Rather than being purely a digital forensic investigation, the team reports that "in many of our cases, we find that traditional investigative techniques are just as important as, if not more so, than data obtained from the latest forensic tools."
In this case they spoke to the chief design engineer on the relevant project, and discovered he was looking for work elsewhere and had been contacted by a recruiter on LinkedIn. The investigators then found an email from this recruiter on the chief design engineer's computer, which had arrived before the beaconing activity began, and which had a job listing document attached with malware embedded in it.
Having identified the key person, the attackers had gained access by offering something he wanted, namely a new job.
2. The Slick Willie
Carried out by organised crime rings, and taking weeks or months to discover, financial pretexting is motivated solely by money, and takes months to contain.
A regional banking organisation was told to contact the team by its cyber insurance carrier. An attacker had tried to trigger a total of $5.3m worth of wire transfers through the FedWire system, but the effect on the bank's reserves led the Fed to notify the bank.
The finance manager who had apparently triggered these transfer requests was unaware of the attempts, but had noticed that her system "does things on its own sometimes." What had happened was that an email purportedly from the CIO praising the manager had arrived; it was fake and contained the Zeus Trojan. This variant stole credentials and data, but also gave the attackers full remote control of the machine.
3. The Boss Hogg
As well as theft, hackers have tried to extract money via extortion. This kind of attack is often executed using ransomware by a variety of actors for financial gain. It plays on the victim's desire to maintain confidentiality and integrity.
In one example, someone in the IT infrastructure team at a manufacturer and retailer was contacted by someone from South East Asia who said they had stolen customer data. They were demanding $50k in return for not releasing it, and sent a sample of the data.
A look at the firm's e-commerce platform revealed that attackers could "force browse" purchase confirmation pages: by changing the URL string of any standard purchase confirmation page, any customer's details could be viewed, with no check that the order belonged to the person requesting it.
The attackers had accessed several hundred gigabytes of transaction information, using a script to walk through the back-end of the e-commerce application. They had obtained data for 1.5m customer orders.
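The force-browse flaw is a missing object-level authorisation check (often called an insecure direct object reference). The following Python is an added illustration written for this article, not code from the retailer or from Verizon; the order table, customer names and handler functions are constructed stand-ins. The vulnerable handler trusts the order number in the URL, the hardened one insists the order belongs to the logged-in customer, and a small enumeration loop plays the part of the attackers' script.

```python
# Added example, not from the original case: modelling the "force browse"
# flaw and its fix. All data here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: str
    card_last4: str
    address: str


# Constructed stand-in for the back-end order table.
ORDERS = {
    1001: Order(1001, "alice", "4242", "1 High St"),
    1002: Order(1002, "bob", "1881", "2 Low Rd"),
}


class Forbidden(Exception):
    pass


def vulnerable_confirmation(session_user: str, order_id: int) -> Order:
    """Behaves like the broken page: any logged-in user can read any order
    simply by changing the order number in the URL. session_user is ignored."""
    return ORDERS[order_id]


def hardened_confirmation(session_user: str, order_id: int) -> Order:
    """Object-level authorisation: the order must belong to the session user.
    Unknown and foreign orders both raise Forbidden, so the response does not
    reveal whether a given order number exists."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_user:
        raise Forbidden(f"order {order_id} is not visible to {session_user}")
    return order


def enumerate_orders(handler, session_user: str, start: int, stop: int):
    """Simulate the attackers' script walking the order-number space with one
    ordinary customer session; returns every order the handler hands back."""
    leaked = []
    for oid in range(start, stop):
        try:
            leaked.append(handler(session_user, oid))
        except (Forbidden, KeyError):
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable:", [o.order_id for o in enumerate_orders(vulnerable_confirmation, "alice", 1000, 1010)])
    print("hardened:  ", [o.order_id for o in enumerate_orders(hardened_confirmation, "alice", 1000, 1010)])
```

Unguessable order references (random tokens rather than a counter) slow enumeration down, but they are not a substitute for the ownership check: the check is what makes the fix.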
Instead of paying the ransom, the firm decided to publicly admit what had happened, apologise, and rebuild its e-commerce architecture from scratch.
4. The Rotten Apple
Insider threats are not very sophisticated, but they are very dangerous, with attackers using the access they already have to gain money or knowledge, or to settle a grudge.
One data breach involved a middle manager at a firm who was suspected of gaining access to the CEO's email. The breakthrough came when the suspect was found to be good friends with one of the IT managers, who had access to the firm's onsite email spam filter and had given the middle manager his credentials.
This meant he could read any employee's email. Indeed, the suspected middle manager's system showed signs of having been used with his IT colleague's credentials.
Both employees were fired, and the spam filter reconfigured to only log flagged messages.
5. The Busted Chain
Attacks involving business partners misuse insider information and privilege for financial gain and espionage.
An investigation centred on payment card fraud at an oil and gas company, with the pattern beginning at a single petrol station and escalating over the course of a month. Evidence-gathering traps that incorporated keystroke logging, file integrity monitoring with alerting, and playback recording of remote support sessions were deployed to find out what was going on.
It was discovered that an IT support contractor was connecting over VPN to Remote Desktop on the payment processing server, setting the system clock forward two years, then changing a configuration file so that the server wrote out a file capturing clear-text copies of authorisation requests, including the magnetic stripe data for the cards. The clock was then reset to the correct date and time.
When an evidence trap was triggered, the police went to the vendor's support centre and found only one employee there, someone who regularly took the late shifts when only one person was on duty, and who had tried to cover their tracks by conducting the attacks from their manager's computer.
6. The Porta Bella
Infections via the humble USB stick still occur, with this particular kind of attack often emanating from China, North Korea and Russia. It is often perpetrated against those in manufacturing, professional services or the public sector.
In one case reported by Verizon, the victim worked in the film industry and had received a USB stick that looked as if it came from a well-known production company. He inserted the USB stick and ran an executable file on it.
The file played a film trailer, and also installed malware, the attacker hoping to steal an unreleased movie. Verizon said that "The malware established persistence via Windows Registry key entries and attempted to reach out to a C2 server." A proxy server monitoring outbound traffic from the corporate network blocked the connection, but it was only logged as a low-level security incident at the time.
A security review revealed that a connection to an encrypted server had been attempted. Attention turned to the USB drive, and the malware was discovered.
7. The Bad Tuna
PIN Entry Devices in a chain of stores were thought to have been tampered with, something the initial investigation confirmed. An additional magnetic stripe reader had been installed under the legitimate one, and a membrane touch pad had been installed under the legitimate keypad, so PINs could be captured from legitimate transactions.
There was also an extra circuit board carrying a memory chip and a Bluetooth device. Its range of 50 yards meant the attacker could sit safely in their car, download the data, then clear the memory so it could collect more.
8. The Dark Shadow
Hacktivists are a growing threat, and their attacks can take months to discover, although they can be remediated fairly quickly. Motivated by ideology, these attackers often go after the information, financial and public sectors.
A critical infrastructure firm raised the alarm, despite not thinking there was any evidence of unauthorised access. Verizon found that "Its internet facing perimeter showed several high-risk vulnerabilities often seen being exploited in the wild." Staff interviews then revealed concerns about suspicious cyber activity.
The firm's internet traffic was correlated against the Verizon Cyber Intelligence Center's data, producing matches. IP addresses associated with three previous hacktivist incidents were flagged, and corroborated against logs from the payment application.
The hackers used the payment application, something designed to make customers' lives easier, to get at customer details and payment information, with 2.5m records stolen. No fraudulent activity was found.
Worryingly, having got in through the payment application, the hackers could also reach the water district's valve and flow control application, which ran on the same system. Settings were modified by the hackers without much knowledge of how the system worked, including two instances where they altered the amount of chemicals entering the supply.
9. The Imperfect Stranger
Rogue connection attacks are used by organised crime, via crimeware and privilege misuse. They are opportunistic and motivated by money.
A firm in the financial industry received complaints from customers who could not access their accounts and instead saw a message that the site had been blocked due to security concerns; the firm was unaware of the cause.
A look through the BYOD network identified that someone's personal laptop had been infected with malware at home and then connected to the firm's BYOD network.
Minimal oversight was applied to the BYOD network, as sensitive data is not expected to be there. However, the guest and BYOD networks went out through the same Network Address Translation (NAT) address as the corporate networks, so to the outside world the infected laptop and the corporate systems shared one IP reputation. "This resulted in the corporate network's reputation being affected by any-and-all devices connected to the guest and BYOD networks," said Verizon.
10. The Soup Sammich
The logic switch is a very sophisticated attack, normally carried out by organised crime and a variety of other groups, including those affiliated to states. They use SQL injection, stolen credentials, backdoors, command and control, and privilege abuse to attack web apps.
Several high value bank accounts saw millions of dollars worth of fraudulent ATM withdrawals, with the transactions happening globally within a two hour window.
All the accounts in this pump and dump attack had the same Issuer Identification Number (IIN), and it was revealed that one of the bank's IT admins was involved. They had stolen credentials from another admin and used them to modify the security controls around high value accounts.
Logs showed that the rogue admin had modified the controls used to protect authentication information, fraudulently transferred money into the accounts and removed withdrawal limits. The processing system was then sent a large number of transaction requests.
A piece of malware was being used to capture large amounts of encrypted transaction details, converting the data to plain text thanks to the degraded encryption. It could also collect other sensitive data, allowing fake cards to be created and used to steal millions of dollars at numerous locations in just two hours.
11. The Snake Bite
Another attack against web apps is SQL injection, normally carried out by hacktivist, organised crime and state-affiliated groups. The attacks are often against key industries for financial, espionage or ideological reasons.
Over two payroll cycles no one in the C-Suite of a US industrial parts manufacturer received their direct deposit paycheck. IT and Security disagreed as to whether a breach had occurred.
There was a web-facing HR portal that employees could log into using their Social Security number and a six-digit PIN, which Verizon describes as "just about the worst authentication schema possible".
Furthermore, the investigators found it had never been updated or subjected to a vulnerability scan, making SQL injection very likely. It turned out that the system had been exploited tens of thousands of times.
The attackers escalated privileges so they could execute system-level commands, download additional tools from the web, and retrieve all the direct deposit and bank information for the executives.
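As an added illustration (not from Verizon's report or the manufacturer's portal), the following Python shows why a login query built by string concatenation over an SSN and PIN is injectable, and how a parameterised query closes the hole. The in-memory SQLite table, the SSNs, PINs and bank account labels are all constructed; the injected PIN turns the `AND pin = ''` clause into `... OR '1'='1'`, which is true for every row.

```python
# Added example, not from the original case: a string-built login query beside
# its parameterised replacement. The employee table is a constructed stand-in.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the HR portal's employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (ssn TEXT, pin TEXT, bank_account TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [
            ("123-45-6789", "482913", "ACME-CEO-ACCT"),
            ("987-65-4321", "110022", "ACME-CFO-ACCT"),
        ],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, ssn: str, pin: str):
    """The portal's pattern: user input is spliced into the SQL text, so a
    quote in the PIN field rewrites the WHERE clause."""
    sql = (
        "SELECT ssn, bank_account FROM employees "
        f"WHERE ssn = '{ssn}' AND pin = '{pin}'"
    )
    return conn.execute(sql).fetchall()


def safe_login(conn: sqlite3.Connection, ssn: str, pin: str):
    """Parameterised query: the driver passes ssn and pin as values, never as
    SQL, so the same payload simply fails to match any row."""
    sql = "SELECT ssn, bank_account FROM employees WHERE ssn = ? AND pin = ?"
    return conn.execute(sql, (ssn, pin)).fetchall()


INJECTED_PIN = "' OR '1'='1"   # constructed payload: closes the quote, adds OR


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_login(db, "x", INJECTED_PIN))   # every row
    print("safe:      ", safe_login(db, "x", INJECTED_PIN))         # nothing
    print("legit:     ", safe_login(db, "123-45-6789", "482913"))
```

Parameterisation removes the injection, but an SSN plus a six-digit PIN is still a weak credential in its own right: a real fix would also add lockout or rate limiting against PIN guessing.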
12. The Roman Holiday
Compromises of a content management system (CMS) are carried out by organised crime, are moderately sophisticated, and can take months to discover. The particular case Verizon described involved pirates.
Pirates would board the ships of a global shipping firm, restrain the crew, and head straight for certain cargo containers. They clearly had prior knowledge of both the cargo and the ships.
The company used its own CMS to manage shipping inventories. By focusing on the CMS's network traffic it was discovered that a malicious web shell had been uploaded to the server through an insecure upload script. Once uploaded, the shell could be called directly and had execute permissions, allowing the pirates to get all the information they needed to find the most valuable cargo.
The attackers were not so clever, though. They failed to enable SSL, so all their commands were sent in plain text, making them easy for the cyber security investigators to extract.
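An added example of the kind of upload validation that would have stopped a shell being dropped through the CMS; this is illustrative code written for this article, not the shipping firm's script. It allowlists the extension, checks the file's magic bytes against that extension, rejects script suffixes embedded in the name (shell.php.jpg), and stores the file under a server-chosen random name with no execute bit. The allowed types and the script-suffix list are assumptions.

```python
# Added example, not from the original case: hardening an upload handler so
# that a web shell cannot be stored where the server will execute it.
import os
import secrets
from pathlib import Path

# Constructed allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
# Constructed list of suffixes a web server might execute if they appear
# anywhere in the name (Apache "AddHandler" style matching, for instance).
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx",
                   ".cgi", ".pl", ".py", ".sh"}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return the accepted extension, or raise UploadRejected."""
    # Drop any directory part, including ../ sequences, before looking at the name.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    ext = "." + parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext} not allowed")
    # shell.php.jpg: an inner script suffix is still dangerous on some servers.
    if any("." + p in SCRIPT_SUFFIXES for p in parts[1:-1]):
        raise UploadRejected("script extension embedded in name")
    # The declared type must match what the bytes actually are.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def is_accepted(filename: str, content: bytes) -> bool:
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def storage_name(ext: str) -> str:
    """Random server-chosen name: the uploader never controls the stored path."""
    return secrets.token_hex(16) + ext


def store_upload(upload_dir: Path, filename: str, content: bytes) -> Path:
    """Write the validated file into upload_dir (which should sit outside the
    web root) under a random name, readable but never executable."""
    ext = validate_upload(filename, content)
    dest = Path(upload_dir) / storage_name(ext)
    with open(dest, "wb") as fh:
        fh.write(content)
    os.chmod(dest, 0o640)
    return dest


if __name__ == "__main__":
    import tempfile
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG header
    print(store_upload(Path(tempfile.mkdtemp()), "photo.jpg", jpeg))
    print(is_accepted("shell.php", b"<?php system($_GET['c']); ?>"))   # False
```

Content sniffing alone is not enough, since a valid image can carry PHP in its metadata; the random name, the location outside the web root and the missing execute bit are what stop the shell being called directly even if it slips past the checks.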
13. The Alley Cat
Backdoors are something of a hot topic at the moment, and are used by state-affiliated and organised crime attackers from places such as Romania, Russia and China.
"A manufacturing firm found numerous instances of connections between the company's R&D department and an external IP address," explained Verizon. 2GB of data had been transferred over the network in 24 hours.
The shared computer system of an engineering team had been breached, meaning the credentials of everyone on the system were compromised. Access had been gained after someone downloaded a Remote Access Trojan (RAT) backdoor, which was then used to escalate credentials and privileges.
Verizon aligned the attack with an APT by a known group from Asia.
14. The Rabbit Hole
DNS tunnelling cuts across all the incident patterns as a way to capture and export stored data.
A firm had seen a variety of unexplained security incidents, and logs ruled out obvious signs of a compromise. But there was some "head-scratchingly-odd" DNS traffic in the logs, with all of the requests from the backup servers being routed to a single remote server.
Data was being exfiltrated through an open User Datagram Protocol (UDP) port, the transport DNS runs on, which "represented a direct path from the backup servers to the public internet."
A network admin's desktop system was found to have multiple pieces of malware on it, which had stolen local files and erased some evidence of the attacks.
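An added example of the kind of check that surfaces this sort of traffic, written for this article and not part of Verizon's tooling: group DNS queries by source host and registered domain, then flag pairs whose subdomains are numerous, long and high-entropy, which is what encoded data chunks look like when they are smuggled out in query names. The log format, the host names, the domain updates-cdn.example and the thresholds are all constructed; the registered-domain split is the simplification "last two labels" rather than a public suffix list.

```python
# Added example, not from the original case: a DNS tunnelling heuristic run
# over constructed query logs. Format assumed: "<timestamp> <host> <qname>".
import math
import random
from collections import Counter, defaultdict

_rng = random.Random(1)


def _tunnel_label() -> str:
    # 32 hex chars with every digit used exactly twice: a maximal-entropy chunk,
    # standing in for base16-encoded file data.
    chars = list("0123456789abcdef" * 2)
    _rng.shuffle(chars)
    return "".join(chars)


SAMPLE_LOG = (
    ["2016-03-01T02:00:00Z wks-12 www.cbronline.com",
     "2016-03-01T02:00:05Z wks-12 mail.example.com",
     "2016-03-01T02:00:09Z wks-12 www.cbronline.com"]
    # Many subdomains but short, low-entropy names: a CDN, not a tunnel.
    + [f"2016-03-01T02:01:{i:02d}Z wks-12 img{i}.cdn.example" for i in range(6)]
    # Backup server sending sequence-numbered, high-entropy labels to one domain.
    + [f"2016-03-01T02:14:{i:02d}Z backup01 {i:04x}.{_tunnel_label()}.updates-cdn.example"
       for i in range(8)]
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain, registered_domain). Assumption: the registered domain
    is the last two labels; a real deployment would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunnels(lines, min_unique=5, min_len=30, min_entropy=3.5):
    """Flag (source host, registered domain) pairs whose distinct subdomains are
    many, long and high-entropy. Returns the flagged pairs with their stats."""
    groups = defaultdict(list)
    for line in lines:
        _ts, src, qname = line.split()
        sub, domain = split_name(qname)
        if sub:
            groups[(src, domain)].append(sub)
    flagged = {}
    for key, subs in groups.items():
        uniq = set(subs)
        stats = {
            "queries": len(subs),
            "unique_subdomains": len(uniq),
            "mean_len": sum(len(s) for s in uniq) / len(uniq),
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in uniq) / len(uniq),
        }
        if (stats["unique_subdomains"] >= min_unique
                and stats["mean_len"] >= min_len
                and stats["mean_entropy"] >= min_entropy):
            flagged[key] = stats
    return flagged


if __name__ == "__main__":
    for (src, domain), st in detect_tunnels(SAMPLE_LOG).items():
        print(f"{src} -> {domain}: {st}")
```

All three conditions are needed: the CDN host trips the unique-subdomain count but not the length or entropy, and a single long random label would fail the count. In the case above the giveaway was also that backup servers, which have no business resolving external names at all, were the source.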
15. The Catch 22
Data-encrypting ransomware is an increasing concern too.
A smaller company began having trouble accessing its financial database, with some users getting a ransom message. When the ransom was paid in Bitcoin, the firm found that the payment link had been taken down and it had no instructions for obtaining the keys to decrypt the data.
There was ransomware on three systems, including one that hosted a key database application. Several thousand files encrypted by the malware were identified, as were a number of IP addresses associated with cyber attacks. Links to Adobe Flash files were also found.
16. The Flea Flicker
Sophisticated malware is used by state-affiliated and organised crime groups for espionage.
A multinational financial institution believed that both its intellectual property and its customer information had been stolen. Verizon found traffic associated with command and control servers previously known to be involved in intellectual property theft. Ultimately, a single suspect IP address was identified, although it could not be tied to an individual system.
Initial access had come via social engineering, with a link sent. "Upon clicking this link, installation of some basic system exploitation tools occurred, followed by lateral movement within the environment and installation of additional malware."
17. The Leaky Boot
Targeting accommodation and retail, a RAM scraper is malware that takes targeted data from physical memory. Attacks originate from places such as Romania, Germany, China and Russia.
RAM scrapers are hard to discover, but memory dumps and disk images helped the Verizon team "quickly locate a myriad of suspect processes."
A number of backdoors and a password-dumping tool were identified, which had allowed the attackers to create admin accounts and move around the network. They then accessed the processing servers that handled the victim's credit card transactions.
Those servers had been infected with a more specialised piece of malware: a RAM scraper with exfiltration capabilities. It "had been installed to hook into the specific process that took the credit card information as it was swiped."
18. The Poached Egg
Credential theft can be highly sophisticated, targeting a variety of sectors such as financial services, the public sector, retail, professional services, and information. It can be executed for financial gain, espionage and ideology.
The police contacted a firm to notify it of a breach, which led to the Verizon Risk Team being engaged. They found that the compromise had gone beyond what law enforcement had suspected, with numerous systems communicating with an external malicious IP address.
A malicious web shell had been placed on a web server, the hackers having used SQL injection against an internet-facing web server to gain access to the system.
The web shell was used as a backdoor to upload malware capable of dumping passwords, stealing credentials via keylogging and exfiltrating data. The idea was to harvest credentials and go deeper into the network, and this is what happened, with admin accounts compromised. A spreadsheet of 100 credentials was also found, taken from a password repository that had not required two-factor authentication.
This article is from the CBROnline archive: some formatting and images may not be present.