Copyright© 2016 ICT-ISAC Japan. All Rights Reserved.

Trend of Cyber Attacks and Introduction of Cyber Security Activities in ICT-ISAC Japan

September 12, 2016

Koji Nakao
ICT-ISAC Japan Executive Board Member, Distinguished Researcher - NICT, Advisor - KDDI



Botnets: Core of problems...

[Diagram of the botnet ecosystem: remote exploits, web exploits and malware download servers; DDoS; exploit sites reached through spam, fake SNS messages (fake private messages to friends of victims), search engines (blackhat SEO, uploading malicious contents) and pay-per-click advertisements shown to search engine users; drive-by download and shellcode; virus mail and phishing mail stealing IDs/passwords (including web admin logins); DNS; C&C infrastructure; infected hosts; money ($) flows.]


Scan behavior observed by ATLAS (NICT)


Contents for Today

1. Overview of ICT-ISAC

2. PRACTICE project (in relation to ISAC)

3. ACTIVE project (in relation to ISAC)

4. CAE WG (Cyber Attack Defense Exercise)

5. New area for IoT security

6. Views from ICT-ISAC



Overview of “ICT-ISAC Japan” (previously called “Telecom-ISAC Japan”)


Overview of ICT-ISAC Japan

● Telecom-ISAC Japan (predecessor) was launched in July 2002 as Japan’s first ISAC;
● After 14 years, ICT-ISAC was established on July 1, 2016 with an expanded scope as the successor of Telecom-ISAC Japan;
● Members of the new ISAC extensively cover not only telecom organizations but also broadcasters, SI vendors and security vendors;
● Objective is to collaboratively protect ICT infrastructures such as the Internet and broadcasting systems against cyber threats in global cyberspace;
● Encourage partnerships and mutual assistance among ICT industry members so as to stand together against large-scale cyber threats which individual corporations cannot face alone;
● The structure of WGs and SIGs is still under consideration; however, the WGs conducted under the previous Telecom-ISAC Japan will basically be continued.

President: Tadao SAITO
Executive Board Members: Hiromichi SHINOHARA (NTT Corp.), Koji NAKAO (KDDI Corp.)
Member corporations
Telecom/Mobile/ISP: NTT, KDDI, NTT Communications, Internet Initiative Japan, NTT DoCoMo, K-Opticom, SONY Network Communications, Softbank, NTT West, NIFTY, NTT East, BIGLOBE, Internet Multifeed, NTT DATA INTELLILINK, KDDI R&D Labs
Broadcaster: NHK, TBS, tv asahi, TV TOKYO, FUJI TV, NIPPON TV
SI Vendor: NEC, Hitachi, Oki Electric Industry, Fujitsu
Security Vendor: FFRI, NRI SecureTechnologies, NTT Com Security
Observers: Ministry of Internal Affairs and Communications (MIC), National Institute of Information and Communications Technology (NICT), JAPAN INTERNET PROVIDERS ASSOCIATION (JAIPA), TELECOM SERVICES ASSOCIATION, Telecommunications Carriers Association (TCA), Japan Data Communications Association (JDCA), The Japan Commercial Broadcasters Association (JBA)


Structure of ICT-ISAC Japan membership

[Diagram of membership scope. Telecom-ISAC: telecom carriers, ISPs. Scope of ICT-ISAC members additionally covers: <Broadcaster> broadcasters, CATV operators; <Security Vendor> AVS vendors, security consulting firms; <SIer/Vendor> SIers, IoT vendors, router vendors, FW/NAT vendors, network equipment manufacturers, consumer electronics manufacturers; also mobile operators and related organizations.]


ICT-ISAC Japan’s Activities

1) Working Group (WG) activities to share and analyze (discuss) the ICT industry’s issues about cybersecurity
2) Holding workshops, cyber-attack exercises, seminars, etc.
3) Collaboration and cooperation with security institutions in Japan and overseas through partnerships (Ministry of Internal Affairs and Communications (MIC), National center of Incident readiness and Strategy for Cybersecurity (NISC), CEPTOAR Council, JPCERT/CC, IPA et al.)
4) Work for MIC’s (governmental) projects against cyber attacks *) ACTIVE launched in Nov. 2013, PRACTICE in Apr. 2011
5) Others (propagation and advancement of security technologies, and contribution to educational activities)

[Diagram of partners: MIC (R&D of Cyber-Attack Prediction and Rapid Response Technology Through International Partnership, etc.); overseas institutions (ICT corps, ISACs, security-related institutions); domestic institutions (ICT corps that are non-ISAC members, security-related institutions); NISC; CEPTOAR Council.]


Categories of WG Activities

※ SONAR: Society of Network Abuse Response. WG activities are still under consideration.


List of WGs’ activities (in Previous ISAC)


Detection of Symptoms of Attacks: PRACTICE Project (Proactive Response Against Cyber-attacks Through International Collaborative Exchange)


Outline of PRACTICE

• PRACTICE project
– Proactive Response Against Cyber-attacks Through International Collaborative Exchange
– Launched in 2011 by MIC Japan
• Objectives
– To construct a world-wide threat monitoring system
– To detect symptoms of cyber-attacks and respond to them proactively at an early stage


Organizations for PRACTICE

Implementing organizations (and partners):
• Yokohama National University
• Institute of Systems, Information Technologies and Nanotechnologies
• SecureBrain Corporation
• KDDI R&D Laboratories
• Japan Datacom Co., Ltd.
Role: R&D of technologies which help to forecast cyber attack trends; field trial of the technologies and quick response.

Supporting organization:
• Technical support based on NICTER collective expertise
• Providing data which has been stored by NICT’s technology


Darknet traffic statistics

2015/10/20 6th APT Cybersecurity Forum


Monitor data through Dark-Net

• Dark-Net: unassigned IP address space, not connected to real servers/PCs.
• Types of packets arriving at the Dark-Net:
– Scans by malware;
– Malware infection behaviors;
– Backscatter from DDoS attacks;
– Misconfigurations/mistakes
• It is very useful for observing serious attack behavior over the Internet.


ATLAS - Darknet visualization



International Darknet Sensors

• Sensors in 10 countries (as collaborative partners) in 2015

[Timeline of sensor deployment by fiscal year: FY 2012: Malaysia, Thailand; FY 2013: Indonesia, Maldives, Philippines, Singapore; FY 2014: India, Netherlands, France; FY 2015: US.]


Darknet Statistics (1)



Darknet Statistics (2)

Seeking vulnerabilities in embedded (Linux) devices

• 23/TCP scans on the Darknet have been increasing

[Photos of targeted device types: wireless router, solid state recorder, web content load balancer.]


Comparison among countries

Top 15 Source Country Count (Country J)
cn 533,262
us 232,590
tw 66,337
nl 48,768
hk 30,854
kr 23,333
fr 23,000
de 22,388
jp 17,043
ru 15,589
pl 12,804
ca 11,515
br 8,615
se 7,873
ua 7,453

Top 15 Source Country Count (Country T)
cn 3,079,777
us 725,992
pl 173,928
nl 119,774
hk 74,305
th 69,901
tw 69,679
kr 65,420
fr 63,913
de 57,347
ru 47,186
jp 31,156
ca 28,904
br 24,063
ua 19,670

• Source countries of hosts observed by "Country J" and "Country T".


Early Detection of DR-DoS attack and its alerting



DRDoS Attack

1. Bots send the reflectors a large number of queries whose source IP addresses are spoofed to the TARGET.
2. The reflectors send the amplified responses to the TARGET.
3. The TARGET’s communication bandwidth is flooded with the amplified packets.

[Diagram: botnet → reflectors (query whose source IP address is spoofed) → TARGET (amplified response).]


Protocols that can be used for DRDoS Attacks

[1] Christian Rossow: "Amplification Hell: Revisiting Network Protocols for DDoS Abuse," Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014.
[2] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz: "Exit from Hell? Reducing the Impact of Amplification DDoS Attacks," Proceedings of the USENIX Security Symposium, 2014.


Reflectors distribution on world map



DR-DoS honeypots

[Diagram: a botnet sends queries spoofed to be from host x.y.z.w (the DDoS target) to open servers (reflectors), whose responses go to x.y.z.w. DRDoS honeypots sit among the open servers and watch the spoofed queries, while their own responses are stopped (bandwidth-controlled).]

PRACTICE set up open but bandwidth-controlled servers to monitor DR-DoS attacks.


DR-DoS detection statistics

DNS-Amp attacks are increasing



Early collection of malicious domains-1

[Plot: number of queries for bitstress.com per date (y-axis 0 to 70,000) as observed by YLAB-DNS, MKT-DNS, Honeypot1, Honeypot2 and Darknet (65,536 IPs), with the DoS alert at the backbone marked; the honeypot observations precede it, annotated "6 days".]

Domains with maliciously large responses are observed by the honeypot before they are used in actual attacks (attackers test their domain before using it for an attack).


Early collection of malicious domains-2

Over 50% of the malicious domains prepared for DNS AMP attacks were collected by the honeypot/darknet two days or more before the actual attacks.

Days prior to attacks   #domains
0 day                   4 (12.1%)
within 1 day            5 (15.2%)
2~7 days                7 (21.2%)
8~30 days               6 (18.2%)
31~ days                4 (12.1%)
After the attacks       3 ( 9.1%)
Not detected            4 (12.1%)
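The lead-time categories in the table above can be reproduced from sensor and attack timestamps. The following is an added example, not code from the PRACTICE project or the slides; the domain records are constructed, and measuring the lead in calendar days is an assumption about how the slide's buckets are defined.

```python
from datetime import datetime

# Bucket labels exactly as on the slide, in display order.
BUCKETS = ["0 day", "within 1 day", "2~7 days", "8~30 days", "31~ days",
           "After the attacks", "Not detected"]

# Constructed records (hypothetical domains): domain, first time the domain was
# seen at the honeypot/darknet sensors (None = never seen), first attack time.
RECORDS = [
    ("a.example", datetime(2014, 11, 13, 10, 0), datetime(2014, 11, 13, 23, 57)),
    ("b.example", datetime(2014, 11, 12, 23, 0), datetime(2014, 11, 13, 1, 0)),
    ("c.example", datetime(2014, 11, 7, 8, 0),   datetime(2014, 11, 13, 9, 0)),
    ("d.example", datetime(2014, 10, 20, 8, 0),  datetime(2014, 11, 13, 9, 0)),
    ("e.example", datetime(2014, 9, 1, 8, 0),    datetime(2014, 11, 13, 9, 0)),
    ("f.example", datetime(2014, 11, 15, 8, 0),  datetime(2014, 11, 13, 9, 0)),
    ("g.example", None,                          datetime(2014, 11, 13, 9, 0)),
    ("h.example", datetime(2014, 11, 11, 8, 0),  datetime(2014, 11, 13, 9, 0)),
]


def bucket_for(first_seen, attack_time):
    """Assign the slide's category to one domain. Lead time is measured in
    calendar days (assumption); a domain first seen only after its first
    attack counts as 'After the attacks'."""
    if first_seen is None:
        return "Not detected"
    lead = (attack_time.date() - first_seen.date()).days
    if lead < 0:
        return "After the attacks"
    if lead == 0:
        return "0 day"
    if lead == 1:
        return "within 1 day"
    if lead <= 7:
        return "2~7 days"
    if lead <= 30:
        return "8~30 days"
    return "31~ days"


def summarise(records):
    """Return {bucket: (count, percent)} over all records, like the slide's table."""
    counts = {b: 0 for b in BUCKETS}
    for _domain, first_seen, attack_time in records:
        counts[bucket_for(first_seen, attack_time)] += 1
    total = len(records)
    return {b: (n, round(100.0 * n / total, 1)) for b, n in counts.items()}


def early_share(records):
    """Fraction of domains collected two days or more before their first attack
    (the figure the slide quotes as 'over 50%')."""
    early = {"2~7 days", "8~30 days", "31~ days"}
    hits = sum(bucket_for(s, a) in early for _, s, a in records)
    return hits / len(records)


def render_table(summary):
    lines = ["Days prior to attacks  #domains"]
    for b in BUCKETS:
        n, pct = summary[b]
        lines.append(f"{b:<22} {n} ({pct}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(summarise(RECORDS)))
    print(f"collected >= 2 days early: {early_share(RECORDS):.1%}")
```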


Utilization of DR-DoS alert

• DR-DoS alert sample (e-mail)

START of DR-DoS attack
[Target IP] XXX.XXX.XXX.XXX
[Detection time] 2014-11-13 23:57:37
[Protocol] DNS : port 53
[DRDoS Honeypot detail data]
AS num : "AS2516 KDDI KDDI CORPORATION"
country : "Japan"
pps(MAX) : 2.2
pps(AVG) : 1.1416666666666666
[Domain] "wradish.com ANY IN":137

END of DR-DoS attack
[Target IP] XXX.XXX.XXX.XXX
[Detection time] 2014-11-13 23:57:37
[Protocol] DNS : port 53
[DRDoS Honeypot detail data]
AS num : "AS2516 KDDI KDDI CORPORATION"
country : "Japan"
pps(MAX) : 2.2
pps(AVG) : 1.1416666666666666
[Domain] "wradish.com ANY IN":137
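Alerts of this kind can be generated from the spoofed queries that the bandwidth-controlled reflectors (the DR-DoS honeypots above) receive, since the spoofed source address is the attack's target. The following is an added example, not the PRACTICE project's code: the log line format, the episode thresholds and the AS/country table are assumptions, the sample log is constructed, and the output follows the START/END e-mail layout above.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed honeypot log (assumed format):
#   <ISO time> <honeypot id> <proto> <port> <spoofed source = DDoS target> <query>
SAMPLE_LOG = """\
2014-11-13T23:57:37 hp1 DNS 53 203.0.113.10 wradish.com/ANY
2014-11-13T23:57:37 hp1 DNS 53 203.0.113.10 wradish.com/ANY
2014-11-13T23:57:38 hp1 DNS 53 203.0.113.10 wradish.com/ANY
2014-11-13T23:57:38 hp2 DNS 53 203.0.113.10 wradish.com/ANY
2014-11-13T23:57:39 hp1 DNS 53 203.0.113.10 wradish.com/ANY
2014-11-13T23:57:40 hp2 DNS 53 203.0.113.10 wradish.com/ANY
2014-11-13T23:57:41 hp1 NTP 123 198.51.100.7 -
2014-11-13T23:58:05 hp1 DNS 53 203.0.113.10 wradish.com/ANY
"""

# Placeholder AS/country table standing in for a real routing lookup.
AS_TABLE = [
    (ip_network("203.0.113.0/24"), "AS64500 EXAMPLE-ISP", "Japan"),
    (ip_network("198.51.100.0/24"), "AS64501 EXAMPLE-NET", "Japan"),
]

def lookup_as(ip):
    addr = ip_address(ip)
    for net, asn, country in AS_TABLE:
        if addr in net:
            return asn, country
    return "unknown", "unknown"

@dataclass
class Attack:
    target: str
    proto: str
    port: int
    start: datetime
    end: datetime
    pps_max: int
    pps_avg: float
    top_query: str
    top_count: int

def parse_line(line):
    ts, _hp, proto, port, target, query = line.split()
    return datetime.fromisoformat(ts), proto, int(port), target, query

def summarise(target, proto, port, episode):
    """Per-second peak and average query rate over one episode, summed over
    all honeypots; the most frequent query becomes the [Domain] field."""
    per_second = Counter(ts.replace(microsecond=0) for ts, _ in episode)
    queries = Counter(q for _, q in episode)
    start, end = episode[0][0], episode[-1][0]
    duration = (end - start).total_seconds() + 1  # inclusive seconds (assumption)
    top_query, top_count = queries.most_common(1)[0]
    return Attack(target, proto, port, start, end, max(per_second.values()),
                  len(episode) / duration, top_query, top_count)

def detect_attacks(log_text, min_queries=5, quiet=timedelta(seconds=10)):
    """Group spoofed queries by (target, proto, port), split each stream into
    episodes separated by a quiet gap, and keep episodes with enough queries.
    The thresholds are assumptions, not the project's values."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, proto, port, target, query = parse_line(line)
            streams[(target, proto, port)].append((ts, query))
    attacks = []
    for (target, proto, port), events in streams.items():
        events.sort()
        episode = []
        for ev in events + [None]:  # None flushes the last episode
            if ev is not None and (not episode or ev[0] - episode[-1][0] <= quiet):
                episode.append(ev)
                continue
            if len(episode) >= min_queries:
                attacks.append(summarise(target, proto, port, episode))
            episode = [ev] if ev is not None else []
    return attacks

def format_alert(kind, a):
    """Render a START or END alert in the layout of the e-mail sample."""
    asn, country = lookup_as(a.target)
    name, _, qtype = a.top_query.partition("/")
    when = a.start if kind == "START" else a.end
    return "\n".join([
        f"{kind} of DR-DoS attack",
        f"[Target IP] {a.target}",
        f"[Detection time] {when:%Y-%m-%d %H:%M:%S}",
        f"[Protocol] {a.proto} : port {a.port}",
        "[DRDoS Honeypot detail data]",
        f'AS num : "{asn}"',
        f'country : "{country}"',
        f"pps(MAX) : {a.pps_max}",
        f"pps(AVG) : {a.pps_avg}",
        f'[Domain] "{name} {qtype} IN":{a.top_count}',
    ])
```

In the sample log the single NTP query and the late DNS query fall below the episode threshold, so only one attack (six queries against 203.0.113.10 over four seconds) produces a START and an END alert.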



Activities against DDoS in Japan

Countermeasures against DRDoS attacks using DRDoS honeypot alerts

[Diagram: the DRDoS honeypot system detects DRDoS attacks (DNS, NTP, SSDP, CHARGEN, QOTD, SNMP) launched by DDoS attackers through reflectors against a victim host and produces a DR-DoS alert (victim host’s IP, detected time, protocol, end time, ...); email alerts are sent to ISP network operators, who respond via the DDoS countermeasure system at the backbone.]

・DR-DoS alerts are delivered to Telecom-ISAC Japan (now ICT-ISAC).
・Network operators can manage and respond to DRDoS attacks through these alerts.
⇒ 86% of the alerts were issued earlier than detections by the existing DDoS countermeasure systems.
⇒ Early response is realized about 2 minutes earlier than in normal operation.


Malware sandbox analysis and alerting



Malware sandbox analysis

Long-term analysis of malware activities: malware samples (botnet-type malware, P2P-type malware, financial malware) are executed in a sandbox connected to the internet, and their malicious traffic to malicious servers is the data source.

1) Traffic monitoring
・location of C&C servers
・location of manipulation servers
・location of DNS servers
・location of SMTP servers
・port number
・・・

2) Malware detail analysis
・plug-in information
・configuration information
・URL information
・malware bodies (hash value) received from malicious servers
・・・

Alerts are sent by utilizing this information.


Example: Growing financial malware


National Police Agency (Japanese): https://www.npa.go.jp/cyber/pdf/H270903_banking.pdf

• Threats from financial malware, which uses the MITB (man-in-the-browser) method to steal money from online banking customers, are growing.

[Figure: man in the browser between the user’s web browser and the banking site (labels: Banking Site, Web).]


Long-term analysis in Sandbox


• The project has continuously monitored the following financial malware.

– Aibatook

– ZeuS (P2P)

– VAWTRAK

– Ice IX

– Citadel

– Chthonic

– Dyre

– Win32/Spy.Shiz

– Shifu

– WERDLOD

– Win32/Farfli.BTH

– Dridex

• Alerts are provided as outcomes of the analysis.


Behavior of VAWTRAK (an example of Banking Malware)

[Sequence diagram. Actors: User, VAWTRAK (malware), Banking Server (normal), C&C Server, Manipulation Server. Labelled steps: browser initiation; execute; access to C&C; environmental information for malicious access to the bank; access to the normal banking server; normal content; manipulated content; malicious script (attack); request password (normal); faked password request window; input password; information leakage (ID/password, etc.); illegal access from VAWTRAK; request for sending money; progress bar; observation.]


Alert by malware analysis

JSON alert (sample)
• Header part: hash value, malware name
• Data part: C&C info, target URL, DNS info, etc.

The alerts are provided to police, financial sectors, etc.


Summary

• Our awareness of ongoing botnet activities has improved with the following approaches:
– Long-term sandbox analysis of bot samples reveals their microscopic behavior (e.g. characteristic DNS queries), useful for detecting infected hosts as well as for understanding the details of threats (e.g. spam, PPC).
– Multiple sensors (cache DNS, darknet, livenet, and honeypots) complement each other, enabling us to grasp a macroscopic picture of various botnet activities.


ACTIVE Promotion-WG (Advanced Cyber Threats response InitiatiVE)


ACTIVE – Aim for Prevention of Malware Infection and Removal of Malware

○ Public-Private Partnership project for around 30 million Internet users, which prevents malware infection and removes malware through collaboration among ISPs. (ACTIVE: Advanced Cyber Threats response InitiatiVE)
○ Started in November 2013. There are now 12 companies participating.
○ The world’s first effort implementing comprehensive countermeasures against malware infection; it aims at international collaboration in the future.

① Prevention of Malware Infection
① Collection of malware-embedded websites, compiled into a list
② Issue of warning statements to users who are going to access malware-embedded websites
③ Issue of warning statements to administrators of malware-embedded websites to remove malware from their websites

② Removal of Malware
① Detection: identification of individual users whose PCs are infected with malware
② Issue of warning statements to the users to take appropriate measures
③ Removal of malware in accordance with the warning statements


Prevention of Malware Infection: Efforts

Total number of alerts issued: March 2015: 84; Accumulated Total: 22,867
(Total number of times each ISP issued warnings, e.g., a tool popping up a warning message)

Information on malicious sites (number of URLs): March 2015: 13,351
(Number of times information on malicious sites was provided to ISPs)

★ Number of URLs about which warnings were issued (duplicated URLs are counted as one URL): March 2015: 66; Accumulated Total: 4,843
(Number of URLs about which warnings were issued; duplicated URLs are not included)

[Diagram, Efforts for Prevention of Malware Infection: a decoy machine (crawling honeypot) finds a malicious site; information on the malicious site is provided to an ISP; the ISP issues a warning statement, using a tool, to the Internet user accessing the malicious site; ISP business operators etc. prompt removal of the malware on the site.]


Removal of Malware: Efforts

Number of users who received warnings (total number among all ISPs): March 2015; Accumulated Total: 1,418
(Number of users to whom warnings were issued)

Number of warnings (total number among all ISPs): March 2015; Accumulated Total: 7,018
(Total number of warnings issued by each ISP; multiple warnings issued to a single user are counted multiple times)

Total number of collected samples: March 2015; Accumulated Total: 1,093,097
(Total number of samples collected by the decoy machine)

Number of identified samples (duplicated samples are counted as one sample): March 2015; Accumulated Total: 16,228
(Number of samples, with duplicates counted as one, out of the total number of collected samples)

[Diagram, Efforts for Removal of Malware: a decoy machine (standby honeypot) detects/captures infection behaviors from a terminal infected with malware; infection logs are stored on a web server; ISP business operators identify users from the infection logs and send a warning email; the user whose terminal has been infected accesses the site that provides information for removing malware, obtains the information needed and removes the malware; external organizations are also involved.]


Take Down of Game Over Zeus

Take down of the C&C servers and their proxies; monitor C&C server activity and notify users of infection.

(Source) http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted
(Source) http://www.npa.go.jp/cyber/goz/

Operational detail
Game Over Zeus bots have been used by a ring of cybercriminals for stealing from Internet banking. As Game Over Zeus (GoZ) was taking a major role in cybercrime around the world, the FBI and Europol organized a large-scale takedown involving law enforcement agencies around the world, including Japan. The goals of the operation were to confiscate the servers used by the criminals, find the PCs infected by the malware and notify their users.


Participation in the VAWTRAK Botnet Takedown Operation

• Call for attention and request for disinfection to users of infected terminals
• Incapacitation of VAWTRAK on the infected terminals

(Source) http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm

Details of the operation
Infection of 44,000 terminals within Japan (82,000 globally) with "VAWTRAK", a malware for unauthorized money transfer in Internet banking, was confirmed. Japan was judged to be the main target from the ratio of infected terminals within Japan and the configuration files of VAWTRAK.
As a countermeasure, an Internet banking virus incapacitation operation, the first large-scale botnet takedown operation of its kind in Japan, was deployed. The Ministry of Internal Affairs and Communications and Telecom-ISAC Japan collaborated to call users’ attention and carry out disinfection operations together with member ISPs. (Apr. 2015)

(Source) http://www.soumu.go.jp/menu_news/snews/01ryutsu03_02000092.html
(Source) https://www.telecom-isac.jp/news/news20150410.html
(Source) http://www.active.go.jp/active/news/release/entry-231.html


Approach of each ISP through ACTIVE (T-ISAC-J)

General flow of call for attention to malware-infected terminals

[Diagram. 2014, responding to GOZ: the system constructed by the FBI etc. (label: US-CERT) observes unauthorized communication from GOZ-infected terminal users; (1) capture infected terminals; (2) send information on infected terminals. 2015, responding to VAWTRAK: the C&C server (remotely controlled by the Metropolitan Police Department) observes unauthorized communication from VAWTRAK-infected terminal users; (1) capture infected terminals; (2) send information on infected terminals. Telecom-ISAC Japan (ACTIVE): (3) send information on infected terminals to each ISP [total number of list: 155,000 terminals (GOZ), 44,000 terminals (VAWTRAK)]. ISPs participating in ACTIVE: log investigation and comparison, contact to users; (4) prompt users of infected terminals to disinfect the malicious program (call for attention).]

Telecom-ISAC Japan (ACTIVE project) provided the contact person and arrangements for these projects through consultations with the Metropolitan Police Department, the National Police Agency, and the Ministry of Internal Affairs and Communications.

Regarding calls for attention, Telecom-ISAC Japan first received information from related organizations (JPCERT/CC and the Metropolitan Police Department) as the contact for both the "GOZ" and "VAWTRAK" projects, before sending the information to each ISP utilizing the delivery line of ACTIVE.

Each ISP called for attention and requested the disinfection of the virus from users based on the received information on infected terminals.

ACTIVE provides “infra” to reach the end-users through ISPs


Cyber Attack Defense Exercise WG (CAE-WG)


Background and Purposes of the Exercise

Background
・Responses to attacks by a single company are reaching their capacity limit due to the increase of threats
・Provision of an environment for prompt responses to incidents, even when cooperating with other companies
・Minimization of damage when receiving attacks
・Shortage of personnel with sophisticated skills on the defense side
・Shortage of opportunities for personnel development
・Shortage of trainers for personnel development

Purposes
・Prompt responses even at incidents / confirmation of contact points: to confirm whether companies can cooperate at incidents and, at the same time, to train how to cooperate
・Personnel development: experience through the exercise what cannot be experienced in normal operations
・Recognition of issues and improvement: recognize the issues of one’s own organization for improvement

To build relationships capable of responding to cyber attacks, the Cyber Attack Exercise (CAE) WG has been conducted since May 2009.


Image of the Exercise

[Figure: two participating ISP companies (A and B), each with players, a controller and an evaluator; a director issues events and handles inquiries and answers. Example event: "Cannot access famous sites." The players of the two companies discuss within their group and exchange inquiries and answers with the other company.]

Roles

Director (examiner; for example one person per theme: DNS, network, web, etc.)
• Decides on and carries out the start and end of the exercise.
• Supervises the whole exercise and grasps the situation of each participating group.
• Distributes events to each group.

Controller (one person per team; advisor during the exercise)
• Promotes understanding of the messages from events and/or other organizations, and gives incidental information to the group's players.
• Promotes discussion among the players and helps them decide on actions.
• If a player asks for information outside the event, or for results not given by it, answers according to the "controller material" distributed beforehand, or escalates to the director if necessary.

Players (executors of the exercise)
• Participants who are the center of the exercise.
• Make decisions and discuss in accordance with their own post, role and experience in the situation given by the event, and decide the actions of the organization as a result of the discussion within the group.
• Declare the decided actions to the controller and evaluator.
• Exchange messages with the players of other organizations when necessary.

Evaluator (coach, leader)
• Records the contents of the discussions and the decided actions.
• Writes an evaluation report after the exercise.

Example of a request/inquiry from the MSEL (master scenario events list): "Currently, access to famous sites is not possible. As a result of investigation, communication is cut off within your network. Can I ask for a check?"


Cyber Attack Exercise (CAE2015)

Date: January 19, 2016
Location: Ota City Industrial Plaza (Kamata, Tokyo, Japan)
Participating companies: major ISPs, communications companies, etc.
Participants: 218


New area for IoT security (in relation to the Investigating Vulnerability - Network Device WG)


Scanning observation by nicter-Atlas

[Figure: two nicter Atlas views of darknet traffic, all ports and port 23 only.]

Recently, scanning to port 23 (Telnet) is getting larger.

• Packets arriving at the darknet are captured in real time.
• Colour indicates the protocol type: UDP, TCP SYN, TCP SYN/ACK, TCP other, ICMP.


Telnet (23) attacks on Darknet have rocketed

[Figure: time series of Telnet (TCP/23) traffic observed on the darknet; left axis packet count (0 to 70,000,000), right axis unique host count (0 to 400,000), plotted against time as "# of unique hosts" and "# of packets".]
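The classification in the Atlas legend above (UDP, TCP SYN, TCP SYN/ACK, TCP other, ICMP) and the per-port packet and unique-host counts in this chart can be reproduced from raw darknet captures. The following Python is an added example written for this page, not nicter or NICT code: it parses IPv4, TCP and UDP headers from raw packets, classifies each packet the way the legend does, and counts packets and unique source hosts for TCP SYNs to port 23. The packets are constructed inline for the example (checksums are left zero because nothing is transmitted), and all addresses come from documentation ranges.

```python
import struct
from collections import Counter

TCP_SYN, TCP_ACK = 0x02, 0x10
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def classify(packet):
    """Classify one raw IPv4 packet (no link-layer header) the way the Atlas legend does.

    Returns (category, src_ip, dst_port) or None if the bytes are not an IPv4 packet.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes, options included
    proto = packet[9]
    src_ip = ".".join(str(b) for b in packet[12:16])
    l4 = packet[ihl:]
    if proto == PROTO_ICMP:
        return ("ICMP", src_ip, None)
    if proto == PROTO_UDP and len(l4) >= 8:
        return ("UDP", src_ip, struct.unpack("!H", l4[2:4])[0])
    if proto == PROTO_TCP and len(l4) >= 20:
        dst_port = struct.unpack("!H", l4[2:4])[0]
        flags = l4[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            category = "TCP SYN"          # a scanner or bot probing the unused address
        elif flags & TCP_SYN and flags & TCP_ACK:
            category = "TCP SYN/ACK"      # backscatter: a victim answering a spoofed SYN flood
        else:
            category = "TCP Other"
        return (category, src_ip, dst_port)
    return ("Other", src_ip, None)


def summarize(packets, port=23):
    """Per-category packet counts, plus packet count and unique-host count of SYNs to `port`."""
    by_category = Counter()
    hosts, syn_packets = set(), 0
    for packet in packets:
        result = classify(packet)
        if result is None:
            continue
        category, src_ip, dst_port = result
        by_category[category] += 1
        if category == "TCP SYN" and dst_port == port:
            syn_packets += 1
            hosts.add(src_ip)
    return by_category, syn_packets, len(hosts)


# --- constructed packets for the example (not real captures) -----------------

def _ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL=5, TTL 64); checksum left 0 because nothing is sent."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def _tcp(sport, dport, flags):
    """Minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def constructed_capture():
    darknet = "203.0.113.7"                           # one unused (darknet) address
    packets = []
    for i in range(1, 6):                             # five distinct hosts probing Telnet...
        packets.append(_ipv4(f"198.51.100.{i}", darknet, PROTO_TCP, _tcp(40000 + i, 23, TCP_SYN)))
    packets.append(_ipv4("198.51.100.1", darknet, PROTO_TCP, _tcp(40010, 23, TCP_SYN)))      # ...one of them twice
    packets.append(_ipv4("198.51.100.9", darknet, PROTO_TCP, _tcp(40011, 80, TCP_SYN)))      # a web scan
    packets.append(_ipv4("192.0.2.80", darknet, PROTO_TCP, _tcp(80, 51000, TCP_SYN | TCP_ACK)))  # backscatter
    packets.append(_ipv4("192.0.2.81", darknet, PROTO_TCP, _tcp(443, 51001, TCP_ACK)))       # TCP other
    packets.append(_ipv4("192.0.2.53", darknet, PROTO_UDP, struct.pack("!HHHH", 5353, 53, 8, 0)))
    packets.append(_ipv4("192.0.2.1", darknet, PROTO_ICMP, bytes([8, 0, 0, 0, 0, 0, 0, 0])))
    packets.append(b"\x60" + b"\x00" * 39)            # an IPv6 packet: not classified here
    return packets


if __name__ == "__main__":
    by_category, telnet_packets, telnet_hosts = summarize(constructed_capture())
    print(dict(by_category), telnet_packets, telnet_hosts)
```

The unique-host count, not the packet count, is the figure to watch for a worm: one noisy scanner inflates packets, while a growing population of infected devices inflates hosts.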


Attacking hosts are IoT devices

150,000 attacking IPs and 361 device models observed in 4 months.


Why IoT devices?

• Online 24/7
• No anti-virus
• Weak/default login passwords
• Global IP address, open to the Internet


We would like to know:

• Malware: what kind of malware? How many different kinds?
• Targets: what IoT devices are targeted?
• Monetization: what do the attackers do after compromising these devices?

We propose the first honeypot for IoT.


Challenges

• Honeypot (IoTPOT): IoT devices listening on Telnet.
• Sandbox (IoTBOX): IoT malware of different CPU architectures (ARM, PPC, SuperH, x86, MIPSEL, MIPS).

Challenges:
• Emulating diverse IoT devices.
• Capturing malware of different CPU architectures.
• Running malware of different CPU architectures.


Emulating different devices

[Figure: a Telnet session with the honeypot. 3-way handshake; Telnet option negotiation (e.g. Do Echo, Do NAWS, Will Echo); welcome message and login prompt (e.g. "ADSL Router login:"); ID/password authentication (e.g. root / 12345); command and response (e.g. "cat /bin/sh", with different responses for ARM, MIPS and PPC). A device profile consists of its banner interaction, its user ID/password and its command responses.]

NAWS: Negotiate About Window Size (a Telnet option).

• Different banner interactions: obtained by scanning the Internet on port 23 to collect banners.
• Different user IDs/passwords: weak/default IDs and passwords obtained by web search.
• Different interactions/responses: learned from actual devices, and from a system with a general configuration for embedded devices (e.g. OpenWrt).
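To make the emulation concrete, here is an added Python example written for this page; it is not IoTPOT's own code. It models one device profile of the kind described above: the server-side Telnet option negotiation, the banner and login prompt, a set of weak credentials, and canned command responses. The response to `cat /bin/sh` is a fake ELF header whose EI_DATA and e_machine fields match the architecture the profile claims, which is what lets a bot decide whether to drop an ARM, MIPS or PPC payload; `guess_arch` shows that attacker-side check. The profile contents (`ADSL_ROUTER`), prompts and credentials are constructed for the example, and NAWS subnegotiation data is logged but not interpreted.

```python
# Telnet protocol bytes (RFC 854/855/1073); IAC = "interpret as command".
IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254
ECHO, NAWS = 1, 31   # NAWS: Negotiate About Window Size

# ELF e_machine values used to tell architectures apart from "cat /bin/sh" output.
ELF_MACHINE = {"x86": 0x03, "mips": 0x08, "mipsel": 0x08, "ppc": 0x14, "arm": 0x28, "sh": 0x2A}
ELF_LITTLE_ENDIAN = {"x86", "mipsel", "arm", "sh"}

# Constructed device profile (an assumption for this example, not a profile from IoTPOT).
ADSL_ROUTER = {
    "banner": b"\r\nWelcome to ADSL Router\r\n",
    "login_prompt": b"ADSL Router login: ",
    "password_prompt": b"Password: ",
    "creds": {("root", "12345"), ("admin", "admin")},
    "shell_prompt": b"# ",
    "responses": {"busybox": b"BusyBox v1.19.4 multi-call binary.\r\n"},
}


def fake_elf_header(arch):
    """First 24 bytes of an ELF file for `arch`: what 'cat /bin/sh' starts with on a real device."""
    order = "little" if arch in ELF_LITTLE_ENDIAN else "big"
    e_ident = b"\x7fELF" + bytes([1, 1 if order == "little" else 2, 1, 0]) + b"\x00" * 8
    return (e_ident + (2).to_bytes(2, order)               # e_type: ET_EXEC
            + ELF_MACHINE[arch].to_bytes(2, order)         # e_machine
            + (1).to_bytes(4, order))                      # e_version


def guess_arch(blob):
    """The attacker-side check: read EI_DATA and e_machine from the bytes the device echoed."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    order = "little" if blob[5] == 1 else "big"
    machine = int.from_bytes(blob[18:20], order)
    if machine == ELF_MACHINE["mips"]:                      # same e_machine; endianness decides
        return "mipsel" if order == "little" else "mips"
    return next((a for a, m in ELF_MACHINE.items() if m == machine), None)


class TelnetSession:
    """One honeypot session: option negotiation, login, then a canned shell."""

    def __init__(self, profile, arch):
        self.profile, self.arch = profile, arch
        self.state, self.user = "user", None
        self.buf, self.line = b"", b""
        self.authenticated = False
        self.log = []                                       # everything worth recording about the attacker

    def greet(self):
        """Server opens with its own option requests (Do Echo, Do NAWS, Will Echo) and the banner."""
        options = bytes([IAC, DO, ECHO, IAC, DO, NAWS, IAC, WILL, ECHO])
        return options + self.profile["banner"] + self.profile["login_prompt"]

    def feed(self, data):
        """Consume bytes from the client and return the bytes to send back."""
        self.buf += data
        out = b""
        while self.buf:
            if self.buf[0] == IAC:
                if len(self.buf) > 1 and self.buf[1] == SB:   # subnegotiation, e.g. NAWS width/height
                    end = self.buf.find(bytes([IAC, SE]))
                    if end < 0:
                        break                               # wait for the rest of it
                    self.log.append(("subneg", self.buf[2:end]))
                    self.buf = self.buf[end + 2:]
                    continue
                if len(self.buf) < 3:
                    break                                   # wait for the full IAC <cmd> <opt> triple
                out += self._negotiate(self.buf[1], self.buf[2])
                self.buf = self.buf[3:]
            elif self.buf[0] == 0x0A:                       # newline ends a line of input
                line = self.line.rstrip(b"\r").decode("latin-1")
                self.line, self.buf = b"", self.buf[1:]
                out += self._handle_line(line)
            else:
                self.line += self.buf[:1]
                self.buf = self.buf[1:]
        return out

    def _negotiate(self, cmd, opt):
        self.log.append(("iac", cmd, opt))
        if cmd == DO:                                       # client asks us to do something: only ECHO
            return bytes([IAC, WILL if opt == ECHO else WONT, opt])
        if cmd == WILL:                                     # client offers something: only NAWS
            return bytes([IAC, DO if opt == NAWS else DONT, opt])
        return b""                                          # DONT/WONT need no answer

    def _handle_line(self, line):
        p = self.profile
        if self.state == "user":
            self.user, self.state = line, "pass"
            return p["password_prompt"]
        if self.state == "pass":
            ok = (self.user, line) in p["creds"]
            self.log.append(("login", self.user, line, ok))  # record every attempt, success or not
            if ok:
                self.authenticated, self.state = True, "shell"
                return b"\r\n" + p["shell_prompt"]
            self.state = "user"
            return b"\r\nLogin incorrect\r\n" + p["login_prompt"]
        cmd = line.strip()
        self.log.append(("cmd", cmd))
        if cmd == "cat /bin/sh":                            # bots use this to learn the CPU architecture
            body = fake_elf_header(self.arch)
        else:
            body = p["responses"].get(cmd, b"-sh: " + cmd.encode("latin-1") + b": not found\r\n")
        return body + p["shell_prompt"]
```

Because `feed` is a pure byte-in/byte-out state machine, the same class can sit behind `asyncio.start_server` for a live sensor or be driven from recorded sessions for testing; the `log` list is the raw material for the "what do attackers do after compromise" question on the slide above.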


IoTPOT results

[Figure: unique host count (0 to 250,000) at each stage: Visit, Login, Download Malware.]

• During 122 days of operation (April 1 to July 31, 2015)
• 900,394 malware download attempts
• Malware for 11 different CPU architectures
• 93% of downloaded binaries were new to VirusTotal (as of September 2015)


Attack Example 1: DNS Water Torture attacks

Infected devices send queries for random subdomains of the target zone (for example 9a3jk.cc.zmr666.com, elirjk.cc.zmr666.com, pujare.cc.zmr666.com, oiu4an.cc.zmr666.com) to the cache DNS server at the ISP. Because every name is different, nothing is served from the cache, and each query is forwarded to the authoritative DNS server for "zmr666.com", which runs out of resources; its replies are delayed, and the cache server is left holding the outstanding queries.
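The resolver-side signature of this attack is visible in the cache server's query log: for one zone, almost every query name is unique, the names come from many clients, and the answers are SERVFAIL (the upstream did not respond) or NXDOMAIN. The following Python is an added example for this page, not ICT-ISAC or NICT code: it aggregates constructed query-log lines per zone and flags zones that match that pattern. The log format (timestamp, client, qname, qtype, rcode), the thresholds, and the two-label zone extraction are assumptions for the example; a production version would use the public suffix list and a sliding time window.

```python
import random
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> <client> <qname> <qtype> <rcode>" (constructed for the example).
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def zone_of(qname, labels=2):
    """Zone whose authoritative server gets the query: last `labels` labels (assumption; no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


@dataclass
class ZoneStats:
    queries: int = 0
    names: set = field(default_factory=set)
    clients: set = field(default_factory=set)
    failures: int = 0          # SERVFAIL (upstream unresponsive) or NXDOMAIN (random name)


def aggregate(lines):
    """Per-zone counters from query-log lines; malformed lines are skipped."""
    stats = defaultdict(ZoneStats)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype, rcode = m.groups()
        z = stats[zone_of(qname)]
        z.queries += 1
        z.names.add(qname.lower())
        z.clients.add(client)
        if rcode in ("SERVFAIL", "NXDOMAIN"):
            z.failures += 1
    return stats


def water_torture_suspects(stats, min_queries=10, min_unique_ratio=0.9, min_failure_ratio=0.5):
    """Zones where nearly every name is distinct and most answers fail: the water-torture pattern.

    Returns a list of (zone, queries, unique_names, clients, failure_ratio), busiest zone first.
    """
    suspects = []
    for zone, z in stats.items():
        if z.queries < min_queries:
            continue
        unique_ratio = len(z.names) / z.queries
        failure_ratio = z.failures / z.queries
        if unique_ratio >= min_unique_ratio and failure_ratio >= min_failure_ratio:
            suspects.append((zone, z.queries, len(z.names), len(z.clients), round(failure_ratio, 2)))
    return sorted(suspects, key=lambda s: s[1], reverse=True)


def constructed_log():
    """Constructed log lines: one attacked zone, one popular site, one CDN with many distinct names."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    bots = [f"198.51.100.{i}" for i in range(1, 13)]    # infected devices (documentation range)
    lines = []
    for i in range(40):                                 # random labels like 9a3jk.cc.zmr666.com
        label = "".join(rng.choice(alphabet) for _ in range(6))
        lines.append(f"2015-07-12T10:00:{i % 60:02d} {bots[i % len(bots)]} {label}.cc.zmr666.com A SERVFAIL")
    for i in range(12):                                 # one name asked repeatedly: cache hits, not an attack
        lines.append(f"2015-07-12T10:01:{i:02d} 192.0.2.{i + 1} www.example.com A NOERROR")
    for i in range(10):                                 # many distinct names but answers succeed: a CDN
        lines.append(f"2015-07-12T10:02:{i:02d} 192.0.2.{i + 1} img{i}.cdn.example.net A NOERROR")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for zone, queries, unique, clients, failure_ratio in water_torture_suspects(aggregate(constructed_log())):
        print(f"{zone}: {queries} queries, {unique} distinct names from {clients} clients, {failure_ratio:.0%} failed")
```

Negative caching does not help here because no name repeats; the resolver-side controls that do help are per-zone limits on outstanding recursive fetches (BIND's `fetches-per-zone`, for example) and rate limiting of the infected clients this report identifies, which is where the ACTIVE-style user notification described earlier comes in.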


Attack Example 2: Click fraud

Infected devices imitate user clicks on advertising web sites.


Attack Example 3: Stealing credentials from PPV (pay-per-view)

[Figure: infected set-top boxes leaking PPV credentials.] Particular set-top boxes (such as Dreambox) are being targeted.


Looking back on devices visiting IoTPOT

[Figure: bar chart of the number of IP addresses per device type; bar values 10734, 4856, 1391, 787, 430, 411, 337, 206, 206, 174, 60, 20, 19, 15, 11, 10, 10, 9, 6, 6.]

More than 60 different types (361 models) of devices visit IoTPOT.

• We scan back on port 23/TCP and 80/TCP to identify the visiting devices.
• More than 60 types of devices visit us.


Web interfaces of the devices attacking us


Categorizing IoT device types

• Surveillance: IP camera, DVR
• Networking-related devices: router, gateway, modem, bridge, security appliance
• Telephone system: VoIP gateway, IP phone, GSM router, analog phone adapter
• Infrastructure: parking management system, LED display control system
• Industrial control system: solid state recorder, Internet communication module, data acquisition server, BACnet I/O module
• Personal: web camera, personal video recorder, home automation gateway
• Broadcasting facility: digital video broadcaster, digital video scaler, video encoder/decoder, set-top box
• Other: heat pump, fire alarm system, disk recording system, optical imaging facility, fingerprint scanner


ASes with more than 1,000 infected devices

[Figure: world map of ASes with more than 1,000 infected devices. Countries shown: China, Turkey, Russia, Korea, India, USA, Brazil, Hong Kong, Vietnam, Taiwan, Mexico, Malaysia, Argentina, Philippines, Thailand, Israel, Italy, France, Colombia, Germany, Britain, Libya, Ukraine, Spain.]


[Figure: Smart+Connected City services: parking, traffic, lighting, location services.]

Our target IoT devices

• Well-managed IoT devices controlled by IoT services
• Less-controlled IoT devices ("Nora-IoT", stray IoT) owned by individuals: these are our target


Security Controls for less-controlled IoT devices

1. Awareness for IoT device owners (individuals): a guideline on the use of appropriate IDs and passwords.

2. IoT device vendors: stop shipping Telnet (port 23) enabled on newly purchased IoT devices, to avoid malware infection; implement a module/function for updating software/firmware.

3. Less-controlled IoT devices already in use: remove malware from infected devices, or stop the malware from activating (deletion of the registry entry, executable or scheduler entry); provide remote software update functions.


Views from ICT-ISAC Japan


1. Activities in ICT-ISAC Japan will expand to the global ICT environment (not only the telecom sector but also broadcasters, IT vendors and security vendors);

2. Best practices for security responses should be collected from the members and shared;

3. Through the working groups in ICT-ISAC, knowledge and ideas should be investigated in order to provide security solutions in a collaborative manner;

4. Common issues among all the members and specific issues for specific sectors (members) should be clearly identified and properly managed;

5. International collaboration should be actively promoted.


Thank you for your kind attention.

ICT-ISAC Japan

https://www.ict-isac.jp/ (in Japanese only)