Saturday, November 24, 2012

Red Sky Weekly - Anatomy of an Attack

Thanksgiving and Black Friday mark the start of the holiday season, bringing not only scrums for $97 televisions at Walmart, but also exponential increases in online activity. During the next several weeks, lasting until roughly the second week in January, more retail dollars will flow than at any other time of the year. What does this mean to you? Willie Sutton once said, when asked why he robbed banks, “That’s where the money is.” Why will hackers be out in force? Now is when the money flows.

What do these attacks look like? This week, a report detailing an incident at a state government victim was posted (leaked?) to the Internet. While there is no evidence (that I can see) of APT activity (bad guys paid by a government to steal information), this is clearly a targeted event carried out with purpose over the course of several weeks using multiple accesses ranging from backdoors to legitimate (but stolen) credentialed accounts. The organization owning the victim network moves a lot of money, and is responsible for protecting privacy information for millions of people.

In this case, the victim had been notified by a law enforcement agency that the privacy information (PII) of at least three people had been identified as stolen (this is probably the most common way of finding out about breaches such as this: someone else usually tells the victim). A consultant was called in to identify the extent of losses, figure out if it was ongoing, and create remediation plans.

According to the report, the attack went something like this:

  1. The initial attack vector was confirmed as phishing emails, delivered on August 13, 2012. At least one user clicked, compromising the network and likely giving the attacker the first captured credentials.
  2. Fourteen days later (8/27), the attacker entered the network, logging into a Citrix server (remote access) using credentials obtained (probably) during the initial August 13th breach.
  3. On the 29th, the attacker reentered the network, releasing tools designed to capture other user credentials on six additional servers.
  4. Between September 1st and the 4th, the attacker executed additional tools to capture Windows credentials. Additional tools were used to create ‘backdoor’ capabilities. The attacker used the newfound bounty to perform reconnaissance on other parts of the network.
  5. After roughly a week, the attacker performed additional reconnaissance on the network, until finally...
  6. Over the course of three days in mid-September, the attacker copied database backup files to a staging area, where they were packed into 15 encrypted 7-zip files. The files were then moved to another server (presumably the attacker's own) before being deleted from the staging server.
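
A defender's view of step 6, as an added example that is not from the incident report or from Red Sky: a sketch that scans file-audit events for a burst of large archives created on one host and then deleted. The event tuple format, host names, paths and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3
ARCHIVE_EXT = (".7z", ".zip", ".rar")

# Constructed file-audit events: (timestamp, host, action, path, size in bytes).
# Hosts, paths, times and sizes are invented for illustration only.
EVENTS = [
    ("2012-09-12T22:10:00", "stage01", "create", r"D:\temp\a01.7z", 8 * GB),
    ("2012-09-13T01:40:00", "stage01", "create", r"D:\temp\a02.7z", 8 * GB),
    ("2012-09-13T23:05:00", "stage01", "create", r"D:\temp\a03.7z", 8 * GB),
    ("2012-09-14T03:30:00", "stage01", "delete", r"D:\temp\a01.7z", 0),
    ("2012-09-14T03:30:05", "stage01", "delete", r"D:\temp\a02.7z", 0),
    ("2012-09-14T03:30:09", "stage01", "delete", r"D:\temp\a03.7z", 0),
    ("2012-09-13T02:00:00", "db02", "create", r"E:\backup\nightly.zip", 2 * GB),
    ("2012-09-13T09:15:00", "ws17", "create", r"C:\Users\a\docs.zip", 1024),
    ("2012-09-13T09:20:00", "ws17", "delete", r"C:\Users\a\docs.zip", 0),
]

def find_staging(events, min_files=3, min_bytes=10 * GB, window=timedelta(days=3)):
    """Flag hosts where several large archives appear within `window`;
    archives deleted afterwards raise the severity (stage, move, clean up)."""
    created = defaultdict(list)   # host -> [(time, path, size)]
    deleted = defaultdict(dict)   # host -> {path: deletion time}
    for ts, host, action, path, size in events:
        if not path.lower().endswith(ARCHIVE_EXT):
            continue
        when = datetime.fromisoformat(ts)
        if action == "create":
            created[host].append((when, path, size))
        elif action == "delete":
            deleted[host][path] = when
    findings = []
    for host, files in created.items():
        files.sort()
        start = 0
        for end in range(len(files)):
            while files[end][0] - files[start][0] > window:
                start += 1                      # slide the window forward
            burst = files[start:end + 1]
            total = sum(size for _, _, size in burst)
            if len(burst) >= min_files and total >= min_bytes:
                gone = [p for t, p, _ in burst if deleted[host].get(p, t) > t]
                findings.append({"host": host, "archives": len(burst),
                                 "gb": total / GB, "deleted": len(gone),
                                 "severity": "high" if len(gone) == len(burst) else "medium"})
                break                           # one finding per host
    return findings
```

Calling `find_staging(EVENTS)` flags only the constructed `stage01` host; the routine backup on `db02` and the small user archive on `ws17` stay below the thresholds.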

The attack resulted in compromises of at least 44 systems. (One member claims the cost of fixing each server is roughly $10,000. At that price per machine, this incident cost, at a minimum, $440,000, but likely significantly more. This is a very public breach.)

  • One had a ‘backdoor’ loaded, three had database backups or files stolen
  • One server was used to remove data from the network, but 39 systems were accessed by the attacker during reconnaissance or password captures
  • Roughly 75 GB of data were compressed into fifteen 8.2 GB 7-zip files and (presumably, although not confirmed) removed from the network (we must assume these files contained information related to revenue generation and capture in the state, although the report does not mention losses of any privacy information)
  • Fourteen of the files contained 23 database backups, one contained roughly 1200 files related to the encrypted version of the data encryption key

Over the past months, you’ve read about Fusion Reports. The Fusion Report is a compilation of all information known about the attack, taken from one victim or multiple victims in the Red Sky Alliance, or externally when data is available. The Fusion Report is a two-part report:

Part one is authored in prose; intended to show our work and tell the story of the attack(s), much like shown above.

Part two is mitigation. Red Sky Analysts author Snort, YARA, etc., signatures when we can. Artifacts (file names with full directory structures, file hash values and other metadata) are included, and “Kill Chain” formatted indicators are presented in a final tabular format. A sample is shown below. The idea is that Alliance members should be able to take information from any of our reports and cut and paste it as highly actionable information that any member can act on today.

In this case, the kill chain information might look like Table 1 (completely fictitious; please do not attempt to use):

[Table 1: Sample Fusion Report indicator list]

So here’s the deal. Remember Willie Sutton? There will be more retail transactions in the next few weeks than at any other time during the year. Retailers will lose money as a result of cyber shenanigans. In addition to retail losses, the added noise on the networks will create opportunities for others to steal information from non-retailers, and to top it off, kids all over the world are home for the holidays, so the kiddie scripters will be active too (they always are over Christmas vacation!). Wouldn’t it be nice to be getting fusion reports, each containing hundreds of indicators from the Alliance, before you are attacked? The only way you can is to join.

Red Sky = private
Corporate members only

Beadwindow = Private | Public
Many of our private corporate members + government members

Drop us a note. Join us now.

Until next time, have a great week!