Anatomy of a Spear Phishing Attack

Most large organizations employ an impressive technological arsenal of perimeter and internal technical security controls.  From IDS and application firewalls to web content scanning and endpoint antivirus, the typical CSO or IS management team typically feels they have positioned the company to effectively detect and respond to attack.

No matter the degree of sophistication employed in an organization’s security program, there often remains one significant vulnerability that is completely neglected – the people and processes that are behind each system.  A lack of education, policy, or procedure can lead to devastating compromise via the actions of a single unwitting employee.

Critical Assets was recently asked to respond to an incident at a leading online services company where a series of targeted messages led to total compromise of a company’s production servers.  Along with root access to these servers, illicitly obtained data included primary intellectual property (product source code), firewall configuration files, SSL keys, and the organizations entire credit card database.  The company utilized state-of-the-art security devices and employed talented staff -- How could a simple email result in such catastrophic intrusion?

Two email messages were sent to separate organizations within the company.  The first was targeted at product developers -- those who created and maintained the company’s products. As is true with many technology product companies, the developers were afforded a certain amount of latitude with respect to implementing company-required security controls.  The second email was focused on the company’s social media outlet (a large number of corporate bloggers.)

The BLOG-O-SPEAR
The message received by the bloggers was relatively sophisticated in that it contained corporate branding (logos, look-and-feel), and used the name of a real employee – the “chief blogger” as it were.  It took advantage of a recent post indicating that the company had moved to a new blog platform, and solicited employees to provide feedback on some new features by clicking on a hyperlink.  Both the linked site and the return address of the “real” employee used a simple variant of the company’s actual domain name.  Note all images shown have been redacted, and the company logos have been changed where appropriate.

The site itself was an insecure replica of the employee portal, which was designed to simply allow input of a user’s credentials, and then immediately reload without dialog or error.


Many users assumed something was wrong with the site, but rather than report the anomaly, they continued to try various combinations of username and password and eventually gave up.


The resulting passwords generated by this incident were used to gain access to the employee portal, which granted full access to the corporate blog, product licensing servers, transactional data, and even remote workstation access.  The blog itself was compromised, the ability to generate license keys for core products was obtained, and other sensitive information was divulged.

C # STICK HEADED STRAIGHT FOR EYE
The message sent to the group of developers was similar in form, but far more insidious in function.

The attackers certainly did their homework -   Like the first message, it utilized corporate look-and-feel and appeared to arrive from the company’s event coordinator.  To pique interest, the email covered a relevant topic (a product development seminar sponsored by another company), and included the enticing prospect of free food and an “Open Bar!” at a local restaurant.  To provide an even greater sense of urgency, the message boldly proclaimed that seating was limited and time was running out!  Fortunately for the intruder, most people have an affinity for both food and happy hour - thus a response was almost guaranteed.

Any respondent was sent to an external website that appeared to require the use of a Java application in order to register for the event.  Though the application was unsigned, several users elected to run it anyway.  Unbeknownst to these employees, execution of the Java application appeared to do nothing at all, but behind the scenes, a “reverse shell” session was made to an external system under control of the attacker.  This session gave the attacker almost total control of a highly privileged developer workstation, and was not detected by internal security controls.  The application was platform-agnostic, and was most effective on OSX and Linux machines – the bulk of the development population.

The remote attacker used this connection to take advantage of lax internal security, often the result of a well-intentioned attempt to facilitate unhindered collaboration and efficient workflow for developers.  Once on the inside, an insecure NFS volume containing developer “home” folders was discovered and scoured for usernames, passwords, configuration files, and other data needed to further penetrate the company’s systems.  Discovered credentials were then used to take advantage of an implicit trust relationship between a single Linux host and every production server.  At that point, the game was over – totally undetected, and all in the space of a few hours.

Remediation of this incident required the realization of a few important factors:

• Employees must be educated on how to recognize spoofed websites and phishing attempts.


• Employees must have a simple, readily available mechanism to report suspected security incidents, and should be incentivized to do so.


• The most robust perimeter security is never a substitute for poor internal security.

 

Breaches of this magnitude make headlines, and have the potential to put a company out of business.  Fortunately, this was a sponsored penetration test conducted by Critical Assets which served to greatly strengthen the company’s overall security posture.  Would your organization pass the test?

Google blames China for phishing attack. China Denies Allegations.

War Games II. This time it's Matthew Broderick against a whole city full of trained Chinese hackers.

 

http://online.wsj.com/article/SB10001424052702304563104576361300123816450.html?mod=WSJ_hp_LEFTTopStories

OWASP San Diego: Jeremiah Grossman To Present on 6/14

The Open Web Application Security Project (OWASP) Chapter in San Diego is holding a meeting to discuss the latest developments in the OWASP organization and new ideas in leading-edge secure web development. Join us in welcoming Jeremiah Grossman to present details of the many notable and new web hacking techniques revealed in 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users. Enjoy Sushi and Sake refreshments from our friends at Whitehat Security as you network with some of the best security auditors, researchers, and developers in the San Diego area. We look forward to seeing you there!

Date: June 14th, 2011
Time: 6:00pm - 8:00pm
Location: 10240 Sorrento Valley Rd
San Diego, California 92121

Please RSVP: rsvp@owasp-sd.org
858-754-9701

About OWASP:
The Open Web Application Security Project (OWASP.ORG) is a non-profit community devoted to improving focus on application security. OWASP continues to grow and deliver exceptional resources to security conscious individuals who are required to make informed decisions about true application security risks. A plethora of funded open-source products, new coding principals that have been adopted by PCI standards, and a unique list of involved security professionals make OWASP an invaluable forum to attend.

RSA: Who is the doctor's doctor?

[caption id="attachment_150" align="alignnone" width="348" caption="Some solid security logic."][/caption]

It's pretty clear at this point that there's a trending of attacks focused on security solution providers. The most recent victim in the post-HBGary landscape is RSA.

A lot of people seem to be talking about what they believe actually happened during the breach. The company has yet to officially comment on the details of the incident and seems to be wordsmithing any communication to the outside world pretty heavily. While I'm sure the technical facts will be interesting, and that they will make their way around the rumor mill eventually, I'd like to talk instead about something that I feel is more important - due and reciprocal care.

The medical industry seems to have this concept pretty well wrapped up. If you ask a psychologist, "who listens to your problems?" they will tell you that their psychologist does. This is because it is considered unprofessional, and in some cases a violation of ethics code to self-diagnose, self-prescribe, and self-medicate. Of course, this begs the question of who treats the psychologist that treated the first psychologist? Well, another psychologist of course. So, theoretically, as long as there are at least 3 physicians in the world who practice psychology, this model will continue to function, and we won't end up with a bunch of mentally disturbed psychologists.

I doubt anyone on the professional services end of the information security industry would argue that there's a shortage of proprietors offering security assessment and remediation. So then why do things like the RSA incident happen? It's because nobody is examining the physician. In fact, I'd be willing to bet that if you took a sample set of posture assessments from top 10 information security product and service vendors, the results of what's already left the building would be staggering. Further, most people close to the steam will tell you that things have not changed dramatically from the days when the entire Solaris source tree was essentially public domain in the hacker underground, and Larry Ellison's personal passwords were in a t-file.

Why? It's simple. Just because your company's primary business is security does not mean that you possess said security. What it does mean, however is that the risk you take is not only limited your standard business risk, but that your reputation is predicated on your ability to protect own your assets in the same manner that you would help the customer protect theirs.

So that you don't think we're calling the kettle black, we have in fact engaged an outside advisor to look at the company footprint, assess security, and make recommendations for remediation. If you're a security vendor, shouldn't you?