Saturday, November 24, 2012

Red Sky Weekly - Anatomy of an Attack

Thanksgiving and Black Friday mark the start of the holiday season, bringing not only scrums for $97 televisions at Walmart, but also exponential increases in online activity. During the next several weeks, lasting until roughly the second week in January, more retail dollars will flow than at any other time of the year. What does this mean to you? When Willie Sutton was asked why he robbed banks, he reportedly answered, “That’s where the money is.” Why will hackers be out in force? Because now is when the money flows.

What do these attacks look like? This week, a report detailing an incident at a state government victim was posted (leaked?) to the Internet. While there is no evidence (that I can see) of APT activity (bad guys paid by a government to steal information), this is clearly a targeted event carried out with purpose over the course of several weeks using multiple accesses ranging from backdoors to legitimate (but stolen) credentialed accounts. The organization owning the victim network moves a lot of money, and is responsible for protecting privacy information for millions of people.

In this case, the victim had been notified by a law enforcement agency that the privacy information (PII) of at least three people had been identified as stolen (this is probably the most common way breaches like this are discovered: someone else usually tells the victim). A consultant was called in to identify the extent of the losses, figure out whether the intrusion was ongoing, and create remediation plans.

According to the report, the attack went something like this:

  1. The initial attack vector was confirmed as phishing emails, delivered on August 13, 2012. At least one user clicked, compromising the network and, most likely, yielding the first captured credentials.
  2. Fourteen days later (8/27), the attacker entered the network, logging into a Citrix server (remote access) using credentials (probably) obtained during the initial August 13th breach.
  3. On the 29th, the attacker reentered the network, releasing tools designed to capture other users’ credentials on six additional servers.
  4. Between September 1st and the 4th, the attacker executed additional tools to capture Windows credentials. Additional tools were used to create ‘backdoor’ capabilities. The attacker then used the new-found bounty to perform reconnaissance on other parts of the network.
  5. After roughly a week, the attacker performed additional reconnaissance on the network, until finally...
  6. Over the course of three days in mid-September, the attacker copied database backup files to a staging area, where they were compressed into 15 encrypted 7-zip files. The files were then moved to another server (presumably the attacker’s own) before being deleted from the staging server.

The attack resulted in compromises of at least 44 systems. (One member claims the cost of fixing each server is roughly $10,000. At that price per machine, this incident cost, at a minimum, $440,000, but likely significantly more. This is a very public breach.)

  • One had a ‘backdoor’ loaded; three had database backups or files stolen
  • One server was used to remove data from the network, but 39 systems were accessed by the attacker during reconnaissance or password captures
  • Roughly 75 GB of data were compressed into fifteen 8.2 GB 7-zip files and (presumably, although not confirmed) removed from the network (we must assume these files contained information related to revenue generation and capture in the state, although the report does not mention losses of any privacy information)
  • Fourteen of the files contained 23 database backups; one contained roughly 1200 files related to the encrypted version of the data encryption key
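The staging step in item 6 and the bullets above leaves a pattern a defender can hunt for in file-audit logs: many large archives appearing in one directory within a few days, then being deleted once they have been moved off. The script below is an added illustration, not part of the report or any Red Sky tooling; the events, host names, paths and thresholds are all constructed assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

ARCHIVE_EXTS = (".7z", ".zip", ".rar")

# Constructed file-audit events (hypothetical hosts and paths, not from the report):
# (timestamp, host, action, path, size_bytes)
EVENTS = [
    ("2012-09-12 01:10", "db-bak-02", "CREATE", r"D:\staging\part01.7z", 8_200_000_000),
    ("2012-09-12 01:40", "db-bak-02", "CREATE", r"D:\staging\part02.7z", 8_200_000_000),
    ("2012-09-12 02:15", "db-bak-02", "CREATE", r"D:\staging\part03.7z", 8_200_000_000),
    ("2012-09-13 00:05", "db-bak-02", "CREATE", r"D:\staging\part04.7z", 8_200_000_000),
    ("2012-09-13 01:30", "db-bak-02", "CREATE", r"D:\staging\part05.7z", 8_200_000_000),
    ("2012-09-14 23:50", "db-bak-02", "DELETE", r"D:\staging\part01.7z", 0),
    ("2012-09-14 23:51", "db-bak-02", "DELETE", r"D:\staging\part02.7z", 0),
    ("2012-09-14 23:52", "db-bak-02", "DELETE", r"D:\staging\part03.7z", 0),
    ("2012-09-14 23:53", "db-bak-02", "DELETE", r"D:\staging\part04.7z", 0),
    ("2012-09-14 23:54", "db-bak-02", "DELETE", r"D:\staging\part05.7z", 0),
    # benign noise: one modest nightly export that is never deleted
    ("2012-09-12 03:00", "files-01", "CREATE", r"E:\exports\daily.zip", 50_000_000),
]

def find_staging(events, min_files=5, min_bytes=20_000_000_000, window=timedelta(days=3)):
    """Flag (host, directory) pairs where many large archives appear within
    `window` and are later deleted: the stage, compress, exfil, wipe pattern."""
    creates = defaultdict(list)  # (host, dir) -> [(time, path, size)]
    deletes = defaultdict(set)   # (host, dir) -> {path}
    for ts, host, action, path, size in events:
        if not path.lower().endswith(ARCHIVE_EXTS):
            continue
        key = (host, ntpath.dirname(path).lower())  # sample uses Windows paths
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if action == "CREATE":
            creates[key].append((when, path, size))
        elif action == "DELETE":
            deletes[key].add(path)
    findings = []
    for key, rows in creates.items():
        rows.sort()
        first = rows[0][0]
        burst = [r for r in rows if r[0] - first <= window]  # creates inside the window
        total = sum(r[2] for r in burst)
        if len(burst) >= min_files and total >= min_bytes:
            wiped = sum(1 for r in burst if r[1] in deletes[key])  # later cleaned up?
            findings.append({"host": key[0], "dir": key[1], "files": len(burst),
                             "bytes": total, "deleted": wiped})
    return findings
```

With the defaults only the staging directory on db-bak-02 is flagged (five archives, 41 GB, all five deleted); the single nightly export stays below both thresholds.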

Over the past months, you’ve read about Fusion Reports. The Fusion Report is a compilation of all information known about the attack, taken from one victim or multiple victims in the Red Sky Alliance, or externally when data is available. The Fusion Report is a two-part report.

Part one is written in prose, intended to show our work and tell the story of the attack(s), much as shown above.

Part two is mitigation. Red Sky analysts author Snort, YARA and similar signatures when we can. Artifacts (file names with full directory structures, including file hash values and other metadata) are included, and “Kill Chain” formatted indicators are presented in a final tabular format. A sample is shown below. The idea is that Alliance members should be able to take information from any of our reports and cut and paste what has been distilled from the reporting into highly actionable information that any member can act on today.

In this case, the kill chain information might look like Table 1 (completely fictitious; please do not attempt to use it):

Table 1: Sample Fusion Report indicator list
So here’s the deal. Remember Willie Sutton? There will be more retail transactions in the next few weeks than at any other time during the year. Retailers will lose money as a result of cyber shenanigans. In addition to retail losses, the added noise on the networks will create opportunities for others to steal information from non-retailers, and to top it off, kids all over the world are home for the holidays, so the kiddie scripters will be active too (they always are over Christmas vacation!). Wouldn’t it be nice to be getting fusion reports, each containing hundreds of indicators from the Alliance, before you are attacked? The only way you can is to join.

Red Sky = private
Corporate members only

Beadwindow = Private | Public
Many of our private corporate members + government members

Drop us a note. Join us now.

Until next time, have a great week!

Monday, November 19, 2012

Academic Services Division

Two items for the blog. First, with Thanksgiving this week I'd like to say thank you to all members of the armed services, both present and past, and to all first responders and people who give their time and effort to keep us safe. Many of us are generally quite comfortable, and it unfortunately takes an event like Sandy to make us realize what these people do for us. Red Sky has a commitment to helping our veterans transition to civilian life by working with any of them who would like to work as data analysts. If your organization can do anything to help, I ask that, as a way of saying thank you, you consider qualified veterans. Red Sky is developing a relationship with the Wounded Warriors Project, but your company should feel free to work with an organization that best suits your needs.

Second, I was reading this week on various sites about the recent Iranian attack on American banks. When the attack was going on I was at a meeting in a bank relating to advanced persistent threats. As I read about the attacks, it seems that it began with hackers getting into the computer network at the University of Michigan's Engineering School (see link below) by using little-used ports.

As the Director of Academic Services, I work with colleges and universities as well as non-profit and government agencies in protecting their networks. Getting into the commercial world through a university highlights that all our networks are intertwined more than we sometimes realize. The openness of academia makes it an ideal place from which to get into other networks.

Red Sky is based on the simple concept that intelligent people working together can achieve more than any one person alone. I invite you to contact me concerning Red Sky's Beadwindow to discuss our common areas of interest and better protect all our networks.

Dave Chauvette

University Of Michigan and Iranian Cyber Attack