SIP-enabled devices have gained widespread use in recent times. With more and more VoIP applications that use SIP as their signalling protocol being developed these days, the industry should put greater emphasis on safeguarding SIP assets against undesirable exploitations that may either degrade the quality of VoIP services or promote cyber-crime.
As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation providers to protect themselves against attacks.
However, DDoS protection is not a one-size-fits-all fixed menu; rather, it is an a-la-carte buffet of multiple choices. Each option has its unique advantages and drawbacks, and it is up to the customer to select the optimal solution that best fits their needs, threats, and budget.
This blog series explores the various options for DDoS protection deployments and discusses the considerations, advantages and drawbacks of each approach, and who it is usually best suited for.
On February 8th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 – Dasan Unauthenticated Remote Code Execution. Referred to as “Satori.Dasan,” it’s been rapidly expanding with a high success rate. The C2/Exploit server for this botnet is 185.62.188.88 (AS49349 – BlazingFast LLC, Ukraine)
It is not clear what is the purpose of this new botnet, as we were unable to find specific attack vectors in the binary.
Our analysis suggests that Satori is looking to take over 40,000 IoT devices to join its growing family of cryptocurrency miners, as we saw here, and here. This would make the Satori.dasan malware a stage #1 infection, responsible for rapidly scanning the internet looking for vulnerable devices.
Over the past two days Radware has detected over 2000 malicious Unique IPs daily, almost 10 times higher than the daily average in the weeks prior.
The majority of the traffic came from Vietnam originating almost entirely from an ISP named ‘Viettel.’
A significant percentage of those malicious bots were also listening themselves on port 8080.
By sampling roughly 1000 IPs and querying their server headers, Radware revealed that 95% identified themselves as running “Dasan Network Solution.”
A quick Shodan search revealed about 40,000 devices listening on port 8080, with over half located in Vietnam, and not surprisingly an ISP named ‘Viettell Corporation.’
The infected bots will perform aggressive scanning of random IP addresses, exclusively targeting port 8080. Once it finds a suitable target, it notifies a C2 server which immediately attempts to infect it.
See the following sequence captured at one of Radware’s sensors (10.0.0.70):
The infected bot sends a half-open stealth-scan SYN request to port 8080. Instead of Ack, a TCP Reset is sent. Typical to Mirai code, the initial TCP SYN packet contains a sequence number identical to the 32bit value of the target victim.
After 4 seconds, the bot establishes a 3-way TCP handshake to port 8080
The following 113 bytes payload is sent:
Note that this is not the actual exploitation attempt, but rather a screening process to find vulnerable hosts.
Radware’s Deception Network sensor is answering the probe with the following response:
The bot closes the connection.
Now comes the interesting part.
Notice the timestamp – it is just 106 milliseconds after the last packet and we suddenly get an exploitation attempt from a completely different IP address. This IP belongs to a central exploitation server running on 185.62.188.88
The exploit server sends the following payload over HTTPS port 8080:
The threat actors who operate this C2 Crime Server are responsible for numerous attacks that were recently covered by different security vendors, including Fortinet, 360netlab, SANS.
With some scanning, fuzzing and Open-Source Intelligence (OSINT0) we found some interesting details.
As with previous incidents, the domain rippr.me is used to point to the C2 server.
The following entries have an associated TXT record:
As we saw in the exploit payload, the server is listening on port 7777. Connecting to it brings the following download code:
So let’s get the file and check the contents:
It looks like a downloader that will be running on an infected device. The script downloads several versions of the binary and tries to execute it. If it fails (due to wrong CPU architecture), it will just go over to the next one.
Let’s grab the binaries (and guess some additional ones, like the x86_64). They look quite fresh according to server timestamps:
At the moment, VirusTotal already knows about the C2 address and shows that less than five antivirus products detect the files as malicious. Not very promising right now, but this should improve.
We will use this opportunity to submit some of the binaries that are missing in VT.
The Satori.Dasan variant is a rapidly growing botnet which utilizes a worm-like scanning mechanism, where every infected host looks for more hosts to infect. In addition, it also has a central C2 server that handles the exploitation itself once the scanners detect a new victim.
President Obama’s mention of cyber-security in last night’s State of the Union Address came as no surprise. The Obama camp implemented a novel approach this year of “previewing” the President’s main agenda items through a series of speeches in the week preceding the SOTU. But even without the preview, the comments on cyber-security were rather predictable (and brief).
David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
Let’s face it. DDoS are the big, fat, scary bully of the Internet. When organizations have sufficiently tight security or a would-be attacker doesn’t have the skills to overcome a target’s security, he or she can buy capacity on a bot-net or other delivery vehicle and slam packets from all over the world at the target’s site and application(s).
Over the past week Radware’s Emergency Response Team (ERT) detected a new type of SYN flood which is believed to be specially designed to overcome most of today’s security defenses with a TCP-based volume attack. Within a 48-hour period two different targets in two different continents were targeted with this new technique and have experienced very high attack volumes.
Online criminality has become a big business and new faces of social engineering and fraud are sweeping the globe. News articles regularly report on major breaches and outages, but rarely, if ever, do we see the underlying ransom demands that are presented before a business is attacked. The stand that organizations often take is that they do not negotiate with terrorists or pirates. But this approach, while noble, can become costly to a business, some may lose everything.
David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
DDoS attacks have become commonplace these days. The offending attackers may be hacktivists, cyber-criminals, and nation states or just about anyone else with an Internet grudge and a PayPal or Bitcoin account. These attacks themselves often require no technical skill. Someone with a bone to pick can simply purchase the use of any number of nodes on one or more botnets for an hourly fee (long term rate discounts available); use a Graphical User Interface (GUI) to organize the attack and then launch it.
A few weeks ago, news agencies shared reports on the Energetic Bear attack. This cyber-attack, or rather virus, was reportedly introduced by a Russian hacking group and it targeted oil, gas, power, and energy investment companies. The threatening malware had the ability to shut down major power grids, oil pipelines, gas, and energy traders. Analysts speculate that the attack motive was to gain competitive advantage in state-sponsored espionage against global oil and energy producers.
As companies accelerate their adoption of cloud technologies – like infrastructure as a service (IaaS) or software as a service (SaaS) – the need for solutions that provide secure access and reliable operations in the cloud increase in importance. Since your data will now reside in several different facilities, with different providers or partners, you now have a new “security perimeter” to monitor and defend. As such, the need to closely evaluate how cloud-based data is protected should be part of the overall security strategy. A top area of concern is defending applications from distributed-denial-of-service (DDoS) attacks.
