[nsp-sec] Large mirai-variant - null routing and cleanup requested
Krista Hickey
Krista.Hickey at cogeco.com
Wed Dec 6 11:47:12 EST 2017
+1 to Damian's remarks
I set up monitoring early yesterday for this C2 and saw zero hits so didn't feel any null route was necessary when I saw this thread last night. And while I did see the scanning events on our network, a cursory look at traffic on the two identified ports seems to indicate possible collateral damage so any such filtering would be a last resort from my perspective.
I think where possible null routes and port filtering should be the last line of defense and not the initial reaction.
Krista
This email is from Krista.Hickey at cogeco.com . To ensure the delivery of future emails, please add the current email address to your address book or safe senders list.
If you no longer wish to receive promotional emails from Cogeco, please forward this message to unsubscribe at cogeco.com. Thank you!
Privacy Policy and Anti-spam Commitment - Contact us
Cogeco Cable Canada, 5 Place Ville-Marie, Suite 1700, Montreal, Quebec, H3B 0B3
-----Original Message-----
From: nsp-security [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Damian Menscher
Sent: Wednesday, December 06, 2017 11:30 AM
To: Benjamin, Mike <Mike.Benjamin at centurylink.com>
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Large mirai-variant - null routing and cleanup requested
----------- nsp-security Confidential --------
I think it's a bit of an overreaction to null-route a C2 IP before even asking the hosting provider nicely. In this case, Leaseweb has been contacted and has disabled that IP. So everyone can remove their blocks now. (Note this may become more of an issue if the C2 moves to bulletproof hosting.)
I also think blocking two ports long-term is best avoided, as it can cause collateral damage to legitimate use. It seems better to monitor sources and notify the worst-affected ISPs so they can fix their CPE (or implement local blocks if they deem that necessary).
Damian
On Tue, Dec 5, 2017 at 4:52 PM, Benjamin, Mike <Mike.Benjamin at centurylink.com> wrote:
> ----------- nsp-security Confidential --------
>
>
> I'm sure you are all aware of the large attacks that the mirai malware
> was used to launch in the latter part of 2016. Since then a few
> occurrences of large instances have been built, but most have been
> kept under relative control and then ultimately removed.
>
>
> Over the last 48 hours the Internet has seen a massive uptick in the
> growth of an instance that is causing concern.
>
>
> An overview has been made public by the netlab 360 team here:
>
>
> http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/
>
>
> Scanning for the two vulnerabilities in question can be seen through
> our port usage graphs from 3356 netflow:
>
>
> [two inline images: port usage graphs for TCP 37215 and 52869 from AS3356 netflow]
>
>
> Through multiple groups working together we've confirmed that a botnet
> size over 500k nodes may be a reasonable estimate of infected size.
> This is obviously not good.
>
>
> Due to the swift manner in which this botnet was built and its large size,
> we've decided to pre-emptively null route the C2 hosted at 95.211.123[.]69.
> This null route is active in AS3356, 209 and 3549. We'd encourage any
> other operators to assist as well. Multiple groups have requested a
> takedown of the VM through LeaseWeb, and we're awaiting their
> assistance to complete the takedown.
>
>
> This is unfortunately a temporary measure, and we expect the actor
> will simply stand up new infrastructure and start over. To ensure
> they are less effective the next time we are working with our
> downstream customers (and some of the larger offenders who are not
> customers) that exhibit the scanning behavior for these ports. Our goal is to:
>
>
> 1) Work with them to filter the traffic entirely through blocking
> packets with the SYN flag set towards these ports in both directions
> at their network edge. Blocking other tcp flags has a risk of
> breaking things as these are ephemeral ports and should be avoided where possible.
>
> 2) Encourage them to work with their equipment vendors to patch the
> vulnerabilities in question or at least close these management ports.
>
>
> For those with the ability to do so, I suggest you take a look at your
> data to look for customers that may have the same risk open to the
> Internet. This can be done by looking for the very loud scanning for
> TCP port 37215 or 52869 across wide ranges of IP space. Beware this
> variant continues to utilize the other well known mirai infection
> methods, so every device scanning may not actually be vulnerable to
> the new Huawei exploit or the older Realtek exploit.
>
>
> If there are any questions please let us know, we appreciate the
> support with helping to minimize this threat's impact.
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the
> sender by reply e-mail and destroy all copies of the communication and
> any attachments.
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
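As an added illustration of the two operational items in Mike's message (spotting the loud SYN scanning of TCP 37215/52869 in flow data, and the SYN-only edge filter that leaves alone sessions which merely use those numbers as ephemeral ports), here is example Python that is not from the thread or from any of the operators quoted. The flow record layout, the constructed sample records, and the thresholds are assumptions made for the demonstration, not anything the thread specifies.

```python
"""Added example, not from the nsp-security thread.

Two pieces:
  find_scanners()    - triage of netflow-style records for the wide SYN sweeps
                       of TCP 37215 / 52869 that Mike describes
  edge_filter_drops() - the SYN-only edge filter he proposes, showing why it
                       does not break sessions that use 37215/52869 as an
                       ephemeral source port
The record layout, sample data and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# The two ports named in the 360 netlab write-up linked in the thread.
TARGET_PORTS = {37215, 52869}
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Flow:
    """Minimal netflow-like record (assumed layout, unidirectional)."""
    src: str
    dst: str
    dport: int
    sport: int
    tcp_flags: int   # cumulative TCP flags as netflow v5/v9 exports them


# Constructed sample records (not real data). 10.0.0.0/8 stands in for
# customer CPE; the other prefixes are documentation ranges.
SAMPLE_FLOWS = [
    # one CPE sweeping 37215 across 40 distinct /24s, bare SYNs, no reply
    *[Flow("10.1.1.5", f"203.0.{i}.{j}", 37215, 40000 + i, SYN)
      for i in range(1, 41) for j in (1, 2)],
    # the same device also sweeping 52869
    *[Flow("10.1.1.5", f"198.51.{i}.9", 52869, 41000 + i, SYN)
      for i in range(1, 21)],
    # benign: an HTTPS client whose ephemeral *source* port happens to be 37215
    Flow("10.2.2.2", "192.0.2.10", 443, 37215, SYN | ACK),
    # benign: a single probe to a single host, not a sweep
    Flow("10.3.3.3", "192.0.2.20", 37215, 50000, SYN),
]


def find_scanners(flows, min_targets=16, min_prefixes=8):
    """Return {src: {dport: distinct_destinations}} for sources that sent a
    bare SYN (SYN set, ACK clear) to a target port on at least `min_targets`
    distinct destinations spread over at least `min_prefixes` distinct /24s.

    A worm-style sweep looks exactly like this in flow data; a one-off probe
    or an established session does not. As the thread warns, a flagged device
    is *scanning*, which does not by itself prove it carries the Huawei or
    Realtek exposure; it may have been infected by the older mirai methods.
    """
    dsts = defaultdict(set)   # (src, dport) -> distinct destination addresses
    for f in flows:
        if f.dport in TARGET_PORTS and (f.tcp_flags & SYN) and not (f.tcp_flags & ACK):
            dsts[(f.src, f.dport)].add(f.dst)
    result = defaultdict(dict)
    for (src, port), targets in dsts.items():
        prefixes = {ipaddress.ip_network(f"{d}/24", strict=False) for d in targets}
        if len(targets) >= min_targets and len(prefixes) >= min_prefixes:
            result[src][port] = len(targets)
    return dict(result)


def edge_filter_drops(flow):
    """The SYN-only filter from the thread, applied per packet in either
    direction: drop only an initial SYN (SYN set, ACK clear) *toward* 37215 or
    52869. Packets to those ports with ACK set are the return half of a
    legitimate session that picked the number as an ephemeral port, and
    packets *from* those ports are never touched, so a blanket port block is
    avoided.
    """
    if flow.dport not in TARGET_PORTS:
        return False
    return bool(flow.tcp_flags & SYN) and not (flow.tcp_flags & ACK)


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: sweeping {ports}")
    # Return traffic of an HTTPS session whose client port is 37215: kept.
    print(edge_filter_drops(Flow("192.0.2.10", "10.2.2.2", 37215, 443, ACK)))
```

The thresholds are deliberately low so the constructed sample trips them; on real netflow you would tune `min_targets` and `min_prefixes` to your sampling rate and export interval, and aggregate the flagged sources per customer or per upstream ASN before sending notifications.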