Network and Incident monitoring




August 2013
Koichiro (Sparky) Komiyama, Sam Sasaki
JPCERT Coordination Center, Japan

Agenda
1. Introduction of TSUBAME
2. Recent observation cases

1. INTRODUCTION OF TSUBAME

TSUBAME: Japanese word for swallow
- Seen in the Asia Pacific region; migrates from region to region
- Looks down at the ground from the sky
- Eats insect pests

TSUBAME: packet traffic monitoring system to observe suspicious scanning activities in the Asia Pacific region, headed by JPCERT/CC

Internet Scan Data Acquisition System (ISDAS)
- From 2003
- JPCERT/CC's internal project
- Sensors were put only in Japan
- Data was for JPCERT/CC only

TSUBAME
- From 2007
- Sensors put in the Asia-Pacific region
- Common data and platform shared among JPCERT/CC and other CSIRTs in the Asia Pacific region

History of TSUBAME (timeline figure)
- 2007: TSUBAME project starts; basic specification
- 2008 to 2012: sensor and central system implementation; member teams joined; distribution of sensors in the AP region; member teams joined; data analysis and function improvement; the 1st TSUBAME WS in Phuket; member teams joined; the 2nd TSUBAME WS in Jeju; member teams joined; the 3rd TSUBAME WS in Bali

Members (as of August 2013): Australia, Bangladesh, Brunei, Cambodia, China, India, Hong Kong, Indonesia, Japan, Korea, Myanmar, Macao, Malaysia, Mongolia, Pacific islands, Philippines, Singapore, Sri Lanka, Chinese Taipei, Thailand (23 teams from 20 economies)

Features of TSUBAME
- Common platform for CSIRTs in the AP region
- Data can be utilized for CSIRT operation (reports can be publicly released on the condition that sensitive information, such as IP addresses, is not included)
- Common data shared among member teams: data obtained from all sensors is available to all member teams
- Findings and analysis reports are shared through a mailing list and an annual workshop
- Sensors are put on the live network (cf. dark network)
- Visualization of data

Visualization
- Portal site
- 2D graphic diagram
- 3D visualization map
- Analysis portal site

Visualization (figures)
- Low level visualization
- Mid level visualization
- High level visualization

2. RECENT OBSERVATION CASES

Typical observations
- Port 23/TCP: Telnet bot
- Port 5060/UDP: stealing SIP server accounts
- SYN flood attack? Or another attack

Important points of network monitoring
- What: target software; to a server? to a client? to a specific user?
- When: special pattern, time zone (all day, daytime, night), seasons
- Why: vulnerability, attack tools, historical event (like the end of a war)
- (To) Where: source of the attack, destination of the attack, ISPs, organizations
- Who: bot, malware, attacker (manual)
- How: tools, fully manual

Important points of network monitoring: for further analysis, public information (usually on websites) is useful to understand the situation
- Vulnerability information (software or hardware)
- Malware trends
- Attack tools
- Attacking activity
- etc.

PORT 23/TCP ROUTER BOTNET UPDATE

Scan Counts of PORT 23/TCP

Scan Counts of PORT 23/TCP, classified by the source region

Scan Counts of PORT 23/TCP, classified by the destination region

Scan Counts of PORT 23/TCP, observed by each country's sensor

Scan Counts of PORT 23/TCP, observed by each country's sensor (cont'd)

Status of observed packets from a regional perspective: huge differences by region
- Japan: received many packets from China
- Korea: received many packets from Turkey
- Hong Kong: received many packets, unexpectedly, from Pakistan
- India: received many packets from the US

Trend of threats on port 23/TCP
- Source of the packets (features of the source): a number of services are running: Telnet (sometimes filtered with iptables), web server, etc.; devices: IPTV, router, network device, etc.
- Source regions: many regions, and also rise/fall by region
- Destination regions: bias by region
- Vulnerabilities: the last vulnerabilities were found in the BSD implementation, in Dec 2011; no further vulnerabilities have been found since then
- Exploit kits: no further kits have been found; making use of the Aidra series?

CVE-2011-4862: telnetd code execution vulnerability

Ongoing Aidra attacks? Review of the analysis by KrCERT/CC last year
- Systems affected: embedded Linux systems with vulnerable passwords, such as VoIP modems and IPTV set-top boxes; embedded Linux systems that both open port 23/TCP and have a simple, easy, or no password
- Spread: scan neighbouring IPs for the same kind of vulnerable password; install malware (IRC bot) on the password-hacked IP, downloaded from the below-mentioned URL using telnet; insert an additional 5 types of malicious code into the IRC bot after installing the malware
- C&C commands: DDoS attack, remote control, network scan by bot systems

Reference: lightaidra

Key points to find out the Telnet worm
- Purpose: log in to the Telnet server and execute bots
- Destination port: 23/TCP
- Features in the source port by device: ports 1024-5000 are often used in some devices (caused by resource)
- No, or vulnerable, password: "password", "root", etc.
- Few packets from the same source IP; the target scan range seems to be defined for each device
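The Telnet-worm heuristics on this slide (destination port 23/TCP, a source port in the 1024-5000 range, and only a few packets per source IP) and the per-region scan counts of the earlier charts can be applied to sensor records as a simple filter. The following is an added example, not code from the presentation or from TSUBAME; the packet records, the `Packet` class, the region prefix table and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """One packet seen by a sensor (constructed record format, not TSUBAME's)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


# Constructed sample sensor log using documentation address ranges.
SAMPLE = (
    # two embedded devices: low source ports, one or two packets each
    [Packet("198.51.100.7", 1030, "203.0.113.10", 23, "tcp"),
     Packet("198.51.100.7", 1031, "203.0.113.11", 23, "tcp"),
     Packet("198.51.100.9", 2048, "203.0.113.12", 23, "tcp")]
    # one noisy source in the same port range but with many packets
    + [Packet("198.51.100.30", 1025 + i, "203.0.113.%d" % (40 + i), 23, "tcp") for i in range(10)]
    # an interactive telnet session from a high ephemeral port
    + [Packet("203.0.113.77", 44001, "203.0.113.10", 23, "tcp") for _ in range(10)]
    # unrelated web traffic
    + [Packet("198.51.100.20", 1500, "203.0.113.15", 80, "tcp")]
)


def telnet_scan_sources(packets, low=1024, high=5000, max_packets=3):
    """Source IPs matching the slide's Telnet-worm profile.

    Counts only packets to 23/TCP whose source port lies in [low, high] and
    keeps sources that sent at most max_packets of them (each device scans a
    small, fixed range).  Threshold values are assumptions, not from the slide.
    """
    counts = defaultdict(int)
    for p in packets:
        if p.proto == "tcp" and p.dst_port == 23 and low <= p.src_port <= high:
            counts[p.src_ip] += 1
    return sorted(ip for ip, n in counts.items() if n <= max_packets)


# Constructed prefix-to-region table standing in for a GeoIP lookup.
REGION_OF_PREFIX = {
    ip_network("198.51.100.0/24"): "region-A",
    ip_network("203.0.113.0/24"): "region-B",
}


def region_of(ip):
    addr = ip_address(ip)
    for net, region in REGION_OF_PREFIX.items():
        if addr in net:
            return region
    return "unknown"


def port23_counts_by_region(packets, side="src"):
    """Scan counts to 23/TCP grouped by source (or destination) region,
    the aggregation behind the 'classified by region' charts."""
    counts = defaultdict(int)
    for p in packets:
        if p.proto == "tcp" and p.dst_port == 23:
            ip = p.src_ip if side == "src" else p.dst_ip
            counts[region_of(ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("telnet worm candidates:", telnet_scan_sources(SAMPLE))
    print("23/TCP by source region:", port23_counts_by_region(SAMPLE))
```

On the constructed sample the two embedded devices are reported, while the noisy source (too many packets) and the interactive session (ephemeral source port) are not; the per-region count separates the same traffic by the side you choose.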

Affected Devices?

Sharing the analysis information of JPCERT/CC
- Shared the observation results with India and Hong Kong
- Analysis of the packet increase: change in the number of packets and hosts; bias of the source of the packets (whole area, ISP, etc.)
- Specified the source devices

PORT 5060/UDP STEAL SIP SERVER ACCOUNT

Scans targeting SIP servers
Points:
- Scans had been observed in several TSUBAME member economies
- Spike at the beginning of July, then decreasing gradually


Dispersion of the source ports (figure): source ports cluster in 5060-5087, with a few outliers such as 54790 and 55708 and an "Other" category

SipVicious packet (1)

SipVicious packet (2)

Mal SIPvicious

SIPVicious: the original
- SIPVicious: auditing/testing tool for VoIP systems
- Requires Python 2.4 or later
- URL: http://blog.sipvicious.org/ (code: http://code.google.com/p/sipvicious/)

Major functions of SIPVicious
- svmap: scan SIP; make a list of SIP servers within a specific IP range
- svwar: locate PBX
- svcrack: password cracker tool for SIP PBX
- svreport: session management and reporting
- svcrash: stop svwar and its scan

SIPVicious: customized one
- Few changes to svwar
- os.system calls svcrack.py to execute (original attack tool)
- Modified to conduct the SIP scan referencing parole.txt (figure: snip from parole.txt)

SIPVicious: customized one
- They also added doit.sh: scan by svmap.py (SIP server scanner program)
- Use svmap.py to scan the IP address range defined in clase.txt, then output the result to svmap.out
- Remove results.txt
- (Figures: doit.sh; part of svmap.out, scan with clase.txt, output to svmap.out; sample clase.txt)

SIPVicious: customized one
- They also added ip.sh; svcrack.py calls this shell script
- Sends out the result (results.txt) to a specified e-mail address
- Gets location data
- Uses the mail command to send mail to the address in mail_to.txt
- (Figures: ip.sh; sample results.txt)
- Conclusion: the attacker obtains the SIP server list by e-mail

Attack scenario (figure: attacker, Internet, user system with custom SIPVicious, scanning system, victims, Gmail)
1. Penetrate the user system
2. Install custom SIPVicious
3. Scan SIP servers, then output to svmap.out
4. Based on svmap.out, conduct a dictionary attack with svcrack.py
5. ip.sh makes results.txt and sends it via e-mail
6. Get the list of IPs/hosts; next step: use the SIP server

Key points to detect the SIPVicious packets
- Purposes: detection of SIP servers, and stealing credentials
- Destination port: 5060/UDP
- Source port: 5060-5099/UDP are frequently used
- Packet size: about 450 bytes
- UDP payload contains the text "SipVicious"
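The four detection points on this slide map directly onto a per-packet check: UDP to port 5060, a source port in 5060-5099, a payload of roughly the stated size, and the scanner's name in the payload. The block below is an added example, not code from the presentation or from the SIPVicious project. The `UdpPacket` class, the two sample payloads and the size window (300-600 bytes around the slide's "about 450") are constructed; the `friendly-scanner` User-Agent in the sample is the tool's well-known default and is included only as realistic sample text.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class UdpPacket:
    """Constructed UDP record: addressing plus raw payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def sip_headers(payload):
    """Parse the request line and headers of a SIP message (RFC 3261 text
    format: CRLF-separated 'Name: value' lines after the request line).
    Returns {} if the payload does not look like SIP."""
    text = payload.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or " SIP/2.0" not in lines[0]:
        return {}
    headers = {"request": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_sipvicious_probe(pkt, min_len=300, max_len=600):
    """Apply the slide's four points.  Size bounds are an assumption around
    the stated ~450 bytes; the marker string match is case-insensitive."""
    if pkt.dst_port != 5060:
        return False
    if not 5060 <= pkt.src_port <= 5099:
        return False
    if not min_len <= len(pkt.payload) <= max_len:
        return False
    return b"sipvicious" in pkt.payload.lower()


# Constructed svmap-style OPTIONS probe (documentation addresses only).
PROBE = UdpPacket("198.51.100.7", 5061, "203.0.113.5", 5060, (
    b"OPTIONS sip:100@203.0.113.5 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.7:5061;branch=z9hG4bK-0000000000;rport\r\n"
    b"Content-Length: 0\r\n"
    b"From: \"sipvicious\"<sip:100@1.1.1.1>;tag=00000000000000000000000000000000\r\n"
    b"Accept: application/sdp\r\n"
    b"User-Agent: friendly-scanner\r\n"
    b"To: \"sipvicious\"<sip:100@1.1.1.1>\r\n"
    b"Contact: sip:100@198.51.100.7:5061\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Call-ID: 0000000000000000000000000000\r\n"
    b"Max-Forwards: 70\r\n"
    b"\r\n"
))

# Constructed REGISTER from an ordinary phone: same ports, no scanner marker.
PHONE_REGISTER = UdpPacket("203.0.113.40", 5060, "203.0.113.5", 5060, (
    b"REGISTER sip:203.0.113.5 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.40:5060;branch=z9hG4bK-1111111111\r\n"
    b"From: <sip:201@203.0.113.5>;tag=1111\r\n"
    b"To: <sip:201@203.0.113.5>\r\n"
    b"Call-ID: 1111111111111111\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Contact: <sip:201@203.0.113.40:5060>\r\n"
    b"User-Agent: DeskPhone/1.0\r\n"
    b"Expires: 3600\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
) + b"X-Padding: " + b"x" * 200 + b"\r\n")


def scan_report(packets):
    """Summarise flagged packets as (src_ip, src_port, user-agent) tuples."""
    return [(p.src_ip, p.src_port, sip_headers(p.payload).get("user-agent", ""))
            for p in packets if is_sipvicious_probe(p)]


if __name__ == "__main__":
    print(scan_report([PROBE, PHONE_REGISTER]))
```

Running the report over the two samples flags only the probe; the phone's REGISTER passes the port and size tests but lacks the marker, and the same probe sent from a source port outside 5060-5099 is also not flagged, which is the reason the slide lists all four points together rather than any one of them.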

Lessons learned from this threat
- Where is the SIP server installed?
- Does this attack aim to make free calls?
- Some SIP devices are shipped with a weak default password or a vulnerable password
- Linux/UNIX servers remain unpatched or use vulnerable password authentication
- Telephone and Internet are no longer separated: attackers on the Internet try to reach innocent phone users, e.g. phishing of SIP service providers, bank fraud

Case example of SIP incidents in Japan - Fusion -

Case example of SIP incidents in Japan - ODN -

Case example of SIP incidents in Japan - JAIPA -

BACKSCATTER PACKET: STATISTICS BUREAU OF MIC IN JAPAN

The web site running on 219.101.173.10

Backscatter packets from 219.101.173.10: the packets were neither SYN+ACK nor from port 80

Key points to detect the backscatter packets
- Detect the SYN+ACK packets
- Sequence of SYN -> SYN+ACK
- Pay attention to the source port number, to be consistent with the SYN+ACK packet
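Because TSUBAME sensors sit on live networks, an inbound SYN+ACK is only legitimate if a host behind the sensor previously sent the matching SYN; the slide's two checks (the SYN -> SYN+ACK sequence and a consistent port pair) are what separate real handshakes from backscatter, the replies a flooded server sends to whatever addresses the attacker spoofed. The following is an added example, not code from the presentation; the `TcpEvent` record format and the event list are constructed, with documentation addresses in place of the real 219.101.173.10 case.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    """Constructed record of one TCP packet crossing the sensor boundary."""
    direction: str   # "out": sent by the monitored network, "in": received by it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # "S" = SYN, "SA" = SYN+ACK


# Constructed, chronologically ordered sample.
EVENTS = [
    # normal handshake started inside: SYN out, matching SYN+ACK back
    TcpEvent("out", "203.0.113.10", 40001, "198.51.100.5", 443, "S"),
    TcpEvent("in",  "198.51.100.5", 443, "203.0.113.10", 40001, "SA"),
    # unsolicited SYN+ACKs from a web server that is being SYN-flooded with
    # our addresses forged as the source; nobody here sent those SYNs
    TcpEvent("in", "198.51.100.80", 80, "203.0.113.21", 2311, "SA"),
    TcpEvent("in", "198.51.100.80", 80, "203.0.113.22", 9832, "SA"),
    TcpEvent("in", "198.51.100.80", 80, "203.0.113.23", 1100, "SA"),
    # SYN went to port 22, but the SYN+ACK comes back from port 2222:
    # the port pair is inconsistent, so it is not a reply to our SYN
    TcpEvent("out", "203.0.113.10", 40002, "198.51.100.9", 22, "S"),
    TcpEvent("in",  "198.51.100.9", 2222, "203.0.113.10", 40002, "SA"),
]


def backscatter(events):
    """Return inbound SYN+ACK events that no earlier outbound SYN explains.

    A SYN+ACK is expected only when an outbound SYN to (src_ip, src_port)
    of the SYN+ACK was sent from its (dst_ip, dst_port): that is the
    SYN -> SYN+ACK sequence plus the consistent port check from the slide.
    """
    expected = set()
    hits = []
    for e in events:
        if e.direction == "out" and e.flags == "S":
            expected.add((e.dst_ip, e.dst_port, e.src_ip, e.src_port))
        elif e.direction == "in" and e.flags == "SA":
            key = (e.src_ip, e.src_port, e.dst_ip, e.dst_port)
            if key not in expected:
                hits.append(e)
    return hits


def victim_summary(events):
    """Count backscatter by (source IP, source port): the flooded server and
    the service under attack show up as the dominant pair."""
    return Counter((e.src_ip, e.src_port) for e in backscatter(events))


if __name__ == "__main__":
    for (ip, port), n in victim_summary(EVENTS).most_common():
        print("%s:%d  %d unsolicited SYN+ACK" % (ip, port, n))
```

On the sample, the handshake to port 443 is accepted, the three SYN+ACKs from the flooded server on port 80 are reported, and the port-mismatched reply is also reported, since a consistent port pair is part of what makes a SYN+ACK a genuine response.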

Thank you for your kind attention