Presentation Title Placeholder… · App services Access Credential theft Credential stuffing...

Post on 02-Jun-2020


TRANSCRIPT

Page 1: Presentation Title Placeholder… · App services Access Credential theft Credential stuffing Session hijacking Brute force Phishing. Top 20 targeted ports: Russian IPs targeting

Page 2:

@dunsany

Principal Threat Researcher Evangelist

20+ years in InfoSec (CISSP, GLEG)

President and founder of the Seattle chapter of InfraGard

27 years in IT

Specialist in Compliance/Audit, Web App Security, and Network Security

Author and Speaker

Page 3:

APPLICATIONS ARE: the business; the reason people use the Internet; the gateway to DATA; the target.

Page 4:

What do Apps mean to Public Sector Orgs?

App Security survey of 3,135 IT sec pros

US, Canada, United Kingdom, Brazil, China, Germany, India

Across 14 industries

Page 5:

Apps Importance

                 Web apps considered   Web apps in use in   Web app environments/
                 mission critical      an organization      frameworks in use
Average          34%                   760                  9.93
Public Sector    32%                   680                  9.32

Page 6:

Chart (F5 Ponemon Survey): application categories in use: Project management, Developer tools, Financial apps, Social apps, Backup and storage, Office suites, Doc management and collaboration, Remote access, Communication apps; plotted values 7%, 16%, 19%, 35%, 58%, 69%, 57%, 58%, 80%.

Page 7:

What Happens When Apps Are Attacked?

Page 8:

Application attack surface, by tier:

TLS: Certificate spoofing, Protocol abuse, Session hijacking, Key disclosure, DDoS

Client: Man-in-the-browser, Session hijacking, Malware, Cross-site request forgery, Cross-site scripting

DNS: DNS hijacking, DDoS, DNS spoofing, DNS cache poisoning, Man-in-the-middle

Network: DDoS, Eavesdropping, Protocol abuse, Man-in-the-middle

App services: Abuse of functionality, Man-in-the-middle, DDoS, Malware, API attacks, Injection, Cross-site scripting, Cross-site request forgery

Access: Credential theft, Credential stuffing, Session hijacking, Brute force, Phishing, Dictionary attacks

Page 9:

(Same application attack surface figure as Page 8: the six tiers TLS, Client, DNS, Network, App services and Access with their attack types.)

Page 10:

Top 20 targeted ports: Russian IPs targeting SIP, the SSH port and/or Rockwell ICS; targeting distributed across lots of IPs and countries.

Port   Service
5060   SIP
445    SMB
2222   SSH & Rockwell ICS
443    HTTPS
3389   RDP
1433   SQL Server
22     SSH
80     HTTP
3306   MySQL
23     Telnet
5061   Secure SIP
54184
5900   VNC
8291   MikroTik
7547   TR-069
5902   VNC-2
8080   HTTP
25     SMTP
139    NetBIOS
8545   JSON

Country: Estonia, Netherlands, US, France, Russia, China, Canada, South Korea, Ukraine

Page 11:

Injection → PHP & SQL

Target       Share
PHP          58%
SQL          56%
Exchweb      6%
Comments     4%
Cart         3%
Betablock    2%
Admin        2%
Affiliates   1%
Login        1%

Page 12:

2018 Application Attacks: Injection → PHP

Target       Share
PHP          81%
SQL          8%
Admin        3%
Comments     2%
ASP          1%
Exchweb      0%
Cart         0%
Betablock    0%
Affiliates   0%

Page 13:

2019 Application Attacks: Injection

• Web code injection and form-jacking attacks like Magecart

• RCE vulnerabilities in:
  • ThinkPHP CVE-2018-10225
  • Oracle WebLogic CVE-2017-10271
  • ElasticSearch CVE-2014-3120

• Jenkins CLI SignedObject Deserialization CVE-2017-1000353

• Network Weathermap Cacti plug-in CVE-2013-3739

• Oracle WebLogic WLS Security Component CVE-2017-10271

Page 14:

Chart by industry: Access (mostly phishing and email) vs. Web (mostly injection).

Page 15:

Web Breaches                       36%
Accidents/Misconfig                23%
Access-related (Phishing, email)   23%
Malware/Ransomware                 9%
Physical theft                     9%

Page 16:

Attack: 1. Mobile Apps  2. Direct APIs

Basic Security Fails: 1. Authentication  2. Injection  3. Permissions

Timeline (2011–2019):
Sep 2011 – Westfield
Mar 2015 – Tinder
Feb 2017 – WordPress
Aug 2017 – Instagram
Nov 2017 – Nov 2018: US Postal Service
Jan 2018 – Tinder
Mar 2018 – Google
Mar 2018 – Binance
Apr 2018 – RSA Conference App
July 2018 – Venmo
Aug 2018 – SalesForce
Aug 2018 – T-Mobile
Sep 2018 – Apple MDM
Sep 2018 – British Airways
Sep 2018 – Facebook
Oct 2018 – Girl Scouts
Oct 2018 – Quoine
Oct 2018 – Github
Feb 2019 – RequestBin

Page 17:

Basic Security Control Failures: 1. Exposed DB with weak/no auth  2. Weak Access Control  3. Configuration Error

Timeline (2011–2019):
Dow Jones High Risk watchlist DB
China surveillance program DB
Kremlin DBs
Ascension DB
Oklahoma FBI files DB
Hadoop
Guardzilla records DB
Tesla AWS acct
Alteryx DB
Aggregate IQ DB
Verizon customer DB
Robotics manufacture for cars DB
GoDaddy architecture
IPv6 ISP DB
Tea Party DB
Booz Allen and Pentagon DB
JC Penney
Stein Mart DB
Title Nine Sports DB
North American Power and Gas DB
Integrated Practice Solutions DB
Capital Digestive Care DB
RNC voter DB
Accenture’s Cloud Platform
Army Intelligence and Security Command DB
DOD Surveillance DB
Credit Repair Service DB
Viacom’s master controls
Dow Jones/WSJ/Barrons customer DB
WWE Fan DB
Uber Github account
Mexican voter DB
Microsoft Business Productivity Online Suite

Page 18:

Chart with a month axis (Jan through Dec); no other labels recovered.

Page 19:

Social Media
• Interests / interest groups
• Friends, family and relationship information
• Style of speaking
• Writing style
• Work history
• Education
• Comments on links
• Important life event dates
• Places visited
• Favorite sites, movies, TV shows, books, quotes
• Photographs
• Hacked “Private” account data

People Search Engines
• Facebook information
• Email address (which leads to possible usernames)
• Education, income / salary range
• Phone numbers
• Age / age range
• Race
• Home address
• Middle name, maiden name, spouse and family names

Company Research
• Who works there
• Tech infrastructure
• Types of endpoints (PC/Mac/OS)
• SEC filings
• Lawsuit filings
• Aggregator search tools for corporations
• Individuals & department names
• Business partners & affiliates
• IP space
• WHOIS info
• Email addresses and format

Misconfigurations
• Server names
• Private network addresses
• Email addresses
• Usernames
• DNS servers
• Self-signed certs
• Email headers
• Web servers
• Web cookies
• Web applications

Page 20:

Chart: APT’s / Nation-states That Phish vs. For-profit cyber criminals; plotted durations ?, 2.5 hrs, 4 hrs, 10-19 min, 10 hrs (axis labels not recovered).

Page 21:

Email sent from North Korean APT related to Bangladesh Bank heist.

Email sent from North Korean APT in Sony compromise.

Phishing emails are 3 times more likely to have a malicious link than a malicious attachment.

Page 22:

Encryption is an Attacker Disguise

93% of phishing domains use HTTPS to appear more legitimate.

Page 23:

Majority of Malware Hides in Encryption

70% of all Internet traffic is encrypted.

68% of malware phones home over port 443.

Page 24:

Page 25:

Thingbot timeline, 2008–2018, by affected devices (bots discovered per year; 84% discovered since Mirai).

Named bots: Psyb0t, Hydra, Aidra, Darlloz, Marcher, Moon, Remaiten, Mirai, BigBrother, Radiation, Hajime, Trickbot, IRC Telnet, Annie, Brickerbot, WireX, Reaper, Satori family, Amnesia, Persirai, Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor, Katrina, Crash Override, Gafgyt family, SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter, DaddyL33t, Josho, Tokyo, Extendo, Hakai, Akiru / Saikin, Death, Okane, Anarchy, Torii, Yasaku, Thanos, Vermelho, Miori, IZIH9, APEP, SEFA, Yowai.

Affected devices: CCTV DVRs, WAPs, set-top boxes, media centers, Android, wireless chipsets, NVR surveillance, Busybox platforms, smart TVs, VoIP devices, cable modems, ICS, SOHO routers, iOS, IP cameras.
Page 26:

Common IoT Set Up

Page 27:

Oct 2016: Cellular Gateway Discovered

• Investigating airport incident in Europe + BASHLITE on a DVR digital signage solution (same timeframe as Dyn DNS DDoS attack).

• Service and host managed by 3rd party

• 39 active threat actors

• Numerous log entries show incoming attacks

• Mirai, shellshock, brute force

• Sierra Wireless device

Note: System owner sent drives to us for forensic analysis and authorized scanning of their network.

Page 28:

Sierra Wireless Cellular Gateways

WAN IP: 166.139.19.193

Public GPS coordinates: 40° 49’ 51.5” N, 47° 26’ 03.5” W

Default password: *****

No dependency on any vulnerability within the hardware or software. Brute-force attack(s) are unnecessary.

Page 29:

SierraWireless.com Case Studies

St John Ambulance, Western Australia

California Highway Patrol, California

Ventura County Fire Department, California

South Bay Regional Public Communications Authority (SBRPCA), California

West Metro Fire Protection District, Colorado

Westminster Police Department, Colorado

Danish National Police, Denmark

Acadian Ambulance Service, Louisiana & Texas

East Baton Rouge Parish Emergency Medical Services (EMS), Louisiana

Mississippi Highway Safety Patrol

Gem Ambulance, New Jersey

City of Charlotte, North Carolina

Dickinson Police Department (DPD), Texas

Fairfax's Urban Search and Rescue Team, Virginia

South Wales Police, Wales

City of Yakima, Washington

Seattle Fire Department, Washington

Page 30:

GPS Data Logging (TAIP)

TRACCAR – Open Source Fleet Software

Fleet / Vehicle Tracking

Page 31:

DISCLOSED 10/16/2018

Sierra Wireless LS300 – Weak Authentication

Sierra Wireless GX450 – Weak Authentication

Sierra Wireless ES440 – Weak Authentication

Moxa OnCell G3xxx – No Authentication

Digi TransPort WR44 – Weak Authentication

CradlePoint – Hard-coded tech support back door

Page 32:

RFC2324: Hyper Text Coffee Pot Control Protocol

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-19T20:31:04.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 56946, "destination_port" : 80, }

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-23T12:16:41.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 49180, "destination_port" : 80, }

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:04:52.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }

{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:14:46.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }

{ "_id" : {"protocol" : "http", "timestamp" : { "$date" : "2018-07-28T06:29:53.000-0700" }, "source_ip" : "185.112.249.28", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 50225, "destination_port" : 80, }

Various dynamic / private source ports (49152 - 65535)

Page 33:

Thingbot Attack Type, 2008–2018 (same bot timeline as Page 25).

Attack types: DNS hijack, DDoS, PDoS, proxy servers, unknown, rent-a-bot, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner.

Shifting to multi-purpose.

Page 34:

Chart (F5 Ponemon Survey): Public Sector vs. Average ratings on a 0–12 scale for Leakage of confidential info, Leakage of PII, Tampering with app, DoS of app; plotted values 9.08, 6.57, 8.54, 7.19, 8.77, 4.05, 9.64, 5.07.

Page 35:

F5 Ponemon Survey

Cross-site Request Forgery   18%
Clickjack                    22%
SQL Injection                25%
Cross-site Scripting         26%
Web Fraud                    39%
DDoS                         52%
Credential Theft             78%

Page 36:

1. Understand Your Environment

CISO’S #1 MISSION: Prevent Downtime

EVERYONE’S #1 CHALLENGE: Visibility

Page 37:

F5 Ponemon Survey

Head of Quality Assurance          0%
Compliance Officer                 4%
CISO or CSO                        11%
Head of Application Development    17%
No One Person or Department        18%
Business Units (LOB)               18%
CIO or CTO                         31%

Page 38:

2. Reduce Your Attack Surface

• Sub domains hosting other versions of the main application site
• Dynamic web page generators
• HTTP headers and cookies
• Admin interfaces
• Apps/files linked to the app
• Web service methods
• Helper apps on client (Java, Flash)
• Server-side features such as search
• Web pages and directories
• Shells, Perl/PHP
• Data entry forms
• Administrative and monitoring stubs and tools
• Events of the application (triggered server-side code)
• Backend connections through the server (injection)
• APIs
• Cookies/state tracking mechanisms
• Data/active content pools (the data that populates and drives pages)

Page 39:

Patch cycle: Vuln released → Applicable? → Test → Apply & Retest → Continuous improvement. Firewall what you can’t fix. 9-12 hours.

Chart: Average Days Between Vulnerability Releases, Critical vs. High, 2014–2018; plotted values 1.7, 0.8, 0.5, 0.4, 0.5, 1.4, 0.9, 0.6, 0.2, 0.3.

Page 40:

3. Prioritize Defenses Based on Attacks

Focus OpEx & CapEx spend

Page 41:

Chart (F5 Ponemon Survey): Traditional Network Firewall, Next-Generation Firewall, Web Fraud Detection, Intrusion Prevention System (IPS), Anti-DDoS, Anti-Malware Software, Penetration Testing, Application Scanning, Web App Firewall (WAF); plotted values 4%, 2%, 4%, 6%, 7%, 8%, 22%, 19%, 29%.

Page 42:

Phishing success without training: 33%

Phishing success with training: 13%

Page 43:

Diagram: Sys Admins, Execs, Identities, Desktops, HR, Accounting, Laptops, Phones, Data, Apps, Money, IP

71% of phishing impersonates 10 organizations

Page 44: