WEBVTT

00:00.000 --> 00:18.000
All right, my name is Alex, and I'm a principal security engineer at Amazon

00:18.000 --> 00:20.000
Web Services.

00:20.000 --> 00:24.000
This is the about-us slide, pretty much.

00:24.000 --> 00:28.000
Also, here is Martin, who is not here.

00:28.000 --> 00:37.000
Martin is my colleague, who is taking part in security research on databases.

00:37.000 --> 00:42.000
Again, I don't have an additional slide for the introduction.

00:42.000 --> 00:45.000
So again, my name is Alex.

00:45.000 --> 00:48.000
My background is MySQL.

00:48.000 --> 00:53.000
I have been working with MySQL for more than 20 years.

00:53.000 --> 01:00.000
I think at this point, and I joined MySQL AB in 2006.

01:00.000 --> 01:08.000
I worked at Sun Microsystems, Oracle, Percona, and then four years ago I joined Amazon

01:08.000 --> 01:16.000
Web Services, and I created the new team, which is called Red Team.

01:16.000 --> 01:22.000
And this is, this talk is called Atomic Honeypot.

01:22.000 --> 01:32.000
And this is the result of our database security research against MySQL.

01:32.000 --> 01:34.000
So let's start.

01:34.000 --> 01:38.000
So this is our agenda for the day.

01:38.000 --> 01:47.000
First of all, we will start by creating a high-interaction MySQL honeypot.

01:47.000 --> 01:55.000
And then I will explain why it's important, why we need a high-interaction MySQL honeypot.

01:55.000 --> 02:00.000
When we have a Honeypot, the next step is going Atomic.

02:00.000 --> 02:04.000
So what does it really mean?

02:04.000 --> 02:12.000
Over the years, we have been finding security issues in the MySQL client.

02:12.000 --> 02:19.000
And we did a presentation recently, which is called MySQL Server Attacks You.

02:19.000 --> 02:26.000
It's actually an unusual thing; many people don't realize that it's possible.

02:26.000 --> 02:35.000
The MySQL protocol is designed in such a way that a rogue server can actually tell the client what to do.

02:35.000 --> 02:38.000
It can tell the client to load a plugin.

02:38.000 --> 02:43.000
And we found this in 2023.

02:43.000 --> 02:52.000
And in 2024, we also found another MySQL client issue, which affects mysqldump.

02:52.000 --> 03:00.000
And then today, I will be doing some demos and providing the details of how it works.

03:00.000 --> 03:11.000
And then finally step 3, we were thinking of how we can actually use all that stuff for good.

03:11.000 --> 03:19.000
And then we realized that there are lots of bots attacking the databases.

03:19.000 --> 03:27.000
And what we really wanted to do is to understand how those attacks are executed.

03:27.000 --> 03:33.000
We wanted to see what's the code, what's the methodology, and stuff like that.

03:33.000 --> 03:40.000
So we created the Atomic Honeypot, which actually strikes back.

03:40.000 --> 03:44.000
And I'll explain what that means and how it works.

03:44.000 --> 03:46.000
All right, let's start with this.

03:46.000 --> 03:55.000
If you don't know, bots are everywhere, and MySQL servers, and your MySQL server, are under attack.

03:55.000 --> 04:00.000
So they're scanning the network, they're scanning known ports.

04:00.000 --> 04:04.000
And they're doing it very fast.

04:04.000 --> 04:09.000
And a database server is obviously a big target.

04:09.000 --> 04:17.000
All right, a bot will try to find the server, try to use an old CVE, and try to do bad things.

04:17.000 --> 04:24.000
So we wanted to understand what kind of attacks we're talking about, what they're doing.

04:24.000 --> 04:30.000
So this is our original design.

04:30.000 --> 04:32.000
Very simple.

04:32.000 --> 04:35.000
We put a MySQL Honeypot server.

04:35.000 --> 04:41.000
We open it from the internet, listening on port 336.

04:41.000 --> 04:50.000
And then when you do that, you realize that immediately, almost immediately, someone will try to connect.

04:50.000 --> 04:56.000
Now, let's go back and talk about MySQL protocol.

04:56.000 --> 05:00.000
MySQL protocol is server initiated.

05:00.000 --> 05:12.000
So if you just start a listener, a TCP listener, and then hope that someone will connect, it will not happen.

05:12.000 --> 05:18.000
The MySQL client will not connect to just a TCP socket; it needs this prompt.

05:18.000 --> 05:36.000
So this prompt will actually give you the version, the salt for the MySQL authentication, and the plugin.

05:36.000 --> 05:43.000
So basically, just creating a listener is not enough.

05:43.000 --> 05:50.000
If you want to do the Honeypot, you need to implement MySQL protocol.

05:50.000 --> 05:57.000
And the good news is there are lots of implementations of the MySQL protocol.

05:57.000 --> 06:00.000
One of them is in Python.

06:00.000 --> 06:04.000
So this is a library in Python.

06:04.000 --> 06:11.000
It can implement a fake MySQL server with MySQL protocol embedded in it.

06:11.000 --> 06:14.000
So it's very, very simple.

06:14.000 --> 06:23.000
So I created a prototype of a high-interaction MySQL honeypot.

06:23.000 --> 06:30.000
And then we started this Honeypot, and then we started seeing interesting things.

06:30.000 --> 06:34.000
Connections are coming in, attacks are going.

06:34.000 --> 06:42.000
And then this is the very interesting stuff that MySQL protocol supports called connection attributes.

06:42.000 --> 06:45.000
Similar to HTTP user agent.

06:45.000 --> 06:55.000
You can see the platform, client version, operating system, and even the program name from that.

06:55.000 --> 07:03.000
So this is how MySQL defines those attributes in the documentation.

07:03.000 --> 07:07.000
And this is something that we started collecting.

07:07.000 --> 07:09.000
This is from the real attacks.

07:09.000 --> 07:13.000
And then we can see that they're using different client names.

07:13.000 --> 07:16.000
They're using different client versions.

07:16.000 --> 07:19.000
They're using different operating systems.

07:19.000 --> 07:23.000
And also we can immediately see the client name.

07:23.000 --> 07:28.000
So lots of useful info from that address.

07:28.000 --> 07:35.000
And then we have identified two major attacks on MySQL.

07:35.000 --> 07:39.000
Now if you run the Honeypot, you see everything.

07:39.000 --> 07:40.000
You see the queries.

07:40.000 --> 07:42.000
You see the connection attributes.

07:42.000 --> 07:46.000
You see basically we started collecting fingerprints.

07:46.000 --> 07:51.000
And this is one of the fingerprints that we collected from this of them.

07:51.000 --> 08:02.000
So what this attack is doing is it tries to connect to the server and tries to install a malware on that server.

08:02.000 --> 08:03.000
Right, on Linux.

08:03.000 --> 08:05.000
And on Windows as well.

08:05.000 --> 08:13.000
So it's actually trying to write to a shared library plugin to put the file in there.

08:13.000 --> 08:15.000
And we traced all that stuff.

08:15.000 --> 08:23.000
Now this is less interesting because it only works on a really, really old MySQL server.

08:23.000 --> 08:27.000
The second attack is a completely different attack.

08:27.000 --> 08:29.000
This is a ransomware attack.

08:29.000 --> 08:31.000
This actually happened.

08:31.000 --> 08:35.000
And many people have actually been affected by this one.

08:35.000 --> 08:44.000
So basically if you expose your MySQL server to the internet,

08:44.000 --> 08:48.000
especially on ports 3606, you will get those guys.

08:48.000 --> 08:52.000
And they will try to brute-force the passwords.

08:52.000 --> 08:54.000
Connect to the database.

08:54.000 --> 08:59.000
And then they will try to download your database.

08:59.000 --> 09:05.000
And then remove the database and put the ransomware note.

09:05.000 --> 09:08.000
Basically pay me something I'll give you.

09:08.000 --> 09:10.000
I'll give you the database back.

09:10.000 --> 09:14.000
And this is one of the attacks that we want to know about.

09:14.000 --> 09:16.000
I want to trace and see what they're doing.

09:16.000 --> 09:19.000
Here's what is interesting here.

09:19.000 --> 09:22.000
See, there's a mysqldump here.

09:22.000 --> 09:24.000
We know that this is mysqldump.

09:24.000 --> 09:26.000
In this attack. Remember this.

09:26.000 --> 09:28.000
All right.

09:28.000 --> 09:32.000
So now, at this point, we were thinking,

09:32.000 --> 09:36.000
Well, how do we actually create an atomic honeypot?

09:36.000 --> 09:42.000
All right. Now, atomic honeypot will strike back.

09:42.000 --> 09:46.000
So we again, we want to interact with the attackers,

09:46.000 --> 09:49.000
and we want to download the code.

09:49.000 --> 09:53.000
And then we started thinking, how we can do that.

09:53.000 --> 09:56.000
And we started juggling with the CVEs.

09:56.000 --> 10:00.000
There are three CVEs that we can potentially use here.

10:00.000 --> 10:04.000
The first is called MySQL client arbitrary file.

10:04.000 --> 10:09.000
It's very old, very old, from 2020.

10:09.000 --> 10:13.000
The second one is the MySQL client RCE.

10:13.000 --> 10:17.000
We actually found the modification of that.

10:17.000 --> 10:24.000
In 2023 we presented it; this is basically the MySQL Server

10:24.000 --> 10:27.000
Attacks You presentation.

10:27.000 --> 10:33.000
And then finally, in 2024 we found an issue in mysqldump.

10:34.000 --> 10:39.000
So let me, this is probably one of the most important slides here.

10:39.000 --> 10:44.000
And I will try to explain real quick how those two things work.

10:44.000 --> 10:47.000
MySQL client arbitrary read.

10:47.000 --> 10:50.000
Basically, it's a server protocol.

10:50.000 --> 10:53.000
MySQL server protocol issue.

10:53.000 --> 10:55.000
It's very well known.

10:55.000 --> 10:57.000
You can read this blog post.

10:57.000 --> 11:04.000
Basically a server can request an arbitrary file

11:04.000 --> 11:10.000
from the client using LOAD DATA INFILE.

11:10.000 --> 11:15.000
The second one is actually more interesting.

11:15.000 --> 11:19.000
This is less known in the community.

11:19.000 --> 11:25.000
And the idea is that MySQL protocol

11:26.000 --> 11:30.000
works with pluggable authentication.

11:30.000 --> 11:34.000
You can write your own authentication plugin.

11:34.000 --> 11:39.000
But the consequence of that is that the MySQL server and the client

11:39.000 --> 11:45.000
will need to communicate which plugin they will be using.

11:45.000 --> 11:54.000
So the MySQL client will ask the server which plugin it wants.

11:54.000 --> 11:57.000
And the server will say, I want this plugin.

11:57.000 --> 12:03.000
Then the MySQL client will try to load a shared library.

12:03.000 --> 12:07.000
So the plugin is actually a shared library name.

12:07.000 --> 12:09.000
So this is how it works.

12:09.000 --> 12:15.000
So if we have an ability to somehow upload an arbitrary file,

12:15.000 --> 12:21.000
a shared library to the client, then during this communication,

12:22.000 --> 12:26.000
between the server and the client,

12:26.000 --> 12:34.000
the server can push an arbitrary plugin name.

12:34.000 --> 12:38.000
And then we found there is a directory traversal in it.

12:38.000 --> 12:40.000
So this has been fixed.

12:40.000 --> 12:42.000
You can read this.

12:42.000 --> 12:43.000
You can look at the slides.

12:43.000 --> 12:49.000
We presented it at the HITB conference in 2023.

12:49.000 --> 12:53.000
So we have been looking at those and trying to figure out

12:53.000 --> 13:01.000
how we can actually use that to do the atomic kind of thing.

13:01.000 --> 13:06.000
And then finally, this is, I will be talking into details

13:06.000 --> 13:10.000
about the mysqldump one.

13:10.000 --> 13:15.000
This is the RCE that we found in 2024.

13:16.000 --> 13:20.000
So mysqldump is the database backup program.

13:20.000 --> 13:23.000
Everyone is using it.

13:23.000 --> 13:31.000
And then mysqldump will connect to a server and receive the SQL statements.

13:31.000 --> 13:36.000
Now this is from the MySQL documentation webpage.

13:36.000 --> 13:41.000
This is how you copy one database to another database.

13:41.000 --> 13:46.000
You run mysqldump on a server,

13:46.000 --> 13:48.000
on your client machine, maybe on a web server,

13:48.000 --> 13:50.000
I don't know, connect to one server,

13:50.000 --> 13:54.000
then you pipe whatever you're getting from mysqldump

13:54.000 --> 13:59.000
to the MySQL client, which connects to another server.

13:59.000 --> 14:01.000
What can happen here?

14:01.000 --> 14:05.000
The thing is, the MySQL

14:06.000 --> 14:10.000
command-line client has the ability to execute a command.

14:10.000 --> 14:13.000
It can do file writes also.

14:13.000 --> 14:17.000
But this is the same system, right?

14:17.000 --> 14:21.000
If you put backslash exclamation mark,

14:21.000 --> 14:24.000
followed by the OS command,

14:24.000 --> 14:28.000
and then you put it into the MySQL client,

14:28.000 --> 14:31.000
then you execute this command.

14:32.000 --> 14:36.000
So this is one of the simplest command execution

14:36.000 --> 14:39.000
attacking the client.

14:39.000 --> 14:43.000
So mysqldump can connect to a server.

14:43.000 --> 14:46.000
It's a rogue server, it's my server that I control,

14:46.000 --> 14:48.000
and then I can push whatever there.

14:48.000 --> 14:51.000
Now, what's the limitations?

14:51.000 --> 14:54.000
Usually, mysqldump does a very good job

14:54.000 --> 14:57.000
on escaping this.

14:57.000 --> 15:00.000
If you have a backtick around this,

15:00.000 --> 15:04.000
that will not be interpreted as a system command.

15:04.000 --> 15:10.000
But we found a super simple way to exploit it,

15:10.000 --> 15:13.000
really simple, right?

15:13.000 --> 15:18.000
So this is the mysqldump source code before the fix.

15:18.000 --> 15:25.000
What it's doing is reading the connection

15:26.000 --> 15:28.000
from the server.

15:28.000 --> 15:33.000
And then putting it as this is the output, right?

15:33.000 --> 15:38.000
So if we control the server, we control everything.

15:38.000 --> 15:41.000
We can change the version number,

15:41.000 --> 15:46.000
and put end of line there in our command system command.

15:46.000 --> 15:49.000
So this is one of the,

15:49.000 --> 15:54.000
I would say, simplest change to the source code,

15:54.000 --> 15:59.000
one line change can make this a rogue server.

15:59.000 --> 16:02.000
Right? You put a server version here,

16:02.000 --> 16:07.000
you see there's an end of line, and then a system command.

16:07.000 --> 16:10.000
And then I connect, I compile this server,

16:10.000 --> 16:15.000
and I connect it with a Telnet, and this is what they see.

16:15.000 --> 16:18.000
And then we have mysqldump,

16:18.000 --> 16:22.000
we connect to the server.

16:22.000 --> 16:26.000
Yeah, this is mysqldump 5.7,

16:26.000 --> 16:31.000
but before the fix in 8.0 it was the same thing.

16:31.000 --> 16:34.000
Right? You connect to the server,

16:34.000 --> 16:37.000
and then this is what it will produce.

16:37.000 --> 16:41.000
Now you pipe it to the MySQL command line,

16:41.000 --> 16:45.000
and then we have an arbitrary code execution.

16:46.000 --> 16:48.000
It's on the client, keep in mind, right?

16:48.000 --> 16:49.000
It's on the client.

16:49.000 --> 16:53.000
So basically people ask me about the risk.

16:53.000 --> 16:57.000
What's the risk? You don't connect to an untrusted server, right?

16:57.000 --> 16:59.000
But think about this.

16:59.000 --> 17:02.000
Maybe your database has been hacked.

17:02.000 --> 17:07.000
Maybe someone found an SQL injection in your database.

17:07.000 --> 17:10.000
Now the good news is you have backup.

17:10.000 --> 17:13.000
So you do this.

17:14.000 --> 17:17.000
Now your backup is poisoned.

17:17.000 --> 17:22.000
Your client connection is hacked.

17:22.000 --> 17:24.000
Right? This is pretty bad.

17:24.000 --> 17:26.000
There's a big risk here.

17:26.000 --> 17:29.000
Right? So that has been fixed in all versions.

17:29.000 --> 17:31.000
MySQL server has been fixed.

17:31.000 --> 17:34.000
And the MariaDB server has been fixed.

17:34.000 --> 17:37.000
So two things, first of all,

17:37.000 --> 17:39.000
you need to upgrade if you didn't.

17:39.000 --> 17:42.000
And second is, don't do this.

17:42.000 --> 17:47.000
All right, going back to the offensive stuff.

17:47.000 --> 17:49.000
We created this,

17:49.000 --> 17:52.000
Honeypot, MySQL,

17:52.000 --> 17:55.000
and implemented those two things.

17:55.000 --> 17:59.000
So now this honeypot can strike back.

17:59.000 --> 18:02.000
It can use the connection string.

18:02.000 --> 18:05.000
Basically you can pass the payload.

18:05.000 --> 18:08.000
Whatever command you want to execute,

18:08.000 --> 18:10.000
it will generate the version string.

18:10.000 --> 18:13.000
And you can also use this plugin name,

18:13.000 --> 18:16.000
which I talked about.

18:16.000 --> 18:21.000
Now back to the atomic honeypot.

18:21.000 --> 18:26.000
So here's the demo of how mysqldump works

18:26.000 --> 18:33.000
with the atomic honeypot.

18:33.000 --> 18:39.000
So we have created this Windows payload.

18:39.000 --> 18:42.000
Just for fun.

18:42.000 --> 18:46.000
And then we run this Honeypot

18:46.000 --> 18:52.000
with a version string payload.

18:52.000 --> 18:58.000
This payload will allow you to download this payload

18:58.000 --> 19:02.000
from our own HTTP server and then execute it.

19:02.000 --> 19:05.000
Right? And then basically to demonstrate,

19:05.000 --> 19:10.000
it will just show a window saying you have been pwned.

19:10.000 --> 19:12.000
All right?

19:12.000 --> 19:16.000
So next,

19:16.000 --> 19:18.000
again this is the payload.

19:18.000 --> 19:23.000
We will start the HTTP server to be able to download this payload.

19:23.000 --> 19:26.000
Then we check the version.

19:26.000 --> 19:31.000
Then we use mysqldump to connect to our atomic honeypot.

19:31.000 --> 19:32.000
There we go.

19:32.000 --> 19:36.000
So basically mysqldump downloaded this

19:36.000 --> 19:42.000
and executed the arbitrary code.

19:42.000 --> 19:52.000
So now let's see how we can actually do the counter attacks.

19:52.000 --> 19:57.000
So basically the attack number one

19:57.000 --> 20:07.000
is trying to take over your MySQL server.

20:07.000 --> 20:11.000
And this is the fingerprints that we can see.

20:11.000 --> 20:14.000
Here's the fingerprints that we can see.

20:14.000 --> 20:17.000
First of all, we can see that it's running on Windows.

20:17.000 --> 20:19.000
Second, we know the version.

20:19.000 --> 20:21.000
It's a really old version.

20:21.000 --> 20:26.000
So we actually don't know if it has the RCE via plugin or not.

20:26.000 --> 20:29.000
And then we don't see mysqldump.

20:29.000 --> 20:31.000
Right? If we would see mysqldump,

20:31.000 --> 20:34.000
we'll see the program name.

20:34.000 --> 20:39.000
So we can use this client arbitrary file read.

20:39.000 --> 20:45.000
And we can actually see how it works.

20:45.000 --> 20:48.000
This is a quick demo here.

20:48.000 --> 20:53.000
All right? So basically anyone can do that.

20:53.000 --> 20:59.000
You just download this rogue SQL Python script.

20:59.000 --> 21:00.000
Run it.

21:00.000 --> 21:04.000
And then specify which file you want to copy.

21:04.000 --> 21:10.000
And then in this case, I connect with MySQL.

21:10.000 --> 21:12.000
I connect to MySQL.

21:12.000 --> 21:14.000
And there we go.

21:14.000 --> 21:19.000
The password file from the client has been downloaded.

21:20.000 --> 21:24.000
And then I can see this file.

21:24.000 --> 21:27.000
All right? So we wanted to do the same.

21:27.000 --> 21:30.000
And we wanted to download.

21:30.000 --> 21:35.000
So now we wanted first of all to understand which version of Windows is it.

21:35.000 --> 21:44.000
How do you do that? Well, there are a number of files you can download to see which version of Windows it is.

21:44.000 --> 21:49.000
And actually we figured out that this is a really old server.

21:49.000 --> 21:53.000
Like Windows Server 2003.

21:53.000 --> 21:56.000
Maybe it's a HP. I don't know.

21:56.000 --> 22:04.000
So this is how you can get the file from the remote server.

22:04.000 --> 22:10.000
Another thing that we were trying to do is we were trying to use this RCE via plugin.

22:10.000 --> 22:15.000
And this is where we sort of failed.

22:15.000 --> 22:20.000
So the question is, how do you push the DLL file to the attacker side?

22:20.000 --> 22:23.000
This is the main, like, if it's on Windows.

22:23.000 --> 22:26.000
This is the main limitation of this exploit.

22:26.000 --> 22:35.000
The main limitation of this exploit is that you need to have something to trigger a dlopen or LoadLibrary.

22:35.000 --> 22:41.000
So we were thinking maybe we can somehow upload this file.

22:41.000 --> 22:52.000
And then we started collecting the, we started collecting the fingerprints from the server.

22:52.000 --> 22:54.000
And this is what we found.

22:54.000 --> 22:57.000
So this is the part of the attack.

22:57.000 --> 23:01.000
This is what those guys are trying to do.

23:01.000 --> 23:10.000
Right? They are trying to upload the, they're trying to upload the shell.

23:10.000 --> 23:14.000
And they're using their own FTP server to do that.

23:14.000 --> 23:16.000
Right? So they open the port.

23:16.000 --> 23:29.000
So in theory, what we could have done is we can, we could have upload our file using that FTP server.

23:29.000 --> 23:34.000
Right? And we know the port, we know the port, we know the username, we know the password.

23:34.000 --> 23:39.000
Right? And this is the plan.

23:39.000 --> 23:44.000
We upload the DLL to a public location on the FTP server.

23:44.000 --> 23:52.000
Then we run the atomic honeypot and trigger the DLL load, and then we'll get a shell.

23:52.000 --> 23:55.000
Actually, we did it as a simulation.

23:55.000 --> 24:00.000
And here's how it would have worked if we would use that.

24:00.000 --> 24:04.000
So this is a demo of the simulation.

24:04.000 --> 24:07.000
So let's imagine that we have an FTP server there.

24:07.000 --> 24:12.000
Right? A username, password, whatever.

24:12.000 --> 24:17.000
Then we put this evil DLL on that server.

24:17.000 --> 24:23.000
Right? And then we start our honeypot.

24:23.000 --> 24:26.000
We start our atomic honeypot.

24:26.000 --> 24:36.000
And then we'll wait until the attackers will connect.

24:36.000 --> 24:43.000
Right? We assume here that the public download is user's public download.

24:43.000 --> 24:50.000
Right? And then we do the directory traversal.

24:50.000 --> 24:54.000
And we specify the directory traversal to that path.

24:54.000 --> 25:02.000
Assuming that this is the path that we uploaded the file in.

25:02.000 --> 25:07.000
And let's see, this is the launch.

25:07.000 --> 25:12.000
Now we will wait until they will connect.

25:12.000 --> 25:25.000
And this is our DLL. We compile this DLL to basically create, like, start a window.

25:25.000 --> 25:30.000
And let's see how it will work.

25:30.000 --> 25:34.000
We have this MySQL, an old version of MySQL here.

25:34.000 --> 25:37.000
MySQL client. MySQL command-line client.

25:37.000 --> 25:43.000
So we connect to that host with the honeypot. Yep? Five minutes.

25:43.000 --> 25:48.000
And you have been calling.

25:48.000 --> 25:55.000
Right? So we successfully did a simulation of how we would have done that.

25:55.000 --> 26:03.000
All right. So we have successfully downloaded our retail file.

26:03.000 --> 26:10.000
And then we have done the RCE via plugin as a simulation.

26:10.000 --> 26:15.000
And then this is actually more interesting stuff.

26:15.000 --> 26:23.000
So we collected this fingerprint from the ransomware attack.

26:23.000 --> 26:29.000
And then we see that this is a new version of MySQL.

26:29.000 --> 26:34.000
MariaDB client. So there is no arbitrary file read.

26:34.000 --> 26:37.000
There is no RCE via plugin.

26:37.000 --> 26:40.000
But we can actually see mysqldump here.

26:40.000 --> 26:48.000
Right? So our hope was that we can actually create a mysqldump payload

26:48.000 --> 26:52.000
and execute something.

26:52.000 --> 27:00.000
So we have been then trying to see first what they're doing.

27:00.000 --> 27:03.000
Right? Why mysqldump?

27:03.000 --> 27:05.000
And this is the queries that we can see.

27:05.000 --> 27:12.000
This is clearly the fingerprint of the mysqldump command.

27:12.000 --> 27:17.000
Right? And then this is what they're doing.

27:17.000 --> 27:20.000
They're doing select from transactions.

27:20.000 --> 27:25.000
Transactions is the table that I generated in the honeypot, just a fake name.

27:25.000 --> 27:28.000
Right? And then they're doing a backup.

27:28.000 --> 27:36.000
What they're trying to do is they're trying to backup 10 records out of each table.

27:36.000 --> 27:46.000
And the reason for that is, imagine that you've been hacked by ransomware

27:46.000 --> 27:53.000
and say give me whatever thousand dollars and they will bring your database back.

27:53.000 --> 27:58.000
Now how do I trust them?

27:58.000 --> 28:03.000
Right? And then what they're doing is downloading only 10 records

28:03.000 --> 28:08.000
and they will show you here the 10 records of your database.

28:08.000 --> 28:10.000
We have everything, right?

28:10.000 --> 28:13.000
But we clearly see they never download the whole thing.

28:13.000 --> 28:16.000
It will be really hard, right?

28:16.000 --> 28:21.000
To download the terabytes of data stored somewhere, right?

28:21.000 --> 28:25.000
It's not logical. This is all bots.

28:25.000 --> 28:28.000
There's no real people there I guess.

28:28.000 --> 28:33.000
All bots. So they download 10 records.

28:33.000 --> 28:37.000
And they drop the database. They will drop your database.

28:37.000 --> 28:42.000
Basically scanning all that database as they will drop the database

28:42.000 --> 28:48.000
and they replace it with this, read me out, and with that database name.

28:48.000 --> 28:52.000
Right? So don't pay.

28:52.000 --> 28:54.000
It's useless. 10 records.

28:54.000 --> 28:58.000
Unless you want ten records back.

28:58.000 --> 29:02.000
All right. So we started brainstorming.

29:02.000 --> 29:04.000
How we can do that?

29:04.000 --> 29:08.000
We cannot download an arbitrary file. We cannot execute it via plugin.

29:09.000 --> 29:11.000
And then this mysqldump thing.

29:11.000 --> 29:16.000
We have started thinking how this has been designed.

29:16.000 --> 29:21.000
So from the fingerprints, we see this path.

29:21.000 --> 29:24.000
First, it uses the MariaDB connector.

29:24.000 --> 29:27.000
So it's probably some application.

29:27.000 --> 29:33.000
Then suddenly, mysqldump is connecting to our server.

29:33.000 --> 29:36.000
Then back to the MariaDB connector.

29:36.000 --> 29:44.000
So we also see that they're sending our table names

29:44.000 --> 29:48.000
and database names back to us.

29:48.000 --> 29:53.000
So maybe we can do some different thing.

29:53.000 --> 29:56.000
Maybe we can, if we can throw the database name,

29:56.000 --> 29:59.000
we can throw the table name. Can we use it?

29:59.000 --> 30:04.000
So we're thinking, is there really a command injection there?

30:04.000 --> 30:08.000
And it was exactly that. It was a command injection.

30:08.000 --> 30:12.000
So basically, whatever you put in the schema name, in a table name

30:12.000 --> 30:14.000
and you control everything, of course.

30:14.000 --> 30:18.000
Go to that, inject it as a command,

30:18.000 --> 30:21.000
and you will receive it back.

30:21.000 --> 30:25.000
So this is one of the ways you can download stuff

30:25.000 --> 30:29.000
without really executing the code, without the reverse shell.

30:30.000 --> 30:36.000
So you do base64, you get it back, you base64 decode,

30:36.000 --> 30:38.000
and then you get it.

30:38.000 --> 30:41.000
So it's a command injection.

30:41.000 --> 30:44.000
We downloaded the code.

30:44.000 --> 30:47.000
This is the part of the code.

30:47.000 --> 30:53.000
What we know is, what we know is they are doing a masscan

30:53.000 --> 31:01.000
to find all your servers, connect to the servers, do this.

31:01.000 --> 31:05.000
mysqldump, and the open, all that stuff.

31:05.000 --> 31:07.000
They're also doing one good example.

31:07.000 --> 31:10.000
It's actually eventually it's all attacked.

31:10.000 --> 31:11.000
Yeah, I'm always done.

31:11.000 --> 31:14.000
So, last slide, how to try it at home.

31:14.000 --> 31:18.000
You don't even need the honeypot.

31:18.000 --> 31:21.000
You start a normal MySQL server,

31:21.000 --> 31:23.000
any version, read only password.

31:23.000 --> 31:25.000
You can, you create a database.

31:25.000 --> 31:27.000
You put the command injection there.

31:27.000 --> 31:28.000
That's it.

31:28.000 --> 31:31.000
I haven't tried that for a year.

31:31.000 --> 31:32.000
They may have fixed that.

31:32.000 --> 31:33.000
I don't know.

31:33.000 --> 31:34.000
All right.

31:34.000 --> 31:35.000
That's it.

31:35.000 --> 31:37.000
Thank you very much.

31:37.000 --> 31:39.000
Atomicsanipot.com.

31:43.000 --> 31:44.000
Do we have questions?

31:44.000 --> 31:45.000
Okay.

31:45.000 --> 31:48.000
One question, one minute of questions.

31:48.000 --> 31:50.000
Any questions?

31:50.000 --> 31:51.000
Yes.

31:51.000 --> 31:55.000
So, you're attacked by assuming day and hour scale injection

31:55.000 --> 31:56.000
as well.

31:56.000 --> 31:57.000
Command injection.

31:57.000 --> 32:00.000
You know, they will fix the escalation.

32:00.000 --> 32:05.000
How many such roles do you think you're doing?

32:05.000 --> 32:06.000
I don't know.

32:06.000 --> 32:09.000
It's ideas.

32:09.000 --> 32:14.000
Initially, when we looked at the code, it was like everywhere.

32:14.000 --> 32:18.000
It was like database name,

32:18.000 --> 32:20.000
command injection, schema name, command injection.

32:20.000 --> 32:21.000
Everywhere.

32:21.000 --> 32:22.000
Everywhere.

32:22.000 --> 32:25.000
But we come and check that after that.

32:25.000 --> 32:27.000
Thank you very much.

32:27.000 --> 32:28.000
All right.

32:28.000 --> 32:29.000
Thank you.

