Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

GLOBAL THREAT INTELLIGENCE REPORT: NOVEMBER 2014


Executive Summary:

In the month of November 2014 two stories made the news that have direct relevance to many corporations. These two stories center on the actors' modus operandi and their targeting of companies, individuals, and infrastructure in very particular ways.

The first actor/incident is Sony and their alleged attacker, the GOP (Guardians of Peace). Sony was hacked by unknown person(s) and approximately 111 TB (terabytes) of information was taken from their networks and systems. The data began to be leaked on the internet via BitTorrent and other sites in blocks of 1 GB to 100 GB per release.

The second attack/actor is being called FIN/4, an unknown group that has been targeting corporations' executives via phishing. FIN/4 is looking for M&A information that they can steal either to play the market themselves or to sell as inside information to other companies. FIN/4 has been detected attacking Big Pharma looking primarily for insider information, but has also been seen attacking other types of companies, such as holding companies, in search of the information they desire.

Global Threats:

Sony Hack (GOP): Destructive Hacking and Malware

The Sony Corporation was hacked over an indeterminate period within the last year and was tipped to the fact on or about November 24th–25th of 2014 by the attackers. A group or person calling themselves "The GoP" or Guardians of Peace released malware on the Sony network that then changed the login screens of all machines to a picture of a skeleton and a threat (see below).

Once the malware was delivered and triggered, the screens of PCs were changed to the image and a wiper utility went into action destroying the MBR (Master Boot Record), thus damaging the operating system and all data on the drive.

The attack on Sony should be a warning to all companies and entities with networking infrastructures. This attack seems to have been carried out by an insider (likely an IT person) with intimate knowledge of the network and where data lives. The malware itself had been hard-coded with server DNS names within Sony's network as well, so this was a very targeted attack.

The attack on Sony has been in the news quite a bit, and the full extent of the hack and its repercussions has yet to be determined. Sony stock has taken a hit and has been up and down with the news stories and the releases of information by the GOP online. Reputation-wise the company has taken a great hit and may in fact be in jeopardy, because other companies and banks are not wanting to loan them funds or work with them: the thousands of Sony records already online show that they were not exercising due diligence with PII and PCI data internally. The majority of documents were unencrypted, and those that did have passwords had the actual passwords in a file alongside the documents or built into the document file name itself.

Observations:

The attack on Sony was most likely an insider attack and as such is one of the hardest types of attack to protect against. However, since the release of Sony's data on the internet it has come to light that the following glaring issues existed and led to their devastating compromise:

  • Sony did not have adequate staff working in information security and had in fact been heavily relying on contractors which were transient in nature

  • Sony had not been using encryption on files for PII or PCI

    (Image: full employee lists with SSNs, not encrypted and not password protected)

  • Sony had not fully instituted complex passwords on systems and files

    (Image: password in the file name itself)

    • Examples: s0ny123 (lotus notes user pass)

    • Notes password II: password

    • AD login: 163erie (Less than 8 chars)

    • Passwords were re-used for user in this case with corporate AMEX account as well.

  • Attackers were able to exfiltrate 111 terabytes of information. This exfil likely happened onto local external drives but could have been done over the network over time. If this was carried out over the network, then Sony either could not see the immense amount of data being siphoned or they ignored it. Internal intelligence and telemetry are key to stopping exfiltration of corporate data.

  • This attack and exfil of data so thoroughly compromised Sony that they had to shut down their network completely and have employees only use pencils and paper for work.

Assessment:

This attack on Sony was motivated (most likely) not by nation state actors upset about a movie, but by how Sony treated some employee(s) somewhere, in the attackers' view. The GOP in their communications keep talking about how Sony is a bad corporation that treats its people poorly. No matter the motives and the actors, however, the important things to learn from this attack are the following:

  1. Insider attacks are the greatest risk to any organization

  2. Lax security policies and processes for securing data on drives with proper passwords and encryption led to complete compromise of corporate and employee data from this attack. Were the files encrypted and properly password protected this may have been mitigated.

  3. Any corporation could fall victim to the same type of attack.

  4. The malware used, contrary to the news cycle, is not new and not exotic. MBR wipers have been around since 1998. It is easy to re-work (reverse engineer and modify) malware so that it is undetectable to antivirus utilities and thus not seen.

What corporations need to take away from this incident is that it can happen to anyone. It can especially happen to a company not paying attention to internal data, systems, and traffic. A secondary concern that all companies should have is that now that this attack has happened, it will give others ideas and potentially open the door to more attacks like it in the future as a means of hacktivism or revenge. A second and more important takeaway should be the following:

“It’s not important who attacked you after the fact. It’s important to discover and remediate the compromise through proper incident response and then fix the problems that allowed for the compromise to happen in the first place”

While threat intelligence is an important tool in the security arsenal, the focus has been on the who and not so much on the why and how, both in the news and in Sony's own focus, at least in the media sphere. A leaked memo from the founder of Mandiant, the company carrying out the DFIR on Sony in this incident, alludes to the fact that this attack was "unprecedented and unstoppable". This language and this memo are a disservice to the industry: they allow companies to believe that, with lax security controls and the illusion of nation state actors, the blame for a major incident can be removed from the company whose environment allowed the attack.

As shown above, the data was out in the open and efforts to protect data like PII and PCI were simply not taken. Of course an insider attack is hard to foil, but at this time it is speculative whether or not it was an insider, even with the GOP bulletins saying that it was in fact the case. As well, in the case of Sony there is a long history of over 20 successful hacks against them in the past, so it seems that not only are they a big target but also an easy one, because they have not been able to secure their environment well enough to stop attacks at all. Given all of these factors it should be evident that any corporation should look at the data coming out of Sony to study just what went wrong and attempt not to be the next company to fall prey to this.

Finally, this attack on Sony should be a lesson for everyone: now that this has happened and utterly destroyed the capacity of a company, others in the future will use it as a model for their own attacks. The notion is now out there in the open, and in reality I guess one could call this the realization of the "Fire Sale" as seen in the movies. This is a turning point in information warfare and protection that everyone should take heed of and attempt to be ready for. While there may be no magic bullet to stop these types of attacks from happening, there are certainly means at the disposal of corporations and security groups to at least attempt to detect and stop such attacks. Specifically, there should be means to detect large data transfers within the network as well as leaving the domain itself.
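As an added example (not from the original post) of the kind of egress telemetry the assessment calls for: the script below aggregates outbound bytes per internal host per day from constructed flow records and flags a day whose volume dwarfs that host's own baseline. The flow format, internal address ranges, sample hosts and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Internal address ranges (assumption for this example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records: timestamp, src, dst, bytes sent.
SAMPLE_FLOWS = """\
2014-11-20T09:00:00 10.1.2.10 198.51.100.7 48000
2014-11-20T10:00:00 10.1.2.10 198.51.100.7 52000
2014-11-21T09:00:00 10.1.2.10 203.0.113.9 45000
2014-11-21T10:00:00 10.1.2.10 203.0.113.9 51000
2014-11-22T02:00:00 10.1.2.10 203.0.113.9 9000000000
2014-11-22T03:00:00 10.1.2.10 203.0.113.9 8500000000
2014-11-20T09:00:00 10.1.2.11 198.51.100.7 60000
2014-11-21T09:00:00 10.1.2.11 198.51.100.7 61000
2014-11-22T09:00:00 10.1.2.11 198.51.100.7 59000
2014-11-22T09:05:00 10.1.2.11 10.1.2.10 700000000
"""

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def daily_egress(flow_text):
    """Sum bytes leaving the internal ranges, per source host per day.
    Internal-to-internal flows (the last sample line) are ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        ts, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            day = datetime.fromisoformat(ts).date().isoformat()
            totals[src][day] += int(nbytes)
    return totals

def flag_egress_spikes(flow_text, factor=10, floor=1_000_000_000):
    """Return (host, day, bytes) where a day's egress exceeds `factor` times
    the host's median egress on its other days and also exceeds `floor`
    (1 GB), so hosts with tiny baselines do not alert on noise."""
    alerts = []
    for host, days in daily_egress(flow_text).items():
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if total > floor and total > factor * baseline:
                alerts.append((host, day, total))
    return alerts
```

Calling `flag_egress_spikes(SAMPLE_FLOWS)` reports only 10.1.2.10 on 2014-11-22 (17.5 GB against a baseline under 100 KB); the 700 MB internal transfer from 10.1.2.11 is not egress and is not flagged, which is the gap a separate lateral-movement check would have to cover.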

FIN4: Spear Phishing and Stock Manipulation

FIN/4 is the name that Cylance has given to the group of actors using "spear phishing" to attack corporations' email systems and steal corporate information. The information these attackers are after, though, is all to do with M&A and other insider information that the adversary wants to use or sell as intelligence for stock trades.

What makes FIN/4 different is this focus solely on M&A or insider data. They only go after OWA or other email systems and do not hack any further into the networks. This type of activity nets them what they want and does not lead to their being discovered as easily. Through password dumps and email trails these attackers are able to compromise the systems and data they require and then go quiet while monitoring all the information passing through those systems.

Assessment:

FIN/4 is a new twist on an old idea. This actor set is as yet new, and it is unclear whether it is a nation state or some other kind of actor. However, their pattern of attacks should be something that every company pays attention to, whether they are actively traded on the stock market or not. This type of attack is low and slow and nets quite a bit of data from common end-user frailties. The introduction of malware, or just the compromise of accounts, can lead to the full compromise of a company just as much as is evidenced in the Sony attack above.

Download Document HERE

Written by Krypt3ia

2014/12/09 at 19:58
