Category: Case Study

Org 6, globally recognised for innovative research, was informed that suspect traffic had been observed communicating with a known command and control node IP address in September 2013.

An investigation into the incident found that in May 2013, a user had conducted a Google search for an updated driver for a specialist piece of software that facilitated console access to devices used in industrial control systems (ICS). The vendor name, type and the keyword ‘driver’, was specified as part of the search query. Given the uniqueness of the requested query, the legitimate vendor’s website was returned and subsequently the link clicked on, to visit the website. The user proceeded to download the required driver, which was delivered as a zip file. Extraction of this file presented a setup executable, which launched a malicious DLL, and wrote multiple DLLs to the users roaming profile, at which point the user’s host became compromised with a remote access trojan (RAT). Once a user’s roaming profile has been infected any subsequent machines logged into are at risk of also becoming infected.

Analysis of the malware found on the user’s host was undertaken to determine its capabilities and to extract any further information that could be used to identify other compromised machines. The malware was created in March 2013 and was capable of validating its persistence, checking for, and injecting further malicious code into web browsers on the machine. Additionally, several new command and control servers were also identified through this process.

Lack of reliable logging meant that it was not possible to determine the impact and whether the attacker had been able to acquire data from other systems on the network. If successful, attacks of this nature that take advantage of trusted relationships, such as vendor and consumer, can promptly and efficiently compromise large portions of a particularly niche industry.

Specific Failures Leading to Compromise

• Insufficient Internal Segregation Between Hosts
• Machines used for ICS also used for day-to-day business
• Lack of logging, either centrally or on individual hosts

ATTACK TIMELINE

• Targeting to Compromise: up to 2 months
• Compromise to Exfiltration: < 1 day
• Compromise to Discovery: up to 4 months
• Compromise to Containment: Discovery + 3 days
• Method of Discovery: External – third-party notification
• Threat Actor: External – assessed to be highly targeted
• Assets Compromised: Internal workstations
• Business Impact: Not possible to ascertain

Org 5 is a mid-sized discount retailer specialising in low cost household items. Over recent times, the company has gone through a period of rapid growth followed by significant resource constraints on its IT department. The IT department attempts to manage this rapid growth and keeps everything up to date as much as possible by contracting with its software providers to manage updates.

Org 5 accepts payment card transactions through its merchant acquiring bank and uses an approved off the shelf point-of-sale application, to handle the processing of payment card data from the till through local gateways at each store to the bank. The POS application is sold and managed by a local UK reseller.

Org 5 received complaints from their customers that fraud was starting to show up on cards after having shopped at Org 5 stores. This was followed by a notice from their banks that Visa and Master Card had identified them as a common point of purchase in payment card fraud.

An investigation was initiated at several of the stores where the customers had shopped with cards that had been identified with fraud. Meanwhile, fraud rates were rapidly increasing and many more complaints were coming in daily with the press wanting to know what had happened. Investigators arrived on-site and found immediately that the POS system was logging customer card data to log files in plain text, a software bug that had been updated and fixed by the POS reseller six months earlier.

Upon further investigation, it was identified that the remote access credentials used by the POS reseller had a very weak password and had been used to log in from an unauthorised location several times in the past three months. An attacker had guessed the password, logged in and found the updated version of the POS software and re-installed the older version that logs payment card data to debug logs. Since the software continued to work as normal, nobody noticed. In fact, there had been several updates in the past six months and every time the reseller dutifully logged in to update the POS software and the attacker then logged in shortly after to collect stolen data and downgrade the software again. Eventually, the attacker evidently decided they had stolen enough card data and were at risk of detection. This lead to them selling the stolen card data on the black market, resulting in fraud alerts.

Specific Failures Leading to Compromise

• Poor remote access controls
• No integrity checking on critical software

ATTACK TIMELINE

• Targeting to Compromise: 8 days (evidence in logs showed persistent password guessing)
• Compromise to Exfiltration: 6 hours
• Compromise to Discovery: 3 months
• Compromise to Containment: 3 months + 1 day
• Method of Discovery: External – third-party notification due to fraud
• Threat Actor: External – targeted organised crime
• Assets Compromised: Point of Sale Gateway (remote access), Point of Sale Terminals (POS software + Logs)

Org 10 is a large multi-national financial services provider. Org 10 began receiving notifications from various customers regarding phishing emails that appeared to originate from its mail server and resulted in customer’s computer systems becoming infected and their customers losing their money through fraud. The phishing emails contained an attachment that was identified as a malicious trojan by antivirus (AV) software running on some of the customer systems. Org5 initiated an investigation.

The emails were examined and, although they looked and felt like an email from Org 10, examination of the mail headers showed that they were an imitation that had been sent from a compromised third party mail server. Targeting of Org 10’s customers is believed to have occurred as the result of a web application vulnerability on their website that allowed attackers to derive all of their customer’s email addresses.

The email attachment was a file named “Statement_Jan_2015.zip”. The zip file contained a malicious executable named “Statement_Jan_2015.exe”. The email evoked emotion as a distraction by claiming to report a large overdraft on the owner’s account.

The attached malware was consistent with the Zeus family of Trojans and had the ability to steal personal data from affected systems. The type of collected data can include banking information, login credentials, or any other information of interest to the attacker. Once installed on the infected system, the malware connects to command and control servers or malicious sites to download additional malware, and upload collected data.

The malware gained persistence on the infected machines and extracted personal data as well as initiating transfers from the user’s bank accounts to accounts controlled by the malware authors. Org 10 found that, although anti-virus products update regularly to detect the malware variants, the authors change the malware so often that their customers continue to become re-infected on a regular basis.

Specific Failures Leading to Compromise

• Web application vulnerability allowing usernames to be derived
• Insufficient communication with customers indicating that attachments are never sent

ATTACK TIMELINE

• Targeting to Compromise: Hours (dependant on opening and executing email)
• Compromise to Exfiltration: 1 Day
• Compromise to Discovery: 1 Day
• Compromise to Containment: 10 Days
• Method of Discovery: External – Customer identified that money has left their account
• Threat Actor: External – targeted
• Assets Compromised: End User System, Org 10 Financial customer authentication credentials
• Business Impact: Medium – customers defrauded which Org5 had to recompense for

Org 9 is a multi-national Japanese manufacturing robotics company headquartered in Japan with European operations. Org 9 designs and manufactures robotics used in fabrication and manufacturing facilities throughout the world from automotive production lines to the assembly of micro-electronics.

The UK branch of Org 9 received a notification from its Japanese IT security team that a user had reported a suspicious incident. The incident consisted of emails received from two UK employees, a high level engineer and sales person who were long standing and trusted employees. The recipients were chief design engineers and executives located in Japan.

The suspected emails contained a malicious executable. Since the email was sent internally from employee to employee, the email had not traversed normal email spam filtering which blocks encrypted executable files. When queried regarding the emails, the two employees stated they had not sent the emails which raised suspicion of a suspected compromise of the user’s credentials, laptops or the Org 9 UK corporate infrastructure and exchange environment.

An investigation was carried out on the user laptops, which did not identify any malware or evidence that the emails had been sent from the user’s laptops. Upon examination of the email headers and Exchange Server logs, it was determined that the emails had originated from Outlook Web Access (OWA) sessions which allows users to log on and send emails directly from the internet.

The user’s accounts did not show high levels of failed password attempts and their passwords were complex and regularly changed. However, upon examination of email logs, it was noted that the two users had logged on to OWA from the same source once week prior to the incident when both employees attended a trade show in Belgium where Org 9 was an exhibitor. Examination of the users’ internet cache revealed a fake OWA page that was made to represent the OWA login page. Further analysis indicated that the two laptops authenticated to a wireless access point whilst attending the event that matched the network name, but did not have a hardware (BSSID) address that matched any wireless access points at the event premises. It was subsequently determined that a fake wireless access point had been operating near the Org 9 stand at the event which intercepted requests to the Org 9 domain and redirected to a fake Org 9 OWA page in order to steal user’s credentials and conduct further targeted social engineering attacks against Org 9 employees in the Japanese headquarters.

Specific Failures Leading to Compromise

• User awareness training of phishing attacks and use of trusted networks only
• Lack of two factor authentication

ATTACK TIMELINE

• Targeting to Compromise: Days (Exact time to plan targeting unknown)
• Compromise to Exfiltration: 7 Days
• Compromise to Discovery: 8 Days
• Compromise to Containment: 8 Days
• Method of Discovery: Internal – employee reported incident
• Threat Actor: External – highly targeted
• Assets Compromised: UK employees email comms, Japanese employees’ workstations
• Business Impact: Low – Mail from phished employees compromised but incident caught early

Org2 is a specialist technology company based in the UK. The Org2 IT security operations team responded to an alert from its corporate anti-virus provider that a copy of password stealing malware had been found on three of its domain controllers. This was a serious incident and an investigation was immediately launched.

The investigation found that a regular user had opened a phishing email that contained a link to a malicious site. Examination of the payload found that it hosted an exploit for what was, at the time, a novel remote code execution vulnerability (0-day) in Adobe Flash.

The payload dropped by the exploit had gained high privileges on the user’s machine and disabled antivirus, which is a common technique used by malware. The disabled antivirus was flagged by the centralised AV monitoring in Org2 and so a support call was automatically placed. The administrator had then logged into the machine to understand why the AV was not functioning whereby their domain credentials were stolen.

The attacker had then attacked the internal network, including the domain controllers using the stolen credentials. As part of their attacks they had installed credential stealing malware on the domain controllers and gained large numbers of plaintext credentials.

Although a patch from Adobe was relatively quick to be published, Org2 had a period of exposure were there were no patches available and managed this through user awareness, stripping links from email and ceasing the practice of logging onto user systems with domain credentials.

Specific Failures Leading to Compromise

• Flash installed on user PC with no business case for its use
• Administrator interacting with a suspect machine whilst using a domain account
• Users insufficiently aware of risks of links in emails

ATTACK TIMELINE

• Targeting to Compromise: 6 weeks (from domain registration & setup)
• Compromise to Exfiltration: 4 days
• Compromise to Discovery: 4 days
• Compromise to Containment: 9 days
• Method of Discovery: Internal – AV triggering on malware found on DCs
• Threat Actor: External – highly targeted
• Assets Compromised: End user system, Domain Credentials, Domain Controllers
• Business Impact: High – IP Informational assets stolen