t103 1100 CrimeOps of the KashmirBlack Botnet



Title: CrimeOps of the KashmirBlack Botnet
Presenters: Ofir Shaty and Sarit Yerushalmi
Track: In The Weeds
Time: 1100
Virtual BSides San Antonio 2021
June 12th, San Antonio, Texas

Abstract:
We’ll expose the KashmirBlack botnet that infected CMS platforms, using Plug&Play infrastructure to deploy its malicious code, expand and stay undetected. We will take you down the rabbit hole into our journey where we went undercover, deployed a honeypot and participated in the botnet, resulting in the exposure of the Indonesian hacker crew ‘PhantomGhost’.
Explore the DevOps behind the botnet, discuss its purpose and go deep into the bits-and-bytes of the operation and the infection technique

In this session we will expose the “KashmirBlack” botnet that infected hundreds of thousands of CMS platforms victims. It uses Plug&Play infrastructure which makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.

We will take you down the rabbit hole into our journey where we went undercover, deployed a honeypot and participated in the botnet, resulting in the exposure of the Indonesian hacker crew ‘PhantomGhost’.
By infiltrating into the botnet’s operation, we got a rare opportunity to witness its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.

Explore the DevOps behind the botnet, discuss its purpose and go deep into the bits-and-bytes of the entities, the operation and the infection technique.

The KashmirBlack botnet utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.

Speaker Bios:
ofir shaty
Security Researcher at Imperva for the last 3 years & 2 years as a database security & compliance expert.
Experience with web application vulnerability research & analysis,
Database Security & Web Application Security,
Data & Information Security, Compliance and Regulations,
Risk Management, Vulnerability Assessments and Scanning.

Sarit Yerushalmi
Security researcher at Imperva for the last 5 years in web application and cloud data security and for 5 years as a security analyst.
Analyse CVEs and threats in web applications and cloud environments.
Develop algorithms to detect and protect against attacks.

source