August 16, 2018

When Attackers Go Spear Phishing,
 Instructions Are Followed

By  Uncategorized  0 Comments

What does the indictment by the US Department of Justice of 12 Russians teach us about securing our information systems?

As you may recall, in 2016, as the primaries are being held to choose the candidates for the US Presidential election in November. The indictment charges the Russians of manipulating public opinion by hacking systems of State Board of Elections (SBOE), the Democrat National Committee (DNC), and the Democratic Congressional Campaign Committee (DCCC) to release select information.

Now, in July 2018, Robert S. Mueller, as the head of the DoJ, has filed an indictment against 12 Russian nationals who are accused of being the perpetrators of these intrusions and resulting leaks of confidential information that benefitted the Republican campaign.

As a CSO tasked with securing your organization’s information system, is there something, anything, beyond the politics of it all, to be learned from this? Perhaps this indictment, beyond the primary purpose that it serves in it’s judicial context, can shed some light on what exactly such attacks look like.

You can distinguish 2 different attack vectors:

E-Mail

Generic Spear Phishing: attackers targeted some well-known figures with purpose built e-mail messages and fake web sites to get credentials.

Socially Weaponized Spear Phishing: by analyzing the e-mail messages recovered by the previous, successful, spear phishing campaigns, the attackers can target high-value, but less well-known, actors of a target organization with with messages and wording that closely resembles the culture and tone of the impersonated sender and target. The efficacy of this approach can be augmented by typo-squatting legitimate e-mail addresses that the attackers are trying to impersonate.

Vulnerabilities

Scanning: the attackers can go looking for vulnerabilities in the target infrastructure manually or using automated tools.

Exploitation: if vulnerabilities are found, the attackers will try to exploit these. In this situation they installed malware such as X-Agent to recover key strokes and screen shots, and later X-Tunnel to exfiltrate large amounts of data.

Anatomy of the Phishing Attacks

  1. The attackers used a Yandex e-mail account to send e-mail messages to people. These messages were crafted to look like messages from Google.
  2. Inside these mails were shortened URLs, provided by Bitly, pointing to a fake Google login page.
  3. The fake page was well crafted and difficult to distinguish from a real Google login page.

Data Exfiltration

The attackers have two ways to get data out:

  1. collecting the data e-mail messages from compromised accounts, and
  2. using X-Agent and X-Tunnel to extract files from computers.

But there is a third way, which is much harder to detect. Many large organizations now use Cloud computing services such as AWS or Azure. These Cloud services provide mass storage features – mass storage which can be cloned and copied elsewhere. Using the stolen credentials from the spear phishing and X-Agent keystroke logging, attackers gained access to the Cloud service accounts.

Much more convenient and much harder to detect than using specialized tools that need to be installed on compromised target systems, that still need to upload the data unto machines on the Internet.

Response

The attackers have many advantages:

  • They can change their tactics as fast as needed to adapt to the target environment. Until they find a way in, they keep trying.
  • They have no SLAs to meet or respect.
  • They can generate revenue to support their objective illicitly – such as by mining crypto currency on foreign compute power or redirecting donation traffic from a legitimate site to a real fake copy.

Siphoning off donations is particularly insidious, as neither the party which should have received the funds is likely to notice that the funds never arrived, nor is the person donating expecting any kind of product in return and will likely also never notice their donation was stolen.

Nevertheless, the attackers are limited by two significant constraints:

  1. remaining undetected, and
  2. being able to process the vast volumes of data that might have been stolen.

When the DNC and DCCC became aware that their networks had been infiltrated and machines compromised, CrowdStrike analyzed the extent of the breach and proceeded to remove the intruders over the course of 6 months.

Regardless of whether you are Manning, Snowden, Guccifer 2.0, or anon – if you bulk release the stolen data it will have hardly any impact. You need to analyze the context and distill it into a 140 character sound-bite that speaks to the self-righteous rage of your supporters or opponents. Getting the data might be the easy part, using it effectively is the hard part. Consider for example the 9GB data dump that tried to harm the En Marche campaign in France versus the one picture of a financial document trying to tie Macron to off-shore banks.

Countermeasures

Protect your web assets: there should be a vulnerability management program in place to identify vulnerabilities and fix them. This extends to web application vulnerabilities. Complement this with web application firewalls which are a good counter measure to detect attacks inside web applications. Detection is easy – just don’t forget to fix.

Protect your e-mail: perhaps scrub all links and attachments from e-mail?

Or, if your e-mail provider is in the Cloud, consider using multi-factor authentication.

Google e-mail now have an Advanced Protection Program, which requires users to use a physical Security Key, in addition to their password, to sign in to their Google Account.

Identity Access Management: have assurance that you know who connected to do what on which cloud Application, and for what reason.

Amazon Web Services, Google Cloud, and Microsoft Azure all support multi-factor authentication. If credentials are stolen, attackers should not be able to re-use them from elsewhere.

When All Else Fails

When all else fails of course you want to call in law enforcement, specialized government agencies, and specialist consulting companies.

But you might also want to leverage the principle of garbage in, garbage out, and take advantage of the attackers’ difficulty in identifying garbage in the volumes of data that they may have exfiltrated.

The En Marche campaign flooded the attacker’s phishing site with legitimate and garbage credentials, they also added garbage content to e-mail exchanges. Perhaps the claims that Macron had off-shore bank accounts was actually based on a fake document they planted.

Patently false claims destroy the credibility of any leaker.

References

https://int.nyt.com/data/documenthelper/80-netyksho-et-al-indictment/ba0521c1eef869deecbe/optimized/full.pdf

https://www.secureworks.com/research/threat-group-4127-targets-google-accounts

https://acsc.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

https://acsc.gov.au/publications/protect/cloud-security-tenants.htm

https://www.thedailybeast.com/fighting-back-against-putins-hackers

https://www.nytimes.com/2017/05/09/world/europe/hackers-came-but-the-french-were-prepared.html

https://landing.google.com/advancedprotection/

https://aws.amazon.com/iam/details/mfa/

https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/

https://cloud.google.com/identity/solutions/enforce-mfa