CERT

Report
http://www.grnet.gr
GRNET CERT 2012
by Alex Zaharis
Website: http://cert.grnet.gr
Email: [email protected]
Team: GRNET-CERT
Phone: +30 210 7475718
Overview
•
•
•
•
•
•
•
•
GRNET-CERT Info & Deliverables
GRNET-CERT Services
Workload Statistics
Case 1: Phishing Attack
Case 2: SQL Injection Attack
Case 3: Malware Analysis
Case 4: Anon
Tools of the Trade
Ημερομηνία
Τίτλος παρουσίασης
2
GNET-CERT AT A GLANCE
• Created in 2002.
• National Point of contact for all Educational &
Research Institutes.
• Protecting the Greek Critical Internet
Infrastructure.
• Participating on National Cyber Defense
Committee
Other Greek CERTs:
• GR-NCERT
• FORTHCERT
• AUTH-CERT
30/2/2012
GRNET-CERT
3
GRNET-CERT Deliverables
• Create an Overview of the risks the use of
Internet poses in GREECE.
• Through Communication with other CERTs
create a CYBER DEFENCE Coordination Team
that can handle any kind of Cyber / Electronic
attack.
• Participated/Co-ordinated the National Cyber
Defense Exercise 2011.
• TF–CERT members
30/2/2012
GRNET-CERT
4
CERT Cooperation Plan
incidents
incidents
GRNET
CERT
X
CERT
incidents
Y
CERT
incidents
CERT
Law Enforcement
Knowledge Pool
CERT
National Cyber Defense Committee
National Cyber Space
22/5/2012
Foreign Cyber Space
GRNET-CERT
5
GRNET-CERT SERVICES
Proactive Services
Reactive Services
1. Issue Alerts & Warnings
2. Incident Handling
1. Security Announcements
2. Technology Watch
3. Security Audits & Assessments
4. Development of Security Tools
5. Intrusion Detection Services
-Incident Analysis
-Incident Response Coordination
3. Vulnerability Handling
-Vulnerability Analysis
4. Artifact Handling
-Artifact Analysis
5. Forensics
30/2/2012
GRNET-CERT
6
Ημερομηνία
Τίτλος παρουσίασης
7
Τίτλος παρουσίασης
8
Some Statistics
• For 2012 (5 months)
-900+ Various Abuse Reports Mitigated
Various Abuse Reports
-500+ Infringement Notices Handled
-397 Network Scans
-22 DOS Attacks
-20 DDOS Attacks
-Over 20 Cases of Phishing / Defacing etc.
-2 Malware Analysis (Trojan, Scareware)
-1 Anonymous Attack
-Vulnerability (SQLi,XSS)
Warning issued for:
http://eclass.aspete.gr
Infridgment Notice
DOS
DDOS
Network/Port Scan,
Bruteforce
• For 2011 (last 3 months)
-600+ Abuse Reports Mitigated
-350+ Infringement Notices Handled
-Vulnerability (SQLi,XSS)
Warning issued for:
http://labs.opengov.gr
http://www.presidency.gr/
22/5/2012
SPAM MAIL
SSH Brute Force
REGBOT
BADBOT
GRNET -CERT
9
Website
Ημερομηνία
Τίτλος παρουσίασης
10
Cases
Ημερομηνία
Τίτλος παρουσίασης
11
ΙΚΑ Phishing
Type Of Attack: Phishing
• Scam email Received.
• Attack Site detected & scanned.
• Original Phishing Forms along with contact info
recovered. (emails used by attackers)
• Police Authorities Informed.
22/5/2012
GRNET-CERT
12
High Profile Warning issued
Type Of Attack: SQLi
• Labs.opengov.gr SQLi on facebook module
22/5/2012
GRNET -CERT
13
Malware Analysis
Type Of Attack: Scareware \ Malware
CONTACTING IP: 91.232.29.95 (Ukraine)
http://91.232.29.95/?0bbccd2979886358e559cd8ebc45985d
Ημερομηνία
Τίτλος παρουσίασης
14
Anonymous Attack
Type Of Attack: Reflective Amplified DNS Spoofing Attack
•
•
•
•
•
•
DNS requests (ANY) για το isc.org
Source IP = Spoofed IPs., PORT 80
Destination Ips = Ips του φοιτητικού DSL,PORT 53 (UDP).
Φοιτητικά DSL modems με ανοιχτό recursive nameserver
(dnsmasq) και forwarders αυτούς που έλαβαν από το PPP,
δηλ. τους rns0.grnet.gr & rns1.grnet.gr
Προωθούν το ίδιο query στους rns μας. Οι rns μας απαντούν
στα modems, και κατόπιν οι dnsmasq των modems απαντούν
στον αρχικό (spoofed) προορισμό.
Η ιδιαιτερότητα εδώ είναι ότι το isc.org είναι από τις πρώτες
DNSSEC-signed ζώνες, που σημαίνει πως η απάντηση στο
αρχικό DNS query είναι μεγάλη (> 512 bytes), οπότε σύμφωνα
με το πρωτόκολλο, κάνει upgrade σε EDNS, που είναι TCP.
Αποτέλεσμα είναι, ότι όλες αυτές οι χιλιάδες διευθύνσεις του
φοιτητικού, ανοίγουν TCP connection στην port 80 (HTTP) στα
targeted hosts (δηλ. στις spoofed αυτές διευθύνσεις) και κατά
συνέπεια κάνουν DoS
22/5/2012
GRNET -CERT
15
Tools
• Websites:
–
–
–
–
–
–
–
–
–
https://apps.db.ripe.net/search/query.html#resultsAnchor
http://cqcounter.com/whois/
http://projecthoneypot.org/
http://www.phishtank.com/
http://www.exploit-db.com/
https://www.virustotal.com/
http://anubis.iseclab.org
http://www.iptrackeronline.com/header.php
http://www.liveipmap.com/
• Tools:
–
–
–
–
–
–
–
–
22/5/2012
Netsparker, Acunetix, Metasploit
Wireshark, Burp Suite
Nmap, Zenmap
BackTrack (Various Tools)
Sqlmap, Havij
Vmware Workstation
Sysintelnals
FTK
GRNET -CERT
16
Questions?
Personal Info:
Name: Alex Zaharis
Email: [email protected]
Team: GRNET-CERT
Phone: +30 210 7475718
22/5/2012
GRNET-CERT
17

similar documents