17 February 2015

Some of the largest and most renowned organisations in the world have become victims of hackers despite having – one would assume – top-of-the-range firewalls and anti-virus solutions.  But don’t make the mistake of thinking that attackers only target big brands.  Small companies too are at risk from an array of increasingly inventive forms of attack.

For many companies there is still a degree of puzzlement about why, having deployed a top line next generation firewall and a fully featured desktop anti-virus solution, they can still become infected.  And yet they do.  Target, Sony, eBay and others all had good quality defences in place yet they were compromised, and if these giants can be slain, then smaller firms can be too. Some people incorrectly assume that hackers only target big companies.  Who would bother with a small or medium sized company, they think.  The answer is that there is value in smaller companies, whether it is for their banking details or as access to their suppliers and customers.  From a hacker’s perspective, there is real value in all networks, no matter how small. So how do hackers still manage to penetrate networks, given that there are usually firewalls and anti-virus solutions in place?  And how can the enemy remain concealed ‘inside the gate’ for months sometimes, without detection.  This article looks at that very issue. Phishing There was a time when I was asked ‘what is a phishing email’, but that time has long gone!  Phishing attacks are, however, getting increasingly sophisticated and form around 70% of the approach that all advanced persistent threats take.  It is also a depressing statistic that 30% of users will click on a phishing email, even after training, either to open an attachment or to follow a link.  In some cases it is understandable.  The picture below shows a typical example, and who is not going to want to learn a bit more about Jane Watson? Watson Anyone who clicks on the Jane Watson link will be taken to a webpage like the one in the figure below, which is convincing.  Users might think that they had logged out of LinkedIn and maybe they actually had; the fact that the URL is wrong is a detail that many would miss.  So, they enter their email address and password which is the purpose of the site.  As a result, the attackers now have where the user is from, which the attacker will hope is a company, and his or her password.  There is a strong possibility the user will reuse that password elsewhere, for example for remote access to the company.  Maybe it is also the user’s active directory log on. The final trick is to see if the visitor is foolish enough to click on an invitation to update his flash.  If so, an update can be downloaded, but it will carry a malicious ‘quiet’ payload, and the user will not know what he has done.


This is, nonetheless, a lot of work for hackers.  They need to set up a website on a server that is not on a real-time blacklist, which isn’t a huge ordeal, but the design can be if they want it to be convincing.  They then need to persuade someone to visit this website, and that can be difficult.  So another option is to use an existing site with a good reputation and a good hit rate.  Earlier this year, Jamie Oliver’s website was hacked and a rather nasty piece of malware known as Dorkbot.ed was installed.  Any visitors, and there are about 10 million hits on Jamie Oliver’s site a week, who had not updated their browsers, were vulnerable to being infected. JamieOliver The figure below shows the process and it is pretty easily done. 1.    User visits infected website believing it is reputable. 2.    The user’s browser is unpatched and vulnerable.  The site is able to infect the user’s machine. 3.    The Trojan that is installed calls back to its Command and Control (C&C) servers to ask what to do. 4.    C&C tells it to download Dorkbot.ed. 5.    Dorkbot.ed listens for usernames and passwords and sends them back to the C&C. DorkbotDorkbot.ed has two other nasty little features, the first is that it endeavours to disable updates to the system it is on to increase its time of infection.  The second is that it can act as an email server, sending out further phishing and spam emails, but now from a good IP address and a legitimate email address. Remote access Increasingly, organisations need to allow remote users to have access to systems on their corporate network.  Perhaps they are home workers, members of the sales team or simply suppliers needing to support their application.  Some organisations allow Remote Desktop or other virtualised desktop applications to access directly without a virtual private network (VPN).  From exploits described above, there are plenty of username and password databases being exchanged in the Internet’s darkest corners.  It does not have to be related directly to the company because users re-use passwords.  Finding a password is not only possible but also very straightforward, particularly when users choose ‘easy’ passwords and when there is a total lack of monitoring, allowing the brute forcing of passwords. RemoteDesktop The figure above shows the steps that an actual attack took.  The attacker had acquired the username and password and was able to log on to the desktop.  Once on the virtual desktop, the attacker was able to access a switch, as it was left with the default username and password from its installation.  Once on the switch, the hacker was able to sniff the traffic, find other systems suitable for attack and detect any passwords sent in plain text.  This information allowed the attacker onto one of the systems from where they were able to escalate their priviledges.  Once admin was achieved, the network was effectively compromised allowing access to sensitive data.   In this case, there is no question that internal hardening of the network would have made this attack a lot less effective. And many other compromises The perimeter is now very porous, so the number of applications that ride on the back of legitimate protocols like http and https means that it is difficult for gateway solutions to block them as they have done in the past.  It is also the case that protocols like DNS and NTP are also being abused as they are frequently allowed through the firewall. The trend towards Bring Your Own Device (BYOD) creates inevitable additional security concerns.  These devices are no longer under the control of the IT department, so the company cannot enforce good policy; the user may habitually logon as ‘admin’, meaning any compromise is much more powerful; and users may have installed dubious applications for home use.  The list goes on. Voice over IP (VoIP) still remains a viable access point for hackers, as such applications have vulnerabilities.  TCP ports 5060 or 5061 must be open and sometimes are left open to the Internet along with the administration interface.  Once inside the firewall and on the server, if the internal network is not hardened, it can be possible to use techniques like VLAN hopping to gain greater access to the network.  Then there are the regular toll fraud exploits that allow attackers to rack up huge charges in a short amount of time. CCTV set up by some physical security companies can be left open to the Internet and provide an attack vector into the company.  Whilst the supplier installs and patches its application, the underlying server itself can be ignored, leaving vulnerabilities open to exploit.  It is also possible for the physical security company itself to come under attack, its infrastructure to be infected and an attack to be launched from a trusted provider. Some companies are using home routers as their gateway defence.  These are frequently not up to the task and have fundamental flaws in their administration interface, enabling attackers to gain a foothold on the network. Social Media has proved a good way of persuading users to download files and there is always a lag between the malware being released and anti-virus houses providing a solution to block it (by which time, it can be too late). Then there are the more esoteric attacks which are still remarkably successful.  Rogue wireless access points added to company networks and set up to sniff out username and passwords.  USB sticks left in parking lots and reception, which are then plugged into a system somewhere when ‘someone helpful’ tries to find out who it belongs to.  Wireless keyboard sniffers made to look like phone chargers allowing hackers to log all the keystrokes of a particular keyboard and learn the username and passwords of key accounts.  There have even been rumours that e-cigarettes have been infected with malware so that when they are plugged into the USB port of a laptop to charge, they will infect those laptops.  Whilst this last example is not confirmed, it is plausible and is indicative of the way attackers are thinking as they try to install their malware on as many systems as they can. Conclusion The examples above are in no way comprehensive.  One thought to take away from this article is that much of the hype is around targeted and advanced persistent threats, but the threat is greater than this.  It is definitely true that attackers are targeting particular companies, however, from the exploits described above, many of the attacks are not targeted, and those that are might be more aimed at an industry vertical.  For instance, an interesting article on double entry book keeping might result in an enthusiastic accountant double clicking on an infected document. If the firewall and anti-virus do not block attacks and if there is no visibility of the activity on the network, an organisation might not know it is infected until its customers tell it, which is just embarrassing and hugely damaging to company reputation.  Firewalls and anti-virus are highly important, but they are just part of what has to be a multi-layered approach to security with visibility of the activity on the network being a key part of the defence.        

back to all posts