KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... ·...

54
KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute forcing malware landscape Cognitive Threat Analytics @AnnaBandicoot Anna Shirokova Veronica Valeros Cognitive Threat Analytics @verovaleros

Transcript of KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... ·...

Page 1: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN

AND GET IN! An overview of the CMS brute forcing malware

landscape

Cognitive Threat Analytics@AnnaBandicoot

Anna Shirokova Veronica ValerosCognitive Threat Analytics

@verovaleros

Page 2: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

EMOTIONAL UPS AND DOWNS

OF DOING RESEARCH

Page 3: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHO WE ARE

VERONICAANNA

• Threat Researcher Cognitive Threat Analytics, Prague, Czechia• Co-founder of MatesLab

Hackerspace in Argentina• Core member of Security

Without Borders (@swborders)

• Threat Researcher Cognitive Threat Analytics, Prague, Czechia

Page 4: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHAT DO WE DO?

Page 5: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

LOOKING AT DATA ALL DAY LONG

Page 6: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

ACKNOWLEDGEMENT

Sebastian García:

Jindrich Karasek:

http://ar.linkedin.com/in/sebagarcia https://www.researchgate.net/profile/Sebastian_Garcia6

https://stratosphereips.org/category/dataset.html 

@eldracote

https://4n6strider.it

https://www.linkedin.com/in/jindrichkarasek/ @4n6strider

Page 7: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHAT THIS TALK IS ABOUT?

Page 8: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHAT THIS TALK IS NOT ABOUT?

Page 9: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

AUTHENTICATION METHOD

/wp-login.php/xmlrpc.php

/?q=user /?q=user/login/xmlrpc.php

/administrator/index.php` ?option=com login

Page 10: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

BRUTE FORCING MALWARE OVERVIEW

Page 11: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

https://isc.sans.edu/diary/Distributed+Wordpress+admin+account+cracking/7663

WHAT HAPPENED IN 2009?

Page 12: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

FortDisco2013

https://www.arbornetworks.com/blog/asert/fort-disco-bruteforce-campaign/

Page 13: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

FortDisco2013

https://www.arbornetworks.com/blog/asert/fort-disco-bruteforce-campaign/

FortDisco

Blackhole EK Styx EK

Stealrat botnet

Page 14: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

Mayhem

2014 Mayhem

FortDisco

https://www.virusbulletin.com/uploads/pdf/magazine/2014/vb201407-Mayhem.pdf

Page 15: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHAT ELSE HAPPENED IN 2014?

https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.htmlhttps://blog.sucuri.net/2014/10/wordpress-websites-continue-to-get-hacked-via-mailpoet-plugin-vulnerability.html https://labsblog.f-secure.com/2015/11/25/the-case-of-a-flash-redirector-from-a-brute-force-password-attack/

Page 16: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

GET /wp-login.phpPOST /xmlrpc.php+ + +

?

2015 Aethra

https://www.wordfence.com/blog/2015/12/aethera-botnet-attacks-wordpress-sites/

Page 17: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

CMS Catcher2015

https://www.researchgate.net/publication/299585015_Make_It_Count_an_Analysis_of_a_Brute-forcing_Botnet

Page 18: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

2015Troldesh

https://securelist.com/the-shade-encryptor-a-double-threat/72087/

Page 19: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHAT HAPPENED IN 2016?

https://www.bleepingcomputer.com/news/security/ukrainian-isp-behind-over-1-65mil-daily-brute-force-attacks-on-wordpress-sites/

https://www.wordfence.com/blog/2017/01/wordpress-botnet-monetization/

Page 20: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

2017Stantinko

https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf

Page 21: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

SIMPLE AUTOMATED

WORKS

Page 22: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

SATHURBOT

Page 23: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute
Page 24: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

MODULAR BOTNET

• backdoor • downloader • web crawler • brute forcer

Page 25: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

HTTP://DOMAIN/?BASE64=BASE64

URL PATTERN OF THE INFECTED TORRENTS

Page 26: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

INFECTION

Page 27: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

CRAWLER MODULE

Page 28: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

SEARCH ENGINES QUERY

http://www.bing.com/search?q=makers%20manage%20manual

Page 29: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute
Page 30: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute
Page 31: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

p,k,c,a

g,g,k,o

n,q,j,i

p,p,o,c

p,l,b,b

g,g,k,q

o,l,i,g

t,c,g,p

c,g,h,d

f,c,m,t

k,o,j,l

l,l,j,l

r,c,s,h

l,h,t,b

j,f,h,m

d,k,l,m

e,k,o,e

e,q,d,i

t,e,d,o

k,n,q,b

e,k,s,m

f,h,b,s

o,i,k,e

d,j,b,a

g,i,o,l

j,s,j,i

g,e,n,t

r,j,g,q

d,p,b,r

g,d,j,e

o,c,l,l

q,i,d,t

d,d,g,p

g,q,b,t

n,t,m,k

r,i,e,b

Page 32: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

 http://[domain_name]/wp-login.php

WORDPRESS FRAMEWORK CHECK

Page 33: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

BRUTE FORCE MODULE

Page 34: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

POST /xmlrpc.php HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1Content-Length: 231Host: www.venuscursos[REDACTED].com.br

<?xml version="1.0" encoding="iso-8859-1"?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>venuscursos[REDACTED]</value></param> <param><value>magic</value></param> </params></methodCall>

ATTACK WITH XML-RPC

Page 35: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

POST /wp-login.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1Content-Length: 232Host: www.sanat[REDACTED].org

log=sanat[REDACTED]&pwd=magic&wp-submit=Log+In&testcookie=1

STANDARD CREDENTIAL’S COMBOUser name[domain_name]Password

Page 36: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

POST /xmlrpc.php HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1Content-Length: 227Host: www.vodokanal[REDACTED].ru

<?xml version="1.0" encoding="iso-8859-1"?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>vdknl2017admin</value></param> <param><value>swimming</value></param> </params></methodCall>

NOT STANDARD CREDENTIAL’S COMBOUser name[special_name]Password

Page 37: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

POST /xmlrpc.php HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1Content-Length: 226Host: www.raduapostol[REDACTED].ro

<?xml version="1.0" encoding="iso-8859-1"?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>raduapostol[REDACTED]</value></param> <param><value>mokito</value></param> </params></methodCall>

POST /xmlrpc.php HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1Content-Length: 226Host: www.raduapostol[REDACTED].ro

<?xml version="1.0" encoding="iso-8859-1"?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>raduapostol[REDACTED]</value></param> <param><value>system</value></param> </params></methodCall>

TIME:02:17:11.265496 TIME:06:15:32.848090

MORE THAN ONE TRY&PASSWORD

Page 38: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute
Page 39: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

TOP 20 PASSWORDS TRIED

Page 40: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

QUORA: GET     http://www.quora.com/wp-login.php       GIPHY:

GET     http://giphy.com/wp-login.php  SNAPCHAT:

GET     http://snapchat.com/wp-login.php TWITTER:

GET     http://twitter.com/wp-login.php SOUNDCLOUD:

GET     http://soundcloud.com/wp-login.php SHOPIFY:

GET     http://www.shopify.com/wp-login.php  

TRIES TO BRUTE FORCE

http://www.quora.com/
http://giphy.com/
http://snapchat.com/
http://twitter.com/
http://soundcloud.com/
http://www.shopify.com/
Page 41: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

gTLDcom 1552601 org 139582 net 102798 info 23288 xyz 16076 eu 14732

ccTLDde 68078 uk 59681 nl 45528 cc 45419 cn 36527 au 35410 it 32400 br 28158 pl 26216 fr 25319 ca 24766 ru 21802 es 17372 se 14284

MOST COMMON TLDS TARGETED

Page 42: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

INFRASTRUCTURE

Page 43: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

SHA-256: 28f1cb771de05473b0c1cc2c21f3c437dc50cc6ab3c4c15ceefb21ea6e6b95fa

2015

URL: asdas2qw2aswasasdasd.in/wordpress.php?g=4bc87ed0379a11e5acf3080027535333&b=0&v=1

URL:  forcedsharetraktor.live/cocos/driver.php?g=e71847216cbc11e7b4e0080027e1e38a&v=3

2017 SHA-256:

20ae9e5f8f26635c627afce5eaeeb749af459f55138c80f29da9d787ecc38f92

2016SHA-256: -URL: edasdfdfwedzsczxczxcawaw1.xyz/wordpress.php?g=5f64c9690c7911e68d7c00155d0a1117&b=0&v=1

FROM V.1 TO V.3

Page 44: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

URL: asdas2qw2aswasasdasd.in/wordpress.php?g=4bc87ed0379a11e5acf3080027535333&b=0&v=1

LINKED EMAIL

Page 45: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

google.com

uromatalieslave.space

Connectivity check

1st C&C megafreecontentdelivery.clubforcedsharetraktor.live

zeusgreekmaster.xyzDNS TXT Record

3rd C&C

CONNECTION SEQUENCE

2nd C&C

4th C&C

CrawlingBrute forcing

217.23.6.215 217.23.6.155

Page 46: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

SLAVE

uromatalieslave.spacemrslavelemmiwinkstwo.xyz artemisoslave.xyzcrazyfuckingslavemudak.xyz

FORCE

asdkjnasdiu3kadsomiljsdforce.xyzforcedsharedtraktor.livenewforceddomainsherenow.clubjustanotherforceddomain.xyz

MASTER

zeusgreekmaster.xyz apollogreekmaster.xyz jhasdkjanskdjnahsnmaster.xyzjhasdkjanskdjnahsnmaster.info

BOOM

boomboomboomway.xyzbadaboommail.xyzbadaboomsharetracker.xyz

DOMAINS

Page 47: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

edasdfdfwedzsczxczxcawaw1.xyzmozilladownloadsharespace.xyzjhkabmasdjm2asdu7gjaysgddasd.xyzasxdq2saxadsdawdq2sasaddfsdfsf4ssfuckk.xyz asxdq2saxadsdawdq2sasaddfsdfsf4ssfuck.xyzkjaskdhkaudhsnkq3uhaksjndkud3asds.xyz updateservicesharedspace.xyzadq3asdasda3adfkunssssss.spacekhkhasd89u8ojaodsijdkjaksd.linkkjhaskdjhkuhk2qwskjakjshdkjh123kjs2.inasdas2qw2aswasasdasd.inkjanskduhi8asdaskjdkn.in

TORRENT TRACKERS

megafreecontentdelivery.commegafreesharetracker.clubblablablablablatraffic.xyzwebdatasourcetraffic.xyzhappynewyeartraffic.xyzwebtrafficsuccess.xyzfreemplemediatracker.xyzsharetorrentsonlinetracker.xyzcoolfastcheaptracker.linkcoolfastcheaptracker.xyzmeganewblablablan.in

OTHER

DOMAINS

Page 48: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

A D

B

C

Page 49: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

DETECTION

IDS

SIEM

Behavioural Analytics

Page 50: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHY SHOULD YOU CARE?

Page 51: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

WHAT DID WE LEARN?

CMS are being brute forced since their beginning

Still successful due the weak passwords used

Important component in malware ecosystem

Brute force attacks are not well researched

Brute forcing methodology is the same across malware

Hard to measure the successful rate of this type of attacks

Page 52: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

FUTURE WORK

Measure the success rate

How often the password changedFollow the hack

Page 53: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

QUESTIONS?

Veronica Valeros [email protected] @verovaleros

Anna Shirokova [email protected]

@AnnaBandicoot

SATHURBOT PCAP https://stratosphereips.org/category/dataset.html

mailto:[email protected]
mailto:[email protected]
Page 54: KNOCK KNOCK WHO'S THERE? ADMIN ADMIN AND GET IN!files.brucon.org/2017/003_Anna_Shirokova_An... · KNOCK KNOCK... WHO'S THERE? ADMIN ADMIN AND GET IN! An overview of the CMS brute

THANK YOU!


Who's Who - Who's Who in Business

Who's Who - Who's Who in Business

Knock Knock - Who's There?

Knock Knock - Who's There?

Who's Who - 2015 Who's Who in Business

Who's Who - 2015 Who's Who in Business

Knock knock who are you?

Knock knock who are you?

WHO'S HOT AND WHO'S NOT

WHO'S HOT AND WHO'S NOT

Knock knock…

Knock knock…

Knock knock Magazine

Knock knock Magazine

Knock knock Who's there?

Knock knock Who's there?

K NOCK KNOCK NATURE READING LISTknockknockmuseum.org/wp-content/uploads/2018/06/Knock-Knock-Nature.pdfK NOCK KNOCK NATURE READING LIST Knock Knock Children’s Museum (KKCM) is a community

K NOCK KNOCK NATURE READING LISTknockknockmuseum.org/wp-content/uploads/2018/06/Knock-Knock-Nature.pdfK NOCK KNOCK NATURE READING LIST Knock Knock Children’s Museum (KKCM) is a community

Knock Knock Issue 3

Knock Knock Issue 3

Bright Pebbles 09: Knock, Knock

Bright Pebbles 09: Knock, Knock

WHO's WHO's

WHO's WHO's

Knock Knock, Who's There? Membership Inference on ......Knock Knock, Who’s There? Membership Inference on Aggregate Location Data NDSS 2018 Apostolos Pyrgelis 1, Carmela Troncoso

Knock Knock, Who's There? Membership Inference on ......Knock Knock, Who’s There? Membership Inference on Aggregate Location Data NDSS 2018 Apostolos Pyrgelis 1, Carmela Troncoso

DemandBase - Knock Knock

DemandBase - Knock Knock

Knock, Knock! - Australian Broadcasting Corporation · 2014. 12. 17. · Knock, Knock, Knock Composer: Colin Buchanan Publisher: Rondor (Australia) Dragon Song Composer: Don Spencer

Knock, Knock! - Australian Broadcasting Corporation · 2014. 12. 17. · Knock, Knock, Knock Composer: Colin Buchanan Publisher: Rondor (Australia) Dragon Song Composer: Don Spencer

dett.cps.edudett.cps.edu/uploads/8/5/8/3/85835240/coronavirus_regular.pdf · joke page OHA Knock, Knock. Who's there ? Cough. Cough who ? Cough my favorite drink. Coffee March 30,

dett.cps.edudett.cps.edu/uploads/8/5/8/3/85835240/coronavirus_regular.pdf · joke page OHA Knock, Knock. Who's there ? Cough. Cough who ? Cough my favorite drink. Coffee March 30,

KNOCK, KNOCK WHO’S THERE? ISLAM.

KNOCK, KNOCK WHO’S THERE? ISLAM.

WHO'S HOT? & WHO'S NOT! "Freeway" Rick Ross Accepts WHO'S HOT? Award

WHO'S HOT? & WHO'S NOT! "Freeway" Rick Ross Accepts WHO'S HOT? Award

Affiliate Publisher Trends - Who's Growing? Who's Not?

Affiliate Publisher Trends - Who's Growing? Who's Not?

Knock knock! – Who's there? – The Law! Open up! 2... · Centrul pentru Studiul Criminalitatii Informatice :: Cybercrime Research Centre – Romania Paperwork & Evidence Bullet

Knock knock! – Who's there? – The Law! Open up! 2... · Centrul pentru Studiul Criminalitatii Informatice :: Cybercrime Research Centre – Romania Paperwork & Evidence Bullet