DeepSec 2016 Talk: Where Should I Host My Malware? – Attila Marosi

The growth of IoT devices continues to raise questions about their role and impact on cybersecurity. Badly or poorly configured devices are easy targets for malicious actors. At first glance launching an attack against IoT devices seems challenging due to the diversity of their ecosystem, but actually an attack is very easy to execute. In his talk Attila Marosi will explain why the IoT is a cybercriminal’s paradise:

“In our SophosLabs research, we focused on a very generic attack scenario that would affect almost any device using FTP services – Your router or network-attached storage (NAS) for example. These attacks typically exploit the level of trust people place on any content hosted on internal network shares. A successful attacker would abuse or compromise a default FTP guest account, place a “Trojan horse” in a visible file share and rely on human curiosity for the rest to happen. In many cases, root folders for FTP and WWW services are the same, a fact which makes it even easier for the attacker. Since many of the IoT devices publicly expose FTP services world-wide, this fairly unsophisticated attack can result in a large number of infected “things” and provide great value to cybercriminals.

To assist our research, we developed an IoT scanning framework (“ScanR”) which is able to perform large scale network probes to assess the state of open FTP services and identify how many of them have been compromised . In our latest test, we utilized ScanR against 3 million open FTP servers to determine the type of the device and the state of its security. The results are far worse than we’d expected.

Over 90% of the unprotected devices were found to be infected with at least one Malware threat or exhibiting the signs of an attack. In this talk, we’ll reveal the results of the research, exposing the number of vulnerable devices and gigabytes of storage now freely available to attackers.
We’ll also share the technical results of the malware analysis.

In summary, this talk will provide an insight into how very old Internet protocols are being exploited via modern internet connected “things”, explain the risks for home and corporate users and suggest recommendations on how businesses and private users could better protect themselves  against these unsophisticated, but dangerous and highly successful attack scenarios.

attila-marosiAttila Marosi has always been working in the information security field since he started to work in IT. As a lieutenant of active duty he worked for almost a decade on special information security tasks occurring within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for the SophosLab as a Senior Threat Researcher in the Emerging Thread Team to provide novel solutions to the newest threats.

Attila has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he is reading trade journals and does some teaching on different levels; on the top level he teaches white hat hackers. He has given talks at many security conferences including hack.lu, DeepSEC, AusCERT, Hacktivity, Troopers, HackerHalted and NullCon.

Tags: , , , , ,

Comments are closed.