Friday, December 14, 2007

Targeted attacks

Cyber Crooks are beginning to take more time in preparing attacks and doing thorough research in hopes of pulling off Social Engineering attacks that will net them valuable data. Social Engineering is becoming one of the most popular attack methods in recent years. Phishing attacks trick users into giving up their login credentials to various sites such as Paypal, Ebay, Online Banking and many others.

Recently a targeted attack was launched at Oak Ridge National Laboratory (ORNL) where crooks tricked employees into opening an attachment that appeared to be official.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications. When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory."

Attackers will gain as much information about an organization as they can and then craft the attack appropriately. If they are looking at a Life Insurance company they know there is data somewhere that will allow them to commit identity theft. They must figure out how to get that data. They will likely try and find out who the key people in the organization is and what their role in the company is. If this is an attack to be carried out by organized crime they will likely have a lot of resources at their disposal. I would guess they would have security experts from the dark side on their team who have been searching for and possibly finding unknown vulnerabilities that can be exploited.

US-CERT just released an advisory about attacks involving exploitation of Microsoft Access Database files.

US-CERT is aware of a stack buffer overflow vulnerability in the way that Microsoft Access handles specially crafted database files. Opening a specially crafted Microsoft Access Database (e.g., .MDB) can cause arbitrary code execution without requiring any additional user interaction. Microsoft Access files are considered to be high-risk, so it may be possible to execute arbitrary code without using a vulnerability in Microsoft Access.

There isn't a lot of information on this current advisory and it isn't know if this an exploit for an unknown vulnerability or not. If it is an unknown vulnerability and someone has exploit code for it they have a perfect tool to break into a network with. It is unlikely that anti-virus or SPAM filters would detect this file if sent as an attachment. Some organizations will block this kind of attachment. One good way to deliver the goods would be to find an XSS (Cross Site Scripting) vulnerability on their own website where they can then host an evil link to the file which appears to be located right on the organizations own website. An email can be sent to the appropriate people (CEO, Finance Director, System Administrator, etc) with a link and other text making it look legit. They may even include the company logo and an official looking signature. If one of the recepients opens the attachment (that currently isn't detected by AntiVirus) the exploit would run and possibly compromise the computer of the user. Most of the time an exploit would download other malware from an external site and then install it on the system. If the user is logged in with administrator rights then a rootkit could be installed to hide all the files planted on the system. So even down the road AntiVirus knows how to detect the malware the rootkit will be hiding it from the AntiVirus software. This could go undetected long enough for the attackers to capture keystrokes from the unsuspecting user. Once they get the login information they need they can then login to other applications where the data may be stored. If the end user was a DBA or other user that has direct access to the sensitive data it is pretty much game over.

You will likely hear me often mention one vulnerability (actually it was a feature) that existed in every single version of Windows back to version 3.0 in 1990. The Windows Metafile Vulnerability which was made public December 2005. This 'feature' would allow anyone that had proper exploit code gain complete control over the system. For 15 years this existed! We can only speculate at how many people found that vulnerability and exploited it over the years. A fix was released from Microsoft to address the problem but they kind of dragged their feet a little. SANS published a diary about a Zero Day WMF Exploit problem that caused the Internet to turn Yellow (at least the SANS ISC Infocon Color turned yellow). For Microsoft Windows users the Internet was just plain unsafe. There was no offical patch or workarounds initially so everyone was vulnerable. With exploit code freely available all you had to do was generate an evil WMF file, rename it to something.jpg (Windows finds the incorrect filename and fixes it for you! doh!) and then embed into your most trusted forum or your Myspace page and infect anyone that simply viewed the image.

It is very hard to protect yourself from targeted attacks from exploits to unknown vulnerabilites. Those that are watching their networks very closely are more likely to see such an attack and act before much damage is done. An elite System Administrator will have various things in place to watch for suspicious activity. Intrusion Detection Systems, Syslog Servers, file monitoring software such as Tripwire, host based security suites that include protection from viruses, spyware and contains things like anomaly detection, web surfing protection and buffer overflow protection. The old days of just having AntiVirus software and a firewall are long gone. You really need to have as many layers of security and protection in place as possible and then still be very careful. And look at your logs often!

1 comment:

Smith said...

Hey Thanks a lot for sharing such a nice article, i had gone through it,SECURITY IS a major concern these days, not only in physical space but also in the cyber space.for more information check this link: