Advertisement
<a href="http://krebsonsecurity.com/chasing-apt-persistence-pays-off/?administer_redirect_13=http://abaca.com/free_trial.html"><img src="/a-ab/missing.gif" /></a>
  • About the Author
  • About this Blog

    • Posts Tagged: advanced persistent threat

    A Little Sunshine / The Coming Storm30 Comments
    27
    Oct 11

    Chasing APT: Persistence Pays Off

    The IT director for an international hedge fund received the bad news in a phone call from a stranger: Chinese hackers were running amok on the fund’s network. Not seeing evidence of the claimed intrusion, and unsure about the credibility of the caller, the IT director fired off an email to a reporter.

    “So do you think this is legit, or is the guy trying to scare us?” the IT director asked in an email to KrebsOnSecurity.com, agreeing to discuss the incident if he and his company were not named. “He has sent me the logs for the connections to the infected server. I checked the firewall and am not seeing any active connections.”

    The call, from Hermes Bojaxhi of Columbia, Md. based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), was indeed legit, and a follow-up investigation by the hedge fund revealed that at least 15 PCs within the financial services company were compromised and were sending proprietary information to the attackers.

    CyberESI knew about the incident because it was monitoring several hacked, legitimate servers that the attackers were using to siphon data from multiple victims. Bojaxhi said the hedge fund notification was one of several he made that week to Fortune 500 companies that also had been hacked and were communicating with the same compromised servers.

    And it wasn’t his first call to the hedge fund.

    “On that particular victim, I tried to reach out to them a month prior, but I was handed off to an administrative assistant,” Bojaxhi said. “We had 25 [victim organizations] to call that day. But when they popped back up on the radar a month later, I tried again.”

    The hedge fund incident illustrates the complexities of defending against and detecting targeted attacks, even when victims are alerted to the problem by an outside party.

    Joe Drissel, founder and CEO for CyberESI, said too many companies think of cyberattacks as automated threats that can be blocked with the proper mix of hardware and software.

    “So many firms are stuck in a paradigm of drive-bys, not targeted attacks,” Drissel said. “There seems to be a real disconnect with what’s really happening on a daily basis. We’re trying to fight an asymmetrical war in a symmetrical way, sort of like we’re British soldiers [in Revolutionary War], all walking in line and they’re picking us off one by one. By the time we turn around and aim, they’re already gone.”

    None of the first three Trojans installed on the hedge fund’s computers were initially detected by any of the 42 anti-virus products bundled into the scanning tools at Virustotal.com.

    Drissel said victims that his company notifies sometimes mistakenly think his firm is involved in the attack, or that they’re somehow joking.

    “One guy laughed and said, ‘Thank you for watching out for our company,’ but he didn’t call us back,” Drissel said of a conversation with a victim earlier this year, declining to name the victim. “We watched [the attackers] exfiltrate weapons systems data for the Defense Department out of their systems, and ended up having to text the same guy a file stolen off their servers. Fifteen minutes later, we got a call back from him, and they unplugged their entire corporate network.”

    Some say that the attacks CyberESI notifies companies about — often referred to as the advanced persistent threat (APT) –  are over-hyped, and that the malware and exploits used in these incursions usually aren’t that sophisticated. APT attacks also are frequently associated with targets in the U.S. government and companies in the defense industry.

    But most APT attackers tend to be only as sophisticated as they need to be, which often isn’t too sophisticated, said Gavin Reid, senior manager of Cisco’s computer security incident response team. Speaking at a conference in Warsaw, Poland this week, Reid said successful APT attacks need not use zero-day software flaws.

    “People will say, ‘Well, this attack wasn’t very advanced, so it can’t be APT’, but I will tell you the folks who are behind some of this stuff are not going to use cool zero-day stuff if they can go in the underground economy and say, ‘Hey, I need [access to] an infected machine in this organization,’ and pay $50 in Paypal in order to get that,” Reid said.

    Continue reading →

    A Little Sunshine / The Coming Storm94 Comments
    24
    Oct 11

    Who Else Was Hit by the RSA Attackers?

    The data breach disclosed in March by security firm RSA received worldwide attention because it highlighted the challenges that organizations face in detecting and blocking intrusions from targeted cyber attacks. The subtext of the story was that if this could happen to one of the largest and most integral security firms, what hope was there for organizations that aren’t focused on security?

    Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. But so far, no one has been willing to talk publicly about which other companies may have been hit.  Today’s post features a never-before-published list of those victim organizations. The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

    Since the RSA incident was disclosed, lawmakers in the U.S. Congress have taken a renewed interest in so-called “advanced persistent threat” or APT attacks. Some of the industry’s top security experts have been summoned to Capitol Hill to brief lawmakers and staff about the extent of the damage. The information below was shared with congressional staff.

    Below is a list of companies whose networks were shown to have been phoning home to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010.

    A few caveats are in order here. First, many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit. Second, it is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims. Finally, some of these organizations (there are several antivirus firms mentioned  below) may be represented because they  intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

    Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwabb & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, Motorola Inc., Northrop Grumman, Novell, Perot Systems, PriceWaterhouseCoopers LLP, Research in Motion (RIM) Ltd., Seagate Technology, Thomson Financial, Unisys Corp., USAA, Verisign, VMWare, Wachovia Corp., and Wells Fargo & Co.

    At the end of the victim list is a pie chart that shows the geographic distribution of the command and control networks used to coordinate the attacks. The chart indicates that the overwhelming majority of the C&Cs are located in or around Beijing, China.

    302-DIRECT-MEDIA-ASN
    8e6 Technologies, Inc.
    AAPT AAPT Limited
    ABBOTT Abbot Labs
    ABOVENET-CUSTOMER – Abovenet Communications, Inc
    ACCNETWORKS – Advanced Computer Connections
    ACEDATACENTERS-AS-1 – Ace Data Centers, Inc.
    ACSEAST – ACS Inc.
    ACS-INTERNET – Affiliated Computer Services
    ACS-INTERNET – Armstrong Cable Services
    ADELPHIA-AS – Road Runner HoldCo LLC
    Administracion Nacional de Telecomunicaciones
    AERO-NET – The Aerospace Corporation
    AHP – WYETH-AYERST/AMERICAN HOME PRODUCTS
    AIRLOGIC – Digital Magicians, Inc.
    AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
    AIS-WEST – American Internet Services, LLC.
    AKADO-STOLITSA-AS _AKADO-Stolitsa_ JSC
    ALCANET Corporate ALCANET Access
    ALCANET-DE-AS Alcanet International Deutschland GmbH
    ALCATEL-NA – Alcanet International NA
    ALCHEMYNET – Alchemy Communications, Inc.
    Alestra, S. de R.L. de C.V.
    ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd.,Alliance Gateway AS,Broadband Services Provider,Kolkata,India
    ALMAZAYA Almazaya gateway L.L.C
    AMAZON-AES – Amazon.com, Inc.
    AMERITECH-AS – AT&T Services, Inc.
    AMNET-AU-AP Amnet IT Services Pty Ltd
    ANITEX-AS Anitex Autonomus System
    AOL-ATDN – AOL Transit Data Network
    API-DIGITAL – API Digital Communications Group, LLC
    APOLLO-AS LATTELEKOM-APOLLO
    APOLLO-GROUP-INC – University of Phoenix
    APT-AP AS
    ARLINGTONVA – Arlington County Government

    Continue reading →

    A Little Sunshine / The Coming Storm21 Comments
    3
    May 11

    Advanced Persistent Tweets: Zero-Day in 140 Characters

    The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from businesses and the U.S. government often are described as being ultra-sophisticated, almost ninja-like in stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — the Chinese developers of those attack tools left clues aplenty about their identities and locations, with one apparent contender even Tweeting about having newly discovered a vulnerability days in advance of its use in the wild.

    Zero-day threats are attacks which exploit security vulnerabilities that a software vendor learns about at the same time as the general public  does;   The vendor has “zero days” to fix the flaw before it gets exploited. RSA and others have labeled recent zero-day attacks as the epitome of the so-called “advanced persistent threat” (APT), a controversial term describing the daily onslaught of digital assaults launched by attackers who are considered highly-skilled, determined and possessed of a long-term perspective on their mission. Because these attacks often result in the theft of sensitive and proprietary information from the government and private industry, the details usually are shrouded in secrecy when law enforcement and national security investigators swoop in.

    Open source information available about the tools used in recent attacks labeled APT indicates that some of the actors involved are doing little to cover their tracks: Not only are they potentially identifiable, they don’t seem particularly concerned about suffering any consequences from their actions.

    Bragging rights may play a part in the attackers’  lack of duplicity. On Apr. 11, 2011, security experts began publishing information about a new zero-day attack that exploited a previously unknown vulnerability in Adobe‘s Flash Player software, a browser plug-in installed in 96 percent of the world’s Microsoft Windows PCs .  The exploit code was hidden inside a Microsoft Word document titled “Disentangling Industrial Policy and Competition Policy.doc,” and reportedly was emailed to an unknown number of U.S. government employees and contractors.

    Four days earlier, on Apr. 7, an individual on Twitter calling himself “Yuange” and adopting the humble motto “No. 1 hacker in China top hacker in the world,” tweeted a small snippet of exploit code, apparently to signal that he had advance knowledge of the attack:

    call [0x1111110+0x08].

    It wasn’t long before malware researchers were extracting that exact string from the innards of a Flash exploit that was landing in email inboxes around the globe.

    Tweeting a key snippet of code hidden in a zero-day exploit in advance of its public release may seem like the hacker equivalent of Babe Ruth pointing to the cheap seats right before nailing a home run. But investigators say the Chinese Internet address used to download the malicious files in the early hours of the April Flash zero-day attacks — 123.123.123.123 — was in some ways bolder than most because that address  would appear highly unusual and memorable to any reasonably vigilant network administrator.

    This wasn’t the first time Yuange had bragged about advance knowledge of impending zero-day attacks. On Oct. 27, 2010, he boasted of authoring a zero-day exploit targeting a previously unknown vulnerability in Mozilla’s Firefox Web browser:

    Wrote the firefox 0day. You may see “for(inx=0′inx<0×8964;inx++). You should know why 0×8964 here.

    That same day, experts discovered that the Web site for the Nobel Peace Prize was serving up malicious software that exploited a new vulnerability in Firefox. An analysis of the attack code published by a member of Mozilla’s security team revealed the exact code snippet Yuange had tweeted.

    On February 28, 2011, Yuange taunted on Twitter that new zero-day traps were being set:

    ready? new flash 0day is on the way.

    On Mar. 14, Adobe acknowledged that a new Flash flaw was being exploited via a booby-trapped Flash component tucked inside of Microsoft Excel files. Three days after that, EMC’s security division RSA dropped a bombshell: Secret files related to its widely used SecurID authentication tokens had been stolen in “an extremely sophisticated cyber attack.” A follow-up blog post from RSA’s Uri River two weeks later stated that the break-in was precipitated by the zero-day Adobe had warned about on Mar. 14, and that the lure used in the attack on RSA was an Excel file named “2011 Recruitment Plan.”

    Continue reading →

    Other18 Comments
    28
    Jul 10

    Hacked Companies Hit by the Obvious in 2009

    As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the Verizon Business RISK team, which is consistently so chock full of hype-slaying useful data and conclusions that it is often hard to know what not to write about from its contents.

    Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out of the way first:

    -Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs.  285 million in 2008).

    -85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).

    -94 percent of compromised records were the result of breaches at companies in the financial services industry.

    -45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

    Among the most counter-intuitive findings in the report?

    There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like SQL database injection attacks, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:

    “Organizations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

    Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled “Of Needles and Haystacks,” which states that 86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers.

    Continue reading →