Mining Threat-intelligence from Billion-scale SSH Brute-Force Attacks

Yuming Wu (1, joint first author), Phuong M. Cao (1, joint first author), Alexander Withers (2), Zbigniew T. Kalbarczyk (1), Ravishankar K. Iyer (1)

1 University of Illinois at Urbana-Champaign (UIUC)
2 National Center for Supercomputing Applications (NCSA)
Key Findings and Implications

Key Findings
• Over 70% are persistent attackers
• Identification of 7 SSH keys related to outdated vulnerabilities
• Globally distributed IPs massively spoofed over one million fake client versions
• Discovery of human-supervised versus fully automated botnets

Implications
• Discerning global coordination efforts in SSH key exploitation and client version spoofing
• Alerting cloud providers and IoT vendors regarding stolen SSH keys
• Deterring large-scale evasion techniques using anomaly detectors or rate limiters
• Preparing for resourceful and strategic human-supervised attacks
Analysis Workflow
(workflow figure)
Exploitation, Coordination, and Evasion - Leaked SSH Keys
• We identified 7 keys related to outdated vulnerabilities, indicating that some devices are still unpatched
• Attackers had adequate details (i.e., credentials) about the vulnerabilities related to these 7 keys when plotting the targeted attacks
Exploitation, Coordination, and Evasion - Leaked SSH Keys: Attack Origins
• Attackers leveraged Google LLC (Google), Charter Communications, and Portlane to exploit the 7 identified leaked keys
• Attackers from Google-registered IPs attempted all 7 keys with four other unknown keys on the same day
Speculation: attackers were rapidly switching ASes to evade detection, and possibly switching targets
Exploitation, Coordination, and Evasion - Key-based Collaboration
• An SSH key was exploited by 20 countries
• The globally coordinated botnet exploited a single SSH key 90 times within only 4 days
• The last key was persistently used by one single country 2,700 times spanning 5 months
The globally coordinated bot wrapped up its fruitless attacks and shifted targets 50× faster than the persistent, single-country botnet
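The two usage patterns above (one key tried from many countries within days, another key tried from one country for months) can be separated by aggregating attempts per key fingerprint. The following is an added example, not the authors' analysis code: the attempt records are constructed inline, the OpenSSH-style SHA256 fingerprint is computed as sshd would log it with LogLevel VERBOSE, and the classification thresholds (min_countries, max_burst_days, min_persistent_days) are assumptions chosen for the example.

```python
"""Per-key summary of SSH public-key attempts: coordinated vs persistent use.

Added example (not the authors' code). Records are constructed here; sshd with
LogLevel VERBOSE logs the fingerprint of every public key a client offers, which
a real pipeline would join with a GeoIP lookup. Thresholds are assumptions.
"""
import base64
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64 of the SHA-256 digest)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def summarize_keys(records):
    """records: iterable of (iso_timestamp, country_code, raw_key_blob).
    Returns {fingerprint: {attempts, countries, span_days, attempts_per_day}}."""
    acc = defaultdict(lambda: {"attempts": 0, "countries": set(), "first": None, "last": None})
    for ts, country, blob in records:
        t = datetime.fromisoformat(ts)
        s = acc[fingerprint(blob)]
        s["attempts"] += 1
        s["countries"].add(country)
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    summary = {}
    for fp, s in acc.items():
        span_days = (s["last"] - s["first"]).days + 1  # inclusive calendar span
        summary[fp] = {
            "attempts": s["attempts"],
            "countries": len(s["countries"]),
            "span_days": span_days,
            "attempts_per_day": s["attempts"] / span_days,
        }
    return summary


def classify(stats, min_countries=5, max_burst_days=7, min_persistent_days=30):
    """Heuristic labels (thresholds are assumptions for this example):
    many countries within days -> globally coordinated;
    one country for months -> persistent single-country botnet."""
    if stats["countries"] >= min_countries and stats["span_days"] <= max_burst_days:
        return "coordinated"
    if stats["countries"] == 1 and stats["span_days"] >= min_persistent_days:
        return "persistent"
    return "other"


# --- constructed sample (not real keys or attempts) ---
KEY_A = b"constructed-public-key-blob-A"
KEY_B = b"constructed-public-key-blob-B"


def build_sample():
    records = []
    countries = ["US", "DE", "BR", "CN", "IN", "RU"]
    for i in range(12):  # key A: 6 countries, 12 attempts, 4 days
        records.append((f"2019-08-0{1 + i % 4}T{10 + i:02d}:00:00", countries[i % 6], KEY_A))
    for k in range(20):  # key B: one country, once a week for ~19 weeks
        t = datetime(2019, 3, 1, 2, 0) + timedelta(days=7 * k)
        records.append((t.isoformat(), "KR", KEY_B))
    return records


if __name__ == "__main__":
    for fp, stats in summarize_keys(build_sample()).items():
        print(fp, stats, classify(stats))
```

The attempts-per-day column is what makes the "50× faster" comparison on the slide reproducible: a key with a short span and many countries has a high rate, while the single-country key spreads a larger attempt count over a much longer span.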
Exploitation, Coordination, and Evasion - Client Version-based Collaboration and Evasion
• More than 1.7 million new client versions were spoofed in August alone (7000× the maximum of previous months)
• Only several hundred globally-distributed IPs were spoofing (e.g. SSH-2.0-OpenSSH_+qLfH)
• Yet 90% of IPs used only 1 client version
• The top-spoofing IP advertised 400,000 unique client versions during its 200-hour attack campaign
(Figure: CDF of the number of unique client versions per IP, for Aug, Sep and Oct)
Globally-coordinated botnets were involved in forging a million permutations of client versions at high frequencies, which voids signature-based detectors
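Because 90% of IPs present exactly one client version, the per-IP count of distinct banners is itself a usable anomaly score, and the rate at which an IP produces never-before-seen banners is what a rate limiter would act on. The block below is an added example, not code from the authors: the records (timestamp, source IP, client banner) are constructed, the 5-version threshold and 60-second window are assumptions, and the "malformed OpenSSH banner" check only covers the OpenSSH_ prefix case illustrated on the slide.

```python
"""Detecting client-version spoofing in SSH brute-force traffic.

Added example (not the authors' code). Records are constructed; a real pipeline
would take the client banner and source address from sshd debug logs or a passive
network sensor. The threshold and window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed records: "timestamp,source_ip,client_version_banner"
SAMPLE_RECORDS = """\
2019-08-03T10:00:01,203.0.113.5,SSH-2.0-OpenSSH_+qLfH
2019-08-03T10:00:02,203.0.113.5,SSH-2.0-OpenSSH_aB3x
2019-08-03T10:00:03,203.0.113.5,SSH-2.0-OpenSSH_zZ9q
2019-08-03T10:00:04,203.0.113.5,SSH-2.0-OpenSSH_Qm2P
2019-08-03T10:00:05,203.0.113.5,SSH-2.0-OpenSSH_7.4
2019-08-03T10:00:06,203.0.113.5,SSH-2.0-OpenSSH_x1Lk
2019-08-03T10:00:07,203.0.113.5,SSH-2.0-OpenSSH_aB3x
2019-08-03T10:00:08,203.0.113.5,SSH-2.0-OpenSSH_Tt0o
2019-08-03T10:00:09,203.0.113.5,SSH-2.0-OpenSSH_R5vN
2019-08-03T10:01:00,198.51.100.7,SSH-2.0-OpenSSH_7.4
2019-08-03T10:01:01,198.51.100.7,SSH-2.0-OpenSSH_7.4
2019-08-03T10:01:02,198.51.100.7,SSH-2.0-OpenSSH_7.4
2019-08-03T10:02:00,192.0.2.9,SSH-2.0-libssh-0.6.3
2019-08-03T10:02:05,192.0.2.9,SSH-2.0-PuTTY_Release_0.70
2019-08-03T10:03:00,198.51.100.8,SSH-2.0-paramiko_2.4.2
"""

# A genuine OpenSSH banner carries a numeric version right after "OpenSSH_".
OPENSSH_BANNER = re.compile(r"^SSH-2\.0-OpenSSH_\d+\.\d+")


def parse_records(text):
    """Split the constructed CSV-style lines into (timestamp, ip, banner) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, banner = line.split(",", 2)
            out.append((ts, ip, banner))
    return out


def versions_per_ip(records):
    """Number of distinct client banners advertised by each source IP."""
    seen = defaultdict(set)
    for _, ip, banner in records:
        seen[ip].add(banner)
    return {ip: len(v) for ip, v in seen.items()}


def share_single_version(counts):
    """Fraction of IPs that used exactly one banner (the slide's 90% figure)."""
    return sum(1 for n in counts.values() if n == 1) / len(counts)


def malformed_openssh_banners(records):
    """OpenSSH banners whose version field is not numeric, e.g. OpenSSH_+qLfH."""
    return sorted({b for _, _, b in records
                   if b.startswith("SSH-2.0-OpenSSH_") and not OPENSSH_BANNER.match(b)})


def flag_spoofers(records, max_versions=5):
    """IPs whose distinct-banner count exceeds the (assumed) anomaly threshold."""
    return sorted(ip for ip, n in versions_per_ip(records).items() if n > max_versions)


def peak_new_versions(records, ip, window_seconds=60):
    """Largest number of never-before-seen banners one IP produced inside any
    sliding window; this is the quantity a rate limiter would cap."""
    first_seen = {}
    for ts, rip, banner in sorted(records):  # ISO timestamps sort lexically
        if rip == ip and banner not in first_seen:
            first_seen[banner] = datetime.fromisoformat(ts)
    times = sorted(first_seen.values())
    peak, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("unique banners per IP:", versions_per_ip(recs))
    print("share of single-banner IPs:", share_single_version(recs and versions_per_ip(recs)))
    print("malformed OpenSSH banners:", malformed_openssh_banners(recs))
    print("flagged spoofers:", flag_spoofers(recs))
    print("peak new banners/min for 203.0.113.5:", peak_new_versions(recs, "203.0.113.5"))
```

Counting distinct banners rather than matching banner strings is the point: a signature list cannot keep up with a million permutations, but the number of distinct banners per source, or per minute per source, stays a stable feature of the spoofing behaviour itself.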
Analysis Workflow
(workflow figure, continued)
Human-supervised Attack Techniques - Data-driven Methodology
Purpose: identify evidence of human attackers
• Time zone and duration selection
• Ratio: average weekday to weekend attempt computation for each IP
• Tail analysis of the ratio distribution (figure: pmf of the ratio, with µ and µ + 3σ marked)
• All IPs in the tail present similar activity patterns; used the same group of credentials; came from the same /8 subnet
• Periodic variations with decreasing activities on weekends (especially Sundays) (figure: attempts per day of week over four weeks)
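The methodology above is a short pipeline: pick a time zone, count each IP's attempts on weekdays and weekend days over the chosen window, take the ratio of the two daily averages, and flag the IPs whose ratio lies in the µ + 3σ tail. The block below carries that pipeline through end to end. It is an added example rather than the authors' code: the attempt timestamps are constructed (one "human-supervised" source that goes quiet at weekends, twelve flat-rate automated sources), the UTC+8 analysis time zone and the floor on the weekend rate are assumptions, and the 3σ cut-off is the rule stated on the slide.

```python
"""Weekday/weekend ratio tail analysis for SSH brute-force sources.

Added example (not the authors' code). Attempt timestamps are constructed below;
in practice they come from sshd "Failed password" / "Invalid user" lines.
The time-zone offset, the weekend-rate floor and the k in µ + kσ are parameters.
"""
import statistics
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone


def local_date(ts_utc: datetime, offset_hours: float) -> date:
    """Shift a UTC timestamp into the chosen analysis time zone."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours))).date()


def weekday_weekend_ratios(attempts, start: date, end: date, offset_hours=0.0,
                           min_weekend_rate=1.0):
    """attempts: iterable of (ip, utc_datetime). Returns {ip: ratio} where
    ratio = (attempts per weekday) / (attempts per weekend day) over [start, end]."""
    days = [start + timedelta(d) for d in range((end - start).days + 1)]
    n_weekday = sum(1 for d in days if d.weekday() < 5)
    n_weekend = len(days) - n_weekday
    per_ip = defaultdict(lambda: [0, 0])  # [weekday attempts, weekend attempts]
    for ip, ts in attempts:
        d = local_date(ts, offset_hours)
        if start <= d <= end:
            per_ip[ip][0 if d.weekday() < 5 else 1] += 1
    ratios = {}
    for ip, (wd, we) in per_ip.items():
        weekday_rate = wd / n_weekday
        # Floor the denominator so an IP with no weekend activity gets a finite
        # (large) ratio instead of a division by zero. This floor is an assumption.
        weekend_rate = max(we / n_weekend, min_weekend_rate)
        ratios[ip] = weekday_rate / weekend_rate
    return ratios


def tail_ips(ratios, k=3.0):
    """Threshold µ + kσ of the ratio distribution and the IPs above it."""
    vals = list(ratios.values())
    threshold = statistics.mean(vals) + k * statistics.pstdev(vals)
    return threshold, sorted(ip for ip, r in ratios.items() if r > threshold)


def day_of_week_profile(attempts, ips, offset_hours=0.0):
    """Attempt counts by weekday (index 0 = Monday ... 6 = Sunday) for the given IPs."""
    counts = Counter()
    for ip, ts in attempts:
        if ip in ips:
            counts[local_date(ts, offset_hours).weekday()] += 1
    return [counts[d] for d in range(7)]


# --- constructed sample: four full weeks, Mon 2019-09-02 .. Sun 2019-09-29 ---
START, END = date(2019, 9, 2), date(2019, 9, 29)
OFFSET = 8.0  # assumed analysis time zone (UTC+8); a parameter, not a finding


def build_sample():
    attempts = []
    for d in range(28):
        day = START + timedelta(d)
        ts = datetime(day.year, day.month, day.day, 3, 0, tzinfo=timezone.utc)  # 11:00 in UTC+8
        weekend = day.weekday() >= 5
        # "human-supervised" source: busy on weekdays, nearly idle at weekends
        attempts += [("203.0.113.10", ts)] * (5 if weekend else 50)
        # twelve fully automated sources: flat activity, slight jitter at weekends
        for i in range(12):
            n = 20 + ((i % 3) - 1) if weekend else 20
            attempts += [(f"198.51.100.{i + 1}", ts)] * n
    return attempts


if __name__ == "__main__":
    sample = build_sample()
    ratios = weekday_weekend_ratios(sample, START, END, OFFSET)
    thr, tail = tail_ips(ratios)
    print(f"threshold µ+3σ = {thr:.2f}; tail IPs: {tail}")
    print("day-of-week profile of tail IPs:", day_of_week_profile(sample, set(tail), OFFSET))
```

Two details matter when running this on real data. The window should cover whole weeks so that weekday and weekend averages are computed over comparable numbers of days, and the time-zone choice changes which calendar day an attempt falls on, so the ratio should be recomputed for each candidate zone before reading anything into the tail.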
Human-supervised versus Fully Automated Bots
The human-supervised botnet is more resourceful, ambitious, and strategic than the fully automated one
Conclusions and Future Work

Conclusions
• Investigated a broad scope of SSH attack strategies
• Discovered large-scale, persistent, and evasive attacks
• Contributed a scientific data-driven approach to differentiate between human-supervised and fully automated botnets

Future
• Landscape of unidentified, unknown SSH keys
• Resourceful attackers with a relatively large number of legitimate client versions
• Threat intelligence sharing across peer sites with preservation of privacy
Thank you!
Acknowledgements
• SDAIA: https://wiki.ncsa.illinois.edu/display/cybersec/SDAIA
• NSF Grant: CICI: Secure Data Architecture: Shared Intelligence Platform for Protecting our National Cyberinfrastructure. Award Number: 1547249
• NSF Grant: SI2-SSE: AttackTagger: Early Threat Detection for Scientific Cyberinfrastructure. Award Number: 1535070
• DEPEND group Symphony Cluster