The 2014–2015 Anthem Blue Cross and Blue Shield Break-In Case Study
Anthem has stated that their systems were entered into during December 2014–January 2015. Anthem is an insurance company. It has 12 State Blue Cross and Blue Shield Healthcare Insurance Companies, and a Life Insurance Company and a number of Affiliated Companies. It seems clear, however, that this unauthorized entry occurred between January 2014 and April 2014 (Brian Krebs, Krebs on Security Blog, February 9, 2015). We believe that the attackers are based in Shanghai, China, and are loosely aligned with the Chinese military. They have a mature set of tools, are exceptionally skilled, and intend to gain a persistent, long-term presence in the systems that they enter. It is not yet clear what they intend to do with this presence, what information they have downloaded, what they will do within the Anthem systems, or what they will do to the various health-care providers that have “trusted connections” with the Anthem systems, be they businesses, customers, hospitals, drug companies, pharmacies, medical practitioners, or other insurance companies (including the U.S. government Medicare/Medicaid system). However, the combined vulnerability of these entities is clear.
Such hacking groups, variously identified as “Deep Panda” and variations on that name, must be self-financed. Their source of income for supporting their operation comes from the sites that they attack. Thus, they offer for sale on the anonymous sites of the “dark web” bundles of between 2,000 and 10,000 IDs, including social security numbers, wage information, and location information. For example, the Anthem customer file contained 78.8 million customer records, which can be sold to middlemen on the dark web at $50 apiece ($4 billion in total) and then resold by those middlemen to criminal groups and individuals at a standard price of $350 for each ID.
The criminals who purchase and use these stolen IDs only have the resources to purchase this valuable information in small bundles, usually no more than 2,000–10,000 IDs at a time. They quickly use them and resell them to other groups to reclaim their original investment. The stolen Anthem customer IDs originally placed on the dark web can be sold repeatedly over time, whether piecemeal or in bulk, for use in acquiring passports and credit cards and performing banking fraud.
Since the Anthem break-in is such a clear-cut example, we will step through the process in sequential sections, illustrating at each step the tools and techniques that were almost certainly employed. We begin with the reconnaissance phase, possibly the most important step. Then, we address the capture of an Anthem technician’s identity and how, subsequently, a hacker gained entry by posing as that authorized system technician or system user.
We then discuss how the intruders scanned Anthem’s networks, systems, servers, and databases; strategically placed malware at carefully selected locations in the system; performed the initial extraction of information, downloading it across the Internet to selected web locations; and then continued to withdraw from Anthem’s systems.
Then, we examine the hackers’ periodic reentry of the system to establish a persistent presence, test new variations of their malware, and eventually perform their intended actions. And finally, we examine the spread of the attack across the trusted connections to the rest of the health-care industry, and we speculate on the purposes of such a widespread presence.
The first step in research is exploration: the discovery of the layout of the operation to be attacked. Nation-state hacking groups are distant and thus have two sources. First, there is an array of social-media sites to be searched for Anthem-based employees including LinkedIn, Facebook, and many others, which provide employee-identifying information and activity descriptions as well as employment information, telephone numbers, and most of all, e-mail addresses—which are all-important to the hackers.
However, the specific identities that the hackers wish to acquire are those with special access privileges. Once these are acquired, a quick entry, placement, and download can be efficiently conducted without detection. This indicates that the best target was the technicians that support Anthem’s computer applications, systems, and data centers.
How does one best discover these addresses? The simplest approach is to hire someone to gain employment in (or at least gain entry to) Anthem buildings and acquire an Anthem telephone book. All companies have these for easy discovery of internal telephone, mail, and location information. Even organization charts are frequently provided as an additional benefit. Where this information is not provided in book form, there is generally an easily accessible computerized file of such information available online to most employees. This file or book is valuable for understanding who is who in the company, where they are located, and in what organization they reside. Most important to the hackers is accessibility to entry-level employees, as well as contract employees who might be also be accessed.
Step 2: Picking the Right Target and Spear Phishing Them
The goal of the hacker is to “become” the target technician. To this end, they want to observe all the keystrokes that the technician initiates, the technician’s keyed-in password and identification information, the systems that the technician can access, and the locations of applications, services, and databases across the Anthem site. The hacker seeks all the passwords and special-access information that the technician normally uses to gain entry to these systems.
Two basic techniques are employed to acquire the targeted technician’s credentials, access the systems that he or she can access, and further access information and passwords. Those techniques are spear phishing and the use of attractive waterholes.
With spear phishing, the attacker sends an e-mail to the identified technician with a clickable URL identified for response. An example might be an e-mail purportedly from a supervisor asking for next week’s schedule for the technician or the unit, the application patches, or some routine process. The technician clicks on the URL, which triggers the downloading of a keystroke-logging software, quite frequently the software package ScanBox, and sends a benign message to the supervisor, which is usually ignored. From then on, the hackers see everything the technician sees and everything the technician types, including passwords, IDs, system numbers, and database names and locations.
The other approach used to capture credentials is to create an attractive nuisance: a waterhole. In the animal world, instead of chasing prey, the smart predators hang around waterholes and wait for their prey to come to them. Similarly, malware can be placed on a website that contains information that the technician might find useful. Then, that site is advertised to the technician, and the technician may connect and find useful information that contains a link to the hidden ScanBox key logging software; this link causes it to be downloaded, installed, and executed on the technician’s computer. From then on, every keystroke that the technician makes and every screen displayed on the technician’s screen are transmitted to the hackers. This allows the hackers to see the credentials, passwords, and IDs that the technician uses; all the systems, networks, applications, and databases that the technician is accessing; where they are all located; and what is required to access them.
If the technician works an 8 am–5 pm shift, the attacker will usually enter on the least active shift, usually between midnight and 5 am. And if the attacker is in China, that time is comfortably in the afternoon for them.
The purpose of this initial entry is to place special undetectable software on principal systems, with Trojan. Derusbi and backdoor L-traps being the most commonly placed malware. Usually, these are encrypted so that they are unlikely to match the signatures of malware for which the scanners and monitors will be looking during their searches. Triggers can also be placed in the software of application systems or even in the operating systems (with Linux, UNIX, and Windows being most vulnerable) and database management systems, such as Oracle, that the target enterprise might employ.
The next step is to traverse the connecting network to create a map of the location on the internal Anthem network where the systems are located, determine what other sites exist, and find out how they might each be accessed. Then, the user and system password files are located and transmitted to the hacking group, either directly to China or to an intermediate site on the dark web.
Cleanup is the last step. Since all traffic against any system and its database is logged on a log tape/data set, a before, after, and transaction detail is created for each access. The attacker must employ specialized software to read these log tapes, clean them of any evidence, and restore their timing and appearance as they were before the entry occurred. Frequently, malware might also be placed in that log system for future use to ensure anonymity.
Next Steps to Establish an Undetectable Anonymous Persistent Presence
RSA research published an in-depth report on a commercial virtual private network (VPN), originating in China, which is called the Terracotta VPN. Frequently, the hackers will employ their special Terracotta VPN to enter the target site so they look like regular off-site users accessing the systems. Others continue to enter using the stolen technician’s ID credentials and password.
Password Decryption Process and Equipment
Once the password files are downloaded, they must be decrypted. Although the files contain thousands of user passwords, the attackers only need to decrypt an initial working set, so brute-force techniques are employed. Although they can use many tools, a currently popular approach is to employ one of Jamey Gosley’s decryption machines, which use a massively parallel processing approach. Four machines, each with a main processor and a distributed set of up to 48 advanced graphic processors (AGPs), are placed in an array. A modified version of the graphic software VLC is then used to distribute groups of the passwords to each AGP. They begin in parallel a trial-and-error process to try to decrypt these passwords and compare the results with a file of commonly known and frequently used passwords.
When a match is found, the hackers now have a vehicle for authorized entry. After they have found a useful set, they can then take their time breaking the rest of the encrypted passwords. Time is on their side. Meanwhile, the customer identification files are downloaded. Unfortunately, these files, similarly to all files used by the Anthem application systems, are not encrypted. Only files transmitted outside the Anthem network are encrypted for transmission, the assumption being that that is where they are most vulnerable. However, the hackers are now insiders with knowledge about these encryptions and their associated keys, so even the transmitted files are now vulnerable.
On subsequent entries, usually monthly, the hackers place a series of software components that will persistently and undetectably hide in the Anthem systems. The hackers then periodically examine the hidden software to see if it has been detected and removed. Over time, they will place variations of the malware in the system to experiment with what is detectable by the scanners and monitors, and to determine what still remains undetectable. This is an ongoing experimental process with the victim providing the testbed for discovering and trying out new variations of the attackers’ malware.
The hackers traverse the trusted connecting networks to other insurance companies’ systems, hospital systems, medical provider systems, pharmaceutical company systems, and pharmacies. Undetectable persistent infection of those systems is the initial intent, facilitating later malicious processing.
The customer ID information is then sold in small batches (2,000–10,000) on the dark web. The purchasers have recently been small criminal gangs in South Florida and the Bahamas. They have bought clusters of IDs for universities and companies in small towns, usually in the Midwest and Central Plains states, where they will be less evident to the understaffed, undereducated, and slow-moving Federal Bureau of Investigation (FBI) technicians and investigators. For example, the FBI has one such individual, recently hired from college, as their single investigator.
The gang might pay 10,000 * $300 for a set. Those IDs representing the top third of the highest earners will go to a team of hired temporary clerks. They will type in customer information on an imitation 1040 Internal Revenue Service (IRS) form using a common system such as TurboTax, make up $20,000 worth of deductions, and file for a return under $10,000, usually around $9,000.
Another set of individuals acquires debit cards, telephone cards, and temporary bank accounts that can be used to allow the fraudulent filings to be paid to the IRS, usually with the imitated Anthem customer’s real address identified. Then the address is changed to a South Florida temporary site where it can be accessed.
Within one month, the purchase of the 10,000 IDs, filing of false 1040s, and payment reception have been completed; the gang is disbursed, frequently with no knowledge of the gang leader, who receives the bulk of the money. It is months later before the IRS uncovers the fraud, and months more before the FBI may become involved. By then, the gang is long gone and the information has been sold to Californian, Russian, Ukrainian, and Eastern European gangs for their purposes. Figure 2.1 portrays that sequence of events.
Beyond selecting a path that will make their access anonymous, attackers will edit and reverse or “clean” the logs after they have performed their desired activities on the compromised information system. Initially, these modifications are brief, since they are only downloading a few critical files that contain passwords. On the second round of attack, once useful passwords have been cracked, the hackers will reenter the system and diversify their attack openings through the installation of Trojans, web shells, timers, and more keystroke loggers. After each pass, the logs, warnings, and notification of changes are overwritten, hidden, or deleted in order to prevent legitimate administrators and users from detecting their presence.
Figure 2.1 The steps in the Anthem break-in.
Tool 1: Initial Spear-Phishing Entry Leading to the ScanBox Keystroke Logger
The most common method of stealing sensitive information and authentication credentials in order to traverse the portals to an enterprise’s network is with a keystroke grabber. These programs are secretly installed on target computers to record or log the keys struck on a keyboard by the user on the affected device. This malware is used to obtain sensitive data such as login information to further infiltrate a system or network. There are numerous keylogging methods, ranging from hardware- and software-based approaches, which we shall briefly describe in the following section, to the most popular keystroke-logging software—ScanBox (Figure 2.2).
Among these varied types of keystroke loggers are
1. Software-based keyloggers: Software-based keyloggers are computer programs designed to work on a target computer’s specific software. There are a number of varied keylogger software categories.
Figure 2.2 Keystroke logging and stealing as the user types.
2. Hypervisor-based keyloggers: Modern virtualized computing employs a hypervisor module upon which a number of operating systems can sit, each running their own set of applications. If that hypervisor becomes infected with malware, keylogger software can theoretically reside in that malware-infected hypervisor environment, running underneath the operating system. The keylogger is difficult to detect and essentially becomes a virtual machine in its own right, operating independently.
3. Kernel-based keyloggers: Malware, once inserted on a machine, can obtain root access in order to hide itself in the operating system and begin intercepting keystrokes that pass through the kernel module that interfaces with the machine hardware. Keyloggers such as these (which reside at the kernel level) are quite difficult to detect, especially by scanning applications that do not themselves have root access. They are frequently implemented as rootkits that subvert the operating system kernel and thus gain unauthorized access to the hardware, making them very powerful. A keylogger using this method can act as a keyboard device driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.
4. API-based keyloggers: These application programming interface (API) keyloggers hook keyboard APIs inside a running application. The keylogger registers for keystroke events as if it was a normal piece of the application instead of malware. The keylogger receives an event each time the user presses or releases a key. The keylogger simply records it, and the malware transmits the logged information to the hackers.
5. Form grabbing–based keyloggers: Form grabbing–based keyloggers log web-form submissions by recording the web-browsing history on submit events. These happen when the user finishes filling in a form and submits it, usually by clicking a button or hitting enter. This records form data before it is passed over the Internet.
6. Memory injection–based (MitB) keyloggers: Memory injection (MitB)–based keyloggers alter memory tables associated with the browser and other system functions to perform their logging. By patching memory tables or injecting directly into memory, this technique can be used by malware authors who are looking to bypass Windows user account control (UAC). Non-Windows systems have their own similar protection mechanisms that need to be thwarted somehow by the keylogger.
7. Remote access software keyloggers: These are local software keyloggers with an added feature that allows access to the locally recorded data from a remote location. Remote communication may be achieved using one of the following methods:
a. Data is uploaded to a website, database, or FTP server.
b. Data is periodically e-mailed to a predefined e-mail address.
c. Data is wirelessly transmitted by means of an attached hardware system.
d. The software enables a remote login to the local machine from the Internet or the local network, allowing data logs stored on the target machine to be accessed.
Most of these processes are not stopped by Hypertext Transfer Protocol secure (HTTPS) encryption because that only protects data in transit between computers, whereas this is a threat within your own computer—directly connected to the keyboard.
8. Hardware-based keyloggers: Hardware-based keyloggers do not depend on any software being installed, as they exist at a hardware level in a computer system.
9. Firmware-based keyloggers: This basic input/output system (BIOS)-level firmware that handles keyboard events can be modified to record these events as they are processed. Physical and/or root-level access to the machine is required, and the logging software loaded into the BIOS has to be tailored to the specific hardware that it will be running on (Figure 2.3).
Figure 2.3 Firmware-based keylogger.
Figure 2.4 Hardware keylogger examples.
10. Keyboard hardware: Hardware keyloggers are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the computer keyboard and the computer, typically in-line with the keyboard’s cable connector. There are also USB connector–based hardware keyloggers. More stealthy implementations can be installed or built into standard keyboards, so no device is visible on the external cable. Both types log all keyboard activity to their internal memory, which can subsequently be accessed, for example, by typing in a secret key sequence. A hardware keylogger has an advantage over a software solution: It is not dependent on being installed on the target computer’s operating system and therefore will not interfere with any program running on the target machine or be detected by any software. However, its physical presence may be detected if, for example, it is installed outside the case as an in-line device between the computer and the keyboard. Some of these implementations have the ability to be controlled and monitored remotely by means of wireless communication (Figure 2.4).
11. Wireless keyboard sniffers: These passive sniffers collect packets of data being transferred from a wireless keyboard and its receiver. As encryption may be used to secure the wireless communications between the two devices, this may need to be cracked beforehand if the transmissions are to be read.
12. Keyboard overlays: Criminals have been known to use keyboard overlays on ATMs to capture people’s personal identification numbers (PINs). Each keypress is registered by the keyboard of the ATM as well as by the keypad that the criminal has placed over it. The device is designed to look like an integrated part of the machine so that bank customers are unaware of its presence.
13. Acoustic keyloggers: Acoustic cryptanalysis can be used to monitor the sound created by someone typing on a computer. Each key on the keyboard makes a subtly different acoustic signature when struck. It is then possible to identify which keystroke signature relates to which keyboard character via statistical methods such as frequency analysis. The repetition frequency of similar acoustic keystroke signatures, the timings between different keyboard strokes, and other context information such as the probable language in which the user is writing are used in this analysis to map sounds to letters. For this method, a fairly long recording (1000 or more keystrokes) is required so that a big enough sample is collected.
14. Electromagnetic emissions: It is possible to capture the electromagnetic emissions of a wired keyboard from up to 20 m (66 ft.) away, without being physically wired to it. In 2009, Swiss researchers tested 11 different USB, PS/2, and laptop keyboards in a semianechoic chamber and found them all vulnerable, primarily because of the prohibitive cost of adding shielding during manufacture. The researchers used a wideband receiver to tune into the specific frequency of the emissions radiated from the keyboards.
15. Smartphone sensors: Researchers have demonstrated that it is possible to capture the keystrokes of nearby computer keyboards using only the commodity accelerometer found in smartphones. The attack is made possible by placing a smartphone near a keyboard on the same desk. The smartphone’s accelerometer can then detect the vibrations created by typing on the keyboard and translate this raw accelerometer signal into readable sentences with as much as 80% accuracy. The technique involves working through probability by detecting pairs of keystrokes rather than individual keys. It models “keyboard events” in pairs and then works out whether the pair of keys pressed is on the left or the right side of the keyboard and whether they are close together or far apart on the QWERTY keyboard. Once it has worked this out, it compares the results with a preloaded dictionary in which each word has been broken down in the same way. Similar techniques have also been shown to be effective in capturing keystrokes on touchscreen keyboards, and in some cases in combination with a gyroscope (Figure 2.5).
16. ScanBox: ScanBox, a particularly malicious keystroke grabbing program, performs the keylogging of users when they visit a compromised website without requiring malware to be deployed, and it can collect a great deal of information that can be used to design future attacks.
Depending on the browser used, ScanBox would deploy reconnaissance software, code for detecting Flash, SharePoint, Adobe PDF Reader, and Java. Some of them, including the JavaScript keylogger, are launched on any of the major browsers on the market (Internet Explorer, Mozilla Firefox, Google Chrome, and Safari).
There are now several alterations to the ScanBox code base, including new modules and changes to avoid signature-based detection, as well as extra techniques to try to identify whether those being scanned are real machines or researchers.
A motivation for selectively loading plug-ins is likely to be to prevent crashes or any errors appearing (which may alert the owner of the compromised site) when the page is loaded, as some of the plug-ins are only compatible with specific browsers. Selectively loading plug-ins has the added bonus of slightly reducing researchers’ access to the attacker’s code. Developers are continuing to update and test variants of the framework, including new server-side code being tested by budding hackers.
Keystroke loggers are a particularly dangerous security threat because users typically don’t realize they’re even there. As increasing amounts of personal, corporate, and financial data is logged and saved on devices, it is vital to understand the risks at both the software and the hardware level. Even the most secure user-authentication system is vulnerable if the passwords are sniffed directly from the keyboard.
Figure 2.5 Smartphone keylogging sensor.
Tool 2: Setting Up an Anonymous Path Using Tor
The attacking team intends their source location, as well as the path and sequence of routers their traffic flows through, to be untraceable by either victims, police, FBI, Interpol, governments, or institutions. To set up such paths and hide their traffic, not only from these parties but also from the routing entities used along their path to the victim, the attackers employ a variety of tools, sites, and methods. Using these, they create an anonymous path from the attackers to the victim and an anonymous return path back to those attackers. Over those anonymous return paths flow the information stolen in their current attack venture. Among the tools and techniques employed in creating these anonymous paths are
Tor/onion routing: The Tor protocol was written by the U.S. Navy research laboratory. Tor directs Internet traffic through a subnetwork of the World Wide Web of the public Internet, termed the dark or deep web. This network is composed of sites hosting anonymous routers that are managed and set up by activists or volunteers. These sites and the services they offer are reached using an “onion” address—a pseudo address that is part of a special top-level domain and is hidden from the Internet’s domain name system. Users of such services frequently use Foxfire 4.3 as their browser to access such services.
Among the services offered is anonymous routing employing the Tor protocol. This allows the creation of a network of virtual tunnels, which are used to hide websites from each other and outsiders. They are forward creating networks and hidden backward paths (Figure 2.6).
Figure 2.6 How the Tor network works (https://www.torproject.org/).
On this anonymous subset of the web, anonymous attackers need to know the available routers and their capacities, have access to the routers, and have the ability to select a subset of a few routers with which they can set up a hidden, anonymous path to a target; and a similar hidden, anonymous return path. They pick a set of between three and five routers to create a path, never using the same path twice. They set up each path so that no single point along the way can look backward and see where traffic is generated from, nor its ultimate destination. Once a path through this network is established, and they can access the target site, submit chosen initial malware, and then download information back through that path to the original site in such a way that it can’t be tracked; the attackers can then reenter the target site to insinuate further malware and retrieve additional information.
An example of such an anonymous route through a set of three possible routing sites on the dark web is one where the path might be from Shanghai, China (where the location of Dark Panda has been identified), through an anonymous router in Hong Kong, to similar ones in Moscow and Amsterdam, and then on to the target site of one of Anthem’s proprietary and/or cloud-based data centers (Figure 2.7).
There are two types of Tor packets: control and relay packets. Figure 2.8 shows a control Tor packet.
The Tor control process sets up the anonymous path. The initial control packets are sent out from the source site’s anonymous edge router to an initial anonymous router on the dark web. This establishes a control link, and an acknowledgment is received that the link has been successfully created. Another control packet is then sent from the first link along to the second link, followed by a further acknowledgment. The process continues in this manner from the second to the third link and so forth. The links along the anonymous path are thus established by the Tor control process with Tor control packets, one link at a time, along the anonymous path.
Figure 2.7 A possible routing path used to attack Anthem’s data center.
Figure 2.8 Tor control packet.
Figure 2.9 Tor relay packet.
When the whole end-to-end path has been created, the attackers send relay packets containing their malware, code, and software to the destination target site to establish an anonymous and persistent presence in that corporation’s system. They then access files and return them along the anonymous path back to the attacker’s chosen website. Figure 2.9 shows the structure of the relay Tor packet.
This relay packet forwards the attacker’s Internet Protocol (IP) packets along the established anonymous paths to the target’s site and returns extracted information along the anonymous path back to the original site. So, relay packets are used in this way to deliver the malware to the target site and retrieve stolen valuable information files from that target along the anonymous path to the attacker’s hidden destination site. And this process begins downloading an entire stream of packets—not just one small record at a time.
There are specialized Tor browsers that help attackers discover useful relay sites that can be used for constructing their Tor network, but many just use Foxfire 4.3 for exploring sites on the dark web. The use of the more specialized Tor browsers, however, prevents somebody watching your Internet connections and learning the sites you visit and prevents the sites you visit from learning your physical location. Furthermore, they enable a potential attacker to access sites that are blocked from and by standard browsers.
The main point of the Tor network is to mask a user’s location and Internet usage from people whom they suspect might be viewing their traffic activities. Using Tor does not make you completely invisible, but it certainly does make it more difficult to trace an end user’s Internet activity. The main principle and purpose of Tor is to protect users’ personal privacy and freedom and ensure their right to privacy. This is achieved to a significant degree by Tor through their relays, which prevent their Internet activities from being monitored, and the protocol offers a significant set of facilities for nation-states, hackers, and criminal gangs to perform destructive and unlawful activities cloaked by the Tor anonymous routing system.
In onion wrapping, the source of the data sends the onion-wrapped message or information to Router A, which adds an outer layer of route addressing and may perform internal packet encryption. That site learns nothing about the enclosed packet—only where to send it next. Router A sends the onion-wrapped packet to Router B, which adds another onion wrapper before sending it on to Router C, which transmits the original message to its destination (Figure 2.10).
The information return process follows a similar pattern, whereby each router along the way can only see the next address along the way, with the previous router, the source, and the ultimate destination cloaked from view.
Figure 2.10 Onion-wrapping the Tor packets.
Tool 3: CrowdStrike Identified Hacker Clusters, China Chopper Web-Shell Controller
CrowdStrike’s Identified Hacking Clusters
CrowdStrike, the well-known network security firm, has identified a more extensive group of hacking clusters. Malware is responsible for only 40% of breaches, and external attackers are increasingly leveraging malware-free intrusion approaches to blend in and “fly under the radar” by assuming insider credentials within victim organizations. The nature of the game now is persistence and gaining long-term access to the enterprise. The chances of ultimate discovery and effective remediation diminish greatly when no external binaries are brought into the environment and no unusual outbound command and control (C&C) traffic is taking place.
The idea behind a malware-free intrusion is very simple—malware, even if it’s unknown to antivirus, is still very noisy. The presence of unknown and previously unseen binaries running in your environment, making file and registry changes to your system, and calling out to the network—these are all things that can be observed and will eventually trigger suspicion on the part of a proactive security operations center (SOC) analyst or incident responder. So, if you’re an attacker who is trying to stay undetected for as long as possible, what do you do?
The obvious answer is that you break in without using malware, emulating legitimate insiders. Insider detection has always been one of the hardest problems to solve in cyber security because the attacker, by definition, looks like someone who is supposed to be inside your network and is doing things that are largely legitimate and expected. Thus, wherever the adversaries can emulate this behavior, they are quite successful in achieving their objective of stealth.
Malware-Free Intrusion Process
A large defense contractor hired CrowdStrike services after struggling for months to remediate an intrusion from a sophisticated nation-state affiliated actor. The adversary kept coming back, and the client could not identify the point of entry, despite having numerous host and network forensics and whitelisting as well as indicator of compromise (IOC) scanning malware detection tools. The explicit mission was to identify the C&C channels that the adversary was using to get inside the environment. In the end, it turned out that the question they were asking—that is, which C&C servers were being compromised—was the wrong one. Once the services team deployed next-generation end-point technology across their servers and desktops to profile and identify all adversary activity, it was determined that the adversary had compromised their two-factor authentication system, had stolen the seed values, and was coming in through the VPN system using legitimate credentials and generated two-factor token values. There were no C&C server IOCs to detect, and once the adversary was inside the network, they were able to move around freely using Windows system administration tools, without the actual use of malware. This critical gap between current enterprise defense strategy and the evolution in adversary tactics is responsible for a growing number of successful intrusions, as well as the fact that a typical breach remains undiscovered for over 200 days. In response, organizations now need to adapt their strategy and augment their malware detection and IOC scanning tools with solutions that can hunt for, detect, and ultimately prevent intrusive activity even when no malware is present.
How CrowdStrike Describes How Malware-Free Attackers Operate
CrowdStrike describes the attacking components and tools commonly employed as “malware-free intrusion tradecraft” and a set of procedures they follow using these tools and techniques.
Malware-free intrusion tradecraft: Actors affiliated with the Chinese nation-state, such as Deep Panda and Hurricane Panda, have been observed using the following tradecraft. Such compromise can be achieved via
1. Structured Query Language (SQL) is a simplified programming language for querying information stored in relational databases.
2. Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations.
3. Attacks against Linux web servers have recently been detected.
4. The use of the Bash vulnerability known as ShellShock.
5. That allows actors to install a web shell on the server, with China Chopper being the most common tool of choice. The reason it’s so popular is that it is almost elegant in its simplicity. The web shell consists of a tiny text file (often as little as 24 bytes in size) that contains little more than an “eval( )” statement, which allows the attacker to execute processes on the web server. That script can be easily obfuscated to evade signature and IOC scanning technologies.
6. The intrusion begins with the compromise of an external-facing web server, often a Windows IIS server.
China Chopper Web Shell Controller
On the attackers’ site, a controller application is executed that allows them to upload or download files and provides access to a virtual terminal from which they can execute commands.
Through the installed web shell, the attacker uploads a credential theft tool to steal Windows passwords and hashes and on occasion upload “Kerberos Golden Tickets,” which can provide the attackers with persistent access to the network for as long as they deem necessary.
Technically, such a credential theft tool should be considered malware, but it is malware that traditional antimalware defenses do not identify and deal with, since there have been a continuous stream of repackaged and rewritten versions of these credential theft tools that can escape all signature and IOC-based detections; moreover, new mutant variations are constantly being made available and deployed.
Once appropriate credentials have been acquired, the attacker continues laterally across the internal corporate network using Windows Management Instrumentation (WMI) commands or Remote Desktop Protocol (RDP) sessions, just as a Windows administrator might employ, and creates scheduled tasks with Powershell scripts to maintain a persistent presence in the system. RDP is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software. WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment.
Also frequently observed is the use of the “sticky keys” trick for maintaining malware-free persistence on a victim network. With the “sticky keys” trick, the attacker modifies the registry on a target’s system server using WMI to set a “cmd.exe” as a debugger for tools such as sethc. exe of StickyKeys and osk.exe to allow an on-screen keyboard. To reset a forgotten administrator password, there are a well-known, oft-published set of steps to follow after first rebooting from Windows and accessing the command prompt and then using the drive letter of the partition where Windows is installed and typing a set of simple commands.
Once that is completed, an attacker can remotely use RDP to enter a compromised server, press the StickyKeys or on-screen keyboard hotkeys, and instantly trigger a command prompt running with system-level privileges, without even being required to login to that remote compromised server. Even if passwords are eventually reset across the victim’s environment, the attacker still maintains persistent access unless the victim goes through the process of cleaning up all the registry entries on that server and across the victim’s entire network.
Types of Common Monitoring Software Employed
Understanding the difficulty in avoiding spear phishing and the associated valid-credential capture 100% of the time, modern enterprises assume that they have already been penetrated and employ a set of monitoring software that looks for the signatures of malware and abnormal activity on their systems. Such abnormality may show as
1. Normal activity occurring at the wrong time of day
2. Normal activity coming from a wrong source
3. Activity occurring abnormally between systems
4. Presence of abnormal activity or abnormal software
Looking for Derusbi Parsing Software
Among these abnormal software items are frequently found one of various forms of Derusbi parsing malware, of which the two most popular are
1. derusbi_server.lua, a parser for Derusbi handshakes
2. derusbi_varient.parser, a parser for Derusbi variant beaconing
The Trojan.Derusbi software avoids detection by using its own proprietary handshakes with pseudorandomly calculated and assigned values, which are dynamically calculated at run-time and then used with the handshake execution. This is hard to detect as abnormal.
1. Employing security analytic parsers: We can detect these Trojan handshakes and new emerging variations of them. The parsers generate metadata under the names:
a. derusbi_handshake
b. derusbi_varient
2. Imported security feeds: Security feeds are also imported into security analytic routines to detect hacker activity. Feeds identify any machines on the network that may be communicating with maliciously placed IP addresses or URLs that have been linked with Shell Crew previously identified domains or IP addresses. Shell Crew is the term applied by the security firm RSA to those groups, frequently associated with nation states, that attempt to invade and insert persistently resident malware in the systems of companies they have invaded. The following feeds with generated metadata named are malware:
a. derusbi_domain_march2015
b. derusbi_ip_march2015
RSA’s Enterprise Compromise Assessment Tool (ECAT) scanning software is an end-point threat detection and response solution that automates the detection of anomalies; identifies programs that have been modified; exposes targeted, advanced malware; and highlights suspicious activity. ECAT is particularly effective at identifying what is classified as “signature-less malware,” which does not have the appearance of malware but must be identified by its behavior patterns. Malicious executable software can be identified as RSA’s ECAT scans across thousands of machines to identify malicious programs and especially identifies all that are configured to run automatically at startup, which might include, among valid software, malware that is triggered to run at startup. ECAT is an end point threat detection and response solution that exposes targeted, advanced malware, highlights suspicious activity for investigation, and instantly determines the scope of a compromise to help security teams stop advanced threats faster. ECAT’s unique behavioral-based detection identifies unknown, zero-day malware and compromises that other tools don’t see.
ECAT incorporates an intelligent risk–level scoring system, which prioritizes suspicious end-point activity while leveraging dynamic data-trained (through automatic machine) learning as it systematically performs its scans and focuses the analyst on real threats in the early stages.
ECAT Steps
1. First, ECAT creates a “normal activity” file of what normal activity in the systems looks like. This includes, but is not limited to, who regularly accesses what files, the time of day and day of the week this occurs, and what activities are undertaken. Then ECAT creates a file of the material that is normally transferred outside the system, including what file, by whom, at what time of day/day of the week, in what form, and to what designated destination.
2. ECAT then looks at all outbound traffic and both the content being sent and its destinations. ECAT detects the creation of a suspicious outbound connection by comparing the source of files being created for transmission with normal traffic and the destinations they will be sent to with traditional destinations. Any differences from the norm are tagged. The time of day and day of the week that such activity occurs are also compared with the times and days of normal activity.
3. ECAT then sends an “alert” message to system security technicians of the creation of a suspicious outbound connection, including the files and the abnormal destinations.
4. Finally, ECAT sends a view of the files being sent over the outbound connection to the system security technicians.
Hackers employ tools such as the open software VirusTotal to test whether variations of the Trojan family of code can be detected until they find one that is currently undetected. The hackers continue to make small changes to the Trojan code until they find a variant that is not currently detected by any of the popular antivirus software.
There are two operational approaches when malware is detected: blocking and observational steps.
1. Blocking: The traditional approach is to block all abnormal activity as soon as it is detected. However, this also notifies the attacker that detection has occurred.
2. Observational: An alternative is to let the outbound transmission occur and set up observational software to attempt to observe the pattern of such activity and the path to the destination that the attacker employs to retrieve the stolen files. Tor Anonymity Wrapping can defeat this observational process step.
3. Honey pots: Frequently, the security personnel will then set up an attractive system and files, termed a honey pot, where seemingly valid internal information appears, and then watch, wait, and track activity. Results are then shared with the FBI, appropriate security firms, and other industry organizations.
QUESTIONS
1. The goal of a hacker is to become the target technician to observe all the keystrokes. What are the two basic techniques that a hacker uses to do this?
2. What is a scanning software that detects suspicious outbound connection?
3. This server helps give hackers free rein to attack and invade web servers.
4. Using Windows Management Instrumentation (WMI) extensions to the Windows Driver Model to set a cmd.exe, what is a trick a hacker uses and how do they do it?
5. How does the Tor protocol work?
6. Describe the two types of Tor packets that hackers use to attack their target.
7. Tor messages are encapsulated in layers of encryption. This is analogous to a vegetable. What is this process called?