What do these attacks look like? This week, a report detailing an incident at a state government victim was posted (leaked?) to the Internet. While there is no evidence (that I can see) of APT activity (bad guys paid by a government to steal information), this is clearly a targeted event carried out with purpose over the course of several weeks, using multiple access paths ranging from backdoors to legitimate (but stolen) credentialed accounts. The organization owning the victim network moves a lot of money, and is responsible for protecting privacy information for millions of people.
In this case, the victim had been notified by a law enforcement agency that the privacy information (PII) of at least three people had been identified as stolen (this is probably the most common way of finding out about breaches such as this: someone else usually tells the victim). A consultant was called in to identify the extent of losses, figure out whether the intrusion was ongoing, and create remediation plans.
According to the report, the attack went something like this:
- The initial attack vector was confirmed as phishing emails, delivered on August 13, 2012. At least one user clicked, compromising the network and, most likely, yielding the first captured credentials.
- Fourteen days later (8/27), the attacker entered the network, logging into a Citrix server (remote access) using credentials obtained (probably) during the initial August 13th breach.
- On the 29th, the attacker reentered the network, releasing tools designed to capture other user credentials on six additional servers.
- Between September 1st and the 4th, the attacker executed additional tools to capture Windows credentials. Additional tools were used to create ‘backdoor’ capabilities. The attacker used the newly captured credentials to perform reconnaissance on other parts of the network.
- After roughly a week, the attacker performed additional reconnaissance on the network, until finally...
- Over the course of three days in mid-September, the attacker copied database backup files to a staging area, where they were compressed into 15 encrypted 7-zip files. The files were then moved to another server (presumably the attacker's own) and deleted from the staging server.
The attack resulted in compromises of at least 44 systems. (One member claims the cost of fixing each server is roughly $10,000. At that price per machine, this incident cost, at a minimum, $440,000, but likely significantly more. This is a very public breach.)
- One had a ‘backdoor’ loaded; three had database backups or files stolen
- One server was used to remove data from the network, and 39 systems were accessed by the attacker during reconnaissance or password captures
- Roughly 75 GB of data were compressed into fifteen 8.2 GB 7-zip files and (presumably, although not confirmed) removed from the network (we must assume these files contained information related to revenue generation and capture in the state, although the report does not mention losses of any privacy information)
- Fourteen of the files contained 23 database backups, one contained roughly 1200 files related to the encrypted version of the data encryption key
Over the past months, you’ve read about Fusion Reports. The Fusion Report is a compilation of all information known about the attack, taken from one victim or multiple victims in the Red Sky Alliance, or externally when data is available. The Fusion Report is a two part report:
Part one is authored in prose; it is intended to show our work and tell the story of the attack(s), much like the narrative above.
Part two is mitigation. Red Sky analysts author Snort, YARA and similar signatures when we can. Artifacts (file names with full directory structures, file hash values and other metadata) are included, and “Kill Chain” formatted indicators are presented in a final tabular format. A sample is shown below. The idea is that Alliance members should be able to take the information from any of our reports and cut/paste what is distilled from the reporting into highly actionable form that any member can act on today.
In this case, the kill chain information might look like Table 1 (completely fictitious; please do not attempt to use):
Table 1: Sample Fusion Report indicator list
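As an added illustration (not part of the original post or of any Red Sky Alliance report), the Python script below takes a constructed kill chain indicator table of the kind described above and applies it to constructed log records, tagging each hit with its kill chain phase and adding one behavioural check modelled on the staging of large 7-zip archives seen in this incident. Every indicator value, host name, user name and log record here is fictitious.

```python
from collections import defaultdict

# Constructed indicator table in the kill chain format described above:
# (phase, indicator type, value). Every value here is fictitious.
INDICATORS = [
    ("Delivery", "sender_domain", "example-phish.invalid"),
    ("Exploitation", "file_hash", "CONSTRUCTED-SHA256-PLACEHOLDER-0001"),
    ("Installation", "file_name", r"c:\windows\temp\svchost32.exe"),
    ("Command and Control", "dst_ip", "198.51.100.23"),  # TEST-NET-2 range
    ("Actions on Objectives", "file_name", r"d:\staging\backup01.7z"),
]

def match_indicators(record):
    """Return the kill chain phases whose atomic indicators appear in one log record."""
    hits = set()
    for phase, kind, value in INDICATORS:
        if str(record.get(kind, "")).lower() == value.lower():
            hits.add(phase)
    return sorted(hits)

def detect_staging(records, min_files=3, min_mb=1024):
    """Behavioural check modelled on the incident: several large archive files
    written to one directory by one account, whatever the files are named."""
    counts = defaultdict(int)
    for r in records:
        name = str(r.get("file_name", "")).lower()
        if name.endswith((".7z", ".zip", ".rar")) and r.get("size_mb", 0) >= min_mb:
            directory = name.rsplit("\\", 1)[0]
            counts[(r["host"], directory, r["user"])] += 1
    return {key: n for key, n in counts.items() if n >= min_files}

# Constructed log records standing in for mail gateway, EDR and file audit logs.
LOGS = [
    {"host": "mail01", "user": "-", "sender_domain": "example-phish.invalid"},
    {"host": "ctx01", "user": "jdoe", "dst_ip": "198.51.100.23"},
    {"host": "srv07", "user": "jdoe", "file_name": r"C:\Windows\Temp\svchost32.exe"},
    {"host": "srv07", "user": "jdoe", "file_name": r"D:\staging\backup01.7z", "size_mb": 8200},
    {"host": "srv07", "user": "jdoe", "file_name": r"D:\staging\backup02.7z", "size_mb": 8200},
    {"host": "srv07", "user": "jdoe", "file_name": r"D:\staging\backup03.7z", "size_mb": 8200},
    {"host": "srv07", "user": "jdoe", "file_name": r"D:\staging\notes.txt", "size_mb": 1},
]

def triage(records):
    """Map each record to its kill chain phases and add the staging detections."""
    atomic = [(r["host"], match_indicators(r)) for r in records if match_indicators(r)]
    return {"atomic": atomic, "staging": detect_staging(records)}

if __name__ == "__main__":
    for host, phases in triage(LOGS)["atomic"]:
        print(host, "->", ", ".join(phases))
    print(triage(LOGS)["staging"])
```

Only the first archive name is in the indicator table, yet the staging rule flags all three, which is the point of pairing atomic indicators with a behavioural check.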
Drop us a note. Join us now.
Until next time, have a great week!