Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
2 likes160 views
The document outlines a presentation by Brian Hileman on securing cloud servers, particularly focusing on the vulnerabilities of open Remote Desktop Protocol (RDP) access. It details an experiment where an AWS server was exposed, resulting in over 43,000 login attempts and the installation of suspicious applications, leading to a catfishing scheme. Key recommendations include enforcing strong passwords, maintaining visibility and control, and developing a response plan for cloud security incidents.
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
- 1. Are your cloud servers under attack?
- 2. Brian Hileman Creator / Owner @ DLPtest.com Past Sales Engineer @ OverWatchID Past Professional Services @ InteliSecure 2 Sales Engineer @
- 3. PRESENTATION TOPICS 1. Monitor Exit and Entry Points 2. Maintain Visibility and Control 3. Investigation 4. Recommendations 5. Q & A 3
- 4. LAYING THE GOUND WORK 4 Deployed AWS Lab Laid the Bait Installed DG Agent
- 5. Monitor Exit and Entry Points 5 1
- 6. MONITOR EXIT AND ENTRY POINTS ▰ RDP (Remote Desktop Protocol) ▻ Within AWS the default security setting will not allow incoming RDP traffic. The suggested setting is to keep RDP locked down to specific IP Addresses. ▻ For convenience many people open RDP to all external IP Address. ▰ How widespread is open RDP ? ▻ There are over 3 million identified IP addresses with RDP available on the Internet, 900,000 of which are located in the United States. ▻ Source: https://www.darkreading.com/endpoint/the-risks-of-remote-desktop-access-are- far-from-remote/a/d-id/1331820 6
- 7. HOW BAD COULD OPEN RDP BE? Opened RDP for 10 Days and had over 43,000 login attempts 7
- 8. WHO WAS TRYING TO LOG IN? Top 5 IP Address 1. PT Pascal – Indonesia 2. A Small Orange – USA 3. Choopa – Netherlands 4. Sparky GmbH – Germany 5. Petersburg Internet Network – Netherlands 8
- 9. EXTRA INDICATORS USER AND ENTITY BEHAVIOR ANALYTICS (UEBA) 9
- 10. WHAT HAPPENS IF A WEAK PASSWORD IS USED? ▰ On the AWS Server with RDP now opened externally, I created a local account called "admin" and set the password to "P@ssw0rd!” ▰ After the password was changed around noon, someone had compromised the account within 9 Hours! ▰ Admin account was used 6 times from different IP Addresses over 4 days 10
- 12. MAINTAIN VISIBILITY AND CONTROL System Events Based on what happens outside of user intervention. Initiated at the OS level. User Events Focus on what each individual is actively doing. This includes command line, copy and paste, the use of applications. Data Events File level including moving files from one location to another via email, uploading or downloading files, or USB usage. 12
- 13. SYSTEM EVENTS Review: Who and When 13
- 14. USER EVENTS Review: Network Traffic 14
- 15. ADDITIONAL USER EVENTS Found: Some rules started to trigger, including some Advanced Threat Alarms 15
- 16. APPLICATION REVIEW Found: Applications were installed 16 Table Part 1 Table Part 2
- 17. REVIEW : TIMELINE OF EVENTS 17
- 18. SUSPICIOUS APPLICATIONS Found 3 of the newly installed applications came back as suspicious from VirusTotal 18
- 19. RECAP ▰ We have an AWS open to the internet ▰ Someone used the Admin account to gain access into the AWS server ▰ Someone installed Chrome and did some internet browsing ▰ The login events also show someone started using the Administrator account ▰ Someone installed 3 suspicious applications which are used for network scanning ▰ One item I didn’t share is that I am now locked out of my server since the person using the Admin account changed all the passwords 19
- 21. STARTING THE INVESTIGATION ▰ Locked down RDP ▰ Regained access to the server using the DG agent to run a PowerShell script to create a new admin account ▻ Reset all the passwords ▰ Pulled back the forensics ▻ Windows Event Logs ▻ MFT ▻ Registry ▻ Web History 21
- 22. DIVING INTO THE WEB HISTORY 22 Within the first hour of using Chrome they went to 120 different URLs, so wasting no time
- 23. WELL MAYBE WASTING A LITTLE BIT OF TIME 23 Watched 2 YouTube Videos
- 24. WEB HISTORY DEEP DIVE ▰ Signs into zoosk.com using Twitter SSO reveals two accounts: david101 and pickyman1954@gmail.com ▰ Signs into Gmail and elitesingles.com using salsadance1956@gmail.com ▰ Uses Google SSO to sign into LOVOO, C-Date, SeniorBlackPeopleMeet.com, Badoo, BlackPeopleMeet.com ▰ Signs into Yahoo mail using mary.jo15@yahoo.com ▻ Web history also showed a password recovery for this account ▰ Chats with 148 people on Meetmindful.com 24
- 25. AND MORE WEB HISTORY 25 Signs into a seniorfriendfinder.com account that is open
- 26. AND EVEN MORE WEB HISTORY 26 Signs into Badoo.com which again shows the profile info
- 27. GOOGLE 27 Started with a Google search for “pickyman1954@gmail.com” and got a hit! Re: pickyman1954@gmail.com Postby firefly » Thu Dec 27, 2018 6:27 pm Additional email addresses reported online for being used in romance scams with stolen pictures from the same gallery: - Waynell3194@gmail.com - dan.burdell@gmail.com, danburdell@gmail.com - he was active on eHarmony. There is a plethora of fake profile on various dating sites using the same stolen pictures or stolen pictures of the same person.
- 28. DRAWING A CONCLUSION ▰ Seems like strange activity for a server, but this points to “catfishing” ▻ The attacker is scamming a ton of woman via these online dating sites ▻ Email addresses and images found in web history all point to dating scams ▻ With the Mary Jo Yahoo account, they got her personal info including her phone number and then leveraged it to get into her Yahoo email account ▰ But why use an AWS Server ▻ Clean IP Address ▻ Not from a VPN which some dating sites may block 28
- 29. Catfishing? 29
- 30. Understanding Catfishing ▰ The term itself comes from Catfish, a 2010 movie that featured a man meeting a woman online before growing concerned about her true identity ▰ Definition is a fake or stolen online identity created or used for the purposes of beginning a deceptive relationship ▰ According to the FBI’s Internet Crime Complaint Center (IC3) romance scams result in the highest amount of financial losses to victims when compared to other online crimes ▻ In 2016, almost 15,000 complaints categorized as romance scams were reported to IC3 (nearly 2,500 more than the previous year), and the losses associated with those complaints exceeded $230 million 30
- 32. STRONG PASSWORDS ▰ Enforce strong passwords ▻ There are many applications that still use local accounts so make sure they have the same requirements ▰ Password Dictionary ▻ If haveibeenpwned.com currently has a database of 551,509,767 passwords then so do the bots that are running brute force attacks ▻ Run your users passwords against a database to make sure these passwords are not being used 32
- 33. GOLDEN IMAGE ▰ Most cloud providers make it easy to create and maintain images ▻ The Amazon Machine Image service allows creation of reusable templates every time you spin up an EC2 instance ▰ Deploying a standard golden image allows for custom security controls and company applications to be installed, including security products ▻ Knowing what comes installed by default allows for differential reporting 33
- 34. OTHER RECOMMENDATIONS ▰ Keep RDP and SSH locked down ▰ Make sure that you are collecting events either with a third party tool or with cloud monitoring tools ▰ Once an incident occurs make sure there is a response plan and third party tools can help speed up gathering evidence 34
- 35. CLOSING REMARKS ▰ All that sensitive data that I loaded on the server was not touched ▻ Not all bad actors are trying to steal data ▻ In my case I got a scammer that just wanted a clean work space ▰ Next time I might try to make the lab look more like a valuable target ▻ I also took back control of my server pretty quickly, so it would have been interesting to leave them alone longer to see what they would have tried next 35
- 36. 36 THANKS! Any Question? You can find me at https://www.linkedin.com/in/brianhileman/