Table of Contents
Chapter I; Understanding The Cyber Kill Chain
Chapter 2; Pre-cyber Threats
Chapter 3; The Emergence of The Cyber Threats
Chapter 4; Botnets And The Cybercrime Industry
Chapter 5; Cloaking And Alternate Data Streams
Chapter 6; Controlling The Target Through a Rootkit
Chapter 7; Phishing And Watering Holes
Chapter 8; Understanding Advanced Persistent Threats
Chapter 9; Ransomware: A Modern Form of Extortion
Chapter 10; Hardware Implants And Other Cyber FUD
Chapter 1; Understanding the Cyber Kill Chain
In the 1990s, cyber attack was generally associated with pranks by bored teenagers just hacking around for fun. However, the potential for committing crime via the Internet did not go unnoticed, nor did the possibility of exploiting connectivity for intelligence gathering. Nowadays, cyber attacks come mostly from organized criminals and state-sponsored agents using well-defined end-to-end business processes. In 2009, a team from the *Lockheed Martin Cyber Emergency Response Team produced a seminal paper on cyber attack called "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. The research paper introduced the concept of what is now commonly known as the Cyber Kill Chain.
The Cyber Kill Chain views an attack in seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Action. An attack doesn't always progress from one step to the next. They'll often overlap, but each stage represents a milestone in prosecuting the attack. Reconnaissance is the term given to finding a target and understanding its characteristics, the cyber equivalent of casing the joint. Individuals typically have one address on the Internet, which has been allocated by their Internet Service Provider, whereas a business may have a number of addresses in what's known as their Internet Domain.
A cyber attack against a business target will start with a known website address, and then scan the Internet space around that address for other systems used by the target. The business will see this as a response check on every host in its domain. This is known as an IP address scan. When the attacker has a list of active hosts, he or she will scan each host in turn to find out what entry points are exposed. This is known as a Port scan. This is done to identify potential vectors for attack and check the versions of software used in those vectors. Attacks nowadays are not done manually.
An attacker will usually purchase time on a network of compromised computers in order to run automated scans. These networks are known as Botnets, and may consist of hundreds of thousands, if not millions of compromised computers. This allows cyber attacks to be run at scale. Weaponization means taking a known vulnerability and customizing it to a specific target or group of targets, and integrating it to enable it to be run from an automated cyber attack platform. The weaponized malware may be designed to exploit a vulnerability in a specific version of an operating system, or target a specific online banking website. In the age of hacking as a business, cyber criminals will often purchase the weaponized malware from dedicated developers, rather than develop their own. The most common way of delivering malware is to attach an infected document, a PDF image, or other electronic item in a way that when the document is opened, the malware will self-install. This file can then be sent to the victim via email, a process known as phishing. Another way might be to find a vulnerable website, infect it with malware, and send an email invitation to the target to visit the website. If the victim visits the website, then the malware is downloaded and infects their workstation.
A third way might be to use default user IDs and passwords built into software on the target system, or to use a stolen user ID and password to enter the target system and directly implant the malware. It's also possible to find flaws in the software that's exposed to the Internet and to manually deliver the malware. In practice, an attack will often require establishing a beachhead on an Internet-exposed host, and then using that to penetrate deeper into the system to get to the real target, which may not be directly connected to the Internet. Finally, an infected flash drive can be used to deliver the malware, and this can be very effective if the target system is not connected to the Internet. This requires that a user of the target system can be persuaded or tricked into using the flash drive. For email attachment and flash drive attacks, the infected item will exploit a vulnerability in the target software post-delivery, when the document is opened. A compromised website may similarly download HTML code, which takes advantage of a browser vulnerability. In the case of remote access, the exploitation phase may use a packet stream to exploit a vulnerability in the protocol of an Internet-exposed service, or may simply use cracked or stolen credentials. After the exploitation phase, the malware or intruder may simply take action, skipping directly to the last phase of the Cyber Kill Chain. However, the more usual case is that a payload is installed either into the memory, or onto the hard disk of the target system. Additionally, some form of mechanism may be introduced to make sure the payload is restarted every time the system is rebooted. One way of doing this in Windows is to add a registry entry to automatically run the payload when the system starts up. The payload will often be, or include, a means of maintaining ongoing access into a command shell. A system compromise is often automated. Once a payload has been installed, the first action it takes will be to connect back to a Command and Control server to register as a compromised host. The attacker will then want to direct the implant to take action, such as listing the sub (indistinct) files, extracting specific named files, modifying or replacing software, and so on. An important feature of the payload is that it can determine the address of the Command and Control server, which may change over time. Exactly what form of action is carried out by the payload when it arrives at its target depends upon the motives of the attacker. A hactivist may want to deface a website. A state-sponsored agent may want to steal sensitive information, and a cyber criminal may want to access a bank account in order to steal money. The common theme, however, is that whatever the action is, it's unlikely to be in the best interests of the target. Stop for a moment and think about this week's current events. Have you heard about a recent attack? How might you relate what you've heard to the Cyber Kill Chain? You probably heard about the action that happened, but not about the delivery phase. How might that have occurred?
Chapter 2; Pre-cyber Threats
In the early days of computing, the security threats faced by businesses reflected traditional pre-IT fraud. One traditional method of fraud is to have non-existence employees on the payroll with pay being drawn and put into someone else's account.
In January, 2012, a woman in Hawaii was indicted for allegedly attempting to embezzle money from the security guarding firm for which she worked by registering and taking the pay for two fictional employees. The scam would net her more than $200,000.
A second method is known as salami fraud, so named because it resembles shaving a thin slice of meat. In this case, what's shaved is the fractions taken off in a rounding calculation, or changing transactions by taking a few cents from them. If the business deals in millions of transactions, then this can become a significant fraud. A third form of fraud is payment for non-existent goods. This can happen when one person has the ability to raise a purchase order, receipt goods, and issue checks. A similar problem occurs for individuals when an online seller receives money in advance for non-existent goods, or has the auctions rigged by entering false bids to inflate prices. As the use of computer systems grew, so did the threats. More sophisticated forms of fraud emerged, taking advantage, in many cases, of the weakening controls in the IT environment.
The early days of computing brought with them youngsters enthralled by the challenge of using a computer and a modem to break into other computers. And so began the age of the teen hacker. This was mostly individual challenge and peer recognition, although there were some early instances of what we now know as cyber espionage and cyber crime. The classic hacker of the 1990s was Kevin Mitnick, otherwise known as Condor. After a decade of hacking for no other reason than to demonstrate how good he was, Mitnick was finally caught and sentenced to three years jail time. The full story, book and film, is described on the "Takedown" website. As the use of the web grew and information websites and business web portals became more common, we saw bored teenagers defacing websites and leaving I-got-you messages. Website defacements were also targeted as part of politically-motivated attacks and used to communicate a political message in what's known as hacktivism.
As dependence upon IT systems grew, another security threat to emerge was the denial-of-service attack, in which a remote attacker can compromise IT systems through exploiting vulnerabilities or through overwhelming their ability to handle the size of information flows. As the internet grew, adversaries were able to take control of large numbers of computers, known as a botnet, and focus them on a single target, substantially amplifying the impact of the denial of service. This is known as a distributed denial of service, or DDoS. A global example of a denial of service occurred in February, 2014 when an unknown attacker launched a rolling wave of distributed denial-of-service attacks on a variety of targets, country by country, around the world. The scale of the attack was enormous. The attack used a special feature of the network time protocol to amplify the data. By the time the packet had reached the target, it had been amplified 50 times, making this the equivalent of about 250,000 individual denial-of-service attacks. One of the businesses targeted in this campaign was attacked by 4,278 individual IP addresses from over 80 countries, delivering a continuous stream of over 1 million packets per minute for about an hour. The graphic shows the timeline of data arriving from the internet to this company.
Chapter 3; The Emergence of The Cyber Threats
By the late 1990s, electronic commerce had become a significant part of the economy and organized crime was starting to look at the potential for low risk, high gain crimes through the internet. Cybercrime started to grow rapidly, with one of the major targets being access to databases of credit card information. The loss of credit cards known as a data breach became a significant risk for businesses as the payment card industry introduced penalties for non-compliance with their cybersecurity standards. By 2010, cybercrime had become as big an industry as illicit drugs.
There have been many data breaches over the last few years. This visualization of data breaches shows the massive breaches in the Shanghai Police, Syniverse and Facebook. With a breach of half a billion records, Facebook takes top place in the last year or so. Credit cards are not the only sensitive information that can be breached. In June 2015, the US government admitted that intruders had stolen personnel files, including security clearance data of over 4 million current and former government employees. Governments have, for some time, been the victims of hacking attacks but with little evidence to be able to positively attribute the source. In June 2007, US officials disclosed that hackers broke into the Pentagon through a directed attack on elements of the email system and called it the most successful cyber attack at that time on the US Defense Department. US attributed the attack to China, one of a number of Chinese attacks on Western governments known by the code name Titan Rain. China denied any involvement in the attacks. In 2010, the first attributed cyber sabotage case was made public. The US confirmed that it had worked with Israel to develop and deploy the Stuxnet malware to attack the Iranian nuclear enrichment program. It was successful, disrupting the nuclear production capability of Iran. We've seen a new form of attack of recent times, cyber influence operations, with the Clinton email attack which focused on election meddling. (upbeat music) Take a moment to check out the world's largest data breaches. Take a look at some of the smaller attacks and see if you can find how many records were lost by the craft beer company BrewDog.
Chapter 4; Botnets And The Cybercrime Industry
By its very nature, cybercrime lends itself to automation. The malware writers in the cybercrime business ecosystem, are now some of the most proficient software writers in the world. But to make money from cybercrime requires automation to carry out attacks at scale. In the early days of computers, viruses propagated through floppy disks. As the internet grew, infections started to appear in file downloads, and as floppy drives phased out, USB drives took their place as a vector for infection. Compromised websites began to host malware, and take advantage of browser weaknesses to infect visitors. As the impact of viruses moved from nuisance value to financial gain, so did automation of the crime. By automating and taking advantage of the growing popularity of email, and the sheer size of the internet, organized crime was able to achieve cybercrime at a scale which is now eclipsed illicit drug dealing. Cybercrime scales by what's known as a botnet. A botnet consists of a criminal, known as the Botmaster, who runs a number of command and control systems. The botmaster will usually encrypt his or her command and control access, and often disguise it to look like normal web traffic when accessing these systems.
Legitimate websites are compromised and used for command and control, operating only for a certain period of time before being discarded, and a new one taking over. The botmaster runs the command and control servers, and each command and control system, in turn, controls a large number of computers known as zombies that have been infected with a back door. A large botnet may have over millions zombies under its control. A typical task for the zombie would be to extract files from a target, to use the targets as a source of email spam, or to send specially crafted packets out as part of a distributed denial of service attack.
Given that the command and control servers change, both the botmaster and the zombies have to be able to find the current server, and they do this by using a domain generation algorithm. This allows the malware to predict what URLs and/or IP addresses may be active at any particular time in the future. The domain name may stay the same, and the IP address change, or the domain and IP address may change together. The most notorious botnet, and the grandfather of many subsequent variants is Zeus. Zeus itself is a botnet construction kit which enables an attacker to create a customized Zeus-style botnet through a simple-to-use desktop application. The construction kit delivers a selectable remote access trojan or RAT, and a command and control module. The Zeus source code was leaked in 2010, and as a result it's been used by many cyber criminals to carry out attacks. It's also been used as the foundation to add functionality and create new botnets, such as Citadel, ICE 9 and Gameover Zeus. Zeus's main purpose is to steal online credentials. It includes automated features such as copying the protected storage area which contains internet passwords, intercepting account credentials typed into a browser, or even modifying banking webpages sent from a server to add requests for passwords. Zeus can be used to target both computers and smartphones. Smartphone infections allows Zeus to steal banking access codes that are sent via text message. Cybercrime is a complex, highly-organized business, involving organized criminals, a variety of service enablers, malware producers, and of course victims. The criminal organizations decide on the crime campaigns, and are supported by the service enablers who run the systems needed to execute the campaign. Banking fraud campaign, for example, will follow the cyber kill chain. It will select targets, through surveillance, which are vulnerable to a specific technical attack. The malware developers will create malware specifically targeted to this attack, customizing it perhaps to a specific bank website. A team of testers will quality assure the software through testing. The malicious payload is delivered, and installed through the botnet. The criminals will often not have their own botnet, but will rent one from another criminal group. For those attacks that are successful, the stolen funds are then transferred to the disposable bank account set up for the campaign. The aim then is to withdraw the funds as cash, to break the electronic money trail. To do this, the campaign use what known as Money Mules. The often poor unfortunates, who were recruited to go and collect the money by withdrawing it out of the fraudster accounts, with the very real risk of being caught. While money mules have traditionally been small time criminals or people with financial difficulties, an interesting development is the emergence of the professional mules for hire, who for about 40% of the money collected, offer a fast and responsive service. These services exist in most US cities. Once such service has been reported as moving between 30,000 and a hundred thousand dollars per day.
Chapter 5; Cloaking And Alternate Data Streams
Attackers who penetrate systems with malware go out of their way to hide it once it's on the target system. If the infection can evade detection, it's more likely to accomplish its intended goals. Let's have a look at some of the ways in which malware can hide. The first method is to use the techniques used by the Windows operating system to hide its own activities. An example of this is the hidden history folder. I'm in a command shell and I'll go into a folder in my user applications directory by typing cd appdata \local \microsoft\windows.
When I list the contents of the directory, there's a number of files and folders, but there's no history sub-directory. I can list hidden files with dir /ah, but there's still no history sub-directory. However, things are not always as they seem. The history sub-directory does exist, but we just can't see it. Let's try to change directories and go into it. cd history. Well that worked. So now let's see what's here. And we see the file desktop.ini. This is the method Microsoft uses to hide the sub-directory. When I take a look at what's in it, by typing desktop.ini I see it has two cloaking entries. The first is a CLSID line, which stops the sub-directory from being included in file-based finds. And the second, the UICLSID line, which stops the sub-directory from being seen using Windows Explorer. Another little known way of hiding on disk is to use what's known as alternate data streams. In the early MS-DOS and FAT file systems, files were simply strings of data which could be read byte by byte by applications. In NTFS, a file is a complex structure. NTF files contain as a minimum a section called $DATA, which is where the data read by an application resides. This is the data stream. However, a file may have many other sections, each with its own name, and each of which can hold information. These are called alternate data streams. Importantly, windows only recognizes the $DATA section so data in any alternate data streams isn't generally recognized.
Okay, back at the terminal, let's go into the temporary folder and create a new file called datafile.txt by typing, type con, the console, to datafile.txt. Here's a text file which has nothing much to hide. It's simply a string of words that is saved to disk. Okay, that's created the file, let's check it. Type datafile.txt, and we can see the contents as we entered them. We can also check its size. Dir datafile.txt is 105 bytes long. I'll create another file called adsfile.txt. Type con: to adsfile.txt. This is my secret message which I want to store where no one can find it. Now I'll insert that into a hidden data stream in datafile.txt by typing, type adsfile.txt to datafile.txt, colon, hidden.txt. Let's see what datafile.txt looks like now. type datafile.txt and dir. So there's no apparent change. However, if I now type more from datafile.txt colon hidden.txt we see the hidden text. Alternate data streams can also be used to hide executable files. As an example, I'll insert the Windows calculator into this text file. type \windows \system32 \calc.exe to datafile.txt and we'll call it mycalc.exe type datafile.txt And dir, and again, we see no change. We can use a special form of the Windows instrumentation tool, wmic, to run this hidden executable. wmic process call create '"C:\temp \datafile.txt: mycalc.exe"
Then we have the calculator executed. While alternate data streams can't be seen in Explorer or by using the dir command normally, it is possible to use the /r command line option on the dir command to see them. dir datafile.txt /r Now we can see that this file does have two additional streams. hidden.txt and mycalc.exe.
Chapter 6; Hiding Using Processes
Let's now look at how we build a program which uses a more sophisticated means of hiding by looking at a simple malware function written as a Windows process to intercept all keystrokes. In Microsoft, when a key on the keyboard is pressed, an event is signaled to the operating system. Windows uses its keyboard driver to read the character that's been pressed and sends it as a message to the application that's waiting for it. However, Windows also allows other processors to look at the message as it passes through the system. That's how hotkeys work. Windows does this by something known as a keyboard hook callback routine. It hooks the key that's been pressed and then calls back after processing it to pass it onto its original destination. This technique can be used to write what's known as a simple keystroke logger. This only takes a few lines of code but it's quite powerful.
I've prepared a keyboard hook program called wmisvc64.cpp, which we can see here. This is a very simple program. The first five lines provide the standard setup code for a C++ program. These are followed at line seven by code which is executed when the program first starts to open an output file called intercept.txt that we'll use later to store intercepted characters.
The next six lines specify a callback procedure. This is the code that's executed when a key is pressed. Events in Windows are quite granular. For instance, a key press involves two events, a key down and a key up. We only need to check one of these, so the callback routine at line 11 just checks for the WM Key Up event. When it sees this, it writes out to the output file the data associated with this event which is the internal Windows code for the character pressed on the keyboard. The final action in this routine is to pass on the event by calling the next hook in the chain, using the aptly named CallNextHookEx function, which will allow the message to resume its path to the target application. The remainder of the program is the main controlling logic for the Windows process that supports the callback routine. We don't need to go into this in detail, but do note at line 20 that we're registering a HotKey with MOD.ALT and zero times three nine which is program speak for ALT nine. When this is pressed, the program will terminate. Okay, let's see this program in action. We can compile this at the command line by entering cl wmisvc64.cpp. Okay, that's compiled and we can now run it by typing wmisvc64 and we'll now close the command window. Let's do a bit of simple forensics and look at what's running on our computer. We'll type control Alt del, open the task manager and look at the processes. There's nothing in the application list to show the interceptors running. If we scroll down to the background processes, at the very bottom, we can see wmisvc64.exe. There's little about it to distinguish it from the normal Windows system processes which are running. It's in plain sight, but it's fairly well hidden, nevertheless. Let's type some data into a notepad document. This is my secret note on writing callback routines to capture keystrokes. Okay, I'll close this. We won't save it, and I'll press ALT nine to terminate the intercept. Let's use Explorer to check the log file the Intercept program has been using. And here we see what the program has intercepted. The intercept contains our exit and also the note that we wrote. And it also contains other keyboard activities, such as ALT and shift keys, which displays various special characters. Of course, what an attacker would like to see in the Intercept they capture is our system access and banking account login. Lesson here is that if an adversary can get access to implant malware on a computer, even a simple program of a few lines and running as a normal user, it can be difficult to detect and has the ability to read everything that's typed including access codes and passwords.
Chapter 6; Controlling The Target Through a Rootkit
Malware using the basic hiding and cloaking techniques can be detected by a knowledgeable investigator. Consequently, the more sophisticated attackers have developed techniques which install malware, not just as an application or process, but deep into the heart of the operating system.
This kind of malware is known as a rootkit. In order to deploy a rootkit, an attacker must first penetrate the target system and then use what's known as a dropper to install the rootkit, which it either carries as a payload or subsequently downloads. The job of the dropper is to check whether the rootkit already exists on the system, whether the system is operating inside a virtual machine, and special checks such as the country in which it's operating. Once satisfied that this is a legitimate and available target, it inserts the rootkit into the system and makes sure it can restart after a system boot and starts it running.
A rootkit doesn't exploit your vulnerabilities. It's designed to hide, operate, and carry out its mission using normal system functions. Similarly, a rootkit isn't a virus. It's an implant which exists in a target, but it doesn't by itself propagate. It can however, be combined with virus-like code to enable propagation laterally once installed in a system. A rootkit is designed to bypass intrusion detection systems. For example, it may contain code to look for and disable certain forms of antivirus or host intrusion detection software. It will also want to avoid detection by a forensics analyst and the best place to hide is in the operating system kernel. This is the inner core of the operating system. An intrusion detection systems can't easily see inside the kernel. Getting into the kernel requires rootkits to be coded as a special form of program called a loadable kernel module or driver. Microsoft provides the Windows driver development kit, or DDK, for developing loadable kernel modules. A driver uses quite complex coding techniques so I'll not delve into the process of developing and deploying a driver. Suffice to say, drivers operate in the deepest part of the kernel, what's known as ring zero, and this gives them access to all the kernel data structures. In addition to being in the kernel, rootkits run with elevated privileges. There's very little that a rootkit can't do and it can be very hard to find. Being a privileged process in the kernel allows a rootkit to employ direct kernel object modification, or DKOM. The kernel uses data structures to keep track of its environment. An example is the process data structure, held in the EPROCESS module. This is a doubly linked list, meaning each entry has two pointers. The forward pointer chain starts at the head of the list and each entry points to the next entry in the list. The backward points chain starts at the end of the list and each entry points to the previous one.
Using these pointers, the kernel can keep track of and manage all active processes. When a user opens task manager, what actually happens is that the task manager application loads and then calls the kernel asking for a list of applications and processes. The kernel checks its data structures, creates the lists and then sends them back to the task manager for display. When the rootkit is loaded, one of the first things it does is to examine the EPROCESS list. It follows the forward chain to find its own process and the previous and next ones. Once it has them, it can then change the pointers so that the previous process points to the one following the rootkit and the one following has its backward pointer changed to point to the one before the rootkit. The first known rootkit to perform DKOM appeared around 2006 and did just this. Changing the list pointers in the EPROCESS data structure to point around its own entry. It then hides rootkit activity from the task manager and event scheduler. DKOM can be used on other data structures such as the driver list and the list of open ports. Rootkits will also intercept and remove their entries from directory and file lists. A common way to provide remote command and control is to create an encrypted channel through the use of secure shell connections. This gives an attacker remote control over compromised systems, and at the same time encrypts any malware that may be downloaded to prevent it from being detected by network-based intrusion detection systems and monitoring tools. Using SSH has the advantage of requiring a username and password to be entered, thereby ensuring only the adversary can use the back door to access the rootkit. Trojan Downloader 3, or TDL3, is the third generation of rootkit developed by the Dogma Millions cybercrime group and is an example of a real world rootkit. The rootkit adds itself as a printer driver which gives it kernel mode driver privileges. It installs an encrypted file system for its own use that begins at the end of the hard disk and grows backwards to the beginning of the disk. Windows just thinks this is free space with nothing in it which means it's not detected by traditional scanning techniques. TDL3 operates on a per install cost model by recording when it gets installed on a target and who purchased this source version. The TDL3 rootkit is used to download, install, and hide malicious payload modules that can then do keystroke monitoring, carry out distributed denial of service attacks, and many more actions.
Chapter 7; Phishing And Watering Holes
As the security of the operating application surface improved, direct penetration of a target became more difficult. Consequently, cyber criminals looked for other ways to get malware into their target. On a workstation, the weakest link, of course, is the person using the computer, and so we become the target. The first approach taken by attackers to exploit the user is what's called phishing. This involves sending an email with a malicious attachment or a link to a malicious site to a lot of users, hoping that at least one will take the bait and open the attachment or click on the link. At this point, the malware downloads into the target system and begins executing. A phishing email will do as much as possible to entice its recipient to open its malicious attachment or to click on the link. In the early days, this might have been a rather crude appeal to greed by suggesting the recipient had won a lottery they hadn't entered. But nowadays, the better phishing attacks are much more sophisticated. The email may pretend to have an up-to-date analysis of a current news topic. It may look like an official bank email asking you, ironically, to check your security or account settings. It may look like a postal email advising you a parcel is ready for pickup. Attachments are always suspicious, and hovering over a supposed government hyperlink to find it links to GF65mmjy.com is a sure giveaway. Sometimes phishing attacks aren't carried out by sending email to a large recipient list but are designed to trap a specific person. These are referred to as spear phishing emails.
In this case, the attacker will have spent a fair bit of time researching the target and will craft an email which may purport to come from a colleague inside the business and use common business terminology. These are not necessarily harder to detect as phishing emails, but they are designed to have the recipient let down their guard. Consider your own email over the last week or month. Have you received a phishing email? What did you do? Did you open it or just delete it? Was it fairly crude or did it look quite convincing? Many phishing emails these days can be quite sophisticated and difficult to detect as traps. Some special forms of phishing campaigns have been seen.
Some phishing campaigns target mobile users while others target users of voice over IP services, an attack also known as phishing. Phishing attacks, like any cyber attack, can be costly. Between 2013 and 2015, cyber attackers scammed over a hundred million dollars out of Facebook and Google by asking for it through phishing emails. Waterholes are another type of attack focused on the user. In this attack, a website which focuses on a specific set of users, doctors, for instance, is compromised. The site is typically one commonly used by the group and when they subsequently visit it, their malware is downloaded. The attacker hopes that the user will do this on their business computer, hence enabling access to their organization. In 2020, Kaspersky discovered a waterhole attack targeting religious charities. The campaign was named Holy Water and worked by tricking visitors into downloading an Adobe update which contained the malware. The attackers have yet to be identified. A good example of how an event can trigger phishing attacks is the 2022 FIFA World Cup where phishing attacks targeting the Middle East doubled in the lead up to the event. Many of the emails look like they were from the FIFA help desk, as we can see here. The goal of these phishing attacks included financial fraud, gaining credentials, stealing information, and surveillance. Many of the emails focused on betting on the World Cup enabling, the attackers to gain credentials which they could reuse.
Chapter 8; Understanding Advanced Persistent Threats
Over recent years, there's been an increasing recognition of the threat posed by nation states using highly sophisticated malware known as advanced persistent threats, or APTs. This is malware directed at political and military targets using a multiple vectors to attack. APTs have a high degree of stealthiness and can persist over a long period of time. There are five key characteristics which make APTs quite different to rootkits. The first is that they tend to be highly customized to a specific target or set of targets rather than being a common code module. An associated characteristic is that they're focused on targeting the specific system or set of systems for which they've been designed, rather than being opportunistic. They usually have multiple advanced and often zero-day exploits through which to exploit the target. Their deployment is likely to be controlled or have some level of intervention by humans rather than being fully automated. And once in place, operate in a low and slow manner in order to remain stealthy and unnoticed. An APT may have one or more objectives depending upon the source of the attack, and these may change over time. An APT may be sent by an adversary to carry out espionage against nation-state targets with the intention of stealing sensitive information. It may be sent to cause sabotage by disrupting the operation of the critical infrastructure systems such as telecommunications, power, and water. An APT must infiltrate its target, find a place to hide, and then continue to operate if it's to succeed as a persistent threat. This requires it to have five key functions. The first is command and control, the ability for the remote attacker to direct tasking and configuration of the implanted malware, to download new payloads, and to provide malware updates. This requires the APT to connect back to its command and control server to look for tasking or to open an access path for the adversary to gain direct control. The more sophisticated APTs don't operate as discreet applications, but attach themselves to an existing application or process that's running in memory. This is known as malware injection. An APT wants to remain invisible for as long as possible and operate as a low-and-slow attack, stealthily extracting what it needs with as little impact on the host computer and without generating regular or predictable network traffic. Consequently, a substantial amount of effort is invested in the cloaking subsystem to ensure that malicious actions can't be observed by legitimate operators of the systems. APT software is typically designed to collect information and it needs to send it back to its control server. This is known as exfiltration, and a good exfiltration system will not only encrypt the information being sent so that it isn't seen by any monitoring systems, but it may also hide it in the kind of packets that are normally ignored, such as HTTP or DNS requests.
The final function is known as reignition. In order to remain operational for a period of time, an APT needs to restart when the system is rebooted or if the system administrator attempts to remove it. The basic approach to reignition on a Windows system is to write a new entry into the registry to instruct Windows to run the malware loader. This may not be the only reignition mechanism, however, as often, an APT will use multiple means of reigniting. So what does an APT really look like when it's militarized and deployed by a state? While a malware module called Agent.BTZ was the earliest recorded APT, infecting the Pentagon in 2008, the most notorious military-grade APT to date has been Stuxnet, detected in 2010. Stuxnet was designed specifically to target centrifuges in the Iranian nuclear program, targeting the Siemens industrial plant equipment used in nuclear fuel enrichment, the kind of equipment used in the uranium enrichment facility at Natanz, Iran.
The US admitted in 2012 that it was responsible, together with Israel, for developing Stuxnet. The key feature of Stuxnet is that it was designed to be delivered via email or on a USB stick, or through prior implantation on electronic equipment being used in the facility. With its design, Stuxnet can get to its target systems even if they're not connected to the internet. Stuxnet, when it was first released, used four previously unknown vulnerabilities on Windows computers to propagate and deliver the payload to the SCADA system. Once on the system, Stuxnet took advantage of a vulnerability in the Siemens WinCC, PCS 7 SCADA control software, which allowed it to take control of the software and then repeatedly speed up and slow down the centrifuges, causing the aluminum tubes to expand and contract, eventually destroying between 900 and 1000 centrifuges. A good source of information on APTs is Kaspersky Labs. Here we see the Kaspersky APT site. If we scroll down the screen, we can see the various APTs. Let's have a look at Stuxnet. By clicking on it and going to the threat, we can see the other APTs which it relate to. Shortly after Stuxnet was made public, a similar APT called Duqu was identified, followed by Flame, and a year or so later, Equation. Defending against APTs is difficult and it's likely that an APT attack will succeed. APTs are usually found when network monitoring detects the installed malware attempting to connect to its command and control systems. Focusing controls which address each stage of the cyber kill chain provides the opportunity for early detection, and using tools such as Microsoft's arbitrary code guard can help stop them. Nevertheless, APTs will often penetrate their targets and the average time it takes to detect them, once in, is measured in months. Advanced persistent threats are very sophisticated forms of malware. They're difficult to detect and there's every indication that they're here to stay.
Chapter 9; Ransomware: A Modern Form of Extortion
Let's have a look at a particular form of malware known as ransomware. For targets with current backups, being hit with ransomware is just a nuisance but for those without it, it can be a very expensive lesson in practical cybersecurity.
Instead of stealing information, ransomware encrypts files or storage systems on its target to lock out their legitimate owner and then demands payment for the decryption key. Asymmetric encryption is typically used for this. I won't delve into the mysteries of asymmetric encryption in this course, but if you'd like to learn more about it, then you can go to the LinkedIn learning page and search for asymmetric encryption. There's plenty of courses to choose from to learn more. Let's look at a contemporary example of ransomware. CryptoLocker emerged in 2013 and was the most prevalent variant of ransomware until mid 2014 when new variants such as TorrentLocker and CryptoWall took over. CryptoLocker was extraordinarily successful with an estimated 234,000 victims. It used phishing campaigns to opportunistically target its victims. These campaigns included the FedEx and UPS you have a parcel emails, which includes a hyperlink to a malicious website where the malware exists. Similar ransomware campaigns using bank emails, FBI notices and speeding fines have also been identified. The newer version, particularly prevalent in the Netherlands, used a malicious attachment, a Word document with an embedded macro which downloaded the malware directly onto the target computer when the document was opened. The person behind the CryptoLocker campaign is a Russian called Evgeny Mikhailovich Bogachev. Bogachev used the game over Zeus botnet, a network of commander control servers to distribute CryptoLocker. The network was taken down by the FBI in June, 2014 but Bogachev is still at large with a $3 million bounty on his head. CryptoLocker executes through a five-stage process. Firstly, the victim computer is infected and the malware is installed. Then the malware attempts to connect to its command control server. It contains an algorithm which randomly creates domain names such as the one shown and tries each of these until it finds one which is active. It then generates an encryption key and uses the advanced encryption algorithm, AES, to encrypt files on the target computer. At that point, the malware issues a demand for money in order to recover the decryption key.
CryptoLocker is particularly difficult to recover from as it uses RSA, a strong asymmetric encryption system to encrypt and send the AES decryption key back to the command and control server ensuring it can't be seen. After being encrypted, the decryption key can't be recovered directly from the victim's computer. More details on CryptoLocker are available from the U.S. cert site shown here. When CryptoLocker hits an enterprise, it can have a pretty serious consequence as it not only encrypts files on the employee's computer, but also encrypts files in any shares that the computer has access to. For a business which manages its information in a Windows file system, this can be devastating with often tens of thousands of business files rendered inaccessible. The criminals running ransomware campaigns usually require payment through financial systems such as Bitcoin or pay safe cards in order to make themselves difficult to trace. When ransomware emerged, payment demands were in the order of a few hundred dollars. It was often easier for the victim to pay the money than cope with the loss of their files and potentially their ability to run their businesses while they engage in a lengthy and likely futile law enforcement pursuit. However, ransomware targeting in demands have changed. The Ryuk ransomware targets local government and small to medium businesses, and its ransom demands vary with one victim being asked for 65 Bitcoins, about $600,000 at the time, and they still get paid. In 2019, two municipalities in the state of Florida together paid over $1.1 million ransom to recover their data.
In the 18 months from June, 2021 to November, 2022, the Hive Ransomware Group has netted over a hundred million dollars with its ransomware campaign which focuses on the healthcare sector and it's also extended this campaign to other areas of the critical infrastructure. The attacks use a variety of tactics including exploiting Microsoft Exchange servers and typically gains access through phishing emails.
Chapter 10; Hardware Implants And Other Cyber FUD
In October, 2018, Bloomberg created a sensation by announcing that the Chinese had implanted tiny chips in the servers of an American company, Super Micro Computer. The article reported that the servers were supplied to the Departments of Defense and other sensitive government agencies, as well as Amazon and Apple. In a letter sent to its customers, Super Micro reported that their investigations found no evidence of Bloomberg's claim. Apple and Amazon also very quickly denied the findings and called on Bloomberg to retract the story. Eventually, one of Bloomberg's named sources said that his comments were taken out of context and he actually told Bloomberg that what it had reported didn't make sense. While he had discussed the theoretical feasibility with Bloomberg, he'd never suggested that they'd been used in the Super Micro board. His overall take on the piece is that the technical details were taken from an earlier black hat presentation he'd made and were jumbled. Another hardware FUD was unleashed when the reports started to emerge about two new computer chip exploits called Meltdown and Spectre.
The initial reports indicated the vulnerabilities in these chips would leak passwords and sensitive data and could be used to steal data from other cloud users. Another report from a computer consultancy company suggested that the current standards of security in the tech industry means that it was crucial that businesses contacted their highly qualified cybersecurity team to protect against Meltdown, Specter and future security threats. Adding to the drama, CNN reported that a US government backed body warned that the chips themselves needed to be replaced to completely fix the problems. One cybersecurity expert announced Meltdown and Specter were disasters and another stated that Meltdown can be exploited by any script kiddie. It was suggested that the exploits are nearly impossible to fix short of shipping out new processes. As it turned out, firmware patches were shipped quickly and there have been no reports of any successful exploit using the two techniques. Meltdown and Spectre were high on drama and low on real risk, and FUD once more trumped common sense. Not all reports relating to hardware insecurity are FUD.
The research has shown here identified flaws in the Trusted Protection module chips from Intel and STMicro, which enabled the extraction of signature keys, breaking the chain of trust for which they form the roots. The researchers have been involved in identifying previous hardware vulnerabilities and are respected in their field. The vulnerability in this case can be readily exploited. For an end user, this particular vulnerability can be exploited via the Target's browser by having it visit a malicious website and it was effective on all versions of Internet Explorer running at the time of the announcement. This announcement was one that was worth taking seriously. Nevertheless, when it comes to sensational exposes regarding cybersecurity, check the evidence before you believe it.
Top comments (0)