Thursday
Jan032013

First Phish of the New Year

Well, it looks like 2013 is going to be another interesting year in cyber security. We are not even through the first couple of days, and somebody has already thrown the first phishing line into the water. I'm sure that all of you have at some point received an email that made you scratch your head. If not... just wait, more will follow. Firewalls are configured to block unwanted incoming packets, and attackers know that if someone on the inside clicks on a link or opens an attachment, the resulting connection is initiated by the user's own machine, so a stateful firewall treats the returning packets as a legitimate reply and escorts them safely through over existing open ports.

Phishing attacks accounted for the highest number of cyber security incidents in 2012, and it looks like 2013 is off to a great start. Check out the little gift that showed up in my inbox this morning...

(Image: First Phish of the New Year)

If you ever receive an email that asks you to click on a link or open an attachment, take a step back and read all of the details in the email first to make sure that it seems right. Look at the actual sending address and domain, not just the display name, because the display name is free text that the sender can set to anything. For me this one was an easy one to detect because I do not have any IT Services or inboxes hosted in Sweden (the .se domain extension on the email source). Even if the content of the email seems right and appropriate, I would take an additional precaution and go to the root domain of the source of the email to see if the domain is even a legitimate web site. Do that by typing the domain into a browser yourself, preferably from an isolated machine, rather than by following any link in the message, and bear in mind that the reverse check is weaker: a real web site at that domain does not prove the mail came from it, since a From address can be forged unless the receiving mail server checks SPF or DKIM. So for this one, I went to www.svenskakyrkan.se (mostly out of curiosity), and found that the site did not exist.

Okay, so I'm now 2 out of 2, and know for sure that this is a phishing campaign to attract unknowing victims to click on the email. Lastly, if you are a brave soul, you could spin up a virtual machine and actually click on the link... start up a debugger, open up a bag of popcorn, and sit back and enjoy the entertainment as the malware hooks into the operating system of your virtual machine and begins to phone home to the owner of the site, who now has remote control of your computer. If you do this, give the VM no shared folders and no route to your production network, take a snapshot first, and throw the VM away afterwards. I'm not saying that this is what the link in this phishing campaign does, but many like this one are designed to allow a remote attacker to have control of your computer.

So not even 3 days into the New Year, the nets are being cast, the botnet armies are swarming, malware is rampant, and it is apparent to me that 2013 will be another wild year in the world of cyber security. Brace yourself folks, it's going to be a fun ride.

Best Wishes for the New Year!

Jonathan

Tuesday
Oct162012

Be careful of what you click on

October is Cybersecurity Awareness month, and it just happened that I received an interesting email yesterday that I can use to show the importance of being aware of what you click on with your computer, smartphone, or tablet device. This is the story of how I was able to detect a Location-Based Phishing Attack with a Malware Dropper yesterday.

I received an email that at first glance appeared to come from Delta Airlines. (See the image attached to this article).

Since I do travel a lot, I was thinking that maybe this was a mistake because I don't normally travel on Delta. The body of the message also indicated travel out of Riverside, which was not far from where I was working yesterday.

The following things looked strange to me:

1. The creator/sender of this email had captured the location from my ISP (Internet Service Provider), and used a script to automatically write into the body of the email the closest airport as a way to get me interested in clicking on the attachment. I did not have plans to travel out of that airport, but I was still curious in case Delta had made an error somehow.

2. When I looked at the attachment, it was not an eTicket or even a PDF file; it was a .ZIP file, an archive that can hold any kind of file, including executables.

3. Upon further inspection, the actual email address domain was not @delta.com but something close, @deltaa.com, with an extra "a" in the domain name. Anyone can register a domain like that and send mail from it that is technically legitimate: it comes from a domain the sender really controls, so no DNS or header spoofing is required and sender checks such as SPF can pass, yet the name is close enough to fool someone who does not take the time to look closely at it.

4. At this point, my spidey senses were on alert, and I was about 99% sure that this was a malicious phishing attack, but I wanted to check out that .zip file. I carefully copied the .ZIP file into a clean sandbox VM (virtual machine) environment and expanded its contents. The file inside the .zip container was a .EXE executable, and it was definitely malicious.
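As an added example, not code from this post, here is a Python check that automates two of the tells above, and also the sending-domain check from the "First Phish of the New Year" post: it parses a message, compares the sender's domain against an allowlist of domains you actually do business with, using edit distance to catch one-letter lookalikes such as deltaa.com, and looks inside any .zip attachment for executables. The message, the addresses and the stub "executable" are constructed for the example; the allowlist, the distance threshold and the extension list are assumptions.

```python
import email
import email.utils
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows will execute directly when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_message() -> bytes:
    """Constructed sample: a lookalike sender domain plus a .zip wrapping a .exe stub."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("eTicket_Delta.exe", b"MZ stub, not a real binary")
    msg = EmailMessage()
    msg["From"] = "Delta Air Lines <eticket@deltaa.com>"   # note the extra "a"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your Delta eTicket - departure from Riverside"
    msg.set_content("Your electronic ticket is attached. Please print it before travel.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="eTicket.zip")
    return bytes(msg)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain of the real address in From:, ignoring the display name."""
    _, addr = email.utils.parseaddr(str(msg["From"]))
    return addr.rsplit("@", 1)[-1].lower()


def archive_executables(data: bytes):
    """Names of members inside a zip whose extension is directly executable."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m for m in zf.namelist()
                if os.path.splitext(m)[1].lower() in EXECUTABLE_EXTENSIONS]


def analyze(raw: bytes, trusted_domains):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    if domain not in trusted_domains:
        # Distance 1 or 2 from a trusted name is the classic typo-squat (assumed threshold).
        close = sorted(t for t in trusted_domains if 0 < edit_distance(domain, t) <= 2)
        if close:
            findings.append(f"lookalike sender domain {domain} (close to {', '.join(close)})")
        else:
            findings.append(f"sender domain {domain} is not on the trusted list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if ext == ".zip":
            try:
                for member in archive_executables(data):
                    findings.append(f"archive {name} contains executable {member}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} is not a valid zip archive")
        elif ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"attachment {name} is a direct executable")
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_message(), {"delta.com"}):
        print("ALERT:", finding)
```

The domain test is deliberately done on the parsed address, not on the whole From: header, because "Delta Air Lines <anything@anywhere>" is exactly the trick a display name is used for. The zip is opened in memory and never extracted to disk, so the check is safe to run on a mail gateway.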

You see, several years ago hackers used to try clever ways to bypass firewalls or overwhelm system resources, but these tactics eventually were detected, logs of their attempts alerted system administrators, and defenses were built to keep them outside of the network. Many in the offensive community determined quickly that since firewalls allow certain types of traffic through as part of the normal process of doing business, an easier way to compromise a system is to slip a malicious file or malware through existing open channels, like email, web, or other known legitimate business traffic. Now all they needed to do was to have a human on the other end click on their bait to essentially digitally invite them into the network.

This email that I received was what I would call a Location-Based Phishing Attack with a Malware Dropper. It used my location to automatically craft an email naming the closest airport; it used a look-alike domain that the sender actually controlled, so the message passed as legitimate mail from that domain rather than being labeled junk or blocked as a domain-spoofing attempt; and it used a .zip archive to carry the dropper, a malicious executable, onto the victim's machine. Once run, the .EXE installs itself as a rootkit and beacons outbound through ports the firewall already permits to one or more C&C (command and control) servers on the Internet, which gives the attacker remote control of the computer. No inbound hole is needed, because the victim's machine is the one opening the connection.

Now this attack was definitely clever and could have been successful on me had I not noticed a few things that seemed out of place. If I had my black hat on, though, I would have made this attack even more deadly by using a malicious PDF file that looked like a boarding pass instead of a zip file. Most people happily click on PDF documents every day.

Hope this example that happened to me can be a lesson for all of us to be careful of what we click on. Please pass along this link to coworkers, friends, and family.

I know this month overlaps with Breast Cancer Awareness month, but I don't think my laptop would be happy with a pink cover on it.

Happy Cybersecurity Awareness Month, and practice safe computing!
Jonathan

Wednesday
Sep122012

Critical Industrial Facilities in the US Still Not Getting Security Right 

We are hired on a routine basis to conduct penetration testing of utility systems and NERC CIP Cyber Vulnerability Assessments of the internal SCADA components as well, so my remarks below emanate from real field work that we have been conducting for over 10 years now.

A solid cyber security program must be balanced between four key themes:
1. Building and maintaining a strong DEFENSIVE capability to block threats at the perimeter
2. Having the DETECTION capabilities to know when something abnormal has occurred
3. Developing your IT security team's capabilities through training and exercises so they are prepared to RESPOND when needed
4. Leveraging technology to be able to quickly RESTORE systems after an attack or incident

To sum it up to one word each, the four stages of cyber security that we see are:
1. DEFEND
2. DETECT
3. RESPOND
4. RESTORE

1. Unfortunately, many of our clients in the utility industry may claim they are NERC CIP compliant, and they may have checked all of the regulatory check boxes, but when the rubber meets the road they are not truly ready for a real cyber threat when it hits. They do not have the capability to really defend their systems from a targeted spear-phishing attack (because humans will click on attachments and links they shouldn't despite all of the awareness training you throw at them). They should leverage IPS appliances at the perimeter of their networks that perform deep packet inspection of every packet entering the network, keeping in mind that an IPS cannot see inside encrypted sessions unless it terminates them. Technology can help offset human weaknesses.

2. They do not have the detection systems in place to know when malware or a rootkit is phoning home to command and control servers and stealing information off of their network. Many are not monitoring their front door. A simple network monitoring solution that records, baselines and alerts on abnormal traffic patterns, such as an internal host calling the same outside address on a fixed schedule or a port suddenly sending far more bytes than usual, can catch a large share of APT intrusions, but very few are investing in these monitoring systems.

3. While they may have documented procedures for responding to incidents, their staff has not exercised the procedures enough to know instinctively what to do... if they are able to detect that they have been compromised at all. Building out an Incident Response capability is very important, and it is too late to do it while you are under attack. The plans and procedures must be built before the attack happens, and the technical staff should be ready to invoke the Incident Response process at any given time and know what steps to follow to contain the threat and start the recovery process.

4. Lastly, many of the sites that we have been to are not ready to restore these systems quickly back to a "normal" state. There have been great advancements in technology over the past 10 years. The days of restoring from tape are long behind us. Many systems can now leverage Virtual Machine (VM) technology, full system backups, over-the-wire backup and restore, and fully redundant, high-availability capabilities so that they can survive with parts of the system taken down, or restore systems back to a clean state within minutes.
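An added example, not from the post, of the kind of simple monitoring the DETECT point calls for: it reads outbound-connection log lines and flags any internal host that talks to the same external address at near-constant intervals, which is the signature of a rootkit or bot phoning home to its C&C server on a timer. The log format, the addresses and the thresholds are constructed for the example and are assumptions; a real firewall or proxy log carries the same three fields.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log (timestamp, internal source, external
# destination:port). Host 10.1.1.25 calls 203.0.113.7 every 60 seconds; the
# 10.1.1.40 lines are ordinary browsing noise. Addresses are documentation ranges.
SAMPLE_LOG = """\
2012-09-12T08:00:00 10.1.1.25 -> 203.0.113.7:443
2012-09-12T08:00:12 10.1.1.40 -> 198.51.100.20:80
2012-09-12T08:01:00 10.1.1.25 -> 203.0.113.7:443
2012-09-12T08:01:30 10.1.1.40 -> 198.51.100.33:80
2012-09-12T08:02:00 10.1.1.25 -> 203.0.113.7:443
2012-09-12T08:02:45 10.1.1.40 -> 198.51.100.20:80
2012-09-12T08:03:00 10.1.1.25 -> 203.0.113.7:443
2012-09-12T08:04:00 10.1.1.25 -> 203.0.113.7:443
2012-09-12T08:04:10 10.1.1.40 -> 198.51.100.51:443
2012-09-12T08:05:00 10.1.1.25 -> 203.0.113.7:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Group connection timestamps by (src, dst, port); skip lines that do not match."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(
            datetime.fromisoformat(m.group(1)))
    return flows


def beacon_score(timestamps, min_events=5):
    """Return (mean gap in seconds, coefficient of variation), or None if too few events.

    A low coefficient of variation means the gaps are nearly identical, i.e. a timer.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, max_cv=0.2, min_events=5):
    """Flows whose inter-connection gaps are regular enough to look like beaconing."""
    hits = []
    for (src, dst, port), ts in parse_log(text).items():
        score = beacon_score(ts, min_events)
        if score and score[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval": score[0], "cv": score[1]})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['interval']:.0f}s (cv={hit['cv']:.2f})")
```

The coefficient-of-variation threshold is the knob that matters: real implants add random jitter to their sleep, so 0.2 (assumed here) is a starting point to tune against your own traffic, and the minimum event count keeps a handful of coincidentally spaced connections from paging anyone.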

Hope these comments / thoughts can help you determine if your organization has those above four areas of cyber security covered!

Jonathan

Thursday
May312012

"Flame" Virus Reinforces the Need for Situational Awareness

If you are a security professional, or working in an IT Security capacity, I'm sure you have heard by now of the "Flame" virus that is being used to extract intellectual property with various stealth surveillance capabilities, including turning on the system microphone to record conversations in the room.  This hacking framework has been likened to Stuxnet, but it does not have the same targeted focus of causing damage to SCADA and Industrial Control Systems equipment. The main objective of this virus appears to be to steal information.

While some have called this the most complex malware framework since Stuxnet, in my opinion, Flame is just the next logical evolution for similar IP-stealing threats we have seen for the past 18 months.

Although Flame does not appear to have been written to specifically harm SCADA and Industrial Control Systems, it does reinforce the need for strong perimeter protection and situational awareness.  Since Flame is targeting corporate IT environments, those organizations that still have their SCADA and Industrial Control Systems directly on their Corporate IT networks will have the most difficult time in protecting their SCADA / ICS components.

We are often asked by our clients what small security investments would pay off the most in terms of a more secure environment. Implementing a strong perimeter between the corporate IT and SCADA networks will block about 95% of typical IT threats. If we assume that most major corporations have been or will be hacked at some point in their lifecycle, we should back up that strong SCADA defense perimeter with detective capabilities. In our field assessments, we have seen an unfortunate trend that most organizations do not have the technology or processes in place to detect when they have been compromised. Monitoring basic network statistics like the amount of traffic (bytes) sent and received by each switch port and trunk can provide a clue when information is being stolen right through the firewall.
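The per-port byte-count clue above, as an added example that is not from the post: a baseline of egress bytes per interval on each switch port (the kind of series you would get from SNMP ifOutOctets deltas or sFlow counters) and a test that flags the latest interval when it stands far outside that baseline. The counter values, port names and thresholds are constructed for the example.

```python
import statistics

# Constructed bytes-sent-per-5-minute-interval series for two switch ports.
# The engineering workstation's last interval is a burst roughly 45x its norm,
# which is what a bulk pull of project files or historian data looks like.
SAMPLE_COUNTERS = {
    "Gi0/1 (engineering workstation)": [
        41200, 39800, 44100, 40500, 42300, 43000,
        41900, 40100, 42700, 41400, 43600, 1950000],
    "Gi0/2 (historian)": [
        180000, 176000, 183000, 179000, 181000, 177500,
        182000, 180500, 178000, 181500, 179500, 180200],
}


def baseline(samples, window):
    """Mean and population stddev of the `window` intervals before the latest one."""
    history = samples[-window - 1:-1]
    return statistics.mean(history), statistics.pstdev(history)


def check_port(samples, window=10, zscore=4.0, min_ratio=3.0):
    """Return details if the latest interval is anomalous, else None.

    Two tests must both fire (thresholds are assumptions): the latest value is
    `zscore` standard deviations above the baseline, and it is at least
    `min_ratio` times the baseline mean. The ratio test stops a nearly constant
    port with a tiny stddev from alerting on trivial wobble.
    """
    if len(samples) < window + 1:
        return None
    mean, sd = baseline(samples, window)
    latest = samples[-1]
    z = (latest - mean) / sd if sd > 0 else float("inf")
    if z >= zscore and latest >= min_ratio * mean:
        return {"latest": latest, "baseline": mean, "z": z}
    return None


def find_exfil_candidates(counters, **kwargs):
    """Ports whose latest interval fails check_port(), keyed by port name."""
    hits = {}
    for port, samples in counters.items():
        result = check_port(samples, **kwargs)
        if result:
            hits[port] = result
    return hits


if __name__ == "__main__":
    for port, info in find_exfil_candidates(SAMPLE_COUNTERS).items():
        print(f"{port}: {info['latest']} bytes vs baseline "
              f"{info['baseline']:.0f} (z={info['z']:.1f})")
```

On a SCADA network this works better than it does in a corporate LAN precisely because control traffic is so regular: a port that has sent 40 KB every five minutes for a month and suddenly sends 2 MB is worth a phone call, whereas the same jump on a desktop subnet is a software update.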

Ask yourself and others within your company if you believe that your organization can currently deflect stealthy network attacks like Flame. Then ask the next question... Can you detect if you have been compromised? Start asking the tough questions - that is the only way we can collectively increase our level of security.

Jonathan

Tuesday
Apr102012

New PLC Exploits Coming to a Metasploit /scada folder near you

Dale and Reed at Digital Bond have taken some of their Project Basecamp research and weaponized several Metasploit exploits for point-click-shoot PLC mayhem. This includes the "modiconstux" module, which implements a Stuxnet-type attack on a Schneider Modicon Quantum PLC.

The other basecamp exploit modules released yesterday are:

1. Modiconstop – Stops a Schneider Modicon Quantum PLC from operating. It is another command that lacks authentication or any other security, and it takes only one packet to stop the CPU.

2. Ged20tftpbo – A buffer overflow of the tftp service on the GE D20 PLC. Note that other GE D20 Metasploit modules had been released earlier in Project Basecamp including modules that allow remote control and recover all user credentials.

More information can be found at the Dark Reading site.

While it is nice to have the ability to demonstrate how easy it is to subvert PLCs, RTUs, and embedded control system devices, I struggle with how asset owners will be able to react to this to quickly close the risk associated with releasing this capability into the public domain. It is one thing to show this in a training class or security conference for effect or to raise awareness, but it is another thing to release the capability to anyone with an Internet connection and latest BackTrack release.
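Since the stop command needs no authentication, the only place an asset owner can catch it today is on the wire. As an added example, not from this post and not from Digital Bond's modules, here is a Python check that parses a Modbus/TCP frame, classifies its function code as a read, a standard write or a vendor-specific command, and flags state-changing traffic from any host not on the engineering allowlist. The frames and addresses are constructed; the allowlist, and the mapping of function code 90 (0x5A) to Schneider's vendor-specific UMAS channel, are this example's assumptions.

```python
import struct

# Function codes that change PLC state. 5/6/15/16/22/23 are standard writes;
# 90 (0x5A) is the vendor-specific code Schneider uses for its UMAS channel
# (assumption stated in the lead-in). Anything else is treated as a read.
STATE_CHANGING_FC = {5, 6, 15, 16, 22, 23}
VENDOR_FC = {90}

# Hosts permitted to write to the PLC (engineering workstation and HMI).
# Invented addresses for the example.
WRITE_ALLOWLIST = {"10.20.0.10", "10.20.0.11"}


def parse_modbus_tcp(payload: bytes):
    """Split a Modbus/TCP ADU into its MBAP header fields and PDU.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2, bytes that
    follow the length field), unit id (1); then the PDU starts with the function code.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": uid, "fc": payload[7], "data": payload[8:]}


def classify(src_ip: str, payload: bytes) -> str:
    """Label one frame: read, write, vendor-specific, with a suffix for unexpected sources."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return "not-modbus"
    fc = frame["fc"]
    if fc in VENDOR_FC:
        kind = "vendor-specific"
    elif fc in STATE_CHANGING_FC:
        kind = "write"
    else:
        return "read"
    return kind if src_ip in WRITE_ALLOWLIST else kind + " from unexpected host"


# Constructed frames, not captures from any real device.
READ_HOLDING = bytes.fromhex("00010000000601030000000A")   # FC 3: read 10 registers from 0
WRITE_SINGLE = bytes.fromhex("00020000000601060001ABCD")   # FC 6: write 0xABCD to register 1
VENDOR_CMD = bytes.fromhex("000300000004015A0140")          # FC 90 with two invented data bytes


if __name__ == "__main__":
    samples = [("10.20.0.10", READ_HOLDING), ("10.20.0.10", WRITE_SINGLE),
               ("10.99.0.5", WRITE_SINGLE), ("10.99.0.5", VENDOR_CMD)]
    for src, frame in samples:
        print(f"{src}: {classify(src, frame)}")
```

Treat this as detection, not a control: an attacker already on the control segment can spoof the source address or pivot through the allowed workstation, so the alert buys you a chance to respond, while the lasting fix is a front-end firewall that only the engineering host can reach, or a protocol that authenticates its commands.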

One thing that we all agree on is that keeping one's head in the sand is no longer an option for those tasked with securing SCADA and Industrial Control Systems. The spotlight has shifted from IT Enterprise systems to SCADA systems, and new SCADA vulnerabilities are cropping up like weeds in a summer garden. It is going to get worse before it gets better.