Security researcher shares blow-by-blow account of advanced persistent threat
- 30 October, 2012 18:35
Hackers are brazenly infiltrating corporate networks to steal valuable data for purposes of sharing it with other companies or nation-states -- and they're getting away with it, say security researchers sharing war stories at the Hacker Halted conference in Miami this week.
"Unfortunately, IDS [intrusion-detection systems] didn't detect them," said Gianni Gnesa, security researcher at Ptrace Security, based in Switzerland, who described a recent attack on a Swiss firm to steal important data.
It started by targeting an employee after he had placed an inquiry on Craigslist related to furniture. The email he got back redirected him to a dynamic-exploit delivery page created by an attacker, which successfully exploited Windows Internet Explorer on his Windows 7 machine to compromise it. This MS12-037 exploit, though not a zero-day attack then, did not have a patch available for it at the time, Gnesa said.
Once into the compromised employee machine, the attacker used a collection of tools and a sniffer to look for where valuable content might be stored in the Swiss company's network. Though he found an application server, he couldn't get into it. But the attacker did break into the network printer, a Toshiba, and went on to check for passwords. "The administration password was in the HTML code," said Gnesa. "And unfortunately, that password was also used on another machine."
Eventually the attacker made his way to documents, diagrams and other valuable intellectual property stored on a Linux file server. Although the server itself was well-kept in terms of security, its backup server was not, and by using what Gnesa referred to as the phpMyAdmin 3.4.1 swekey RCE exploit, the attacker got a remote shell on the backup server. With yet another trick, the Linux 2.6.x umount exploit, he got a root shell and had access to every file and directory, said Gnesa.
The attacker was interested in extracting large volumes of sensitive data, which he did, sending it encrypted to a compromised host in Malaysia, said Gnesa. The Swiss firm found out something was amiss after the attacker brazenly attempted to send money into a foreign bank account based on signatures and documents he had stolen. But the Swiss bank thought the requested funds transfer to be suspicious and notified the victim's firm. At that point, Ptrace was brought in to pull together a forensics analysis of what had happened.
Gnesa said he thinks the attack took about two weeks to carry out in full -- but it took a month and a half to really understand the details of it.
The main countermeasure he could recommend to try to prevent this type of stealthy attack and the theft of data is to use security information and event management (SIEM) tools -- such as HP ArcSight, Novell Sentinel, Tripwire Log Center and Splunk, among others -- to get a view of unusual traffic. Staff training to understand the nature of targeted attacks would also help.
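As an added example (not from the article or from Ptrace Security), here is the kind of "unusual traffic" check a SIEM rule would run over flow records: it sums each internal host's egress to external addresses, baselines it against the peer median, and flags a host that, like the compromised workstation described above, pushes far more data outward than its peers. The address range, hosts and byte counts are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed flow log: (src, dst, dst_port, bytes_out). One workstation
# sends far more data to a single external host than anyone else does.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.5.9", 445, 2_400_000),       # internal file share, ignored
    ("10.0.1.20", "203.0.113.7", 443, 812_000_000),  # large encrypted egress
    ("10.0.1.21", "198.51.100.3", 443, 3_100_000),
    ("10.0.1.22", "198.51.100.3", 443, 2_700_000),
    ("10.0.1.23", "198.51.100.8", 80, 1_900_000),
    ("10.0.1.24", "198.51.100.3", 443, 2_200_000),
]


def egress_by_source(flows, internal=INTERNAL):
    """Sum bytes each internal host sends to non-internal destinations."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if ip_address(src) in internal and ip_address(dst) not in internal:
            totals[src] += nbytes
    return dict(totals)


def flag_egress_outliers(flows, factor=10, internal=INTERNAL):
    """Return hosts whose external egress exceeds `factor` x the peer median.

    The median is used as the baseline because a single exfiltrating host
    cannot drag it upward the way it would a mean. Returns {host: (bytes, ratio)}.
    """
    totals = egress_by_source(flows, internal)
    if len(totals) < 3:
        return {}  # too few peers for a meaningful baseline
    baseline = median(totals.values())
    return {
        host: (nbytes, round(nbytes / baseline, 1))
        for host, nbytes in totals.items()
        if nbytes > factor * baseline
    }


if __name__ == "__main__":
    for host, (nbytes, ratio) in flag_egress_outliers(SAMPLE_FLOWS).items():
        print(f"{host}: {nbytes / 1e6:.0f} MB egress, {ratio}x peer median")
```

In practice the baseline would be computed per host over a rolling window of its own history as well as against peers, so a server that legitimately pushes backups offsite is not flagged every night.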
"If an attacker wants to get inside your network, he will," said Gnesa. "The only thing you can do is make it harder for him."
He said after the Swiss firm completed its investigation into the attack, the company made changes, such as adding an individual responsible for security, and prohibiting use of social networks, plus changing the network topology.
This type of stealthy attack to steal important documents and information is often carried out to provide this data to industry competitors or nation-states. The attacks have come to be known as "advanced persistent threats" (APT) and other security experts speaking at the Hacker Halted conference said they see evidence of them all the time.
"I have never walked into a network that wasn't already owned," said Matt Watchinski, vice president of vulnerability research at Sourcefire, who also gave a presentation at Hacker Halted. "The real question is -- how long were you owned?"
He said a common pattern is that the IT security people fighting these APTs, which today often get blamed on Chinese attackers, go to their boss and say, "Yes, we got rid of the Chinese." But you didn't; they're back.
He said one company he knows has had hundreds of PDF-embedded Flash zero-day exploits sent to the company's corporate email over and over again in phishing attacks, and about once a week one would get into the network.
Considering that Flash zero-day exploits are being sold for up to $250,000 each, Watchinski said it's easy to look at these particular zero-day PDF attacks and think "this guy blew through $5 million." Eventually the attacker stopped sending his PDF Flash zero-day exploits, and "he moved on to someone else in the industry."
He said he hopes that companies share their experiences on these attacks because it could likely help combat the situation.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: firstname.lastname@example.org.