No matter the degree of sophistication employed in an organization’s security program, there often remains one significant vulnerability that is completely neglected – the people and processes that are behind each system. A lack of education, policy, or procedure can lead to devastating compromise via the actions of a single unwitting employee.
Critical Assets was recently asked to respond to an incident at a leading online services company where a series of targeted messages led to total compromise of a company’s production servers. Along with root access to these servers, illicitly obtained data included primary intellectual property (product source code), firewall configuration files, SSL keys, and the organizations entire credit card database. The company utilized state-of-the-art security devices and employed talented staff -- How could a simple email result in such catastrophic intrusion?
Two email messages were sent to separate organizations within the company. The first was targeted at product developers -- those who created and maintained the company’s products. As is true with many technology product companies, the developers were afforded a certain amount of latitude with respect to implementing company-required security controls. The second email was focused on the company’s social media outlet (a large number of corporate bloggers.)
The BLOG-O-SPEAR
The message received by the bloggers was relatively sophisticated in that it contained corporate branding (logos, look-and-feel), and used the name of a real employee – the “chief blogger” as it were. It took advantage of a recent post indicating that the company had moved to a new blog platform, and solicited employees to provide feedback on some new features by clicking on a hyperlink. Both the linked site and the return address of the “real” employee used a simple variant of the company’s actual domain name. Note all images shown have been redacted, and the company logos have been changed where appropriate.
The site itself was an insecure replica of the employee portal, which was designed to simply allow input of a user’s credentials, and then immediately reload without dialog or error.
Many users assumed something was wrong with the site, but rather than report the anomaly, they continued to try various combinations of username and password and eventually gave up.
The resulting passwords generated by this incident were used to gain access to the employee portal, which granted full access to the corporate blog, product licensing servers, transactional data, and even remote workstation access. The blog itself was compromised, the ability to generate license keys for core products was obtained, and other sensitive information was divulged.
C # STICK HEADED STRAIGHT FOR EYE
The message sent to the group of developers was similar in form, but far more insidious in function.
The attackers certainly did their homework - Like the first message, it utilized corporate look-and-feel and appeared to arrive from the company’s event coordinator. To pique interest, the email covered a relevant topic (a product development seminar sponsored by another company), and included the enticing prospect of free food and an “Open Bar!” at a local restaurant. To provide an even greater sense of urgency, the message boldly proclaimed that seating was limited and time was running out! Fortunately for the intruder, most people have an affinity for both food and happy hour - thus a response was almost guaranteed.
Any respondent was sent to an external website that appeared to require the use of a Java application in order to register for the event. Though the application was unsigned, several users elected to run it anyway. Unbeknownst to these employees, execution of the Java application appeared to do nothing at all, but behind the scenes, a “reverse shell” session was made to an external system under control of the attacker. This session gave the attacker almost total control of a highly privileged developer workstation, and was not detected by internal security controls. The application was platform-agnostic, and was most effective on OSX and Linux machines – the bulk of the development population.
The remote attacker used this connection to take advantage of lax internal security, often the result of a well-intentioned attempt to facilitate unhindered collaboration and efficient workflow for developers. Once on the inside, an insecure NFS volume containing developer “home” folders was discovered and scoured for usernames, passwords, configuration files, and other data needed to further penetrate the company’s systems. Discovered credentials were then used to take advantage of an implicit trust relationship between a single Linux host and every production server. At that point, the game was over – totally undetected, and all in the space of a few hours.
Remediation of this incident required the realization of a few important factors:
- Employees must be educated on how to recognize spoofed websites and phishing attempts.
- Employees must have a simple, readily available mechanism to report suspected security incidents, and should be incentivized to do so.
- The most robust perimeter security is never a substitute for poor internal security.
Breaches of this magnitude make headlines, and have the potential to put a company out of business. Fortunately, this was a sponsored penetration test conducted by Critical Assets which served to greatly strengthen the company’s overall security posture. Would your organization pass the test?
No comments:
Post a Comment