 80, }Variousdynamic /privatesource ports49152 - 65535RFC2324:Hyper TextCoffee PotControlProtocol

Shifting to multipurpose
Thingbot attack types: DNS hijack, crypto-miner, DDoS, PDoS, proxy servers, unknown, rent-a-bot, credential collector, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer.
Thingbots by year, 2011 to 2016 and later (chart counts: 13, 4, 2, 3, 7, 1 bots): Death, SORA, Okane, OWARI, Anarchy, Hajime, Trickbot, WireX, IRC, UPnPProxy, Torii, OMNI, Yasaku, JenX, Satori, Wicked, PureMasuta, Josho, Hide 'N Seek, Tokyo, DoubleDoor, Extendo, Hakai, Katrina, Akiru / Saikin, Rediation, Brickerbot, Roaming, Thanos, Mantis, OMG, VPNFilter, Masuta, IZIH9, APEP, SEFA, Yowai.

Application risk ratings, Public Sector vs Average (F5 Ponemon Survey, scale 0-12):
  DoS of App: 5.07 vs 7.19
  Tampering with App: 9.64 vs 8.54
  Leakage of PII: 4.05 vs 6.57
  Leakage of Confidential Info: 8.77 vs 9.08

Attacks of most concern (F5 Ponemon Survey):
  Credential Theft 78%
  DDoS 52%
  Web Fraud 39%
  Cross-site Scripting 26%
  SQL Injection 25%
  Clickjack 22%
  Cross-site Request Forgery 18%

CISO'S #1 MISSION
EVERYONE'S #1 nvironment

Who is responsible for application security (F5 Ponemon Survey):
  CIO or CTO 31%
  Business Units (LOB) 18%
  No One Person or Department 18%
  Head of Application Development 17%
  CISO or CSO 11%
  Compliance Officer 4%
  Head of Quality Assurance 0%

2. Reduce Your Attack Surface
  Sub domains hosting other versions of the main application site
  Web service methods
  Server-side features such as search
  Cookies/state tracking mechanisms
  APIs
  Data entry forms
  Web pages and directories
  Dynamic web page generators
  Administrative and monitoring stubs and tools
  Events of the application (triggered server-side code)
  Shells, Perl/PHP
  Data/active content pools (the data that populates and drives pages)
  HTTP headers and cookies
  Backend connections through the server (injection)
  Admin interfaces
  Apps/files linked to the app
  Helper apps on client (Java, Flash)

Average Days Between Vulnerability Releases (chart, 2018): Vuln released 1.7; Applicable? 1.4; Test 0.9; Apply & [...] 0.8; 9-12 hours.
Firewall what you can't fix. Continuous improvement.

3. Prioritize Defenses Based on Attacks: focus OpEx & CapEx spend.

Security technologies in use (F5 Ponemon Survey):
  Web App Firewall (WAF) 29%
  Penetration Testing 22%
  Application Scanning 19%
  Anti-Malware Software 8%
  Anti-DDoS 7%
  Intrusion Prevention System (IPS) 6%
  Web Fraud Detection 4%
  Next-Generation Firewall 2%
  Traditional Network Firewall 4%

33% phishing success without training; 13% phishing success with training.

71% of phishing impersonates 10 organizations (categories shown: ta, Apps, Phones, Accounting).
