For this week, conduct some research on a security incident where social engineering was used to learn additional information about the target, to ultimately gain unauthorized access to system(s). Provide the class with the reference to the article(s) you read about the incident, and tell us what you have learned from the incident that you can use when performing your own ethical hacking engagements.
Comments
Vince Kelly says
For this week, conduct some research on a security incident where social engineering was used to learn additional information about the target, to ultimately gain unauthorized access to system(s). Provide the class with the reference to the article(s) you read about the incident, and tell us what you have learned from the incident that you can use when performing your own ethical hacking engagements.
In 2011, RSA employees (RSA is the security division of EMC Corp) were the victims of a phishing attack that targeted a group of ‘low-level’ employees. Once the attack succeeded, the (state-sponsored) attackers were able to penetrate even deeper into the RSA infrastructure until they reached a point where they were able to exfiltrate critical IP around what was, until then, the ‘gold standard’ for corporate security – the RSA SecurID two-factor token authentication system. The breach ultimately cost RSA $66M and shook the security industry to its core – ‘…if a breach like this could happen to RSA, then it could happen to ANYONE!’ It was also interesting to see how a ‘meager’ social engineering attack like phishing could quickly mushroom into a major exploit.
The attack as described by RSA:
….Using a spear phishing campaign, the attackers lured an employee into retrieving a message from a junk mail folder and opening a Microsoft Excel spreadsheet containing an Adobe Flash zero-day vulnerability. From there, the attackers targeted other systems, elevating their privileges until they could gain access to RSA’s proprietary data.
The really interesting thing about this attack was that it was carried out EXACTLY as described on slide 11 of week 8 content – note the description of the attack in the RSA blog post
(https://www.rsa.com/en-us/blog):
“The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high-profile or high-value targets. The email subject line read ‘2011 Recruitment Plan.’ The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled ‘2011 Recruitment plan.xls.’
“The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).”
It is interesting to note in that post how they described the attack as ‘targeted’, and how ‘…you wouldn’t consider these users particularly high-profile or high-value targets…’ (just like week 8 slide 11 points out).
Once the phishing attack succeeded, the attackers then used a Poison Ivy attack to move from system to system until they were finally able to get to the systems containing RSA’s most valuable IP, which they then began to exfiltrate.
Below is an explanation of what Poison Ivy is and how it works:
Once inside a network, the attacker carries out privilege elevation attacks to gain access to higher value administrator accounts. Such stepping stone attacks allow hackers to jump from compromised access to a low interest account onto accounts with far more privileges before carrying out the end purpose of a multi-stage assault, normally the extraction of commercially or financially sensitive information.
Another interesting aspect of this breach was that RSA actually detected the attack too late – even though RSA detected the attack in progress, the hackers still managed to make off with sensitive data.
I took a couple of things away from this exploit:
– Attackers don’t always use sophisticated tools; they often start out small to gain access and then use more sophisticated tools as they progress through the environment.
– DEFENSE IN DEPTH is absolutely key! Creating enough barriers to just slow the attackers down could allow you more time for your detective controls to kick in.
The RSA breach: One year later
https://searchsecurity.techtarget.com/magazineContent/The-RSA-breach-One-year-later
RSA explains how attackers breached its systems
https://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/
Duy Nguyen says
https://www.forbes.com/sites/laurashin/2017/01/04/be-prepared-the-top-social-engineering-scams-of-2017/#6b0b0f217fec
The article reviews various social engineering scams of 2017. Unlike hacking, where the perpetrator has technical and in-depth knowledge of systems or processes, social engineering scammers use crafty and clever ways to trick users or customer service agents into giving away PII. An example that was referenced was scammers tricking customer service agents into sending users’ phone numbers to their devices, where they were able to use them to reset passwords to the victims’ accounts. The four main ways social engineering occurs are phishing, where scammers use email to trick someone into giving them access to critical information; vishing, which is the same as phishing but through voice; impersonation, which is done in person or on-site; and smishing, where the scam occurs over text messaging.
Some of the notable scams of 2017 were the IRS scams, where calls are made from a spoofed phone number to the victim and usually state that older tax debt needs to be paid right away or else the victim will face criminal charges. Another scam that was notable in 2017 was ransomware, where the scammers would convince a target that their data or computer has been hacked and encrypted. The only way to get back their data was to pay a set amount. One more that was mentioned in the article was the Business Email Compromise scam, where the perpetrator gains access to a business email account and pretends to be a high-level executive, usually emailing employees to wire money to certain accounts or disclose additional data.
One thing these incidents have in common is that the victim is always cooperative and does not ask the necessary questions. In a corporate setting, the most important thing would have to be training and educating employees on common security hacks, and teaching employees to be more cautious and aware of organizational policies and procedures.
Jonathan Reid Kerr says
https://resources.infosecinstitute.com/the-top-ten-most-famous-social-engineering-attacks/#gref
Out of the listed high-profile attacks that occurred from 2011 to 2016, I was most interested in the Bit9 attack and the attack on Target’s POS system.
https://krebsonsecurity.com/tag/bit9-breach/
In the Bit9 incident, the attackers used a watering hole attack, in which malware is installed on websites which employees might frequently visit. Once they hit their target, they stole the certificates that Bit9 used to sign their code. Thus, the attackers could pass off malware as legitimate software developed by Bit9, and infect other organizations that trusted the certificates. The reason I found this interesting was that Bit9 was used to target other organizations, and thus a penetration attack against them may not find such a vulnerability. Though from what I researched, the attackers gained an older certificate, presumably from a virtual machine, that they no longer used to sign their software. However, the attack used in this case and the use of Bit9 as a means to an end shows that protecting your own company from an attack is only part of the picture. Attacks which may impact companies other than the target organization should definitely be a factor in ethical hacking engagements, whether it’s for a company like Bit9 or for the ones which use their software.
https://www.pcworld.com/article/2087240/target-pointofsale-terminals-were-infected-with-malware.html
The other attack in the article is the one on Target’s POS system. In a similar fashion to the Bit9 attack, the initial target was not Target itself, but a company which provided maintenance for many of its HVAC systems. The company in question, Fazio Mechanical Services, was targeted with a phishing email which allowed the attackers to gain employee credentials. Due to the way Target’s network was set up, with the payment network connected to the rest of the network, the attackers were in once they had network credentials from Fazio. Once inside, they installed malware which allowed them to record and extract customer information from transactions stored in the POS system’s RAM. This attack, in a similar fashion to Bit9, shows that you have to be aware of not just your own vulnerabilities but those of services or systems that your company uses. This is definitely a method of attack which needs to be addressed, though testing for such an attack may not be feasible or possible in some situations.
Dan Bilenker says
“Fraudsters duped this company into handing over $40 million”
Author: Robert Hackett 10AUG2015
Ubiquiti Networks is a San Jose, CA based manufacturer of networking products. In a 4th quarter earnings announcement for FY2015, the company announced it had been the victim of a $40 million wire-transfer scam. The scammers targeted employees responsible for controlling vendor payments and overseeing financial records. Surprisingly, the method of attack was very low-tech. To execute the fraud, the scammers posed as senior company executives and sent e-mails to finance employees instructing them to update vendor payment accounts. The updates included minor variations to bank account numbers, causing all subsequent payments to be mistakenly transferred to fraudulent accounts. Due to the extremely minor changes requested, finance employees did not suspect that they were being duped into transferring money to criminal accounts. Once the breach was discovered, the company successfully recovered $8.1 million and was litigating an additional $6.8 million. The potential to regain the rest remains uncertain. In its investigation of the fraud, Ubiquiti found that no internal systems were compromised, nor was any PII or proprietary data obtained in the breach. The attack was extremely effective without penetrating the IT assets of the company.
The FBI recommends the following measures to protect against IT based social engineering attacks:
Avoid Free Web-Based E-mail: Refrain from using free web based email accounts to conduct company communications. Establish a trusted domain, and require all e-mails pertaining to business related matters to originate from within the established domain.
Be careful on social media: Avoid posting information that can be used to falsify your identity. Ensure pictures don’t contain information that can be used to impersonate you, or information about your place of work.
Thoroughly read emails and be wary of emails that urge secrecy or hasty action. If you receive an email as such, verify before acting. For example, if you receive an email that appears to be from your boss, urging you to update vendor payment accounts immediately, contact them and verify that the request is legitimate.
Consider additional IT and Financial security procedures and 2-step verification processes.
Beware of sudden changes in business practices that differ from established norms, such as a contact suddenly requesting to be contacted via personal email or phone.
Immediately delete unsolicited e-mail (spam) from unknown addresses or users. Once verified, do not open spam e-mail, click on links in the e-mail, or open attachments. Typically, these types of emails serve as a vessel for malware and other malicious items.
LINK TO ARTICLE:
http://fortune.com/2015/08/10/ubiquiti-networks-email-scam-40-million/
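The measures listed in the comment above (keep business mail on an established domain, be wary of urgency or secrecy, watch for a contact suddenly switching to a personal address, verify payment changes out of band) can be turned into an automated screening step in front of the finance team's inbox. What follows is an added example, not code from the thread, from Ubiquiti or from the FBI guidance. The trusted domain `example.com`, the executive directory, the signal wording and the three sample messages are all constructed for the demonstration; a real deployment would feed it the organisation's own domain and directory and hold flagged mail for a phone call to a known-good number rather than relying on the verdict alone.

```python
"""Screen inbound mail for business e-mail compromise (BEC) signals.

Added example. TRUSTED_DOMAIN and EXECUTIVE_NAMES are placeholders for an
organisation's real domain and executive directory; the sample messages at the
bottom are constructed, not real mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                 # assumption: the established business domain
EXECUTIVE_NAMES = {"pat ceo", "sam cfo"}       # assumption: display names a fraudster would borrow
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

URGENCY_RE = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|right away|confidential|"
    r"keep this (?:between us|quiet)|do not (?:discuss|mention))\b", re.I)
PAYMENT_RE = re.compile(
    r"\b(wire(?: transfer)?|bank account|account number|routing number|"
    r"payment (?:details|instructions)|beneficiary)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character domain lookalikes (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True for near-miss spellings of the trusted domain or domains that embed its label."""
    if not domain or domain == TRUSTED_DOMAIN:
        return False
    label = TRUSTED_DOMAIN.split(".")[0]
    return edit_distance(domain, TRUSTED_DOMAIN) <= 2 or label in domain


def screen(raw: str) -> dict:
    """Collect BEC signals from one RFC 822 message and decide whether to hold it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    from_dom, reply_dom = domain_of(addr), domain_of(reply_to)

    signals = []
    if is_lookalike(from_dom):
        signals.append("sender domain is a lookalike of the trusted domain")
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom != TRUSTED_DOMAIN:
        signals.append("executive display name on an external address")
    if from_dom in FREE_WEBMAIL or reply_dom in FREE_WEBMAIL:
        signals.append("free webmail address used for business correspondence")
    if reply_dom and reply_dom != from_dom:
        signals.append("Reply-To diverges from From")
    if URGENCY_RE.search(body):
        signals.append("urgency or secrecy language")
    if PAYMENT_RE.search(body):
        signals.append("payment or bank-detail instruction")

    # A lookalike domain alone is enough to hold; otherwise require two independent signals.
    hold = is_lookalike(from_dom) or len(signals) >= 2
    return {"from": addr, "signals": signals,
            "action": "hold for out-of-band verification" if hold else "deliver"}


# Constructed sample messages (not real mail).
BEC_LOOKALIKE = (
    'From: "Pat Ceo" <pat.ceo@examp1e.com>\n'
    "Reply-To: pat.ceo@gmail.com\n"
    "To: payables@example.com\n"
    "Subject: Vendor account update\n"
    "\n"
    "Please update the vendor's bank account number on file immediately.\n"
    "Keep this confidential until the transfer clears.\n"
)
WEBMAIL_EXEC = (
    'From: "Pat Ceo" <patceo.office@gmail.com>\n'
    "To: payables@example.com\n"
    "Subject: Quick favour\n"
    "\n"
    "Are you at your desk? I need a wire sent out asap, will explain later.\n"
)
LEGIT_INTERNAL = (
    'From: "Pat Ceo" <pat.ceo@example.com>\n'
    "To: staff@example.com\n"
    "Subject: Thursday agenda\n"
    "\n"
    "Attached is the agenda for Thursday's staff meeting.\n"
)

if __name__ == "__main__":
    for sample in (BEC_LOOKALIKE, WEBMAIL_EXEC, LEGIT_INTERNAL):
        print(screen(sample))
```

None of these checks replaces the phone call the comment recommends; the point of the script is to decide which messages earn that call, and to make sure a changed account number never reaches the payments system on the strength of an e-mail alone.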