In November 2019, I started monitoring the Bitcoin operation of the adversaries who hid the IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute on the idea of redirecting C&C server communication to a sinkhole server (called a takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action: they implemented an evasion mechanism in only two weeks and restarted their attack. Although we could no longer conduct our takeover, our monitoring system kept working well. The end of their attack was brought about by the surge in Bitcoin prices. Because of the fees paid to Bitcoin miners, each transaction reduced the adversaries' profits; we confirmed that the last C&C update was in January 2021 and that the attack infrastructure was abandoned in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I gained through the direct confrontation with the adversaries. At the time of the confrontation, this attack was highly novel, and the adversaries themselves did not fully understand the best way to operate it. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or made a simple operational error. This presentation is the culmination of the insights I learned from interactions with these adversaries, and I look forward to sharing this information with everyone.
[cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi
1. CODE BLUE 2022
What I Learned from the Direct
Confrontation with the Adversaries
who Hid C&C Server Information in
the Blockchain
Tsuyoshi Taniguchi
Fujitsu System Integration Laboratories LTD.
October 27, 2022
Copy right 2022 Fujitsu System Integration Laboratories Limited
2. DNS Abuse vs Blockchain Abuse
[Figure: the malware obtains its C&C server address either from a DNS server (DNS abuse) or from the blockchain (blockchain abuse)]
⚫Detection of DNS abuse: Cyber Threat Intelligence, Passive DNS, Active DNS, WHOIS history, subdomain (CODE BLUE 2017 Day0; CODE BLUE 2018, 2020, 2021)
⚫Detection of blockchain abuse: Black Hat Asia 2021 Briefings; ACM ASIACCS 2021; international collaboration with Prof. Doerr (Hasso Plattner Institute)
3. Tsuyoshi TANIGUCHI
⚫ Fujitsu System Integration Laboratories Researcher, Ph.D.
⚫Mar. 2008 - Hokkaido University Ph.D. (computer science)
⚫Apr. 2008 - Researcher, FUJITSU
⚫Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
⚫Speaker
⚫ CODE BLUE 2017 Day0 Special Track Counter Cyber Crime Track
⚫ CODE BLUE 2018, 2020, 2021
⚫ Black Hat Asia 2021, ACM ASIACCS 2021
⚫ International collaboration with Prof. Doerr (Hasso Plattner Institute)
Please search ACM Tsuyoshi Taniguchi
-> The table of C&C server IP addresses (Table 5)
-> You can find malware samples in VirusTotal by searching for those IP addresses
(In some cases, malware samples not related to this attack are also found)
4. Timeline
[Timeline figure, Oct. 2019 to Jun. 2021: WS; monitoring start; detection of change of Bitcoin addresses; collaboration proposal; collaboration start. Fujitsu alone until the collaboration start, then international collaboration with HPI]
5. Timeline
[Timeline figure, Oct. 2019 to Jun. 2021: WS; monitoring start; detection of change of Bitcoin addresses; collaboration proposal; collaboration start (Fujitsu alone, then international collaboration with HPI); takeover, which led C&C communication to our sinkhole server; implementation of the evasive mechanism within around two weeks]
6. Timeline
[Timeline figure, Oct. 2019 to Jun. 2021: WS; monitoring start; detection of change of Bitcoin addresses; collaboration proposal; collaboration start (Fujitsu alone, then international collaboration with HPI); takeover; implementation of the evasive mechanism; abandonment of the attack infrastructure; Black Hat Asia 2021; ASIACCS 2021]
7. Today’s Presentation
[Timeline figure, Oct. 2019 to Jun. 2021: WS; monitoring start; detection of change of Bitcoin addresses; collaboration proposal; collaboration start (Fujitsu alone, then international collaboration with HPI); takeover; implementation of the evasive mechanism; abandonment of the attack infrastructure]
For CODE BLUE 2022: the essence of the (pre-)analysis needed to succeed in a takeover
8. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
9. Overview of Our System and Division of Roles
[Figure: the defender's sinkhole server, the Bitcoin blockchain, the C&C server, the malware (Pony) on infected clients, and the phishing group]
⚫HPI: analysis of malware, sinkhole server operation
⚫Fujitsu: analysis of Bitcoin operation, monitoring system
10. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1. Ethical Considerations
11. The Way of Hiding C&C Server Information
in the Blockchain
[Figure: the C&C server IP address (142.93.0.206 in the example) is hidden in the two most recent transactions related to a particular Bitcoin address]
12. The Principle of Takeover
-> Success on Aug. 14, 2020
⚫To send Bitcoin hiding the IP address of our sinkhole server to the Bitcoin address controlled by the adversaries
[Figure: our transactions point the malware to our sinkhole server instead of the C&C server]
13. 1. Ethical Considerations: Exfiltrated Files
[Figure: sinkhole server, C&C server, and the exfiltrated files stored on the C&C server]
⚫We must not download any exfiltrated files
14. Download DLL
[Figure: sinkhole server and C&C server; the malware's DLL download step]
15. Deletion of Malware Itself by Self Protection
Mechanism
[Figure: sinkhole server and C&C server]
⚫Extermination of the malware by our takeover
16. 1. Ethical Considerations
⚫Ethical considerations in cyber security
⚫Report to providers whose IP addresses are abused by adversaries
⚫Report to software vendors whose products have vulnerabilities
⚫This case: files exfiltrated from infected clients
⚫If we download the exfiltrated files, we are no better than the phishing group
⚫After designing the takeover, we had many points to consider
⚫We achieved both disruption of C&C communication and extermination of the malware
⚫This is an important point for protecting ourselves from an ethical viewpoint
17. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
18. Back to the Initial Stage of Monitoring from
the Highlight of International Collaboration
[Timeline figure, Oct. 2019 to Jun. 2021: WS; monitoring start; detection of change of Bitcoin addresses; collaboration proposal; collaboration start (Fujitsu alone, then international collaboration with HPI); takeover; implementation of the evasive mechanism; abandonment of the attack infrastructure]
19. 2. The Importance of Hypothesis Verification
⚫Hypothesis verification in cyber security
⚫Anticipate vulnerabilities in an organization's network, then verify them with the related tools
⚫Anticipate vulnerabilities of tools, then verify them
⚫Hypothesis verification in this case
⚫Evasive behavior against our takeover
⚫Hypothesis: after identifying our takeover, the adversaries take evasive action
⚫Verification:
20. The First Stage of Bitcoin Operation
⚫Three types of Bitcoin addresses
⚫Sender: disposable addresses through Bitcoin exchange services
⚫IP signal: static addresses made by the adversaries
⚫Collector
[Figure: many sender addresses, two IP signal addresses, and one collector address]
21. Bitcoin Addresses for This Attack
⚫IP signal
⚫1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ: 1BkeG (Abbreviation)
⚫1CeLgFDu917tgtunhJZ6BA2YdR559Boy9Y: 1CeLg (Abbreviation)
⚫Collector
⚫1PFSS4kdTxvVhrti4fM3jK9FLhUt5zZf6i: 1PFSS (Abbreviation)
⚫Since transactions in the blockchain are open, you can verify
all transactions related to 1BkeG, 1CeLg, and 1PFSS
⚫Table 1 in our ASIACCS paper
22. My Hypothesis in the First Stage of Monitoring
⚫If the adversaries change the IP signal, then I can detect the changed IP signal in the circulation of Bitcoin through their operation
[Figure: IP signal 1 fed by senders A and B, IP signal 2 fed by senders X and Y, the C&C server, and the collector]
23. Bitcoin Operation: Nov. 15 to 30, 2019
[Transaction graph (drawn with Gephi: https://gephi.org/) among 1BkeG, 1CeLg, and 1PFSS]
24. Bitcoin Operation: Dec. 1 to 10, 2019
[Transaction graph among 1BkeG and 1CeLg]
• The adversaries changed the IP signal from 1BkeG to 1CeLg
• I confirmed malware samples which communicated with 1CeLg
25. Bitcoin Operation: Dec. 10 to 12, 2019
[Transaction graph among 1BkeG, 1CeLg, 1N94r, 1PFSS, and 19hi8]
Collected Bitcoin from 1BkeG and 1CeLg to 1PFSS
-> moved Bitcoin from 1PFSS to 1N94r
-> sent Bitcoin from 1N94r to 1BkeG and 19hi8
26. Newly Added Bitcoin Addresses
⚫IP signal
⚫19hi8BJ7HxKK45aLVdMbzE6oTSW5mGYC82: 19hi8 (Abbreviation)
⚫Collector
⚫1N94rYBBCZSnLoK56omRkAPRFrpr5t8C1y: 1N94r (Abbreviation)
27. Bitcoin Operation in the Final Stage
⚫The functions of sender and collector were aggregated:
1N94r
⚫Back to 1BkeG from 1CeLg for IP signal
[Figure: 1N94r (sender and collector) pays into 1BkeG and 19hi8]
28. The Design Mistake for Hiding C&C IP
Addresses in the Blockchain
[Figure: the IP signal address receives Bitcoin both from the adversaries' sender and from our sender]
⚫The adversaries sent Bitcoin hiding the C&C IP address
⚫Anybody could send Bitcoin hiding any IP address
⚫The malware did not check where the incoming Bitcoin came from
29. Takeover Evasive Mechanism
[Figure: the IP signal address, the adversaries' sender, and our sender]
Implementation of the takeover evasive mechanism within around two weeks
⚫The malware accessed the transactions related to the sender
⚫We could send Bitcoin
31. Against Takeover Evasive Mechanism
⚫ To send Bitcoin hiding our sinkhole server IP address to 1N94r
[Figure: 1BkeG, 1N94r, and our sender, with our sender paying 1N94r]
32. Detection Evasion by Changing Bitcoin Address
[Figure: the sender switches from the current IP signal address to a refuge IP signal address]
I detected an IP signal change in Dec. 2019
-> technically possible, but the adversaries did not change the IP signal after evading our takeover
33. 2. The Importance of Hypothesis Verification
⚫Hypothesis: detection evasion by changing the IP signal
⚫Verification: the adversaries changed the IP signal in Dec. 2019, but did not change it after evading our takeover
⚫Notice
⚫IP signal change: technically possible, but does synchronizing the malware implementation with the changed Bitcoin addresses cost too much?
⚫In the process of the verification, I identified the issue from the adversary's side
⚫The hypothesis verification process itself is important
34. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks
and the Worldwide Event
35. C&C Server Update Time Change
[Chart (drawn with Metabase: https://www.metabase.com/) of C&C server update times from Aug. 2019 to Jan. 2021: in May 2020 the update time moved from daytime to midnight (UTC), when fees soared under the influence of the Bitcoin halving]
36. 3. Consciousness of the Relation Between
the Cyberattacks and the Worldwide Event
⚫C&C server update time (Bitcoin trade time) in May 2020
⚫Daytime -> midnight (UTC)
⚫After conducting in-depth analysis from various viewpoints, I found that fees had soared
⚫Examination regarding the fee setting
⚫I identified the Bitcoin halving
⚫May 11, 2020 (UTC): block 630,000
⚫Fees tend to be low around midnight since the number of trades decreases
⚫It is important to broaden your horizons, including the relation between cyberattacks and worldwide events
37. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and
the Worldwide Event
4. Adversary’s Intention Behind Tactics, Techniques, and
Procedures (TTPs) Evolution
38. 4. Adversary’s Intention Behind TTPs Evolution
⚫Behind TTPs evolution
⚫To improve methods
⚫To cope with troubles
⚫Change of trading time in May 2020
⚫To save transaction fees paid to miners, avoiding the influence of the Bitcoin halving
⚫Change of the strategy of selecting blocks in Jul. 2020
⚫The second case study in our Black Hat Asia 2021 presentation
⚫To explore a way of controlling the order in which the two transactions are confirmed
39. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and
the Worldwide Event
4. Adversary’s Intention Behind TTPs Evolution
5. Operational Error by the Adversaries
40. Mistakenly Sent Bitcoin
⚫ Three transactions: change of Bitcoin addresses in Dec. 2019 (test?)
⚫ Others: mistakenly sent Bitcoin
1BkeG
Date                      Bitcoin (Satoshi)   IP octets
5:33:19, Dec. 11, 2019    31,683              195.123   (test?)
8:39:45, Jul. 24, 2020    10,818              66.42
19hi8
Date                      Bitcoin (Satoshi)   IP octets
5:22:28, Dec. 11, 2019    31,683              195.123   (test?)
9:39:13, Apr. 22, 2020    15,573              213.60
3:11:43, Jul. 22, 2020    27,052              172.105
1CeLg
Date                      Bitcoin (Satoshi)   IP octets
12:09:19, Dec. 10, 2019   19,508              52.76     (test?)
41. Mistakenly Sent Bitcoin
2020/7/24 5:46 31,366 Satoshi -> 134.122
2020/7/24 5:55 64,792 Satoshi -> 24.253
2020/7/24 8:39 10,818 Satoshi -> 66.42
2020/7/24 8:58 31,366 Satoshi -> 134.122
2020/7/24 9:02 64,792 Satoshi -> 24.253
134.122.24.253 -> samples in VirusTotal
66.42.134.122 -> no samples
⚫ Adversary's side: no influence
⚫Soon after mistakenly sending Bitcoin, they sent the two correct transactions again
⚫ Defender's side: big influence
⚫When I traced back through the transactions, these wrong transactions did not form a pair with any other transaction
42. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and
the Worldwide Event
4. Adversary’s Intention Behind TTPs Evolution
5. Operational Error by the Adversaries
6. Long Term Data Collection
43. 6. Long Term Data Collection
⚫C&C IP address update: around 200 times from Sep. 2019 to Aug. 2020
⚫My data collection: from Sep. 2019 to Jan. 2021
⚫Design of the data collection
⚫Consideration of the limit on the number of transactions returned by the blockchain API
⚫Ex. 50 transactions
⚫Dealing with wrong transactions
⚫My implementation: skip reading wrong transactions
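As an added example (not the speaker's code), a decoder for the signalling scheme the deck describes on slides 11, 40, 41 and 43: each payment amount carries two octets, two consecutive payments make one IPv4 address, and a mistaken payment has to be skipped rather than paired. The little-endian octet layout is my inference from the deck's amount/octet table; `Tx`, `decode_updates` and the sample payments are constructed here.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional


@dataclass(frozen=True)
class Tx:
    """One incoming payment to an IP-signal address (constructed sample data)."""
    when: datetime
    satoshi: int


def satoshi_to_octets(amount: int) -> tuple[int, int]:
    """Decode one payment amount into the two IPv4 octets it carries.

    Byte layout is my inference from the deck's amount/octet table
    (31,366 -> 134.122; 64,792 -> 24.253; 10,818 -> 66.42):
    amount = first_octet + 256 * second_octet, so valid amounts stay below 65,536.
    """
    if not 0 <= amount < 65536:
        raise ValueError(f"{amount} Satoshi cannot encode two octets")
    return amount % 256, amount // 256


def decode_updates(txs: Iterable[Tx], skip: frozenset[int] = frozenset()):
    """Pair chronologically ordered payments into C&C IPv4 addresses.

    The older payment of each pair gives the first two octets, the newer one
    the last two. `skip` holds positions (in chronological order) of payments
    known to be operational mistakes; dropping them mirrors the deck's
    'skip reading wrong transactions'. A payment left without a partner is
    returned separately so a monitor can flag it instead of mis-pairing it.
    """
    ordered = sorted(txs, key=lambda t: t.when)
    kept = [tx for i, tx in enumerate(ordered) if i not in skip]
    updates = []
    for older, newer in zip(kept[0::2], kept[1::2]):
        a, b = satoshi_to_octets(older.satoshi)
        c, d = satoshi_to_octets(newer.satoshi)
        updates.append((newer.when, f"{a}.{b}.{c}.{d}"))
    leftover: Optional[Tx] = kept[-1] if len(kept) % 2 else None
    return updates, leftover


# Constructed from the Jul. 24, 2020 sequence shown in the deck.
SAMPLE_TXS = [
    Tx(datetime(2020, 7, 24, 5, 46), 31366),
    Tx(datetime(2020, 7, 24, 5, 55), 64792),
    Tx(datetime(2020, 7, 24, 8, 39), 10818),  # the mistaken payment (66.42)
    Tx(datetime(2020, 7, 24, 8, 58), 31366),
    Tx(datetime(2020, 7, 24, 9, 2), 64792),
]

if __name__ == "__main__":
    naive, dangling = decode_updates(SAMPLE_TXS)
    print("naive pairing:", [ip for _, ip in naive], "unpaired:", dangling)
    fixed, _ = decode_updates(SAMPLE_TXS, skip=frozenset({2}))
    print("skipping the wrong payment:", [ip for _, ip in fixed])
```

With naive pairing the mistaken payment produces 66.42.134.122 (the address with no samples) and leaves the 9:02 payment dangling; skipping it yields 134.122.24.253 twice, matching the deck's observation.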
44. What I Learned from the Direct
Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and
the Worldwide Event
4. Adversary’s Intention Behind TTPs Evolution
5. Operational Error by the Adversaries
6. Long Term Data Collection
45. 3. Consciousness of the Relation Between
the Cyberattacks and the Worldwide Event
[Figure: sender 1,000,000 Satoshi -> IP signal 100,000 Satoshi + sender 870,000 Satoshi (970,000 Satoshi in outputs), fee 30,000 Satoshi; fee soar influenced by the Bitcoin halving: 30,000 Satoshi -> 60,000 Satoshi]
30,000 Satoshi: around $3 (as of Aug. 2020, 1 BTC = $10,000)
-> around $18 (as of Mar. 2021, 1 BTC = $60,000)
Bitcoin soar
-> abandonment of the attack infrastructure
46. Thank you