7.42
you are in here for cloud Botts harvesting crypto coins like a botnet farmer and i am it’s my pleasure to turn it over to the very well-dressed Rob Reagan and .
Oscar Salazar welcome and thank you everyone for joining us this morning .
I’m Rob Reagan and this is my best friend .
Oscar Salazar we are penetration testers for Bishop Fox and we want to tell you today about some of our latest research and some really exciting project we’ve been working on for the last year where we were able to build a botnet with freely available cloud services but a few main topics that we really want to make sure that everyone walks away with after this is really exploring like is it possible and is it possible to build a cloud bot or a botnet with cloud based services the answer is undoubtedly yes but it’s one thing to know it’s possible and it’s another thing to see how it’s done and we want to show everyone here how it’s done we also want to explore the question will we see the rise of more botnets of this type we also think the answer is undoubtedly yes we’re certainly.
Not the only ones doing this .
I think we are some of the few that are actually publicly talking about it and explaining the steps that we that we took with with our particular our particular process and we want to share that so that everyone in here that is a security researcher or penetration tester can learn from these techniques and help build upon them and help organizations understand this threat better and better and we really ask the question why we were doing this research is insufficient anti automation of an overlooked risk or is it on the scale with the .
OW.
ASP top 10 for applications security risks will we see.
Not just in cloud-based services a increase in automated attacks over the years over the.
Next few years or will we see all online services be more and more affected by automated attacks and how can organizations prepare for that so that’s something else that we hope everyone takes away from from this research so what are we talking about when we talk about cloud-based services cloud based services provide a.
--*--
Number of different features some are processing power some provide you have placed a host code some priority with storage some provide you with ideas or development environments but essentially these are services that help developers and engineers more easily create applications and get get going on applications right sorry these are platforms as a service organ infrastructure as a service maybe some folks in here that are developers use these it’s really designed to make it as easy as possible to stand up a web server and stand up an application and then manage it using a.
Nice interface it’s cutting out all of the legwork and all the time doing that manually because these services have built a.
Nice user interface around getting a.
New Linux virtual machine giving you SSH access and really letting you build an application as quickly and easily as possible and this is a commodity that’s in high demand we’re seeing more and more services start up and offer this more more startups more large companies getting into this market because anything that really makes a life easier for a developer can help .
--*--
IT make an organization more money and we realized if it’s making it the life of a developer easier to stand up an application wouldn’t it also make a malicious attacker make their lives easier make it easier for them to exploit these resources if it’s why wouldn’t they take advantage of it and that’s exactly what we explored as we investigated the possibility of building a botnet using these services so there’s a lot of services that provide free resources online so here’s actually a list that contains 150 services the cloud services cloud-based services that cover all kinds of languages all kinds of platforms all kinds of processes and storage yeah the link at the bottom of this slide will actually take you to this shared Google spreadsheet developed by cloud core and this was one of the one of the lists that we used as the basis for our research we went through these and we analyzed which technologies they use which provide SSH access to a Linux virtual machine which of these are really and we also analyzed what types of anti automation they had in place and we’ll talk a little bit more about that but we also were able to really leverage a lot of them that that aren’t.
--*--
Necessarily in that list that are also integrated development environments in the browser yeah those those integrated development environments .
--*--
I one of the key takeaways .
I think to understand there is we actually develop this entire proof-of-concept without storing any code or using any tools on our laptops all that’s really.
--*--
Needed to do this is something like a low-end laptop that is has internet access and a browser a lot of these these services that are available.
Now their whole mentality is you can even do pair programming and shared programming in an .
ID.
--*--
E that’s in the browser and at that point.
--*--
Nothing actually lives on a hard drive everything lives in cloud storage there’s.
No trace of any attack tools or scripts on any attackers hard drive anywhere all right so the basically the process that we went to to get a botnet or to generate a botanist was automating scripts right so the idea is to automate the process from start to finish of signing up for an account setting up that account and then like managing those accounts so when we were looking at signing up for.
New free tier services some of the hurdles that we found or the anti admission that was in place had to do with email address confirmation C.
APTCH.
--*--
As SMS and credit card verifications and so we found that a large portion around 66% of the ones that we looked at only used email confirmation as their sole means of anti automation yeah and there are certainly entire areas of research that cover how to bypass C.
APTCH.
As how to subvert SMS and phone verification mechanisms how to subvert credit card verification mechanisms and especially if hackers willing to cross the line into doing illegal activities using stolen credit card.
Numbers is a certainly an easy way to do that but we we decided for the focus of this research even though we’re collecting resources and sharing resources on how to bypass other means of ants automation we focused on that email confirmation step because two-thirds of the other resources we looked at only used email authentication and confirmation as their means of identifying a user and we really realized that there still is this.
Notion with a lot of online services that one email address equals one person and that’s a very antiquated concept that’s like maybe thirty years ago one person only had one email address but .
--*--
I don’t know anyone.
None of my friends .
I know .
Oscar has like 16 different email addresses and every time he gives me once we to send him something .
I have to pick a different one and basically.
No one has one email address anymore and this concept of using that to tether and an account to a service provider.
Needs to change if especially if the service is protecting something valuable or offering up something valuable for free we’re gonna demonstrate how we abuse the email confirmation process to really access those services and exploit them for with unlimited unique email address accounts all right so this research actually all kind of started from a pen test that we were working on where there was an online sweepstakes as part of the penetration test and we decided that we wanted to enter in hundreds of thousands of applications to the sweepstakes and so in order to do that we.
--*--
Needed to have a unique email address and the ability to make the requests required to sign up for the sweepstakes so in order to do that we actually started using Google .
App .
Engine and Google .
App .
--*--
Engine actually has something call an inbound mail handler which allows you to receive an email and internally it forwards it to your application as a post request with just all contents of the email so what it allows is for a wild card local part of your email address or your user.
Name portion and then they have a fixed domain for you from that we were able to extract information from the email from the subject extract activation and actually make the request of the activation links directly from within Google .
App .
Engine to automate the whole process so just quickly for a recap the anatomy of an email address you have a local part which is usually your user.
--*--
Name that sign and then a domain dot top-level domain and that’s typically what you see in that we’ll be talking about those kind of as we go through their presentation so that spark that original penetration test where the organization we were targeting offered up this Sweepstakes they had a really valuable grand prize we wanted to ensure that we won the contest this was something they were concerned about could this be abused and the answer is of course always if there’s anything offered for a value online someone is going to come after it someone is going to try to abuse it there’s probably some folks in here in this room that have maybe automated an online poll or automated a sweepstakes to maybe increase their chances of winning or whatever they’re voting for when to win the the online poll and we realized if we could harness the power of Google .
--*--
App .
Engine harness the power of this inbound mail processor we could certainly control more entries in the sweepstakes yeah so the one issue that we ran to ran into while using the .
App .
Engine inbound mantle mail handler is that the domain portion was always the same right so we could generate different application.
Names which is the cloud bot mail portion but in at the end of the day it would be your application.
Named app spot mail comm and then some portion of the beginning and so that’s easy to identify it’s a very identifiable pattern right a lot of if you read a lot of research on organizations like Twitter or Facebook and what and they see a lot of attackers trying to generate fraudulent accounts because there’s value and having more twitter followers or value and having more Facebook followers or likes or other or other click fraud attacks that can occur on those types of services they look for these types of patterns a very common defense technique is is there any pattern in the local part of the email address or is there any pattern in the domains can we do some post processing to filter those out as fraud another penetration test we did for an online poll that they actually expected a certain amount of abuse they would allow each email address to cast 50 votes and then they would just weed out every vote from that email after 50 and so they would basically do an analysis of their database afterwards and say let’s throw out all the extra votes from this account the attacker may think that they got extra votes in and the online poll but due to that fraud detection which is actually a very good defensive technique built that didn’t work yes if you received a hundred thousand sweepstakes entries all that said at cloud bought manhole spot milcom you’d be suspicious right that what’s super fishy and so a lot of attackers might stop here they might be like well .
I used this service .
I casted a hundred thousand votes from all from the same domain maybe those got there maybe they didn’t but we we weren’t satisfied with just this we’re like we.
Need to take it a step further we.
Need to figure out a way to generate unique domains and our initial thought on this actually was that we were gonna leverage some free cloud services to generate a cryptocurrency and then by three dollar domains on Namecheap that was actually our original plan but we realized that would take a lot of time and the economies of scale would just we would hit a limit we would hit a wall and and how quickly we could grow this system so we ended up going a different route what we really wanted was email addresses that were unique that look like this and so here’s the list of 100 email addresses that have very random data and they’re look realistic but you know don’t have a very identifiable pattern and the idea is to be knocking blocks.
Not get caught yeah.
Now get caught beat like Generic enough be random enough and be human enough to pass a test and so how do we generate this list let’s walk you through with the steps so the first part that we wanted to have.
No discernible pattern in was the local part and that’s where it’s maybe kitten lover one two three at hotmail.com kitten lover one two three is the local part and so in order to generate that section of of the email address we actually scraped real email addresses from online dumps there’s.
No shortage of online dumps in the.
News every week we’re reading about another one there’s like Russian attackers fight stealing 1.2 billion identities just this week and email addresses and credentials those will eventually link to the internet or what an unlimited basically list of real email addresses to pull from and use that to generate the local part in our system yeah so those are email addresses that were generated by millions of people we scraped just the local portion of the email address out and then we use the.
Next portion which was gaining the ability to get a custom domain this was really exciting when we got to this step we’re like wow we don’t don’t.
Need to go to Namecheap anymore we don’t.
Need to generate $3 at a time in cryptocurrency mining to buy more domains we actually found this service first and then many more like it this is a free DNS afraid org which is actually a pool of donated domains and anyone can go to this site create a free account and then they have access to a giant there’s a there’s a pool of $100,000 them last time we checked are freely available for you for anyone to register a subdomain on and in particular you can also you can register MX records the DNS entry for managing email and so that’s exactly what we did we actually so this step of the process we took one of the three domains from from this service or one of one from the many dozen services like this we registered a.
New sub domain on it and then pointed our MX record to our back-end mail inbound mail processing system yeah and so one of the problems with Google .
App .
Engine when we were originally looking at that as a solution was that Google .
App .
Engine does.
Not allow custom domains for their email handler you have to use their app spot mail com.
No redirect to your own sub domain yeah so we had to find a solution to get around that so.
Now we had the ability to register domains and we had local parts in spades but we didn’t have the ability to process the mail at that point and so these are some services that essentially allow you to receive inbound mail it converts the email into a JS.
ON format or in h2 HTML post format and then post that data to a specific .
.
URL that you provide and so this was kind of tying it back into Google .
App .
Engine or whatever service you wanted to have that allowed you to create a post request or receive a post request and we’re actually maintaining as part of our project page if you wanna go the.
--*--
Next slide we actually have a spreadsheet of services like this because this is an ongoing we’ll continue to keep this up the data as we come across more and as we use these in our penetration testing efforts we’ll keep this list up to date and you can go to the the link at the bottom of this slide and we’ve tried to keep stats on what the free trial limitations are and how this can be integrated into if you wanted to set up your own platform for unlimited email processing yeah so.
--*--
Now we have an email that’s in a post request that we’re sending to a .
.
URL that .
.
URL can be hosted anywhere there’s that huge list of cloud services you can write this in any language so that essentially what happens.
Now is we receive that email in that JS.
ON format we extract any activation links we submit those activation links and automatically register for the account and so this whole process is essentially you sign up for an account with an email address with for a domain that you own and after that process is completed your account is automatically activated in the background without any further.
--*--
No human interaction this is yeah that that step was also kind of quintessential to getting as many accounts pop as quickly as possible was automatically grepping through the confirmation email or the reply to this to make sure that you are identified as the owner of this email address we can just scrape those out and automatically submit that request and so what we end up with is essentially this list of domain.
Names that we have access to with random local parts so very very hard to identify a pattern and these 100 emails that we generated all right so just to kind of get a better understanding on how this work we’ll do a little demo of signing up to a service and some of the problems that we would run into if we were using another service or didn’t have this exact set up so .
I don’t know how many of you are familiar with mail an .
--*--
AT.
AR but mail an .
AT.
AR is essentially kind of what we built the ability to register a random local part at Melony and then go check your email afterwards yeah but a lot of sites that are on to that game so a lot of sites won’t even let you register with a mail Nader accountant this for example this is one of them will actually say this domain is.
Not allowed this is on a blacklist and we won’t let we know that that’s.
Not a legitimate email address we want only legitimate users even for our free trials where we’re giving away ten gigabytes of free space and so in order to subvert that this is why we build our own inbound mail processing platform and so some of the like kind of the same issue that we would have run into if we used that appspot mail com have spot me .
--*--
I have been flagged as a domain that is.
Not trusted so that’s what we were trying to avoid so essentially at this point we.
Now try to register a domain or an account with the domain that we don’t own and the idea behind this is if you try to do that you.
Never receive the activation link and you can.
Never use your account they’re still using that authenticate the user by their email address mentality and that’s the only form of anti automation other than blacklisting some of the services like malonate err that give temporary unlimited email addresses and so what we do here instead.
Now is use one of the domains that we set up for for the exact same process you go to the signup page you type in your username your password you type in an account anything at your custom domain comm and once you submit that request form the backend mail processing for is it to Google .
--*--
App .
Engine and Google .
App .
Engine actually clicks on the activation for it for you and so as we refresh we’ll see that the account automatically gets activated yeah we didn’t have to go to Gmail or any other inbox and click that that confirmation we’re just able to log in.
Now and so in the backend this is kind of the the logs that we receive in Google .
App .
Engine saying that the account has been activated we scraped this activation link out and we made that request and so that’s kind of one step of the process right so once we’re able to do that portion we’re able to automate the rest of the signup process more easily so on the on the top over here we see basically the process that we go to automate the rest of the functionality so once we have a mail processing handled we say alright first we’re gonna generate an user.
Name and an email address with a unique email we’re going to submit that registration form in the backend like we saw in the video our back-end mail processing will activate the account once the account is activated we can continue our script that we were writing to finish the process of targeting the signup logging into the application and setting up whatever we.
Need to set up for that specific instance to add it to the botnet as one of the instances once we’re done with all that we add information to a MongoDB database this is actually part of our how we manage all of the accounts that we’ve registered we’re actually also using cloud services that provide free MongoDB in a free trial account to keep track of every username that we’ve registered every like all the statistics on if it’s a cloud service what CP.
.
U level we have how much processing power memory how what port we connect to whenever we ssh to it if it’s a cloud storage service we can keep track of the disk space that we have and all the stipulations of the free trial so we can kinda this is basically what an attacker would use to build a dashboard of their botnet this is all the information and stats that you would.
--*--
Need to know which accounts are under your control yeah some of them expire after a certain.
Number of days so you could to added you know information about when they expire when they’re.
No longer valid when you can remove them from the database yeah and the idea being that there are tons of free MongoDB services and we’re coming online all the time we can actually use more than one of those to distribute this type of cloud bot that doesn’t just rely on one back-end service in case one were to become unavailable week we have redundancy so.
Now.
--*--
Now we actually have the step of registering all these accounts and we actually have a botnet what can we do with it how this is where we get into some of the fun parts we can do things like and we really focused on what would we want as for our penetration testing activities what would make us more efficient and be able to save time during our penetration tests which coincidentally also aligned with things that a lot of computer criminals might want to do but being able to simulate these attacks and actually as penetration testers have a botnet within our control was our goal so doing distributed.
--*--
Network scanning if we have really large .
IP address ranges to scan distributing that job with a distributed and map across all of those unique .
IP addresses coming from perhaps all over the world helps protect from against getting caught or flagged by an .
IPS or .
IDs also just saves time and distributing the workload we explored the possibility of distributed password cracking but we really focused on only using free tier if we were using stolen credit cards and buying GP.
.
Us that might have been a bit more effective but since we were only focusing on free tiers it really wasn’t effective to try to do distributed password cracking with those with the weaker CP.
.
Us doing distributed in our service we actually have clients coming to us and asking us maybe then the fund their in the financial industry or an industry that’s actively being targeted by distributed knowledge services acts and to be able to arrange for a specific time window where they want to test a DDoS against particular functionality in their app and they want to do it in a controlled environment and in a controlled timeframe we wanted to be able to have that ability and actually be able to come from many unique key but .
IP addresses from around the world click fraud with something that we we can explore us if we want to test to see if some of our our targets do add tracking and they want to see if we can abuse that system using this cloud bot and cryptocurrency mining certainly very interesting this is where we actually are seeing a lot of activity and as well as data stored getting lots of free storage is also very valuable and so for forgetting large amounts of free storage there’s a lot of referral programs that actually assume that you have a specific set of one to one email address the one friend correlation and so if you’re able to generate an unlimited.
Number of email it just email there’s a slash frnd they’re very popular guys .
I’m limited on the minute friend yeah then you’re able to sometimes kind of cheat the system and get addition like a lot more stores than you.
Normally get so here’s an instance of Dropbox yeah some services have actually capped.
Number of friends that you can recommend and they’ve capped the amount of space you can get but others haven’t done that so we actually came across the service where we were recommending friends and we got a terabyte of space for free on this service which was actually more than you could pay for in their paid tier but due to having unlimited friends we could have gone further we just stopped at a terabyte but like well that’s probably enough yeah that’s good for.
Now but again all the friends had unique email addresses on different domains very hard to identify and very hard to track that kind of thing so putting controls in place to protect your company against that kind of attack makes a lot of sense yeah and so.
Now we had all these systems and we wanted to come up a way for command and control we actually used a Python framework called fabric that’s designed for system administrators to be able to distribute commands across their data center or their internal.
Network really quickly and easily if they have SSH access to a Linux box they can then write us a small script and tap into the powers of this framework to distribute that command asynchronously and so there’s what we actually see a couple of commands there may be like fab check hosts do it across 20 threads in parallel give me give me stats back on all the hosts that .
I have SSH access to or you can customize it with commands and so that’s that’s exactly what we did we actually here’s some output of kicking off a job to curl .
I Can Has .
IP comm and just see the unique .
IP addresses and actually all of those .
IP addresses are .
Amazon ec2 boxes they were getting back when we were running this command across a subset of a few different free cloud providers and we’re able to then rapidly command and control that from any machine that has the private sshd so there doesn’t.
Necessarily have to be a central point of command and control like in a lot of of botnets we see that spread through malware there doesn’t have to be an .
IRC channel that all of the bots or zombie computers connect back into this is a we were managing all of this with SSH private keys and we could kind of wherever we wanted to hop through to to perform that SSH tunnel was where we could distribute commands from all right so making money if you guys know anything about crypto currencies essentially it’s the ability to generate money using processing power when it all kind of boils down to that proof of work typically hash cracking or some form of effort that was quantified into the this proof of work for this user or this wallet yeah and so since we are using only free tiers we’re essentially getting money out of.
Nothing right getting money from from.
Nothing so what we did is we created a command that essentially connected to the each bot then downloaded the Bitcoin mining or the like coin mining software review which we use because that works better with CP.
.
Us bitcoins typically work better with GP.
.
Us which we didn’t have access to in this free tier and as like .
Oscar said we’re really generating this from.
Nothing because it’s we’re.
Not getting an electric bill at the end of the day whereas if we were doing this on a computer in our house that really tends to first of all make it really hot in your spare bedroom but also really increases your electric bill and this is someone else is getting the bill at this point this is why this is very attractive to attackers yeah and so we didn’t want to get caught and we made this complex command to kind of hide our activities yeah so it goes and pulls down the mining the mining pool script it unzips it renames the mining file to bash and then creates the screen starts the mining process and then actually deletes the file off the filesystem and so if you were to shut down the the instance there would be.
No files on the filesystem left to track down to see what was going on and so one.
Night 5:00 in the morning yeah silly a Saturday.
Night the weekend we were working on this proof-of-concept we kicked off that command across our all of our B.
OTS ok go let’s see what happens and so we start live moment two we were like yes all right see it work yeah and so when you start looking through the logs and start doing some monitor and we start.
Noticing that a lot of the services that we were targeting looked like they were sharing resources with other users so like oh we don’t want to cause like financial loss for anybody you’re causing a denial service attack for anybody let’s shut it down and we were like crap we didn’t code the shutdown functionality we only go to the kick-off functionality it says 5:00 in the morning we’re exhausted really good with Lee huh frantically trying to figure out how we’re gonna shut this thing .
I could.
Never get away from us yeah .
I think we eventually came up with we could just go back and kill all those screen sessions that we started to rapidly shut it down but yeah we didn’t actually want to be malicious with this so a lot of people have been asking us like how much money did you make and the answer is we won’t tell you but.
Now the answer is we didn’t actually want to be malicious and so we just wanted to make this as a proof of concept and show how it’s done and what the steps look like and so at our peak we had like a Killa hash rate that was generating about 25 cents per day based on the current value of like coins for our account and multiply that another peak we had a thousand our goal is to reach a thousand.
Nodes or a thousand B.
OTS in our cloud bot and so you multiply 25 cents by a thousand and you get about two hundred and fifty dollars a day from and that that’s just where we we stopped that could scale up even more to fell tens of thousands of B.
OTS and we’ve actually heard of some cases of people making a lot of money in a really short period of time doing this yeah and so we basically kicked it all off and then left a couple running in the background just to make sure that we weren’t gonna get detected and we let it for a couple weeks and we didn’t.
No one.
Never found out that we were doing it so yeah yeah the couple that we left running for a couple weeks they just we did eventually shut them down .
I think it was me we just kind of what those free trials expire it wasn’t really a matter of did we get caught or did we get shut down it was more of like we pulled the plug on it because we realized that those shared environments may actually be hurting someone’s experience and may act and we didn’t actually want to generate a high electric bill for any of these cloud services so cloud breakout so one of the protection mechanisms that we saw or one of the anti automation systems that we saw for trial accounts was the ability to only create inbound connections to it to a device or one of the you can SSH in but you couldn’t get internet out that was their free trial you got 180 hours on actually some really.
Nice boxes yeah they had GP.
.
Us some of them were Windows VMs that had graphics and and they were really high value targets and so we were like okay well you know this is gonna take a little bit of extra work but the payoff is potentially greater so we spent a little bit of time essentially creating a way to use SSH tunnel that we had in test to stage all the traffic or tunnel all the traffic out through this h tunnel in in order to essentially do the botnet mining as well so just keep in mind that even if you try to put additional steps in place to protect yourself if it’s a high-value target people will spend the time to automate the process and take advantage of it since we could SSH in we could SSH back out through a gateway server and reroute our internet traffic through that SSH tunnel and still connect to an external mining pool that basically bypassing the restriction of.
No internet we’ve heard stories of other cloud providers where they’ve had this type of attack happen they’ve had that the cryptocurrency miners come in and start taking over and start using the CP.
.
Us and running the electric bill up and that was their defense mechanism it was like okay well let’s try to find the binary that they’re using and get rid of that okay the attacker just did it a different way.
Now let’s try to blackhole all of their outbound connections to the mining pools there’s actually you can go on Wikipedia and or some of the litecoin and Bitcoin sites and find a list of all the popular mining pools and try to basically blacklist that lit that those could outbound connections that won’t.
Necessarily work either the way that we bypass that was essentially through this SSH tunnel out to another gateway server and then to the mining pool and so that was all part of avoiding detection and.
Not getting caught and so this goes back to the whole concept of a cloud bot and how this differs from a traditional botnet that is based on malware we we had this concept of if someone tried to detect this and start shutting these down how what was our disaster recovery plan as but as cloud bought herders and so we actually coined the phrase armadillo ax is where we would just take all of the backups of all of our code and all of our scripts and just roll it over to the.
Next service that what did the same thing or had the same functionality like we said we had we started out using one MongoDB service but we had backups of all of the registration accounts and all the JS.
ON data in that MongoDB backed up in another MongoDB database that we weren’t actively utilizing we took all of our SSH keys and all of our scripts to manage and use fabric to kick off commands and we just could roll that package up and move it on to another service and so this kind of lives in this hybrid state of working across multiple platypuses multiple platforms multiple infrastructures and it’s very easy to migrate the code to any other service right any other provider which is a lot different than the typical botnet that is on the laptop that a.
New .
AV signature maybe wipes out a bunch of the.
Nodes and the the botnet herder has to go and develop a.
New iteration of their malware and keep spreading that so it works a little bit differently and .
I can actually see some appeal because we did like the majority of this proof of concept in one weekend so someone that that is a skilled coder could actively do this relatively easily and that was sometimes something we wanted to raise awareness of because we do think that we will see more of this type of botnet as unless these services take more precautions so while we were doing our research we actually started seeing that we weren’t the only ones doing this kind of activity so we started seeing a lot of this yeah so a lot of trials being temporarily disabled on some services requiring credit card or additional forms of verification and.
Not just email and if you’re an attacker that’s actively doing penetration tests or doing activities for organizations that provide an online service we hope were or maybe you’re responsible for defending an online service and it doesn’t.
Necessarily just have to be a free cloud hosting service anything that’s doing credit card processing or payment processing or any giving away any free trial maybe it’s free storage maybe it’s or something completely unrelated to anything we mentioned here it’s something of value we we want to raise awareness of this so that you don’t find yourself in this situation or your clients don’t find yourself in this situation this is reactive and this actually hurts your business right if you have to stop your signup process in order to revamp it and add.
New protections you’re you’re basically cutting off revenue at that point until you fix this year yeah we actually have more and more clients coming to us with this problem and they’re having to shut down their registration or shut down their their credit card processing until they put more defensive controls in place .
I’m more fraud detection and that’s what you want to avoid because we actually work we even saw some of them here’s a free VPS provider that literally said right on their registration page that they had to shut down due to botnet cryptocurrency mining and it’s.
Not us.
No that was.
Not us we were gonna try to attack that one for a proof of concept but someone beat us to it but this certainly is without a doubt a rising trend we actually in June some researchers at Dell SecureWorks in in .
Atlanta they found this threat that an attacker actually had was exploiting a popular Nass and they were getting a code execution and it discovering more of these that were exposed online and then using them for cryptocurrency mining and actually generated about $600,000 worth of dogecoins in two months and that’s running a script very similar to the one that we like showed the proof of concept up there where you essentially just deploy to each one of these services or each one of these.
Nice boxes and it just sits there in mines for you and so they went through and started trying to identify this attacker to prosecute them because that is actually very malicious activity using these these.
Network storage devices that don’t belong to them but this is just one example we’ve also seen just just a couple weeks ago or last week some examples in the.
News of cloud services being abused for distributed analysis attacks so we without a doubt see this being more and more of a trend and want to talk about how.
Now to protect an online service from these types of attacks and so we originally said when we started this discussion that we focused on sites that we’re only using email confirmation so we can certainly see that that is inadequate it’s an antiquated mentality that one user equals one email address and .
I know that a lot of startups and organizations want to get as many users as quickly as possible and they don’t want to cause any annoyances or any hindrance to that we’ve heard developers grumble and say like we wanted to add a C.
APTCH.
A to the registration form but the business wouldn’t let us and the answer to that is .
I think there’s always some compromise between usability and security and finding that compromise and communicating that to the business is the key step that.
Needs to happen there.
Needs to be someone that’s the arbiter of that conversation and so we want to gather a list of ideas and things and perhaps opportunities to provide alternate anti automation security controls having anything that you deem in your online service that should only be done by a human there are lots of ways beyond squiggly lines and.
Numbers to identify that and there’s even a lot of ways that it can be done seamlessly without annoying the user like .
I know like .
I’ve had conversations with .
Oscars mom she hates C.
APTCH.
As she doesn’t understand why you would want to do that but like we understand why but it’s.
Not her job to care why yeah she feels like she’s being punished or everybody like feels like they’re being punished when they sign up for the thing like oh man .
I knew put this caption sometimes you can’t even read it it’s like.
Not even human readable so it’s like okay let me try it again like deletes your password you type in your password again is very cumbersome to use C.
APTCH.
As in most cases and .
I know that .
I like said my mom and iPad for Mother’s Day and she still hasn’t installed any apps because she doesn’t want to put her credit card.
Number in she doesn’t trust .
Apple .
Apple Store she’s like why do .
I.
Need to install apps .
I can just Google buy everything .
I’m like you’re really under using your iPad but the the idea being there there are all these opportunities .
I really like the concept of having building in both traffic policies and security policies and there are even a lot of services that will allow help organizations that have a legacy .
AP.
I or have a legacy web service put up a see in front of that service that helps implement some of these traffic policies and security policies doing things like rate limiting or time delays or tracking users even anonymous users by their session .
ID and their .
IP address and then saying okay the expected behavior on this registration form is that we’re gonna see one submission every 10 seconds and maybe they watched typing in their phone.
Number or they watch typing in some required field and they have to go back in 10 seconds later put in and try again but if we see a hundred requests come in a second that’s a violation of our policy and we maybe we didn’t prompt them for a capture right away because that annoys it user and why would we want to punish every user because there’s these attackers that are trying to automate our service let’s wait until we hit a threshold and have a bit of a logic in our policy but after ten automated requests in a certain time span then we’re gonna prompt for a C.
APTCH.
A and .
I like this concept of.
Not punishing everyone but instead only detecting anomalies in behavior or getting heuristics and analytics from the application of something abnormal is happening.
Now let’s adjust the requirements let’s.
Now require the C.
APTCH.
A or let’s.
Now require the the credit card verification because we’re seeing abuse from this .
IP space and we’re seeing abuse from this session .
ID and .
I think that’s how we can strike the balance between usability and security yeah like another example would be someone you’re seeing a bunch of post requests going to your server without any get requests or your this the .
IP address that is requesting these things isn’t requesting any other JavaScript or any of the images on the page as well so it’s just the post request post request post requests because that’s the part that’s been out automated so that kind of thing can also be identified and like attitude heuristics right and .
I think a lot of organizations can know that.
Normal behavior is that a user signs up and then they go read the documentation for whatever service it is for ten minutes before they actually go and register a.
New server in their environment.
Not go register an account and then three seconds later they have ten.
New servers registered that’s very odd behavior .
I’m so depending on the service there are things like .
I do feel like there is value in adding C.
APTCH.
As and phone verification and credit card verification .
I just have to gauge what that usability and security trade-off is and find those opportunities maybe the service maybe your online service could take advantage of something like a federated .
Identity Manager like blog while your users to log in through Facebook or allowing users to log in through Twitter some advantages to that of course there’s pros and cons but like for example if you’re a bank.
No one’s gonna want to log into their bank with Facebook but a startup may want to allow Facebook users to just identify themselves with their Facebook accounts that are creating a.
New account because Facebook actually does a lot of this stuff in the background they look for bank accounts and they try to keep the all of that down to the minimum right if you’re looking for like that.
Next cutting-edge technique for an to automation look to what some of those organizations have done because they are huge targets for abuse Facebook actually has something called the Facebook immune system and they have a lot that goes into analyzing what.
Normal behavior is like they actually have heuristics on does this account that was just created have friends what’s the rate that they’re adding friends does this look like.
Normal behavior and then they can gauge whether or.
Not they want to ban that account for abuse and .
I think on some scale some organizations may want to look into building a sensor into their application to do something just like that there’s a.
No loss project called .
O.
Auth app sensor it’s actually designed to be something like that where you integrate that into your code rather than having a laugh or a proxy or something that’s trying to detect incoming abuse or detecting it abuse at abuse time rather than deterring it before it happens there there’s the ability to build in and have really good analytics on the logs and each maybe you really want to focus in on the the credit card payment step and you want to say it whenever we see someone hitting this and testing it with hundreds of thousands of credit cards a day we know that that’s probably someone that’s active in the Carter market that has some stolen.
Numbers that they want to test and see if they’re valid and we want to prevent that type of activity from occurring because that’s the illegitimate use of that functionality and so .
I think that there there’s.
No actual silver bullet on how to to do this kind of this protection right and you kind of have to gauge what you’re providing with your service what the benefit to an attacker would be if you’re providing something that’s highly beneficial than coming together coming for you and you.
Need to add maybe more security controls than that scenario if the thing that you’re providing doesn’t have many applications for exploitation then maybe you can lower the requirements and lower the yeah yeah and so .
I maybe make that a goal for the.
Next penetration test through the.
Next assessment to focus on that most critical functionality and see how it can be automated and then plan to remediate that or mitigate that with with some of the security controls and some of these more advanced techniques and that’s that was really what we hope that everyone took away so thank you for again for attending and if there’s any questions please step up to the microphone here in the aisle and so that everyone can hear you as this is being recorded yeah we’ve also actually released the code oh yeah through some of this if you go to our github page Bishop Fox on github the code for our inbound mail processing proof-of-concept is available as of this morning so please check that out and give us feedback and let us know if you’d like to contribute thank you yeah .
I’m curious sista what .
I P addresses you were using when you were registering on all these .
I so you had mentioned .
IP blacklisting as a potential defense mechanism and .
I figure if somebody were going to use this for true you know deeply malicious purpose they would be using tor or VPN or proxy we we started out with tor and VPN and then we would SSH into a free trial account and then launch attacks from one of the cloud providers themselves so it was.
Never it was always coming it was basically just it looked like cloud providers sending commands to other cloud providers okay so in other words these services like that you would use tor and they didn’t consider tor suspicious or.
No okay yeah for the actual account registration and stuff like that we used cloud services so we would sign up for one cloud service and then SSH through that cloud service .
I have that one be the one that deployed all the code okay yeah and then we kind of just hop it all over the place if it’s coming from .
Amazon or Google or Microsoft or one of these legitimate organizations and that actually it’s a whole.
Nother interesting concept up whenever you have a denial of service attack or some Google like.
No one’s walking all about Google’s .
IP space or.
No one’s blocking all the .
Amazon’s Google .
IP space because there’s legitimate business happening .
I know okay thank you .
I know that in online games and other use cases there’s pretty commonly and in but automation so instead of just having the post request it would actually open up a web browser finding a confirmation link in the email click that the web browser loads it would be what do the mitigation mechanisms you you have recommend to be able to handle this alternate use case .
I think.
Not only relying on that confirmation like is the key step here having some other requirements other than going to that email and clicking that confirmation like some other action that only a human can perform is the best solution Thanks.
Now the big question is did you win of course okay this is a situation very resembles the scrapping of web content which is that there are many ways to cope with that web application firewalls usually have right yeah and we actually looked a lot to the S.
E.
O community and a lot to the web scraping community and that’s a topic that we’ve both been interested in for a very long time and they actually have a lot of techniques that .
I think the computer criminal and malicious attacker community could learn a lot from because they’ve been doing web scraping for a profit for a very long time and and yeah .
I think that that’s a lot of organizations are trying to protect their intellectual property from being scraped and so these anti automation techniques can be applied for defensive techniques against maybe that’s the threat that an organization must protect against like Google for example they don’t want other resources S.
E.
O agents or other search engines scraping their results because they consider that their intellectual property so they actually have a threshold of how long they will keep an .
IP address blacklisted in memory in its last .
I checked 14 minutes after you hit the threshold of abuse and they say they detected you as a bot and you’re.
Now blacklisted for a period of time which costs them resources to blacklist you but it’s more than the resources you were causing on spiking their traffic by scraping their results and so that’s what they’ve come to some trade off of what they’re willing to do to defend against scrapers as as a threat how many users .
Izzy resister .
I’m sorry how many users did you register how many accounts were you were able to register so we kind of work our goal was to create a thousand accounts just to across multiple different services and we were able to do that like a hundred thousand there’s thousands.
No 1000 just did 1000 as a proof of concept yet but that’s really just scale of economy of how much more time you want to spend finding more services yeah .
I think it’s probably the last question we have awesome did you guys happen to look into SMS verification and do you do you believe that SMS verification is a pretty good blocking the road or is it just as easy to bypass we actually did a little bit of looking into that it wasn’t our main focus but will actually be updating a spreadsheet that we have with techniques of how to bypass phone and SMS verification we did things like leveraging Google Voice and scraping things out of legitimate Google Voice accounts there’s an app called phone burner that lets you generate temporary Vo.
IP accounts and basically get more than one phone.
Number per user because that still goes back to the concept of does the user only have one phone.
Number and there are a lot of services online that will give you temporary free SMS .
I think there’s actually one called free SMS online.com that if you go and it basically it gives each day.
New Vo.
IP.
Numbers in different countries and then it prints back out to everyone in the world to see what was received at that.
Number and if you go and look at that a lot of it’s like google verification SMS or microsoft azure cloud SMS verification and so we actually leverage that as a proof of concept to see if we could bypass some services that were relying on SMS but we decided to shift focus to just the services that we’re using email because they were the easiest targets Thanks thanks Jeff for any additional questions please feel free to come up yes if you want to come up and get a business card or contact information.
Now feel free