Opening Pandora’s Box

Charting the ecosystem of Command and Control infrastructures in a terabit-scale network


Abstract

The number of people and devices connected through the Internet has been growing at a rapid pace; as of June 2019, 58.8% of the world's population and billions of devices are joined by this vast network of information resources and services. Not every Internet user, however, has benign intentions. Cybercriminals use this technology for their own personal gain, creating malicious software with the objective of compromising and even controlling the devices of unsuspecting victims. After devices have been infected with malicious software, they are controlled by a central networking infrastructure, or Command and Control (C&C). Numerous studies have developed detection methods to find the commanding servers behind these attacks – which is important for locally implemented anti-virus software – but the infrastructures behind these attacks are only uncovered after the malicious servers have been taken down. We have collaborated with one of the largest Tier 1 Internet Service Providers and have collected ~4Tb of global NetFlow traffic consisting of daily connections made worldwide, giving us the possibility to analyze malicious infrastructures from a new perspective. This dataset allowed us to evaluate one of the most promising data sources for uncovering and analyzing adversarial C&C infrastructures: open source cyber threat intelligence. After introducing a taxonomy to evaluate this intelligence, and assessing the defensive advantages users gain when adopting these information feeds, we came to the conclusion that – even though advertised differently – this intelligence only provides a small fragment of the total picture.
For this reason we have decomposed Internet networking infrastructures into three categories into which Internet devices can be divided: computer clients, Internet of Things (or IoT) devices and routers, and use a machine learning driven methodology to paint the threat landscape of the tactics, techniques and procedures adversaries employ within these three categories. When looking into infections on clients, a large number of different structures can be observed which cybercriminals use to hide their infrastructure, such as round-robin DNS or interesting server hopping sequences. By learning these patterns, we successfully use a combination of machine learning and statistical functions to complement threat intelligence feeds. Where these feeds over the course of 2018 only show 1,105 malicious servers, we find that there are more than 188,000 malicious servers in our dataset. A more recent addition to the Internet are smart, or IoT, devices like surveillance cameras, which have proven to be incredibly vulnerable. In an analysis we report on the scale and impact of the first IoT based malware, Mirai, and its variants during the start of 2018. 1 in every 2,345 scanned and brute-forced devices is successfully infected with a Mirai variant. This poses a great attack vector, taking into account that there are about 7 billion IoT devices as of 2019. For our last analysis we have focused on a firmware vulnerability in MikroTik routers which cybercriminals have exploited to rewrite outgoing user traffic and embed cryptomining code in every outgoing connection. Accordingly, for every web page visited they can use the computation power of the victim's computer to mine the cryptocurrency Monero. We report on the tactics, techniques and procedures, and the coordinating infrastructure, of the adversaries, who had control of up to 1.4M routers over a period of 10 months, approximately 70% of all MikroTik devices worldwide.
Our work shows that an entire world of possibilities emerges in terms of network security when one is able to analyze NetFlow data. In the ongoing battle against cybercrime, anti-virus companies try to outsmart adversaries by using novel device-based detection techniques, an evident arms race between defenders and attackers. We have shown that ISPs could play a big role in this by analyzing the NetFlow data flowing through their routers and detecting malicious behavior based on previous misuse and cyber threat intelligence.
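The abstract describes two ideas that an ISP-side analyst can combine: a threat intelligence feed that names only a few C&C servers, and NetFlow records in which the infected clients of those servers later "hop" to servers the feed does not know. The script below is an added illustration of that pivot and is not the thesis's own methodology or code. It builds a small set of constructed NetFlow-like records (documentation-range addresses, a one-entry feed `KNOWN_CC`, and the thresholds in `candidate_servers` are all assumptions chosen for the example), marks the clients that contacted a feed-listed server as infected, and then nominates unknown servers whose client population is dominated by those infected clients and whose check-ins are machine-regular (low coefficient of variation of the inter-flow gaps). The shared DNS resolver, which both infected and benign clients contact at irregular times, must not be nominated.

```python
"""Added example: pivoting from a threat intelligence feed to candidate C&C
servers in NetFlow-style records. Not the thesis's method; all addresses,
flows and thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed one-entry threat intelligence feed (documentation range).
KNOWN_CC = {"203.0.113.10"}


def _t(minutes):
    """Timestamp helper: minutes after a fixed, constructed start time."""
    return datetime(2018, 3, 1, 0, 0) + timedelta(minutes=minutes)


def make_flows():
    """Constructed NetFlow-like records: (timestamp, src_ip, dst_ip, dst_port)."""
    flows = []
    infected = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    benign = ["10.0.0.4", "10.0.0.5"]
    # Phase 1: the bots check in to the feed-listed C&C every 10 minutes.
    for m in range(0, 60, 10):
        for c in infected:
            flows.append((_t(m), c, "203.0.113.10", 443))
    # Phase 2: the same bots hop to a server that the feed does not list.
    for m in range(60, 120, 10):
        for c in infected:
            flows.append((_t(m), c, "198.51.100.7", 8080))
    # Everyone, bots included, uses the shared resolver at irregular times.
    for i, m in enumerate([3, 7, 18, 41, 44, 90, 95, 117]):
        for c in infected + benign:
            flows.append((_t(m + i), c, "192.0.2.53", 53))
    return flows


def clients_per_server(flows):
    """Map each (dst_ip, dst_port) to the set of client IPs that contacted it."""
    servers = defaultdict(set)
    for _ts, src, dst, port in flows:
        servers[(dst, port)].add(src)
    return servers


def beacon_regularity(flows, server):
    """Mean coefficient of variation of the inter-flow gaps from each client
    to `server`. Values near 0 indicate periodic, machine-like check-ins;
    None if no client produced enough flows to measure."""
    per_client = defaultdict(list)
    for ts, src, dst, port in flows:
        if (dst, port) == server:
            per_client[src].append(ts)
    cvs = []
    for times in per_client.values():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and mean(gaps) > 0:
            cvs.append(pstdev(gaps) / mean(gaps))
    return mean(cvs) if cvs else None


def candidate_servers(flows, known_cc, min_overlap=0.8, max_cv=0.2, min_clients=2):
    """Nominate servers absent from the feed whose clients are mostly hosts
    already seen talking to a feed-listed C&C, and whose traffic is periodic.
    Thresholds are assumptions for this example, not values from the thesis."""
    servers = clients_per_server(flows)
    infected = set()
    for (dst, _port), clients in servers.items():
        if dst in known_cc:
            infected |= clients
    candidates = {}
    for server, clients in servers.items():
        if server[0] in known_cc or len(clients) < min_clients:
            continue
        overlap = len(clients & infected) / len(clients)
        cv = beacon_regularity(flows, server)
        if overlap >= min_overlap and cv is not None and cv <= max_cv:
            candidates[server] = {"overlap": round(overlap, 2),
                                  "cv": round(cv, 3),
                                  "clients": len(clients)}
    return candidates


if __name__ == "__main__":
    for server, stats in candidate_servers(make_flows(), KNOWN_CC).items():
        print(server, stats)
```

On the constructed data the hop server 198.51.100.7:8080 is nominated (all three of its clients are known-infected, and their gaps are identical so the coefficient of variation is 0.0), while the resolver is rejected on both criteria: only three of its five clients are infected and its gaps are irregular. On real NetFlow the client-overlap test is what keeps popular shared services out of the candidate list, and the periodicity test is what separates check-in traffic from the one-off connections an infected host also makes.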

Files

Opening_Pandora_s_Box_Tim_Booi... (.pdf)
(.pdf | 8.84 Mb)
- Embargo expired on 01-04-2020