GRNET CERT 2012 by Alex Zaharis Website: http://cert.grnet.gr Email: cert@grnet.gr Team: GRNET-CERT Phone: +30 210 7475718
Overview GRNET-CERT Info & Deliverables GRNET-CERT Services Workload Statistics Case 1: Phishing Attack Case 2: SQL Injection Attack Case 3: Malware Analysis Case 4: Anon Tools of the Trade Ημερομηνία Τίτλος παρουσίασης
GNET-CERT AT A GLANCE Created in 2002. National Point of contact for all Educational & Research Institutes. Protecting the Greek Critical Internet Infrastructure. Participating on National Cyber Defense Committee Other Greek CERTs: GR-NCERT FORTHCERT AUTH-CERT 30/2/2012 GRNET-CERT
GRNET-CERT Deliverables Create an Overview of the risks the use of Internet poses in GREECE. Through Communication with other CERTs create a CYBER DEFENCE Coordination Team that can handle any kind of Cyber / Electronic attack. Participated/Co-ordinated the National Cyber Defense Exercise 2011. TF–CERT members 30/2/2012 GRNET-CERT
National Cyber Defense Committee CERT Cooperation Plan incidents incidents incidents incidents GRNET CERT X CERT Y CERT incidents CERT Law Enforcement CERT Knowledge Pool National Cyber Defense Committee National Cyber Space Foreign Cyber Space 22/5/2012 GRNET-CERT 5
GRNET-CERT SERVICES Proactive Services Reactive Services 1. Security Announcements 2. Technology Watch 3. Security Audits & Assessments 4. Development of Security Tools 5. Intrusion Detection Services Proactive Services 1. Issue Alerts & Warnings 2. Incident Handling -Incident Analysis -Incident Response Coordination 3. Vulnerability Handling -Vulnerability Analysis 4. Artifact Handling -Artifact Analysis 5. Forensics Reactive Services 30/2/2012 GRNET-CERT
Ημερομηνία Τίτλος παρουσίασης
Τίτλος παρουσίασης
Some Statistics For 2012 (5 months) For 2011 (last 3 months) -900+ Various Abuse Reports Mitigated -500+ Infringement Notices Handled -397 Network Scans -22 DOS Attacks -20 DDOS Attacks -Over 20 Cases of Phishing / Defacing etc. -2 Malware Analysis (Trojan, Scareware) -1 Anonymous Attack -Vulnerability (SQLi,XSS) Warning issued for: http://eclass.aspete.gr For 2011 (last 3 months) -600+ Abuse Reports Mitigated -350+ Infringement Notices Handled http://labs.opengov.gr http://www.presidency.gr/ 22/5/2012 GRNET -CERT
Website Ημερομηνία Τίτλος παρουσίασης
Cases Ημερομηνία Τίτλος παρουσίασης
ΙΚΑ Phishing Scam email Received. Attack Site detected & scanned. Type Of Attack: Phishing Scam email Received. Attack Site detected & scanned. Original Phishing Forms along with contact info recovered. (emails used by attackers) Police Authorities Informed. 22/5/2012 GRNET-CERT
High Profile Warning issued Type Of Attack: SQLi Labs.opengov.gr SQLi on facebook module 22/5/2012 GRNET -CERT
Malware Analysis Type Of Attack: Scareware \ Malware CONTACTING IP: 91.232.29.95 (Ukraine) http://91.232.29.95/?0bbccd2979886358e559cd8ebc45985d Ημερομηνία Τίτλος παρουσίασης
Anonymous Attack Type Of Attack: Reflective Amplified DNS Spoofing Attack DNS requests (ANY) για το isc.org Source IP = Spoofed IPs., PORT 80 Destination Ips = Ips του φοιτητικού DSL,PORT 53 (UDP). Φοιτητικά DSL modems με ανοιχτό recursive nameserver (dnsmasq) και forwarders αυτούς που έλαβαν από το PPP, δηλ. τους rns0.grnet.gr & rns1.grnet.gr Προωθούν το ίδιο query στους rns μας. Οι rns μας απαντούν στα modems, και κατόπιν οι dnsmasq των modems απαντούν στον αρχικό (spoofed) προορισμό. Η ιδιαιτερότητα εδώ είναι ότι το isc.org είναι από τις πρώτες DNSSEC-signed ζώνες, που σημαίνει πως η απάντηση στο αρχικό DNS query είναι μεγάλη (> 512 bytes), οπότε σύμφωνα με το πρωτόκολλο, κάνει upgrade σε EDNS, που είναι TCP. Αποτέλεσμα είναι, ότι όλες αυτές οι χιλιάδες διευθύνσεις του φοιτητικού, ανοίγουν TCP connection στην port 80 (HTTP) στα targeted hosts (δηλ. στις spoofed αυτές διευθύνσεις) και κατά συνέπεια κάνουν DoS 22/5/2012 GRNET -CERT
Tools Websites: Tools: Netsparker, Acunetix, Metasploit https://apps.db.ripe.net/search/query.html#resultsAnchor http://cqcounter.com/whois/ http://projecthoneypot.org/ http://www.phishtank.com/ http://www.exploit-db.com/ https://www.virustotal.com/ http://anubis.iseclab.org http://www.iptrackeronline.com/header.php http://www.liveipmap.com/ Tools: Netsparker, Acunetix, Metasploit Wireshark, Burp Suite Nmap, Zenmap BackTrack (Various Tools) Sqlmap, Havij Vmware Workstation Sysintelnals FTK 22/5/2012 GRNET -CERT
Questions? Personal Info: Name: Alex Zaharis Email: azaharis@admin.grnet.gr Team: GRNET-CERT Phone: +30 210 7475718 22/5/2012 GRNET-CERT