Threat Intelligence Report – December/January 2014/2015
Threat Intelligence Report – December/January 2014/2015
In the months of December 2014 and January 2015 many paradigms on how the security of the Internet was perceived began to change. With the advent of the Sony hack and all of the fallout since, there has been quite a bit of angst on the part of governments across the globe in response to the attack.
This concern is warranted because the Sony hack set a precedent in destructive actions on the part of a nation state (ostensibly) to attack a private corporation and completely destroy it’s capability to function as a company for many months. To date, Sony is still off line internally with all of it’s various systems being reconstructed to enable workers to resume regular business.
Alternatively, other attacks like the Christmas day attacks on Sony and Microsoft’s PSN and Xbox networks took their functions off line at a key time for gamers with new consoles to play the games they got for Christmas. These DoS (Denial of Service) attacks were carried out by a group of “script kiddies” (hackers without real skills) called “The Lizard Squad” and their arrests are now happening in January by the FBI and others across the globe.
The final assessment though is that the game has changed and the rules are yet to be determined on a legal level as well as on an attackers decision process on how far is too far to go. In the case of the Sony attack, whether or not it was a nation state doing so, the game changer is that they completely destroyed the capabilities for Sony to operate their business. This situation ups the stakes for other adversaries, both nation state and other, to a level at which nothing is taboo and everything is possible.
In short, we are living is “Interesting Times” as the Chinese say, and we had all be ready to handle the outcomes of potential attacks like the Sony attack because it is likely that it will not be the last one of it’s kind.
The Sony attack was not new in the sense that the malware had been around for some time on the Internet. A version of it had been used in 2013 on banks in South Korea and it managed to destroy quite a bit of data. However, the attacks in 2013 had been stopped before the complete destruction of the banks systems was complete. However, the notion of using such malware attacks by an adversary in such a way had not been carried out before on private entities and this was the game changer.
In the case of Sony, an iteration of the malware from 2013 (DarkSeoul) was upgraded with about forty percent more changes to the base code that refined the process a bit. The malware, after editing was leaner and able to destroy drives in a very quick fashion. The crux of the attack lay in the malware choosing a certain section of the drive (middle) and quickly taking that section out with destructive wiper tools. In essence, that one stripe made the drive useless.
This in tandem with the hard coded domain names, addresses, and passwords of high level accounts, made the attack all the more destructive and pervasive. The sole intent of the upgrades and deployment of this malware package (4 variations of malware in total) was to take Sony off line hard at a maximum cost.
The assessment that goes along with this attack on Sony is alluded to in the executive summary. The crux of the meaning being that this malware was not advanced. It has been around since 1998 as a concept, and the attacks used to place it in the network were not new as well. What is different is that the actor was willing to carry out such an attack on their target in the first place.
The changes to laws you are seeing proposed by the Obama Administration show just how in earnest they are to respond to this change in tempo of cyber warfare. There are few international laws that handle this type of attack and we have yet to have any real substantive ground rules that all countries would abide by in this battle space.
Additionally, the attack on Sony also sets the tone for non state and chaotic actors who may want to just wreak havoc wherever they can with the same tools. Remember that the code is already out there and the access can be granted through phishing attacks or insider access at any company. This attack and the narrative on how it happened should be paid heed by every company today because they too could be the next Sony with the right adversary set to destroy them.
As stated above, the US Government has been actively seeking to update and create new policy on hacking and cyber warfare since the Sony attacks occurred. The Obama White House has in fact put forth changes to the CFAA (Computer Fraud and Abuse Act) as well as new legislation covering all manner of information sharing as well as repercussions for hacking.
The primary concern for business though should be the changes to reporting on incidents as well as the proposals for an information sharing between companies and the government on security threats being seen in the wild. These information sharing programs already exist in the private defense contractor space but as yet do not exist outside of that realm. The matter of the reporting of incidents however is a new and prickly topic and as such should be watched closely by corporations to be sure of what they may have to report on and in what time frames. Additionally, they should be concerned with fines for non reporting as well as issues over releasing data on vulnerabilities they may have.
The primary concern that companies will be looking at will be the reporting and repercussions from doing so. At present this is all notional and with the president being a “lame duck” it may not be something that companies will have to concern themselves with at all. That is unless the Senate and House decide to act on these proposals.
The Lizard Squad, is a loosely knit group of script kiddies that created a now defunct DoS (Denial of Service) software package that was used to take Sony PSN and MS Xbox networks down on 12/25/14.
These attacks were chaotic in that the Lizard Squad just did it because they wanted to. There was no political agenda, there was no real stated reason, they just took things off-line to make people unhappy and to gather fame for themselves.
At present, the Lizard Squad’s tool is off-line, the code of which has been dumped online, and the services users passwords (which were not encrypted) are in the open. The FBI is investigating the incident and has in fact captured three of the hackers from the group already with more to come.
The Lizard Squad is just one group of many that come into existence and go out of existence on-line regularly. Loosely modeled on Anonymous, the Lizard Squad acted out of a need to chaotically cause mischief on-line without much more reason than they wanted to.
This type of actor is becoming more prominent with actions like this and with each big story, and the attention they are given, more will rise up like them to sow havoc on companies on-line. These actors for the most part usually carry out attacks though that are not as complex or devastating as the Sony attack but they could also evolve and carry out like attacks.
It is thus important that companies pay more attention to groups like these and monitor OSINT and other threat intelligence feeds to be aware of groups that might target them. Being armed with information may make all the difference in the world to your OPSEC against such attacks by these actors.
Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name “Skeleton Key.”
CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.
This malware is novel in that it uses a flaw in the Active Directory in tandem with single factor authentication. This novel approach, if not mitigated by Microsoft, could be enhanced and used more widely by attackers. There is however one flaw in the malware that mitigates the attack;
The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.
However, if you have a level of compromise that would grant the access needed to install malware on the domain controller, then this attack is secondary because the adversary has already compromised you at a deep level.
Full report for download HERE: Report