Session Recording: https://vimeo.com/249802858 (Available 1/5-1/12)
Next Sessions Registration: https://networkdefense.clickmeeting.com/cuckoos-egg-6
This week, we reviewed chapters 24-30.
Cliff arrives at the lab and talks with his boss who wants him to discuss an ongoing attack being dealt with at Stanford. Dan from Stanford calls Cliff and mentions that he would have e-mailed Cliff about the details, but he is concerned that someone else might be reading it so he chose to discuss in person. They had been relying on the phone more in light of this.
Stanford had a similar monitoring system and saw the attacker (also traced to McClean, VA) uploaded a homework problem to their server complete with this name, Knute Sears, and the name of his teacher, Mr. Maher. Due to the nature of the homework, they believed it to be associated with a high school kid. In an effort to help and potentially connect the LBL and Stanford breaches Cliff worked with his sister to look for schools that might have a Mr. Maher. They only found one, but he was a history teacher, not math. There was also no Knute Sears enrolled there. This was a dead end.
Operational Security for Infosec Practitioners
We provide general security advice to users all the time, but we also must consider the security of our operational tasking. OPSEC is unique to the operations of an individual role and the security role is no different. We often research potentially malicious sites and files and have to protect ourselves from the inherent nature of that work using special precautions just like someone dealing with biological weapons might need to take extra opsec precautions to protect themselves to a greater degree than someone in the general public would.
To this end, we discussed OPSEC concerns related to browsing specifically. I discussed information available to the browser by just visiting a website and how people take advantage of that. I also discussed the modern advertising ecosystem and how it makes a perfect platform for the distribution of malicious code. We played a game where I showed ads and students guessed whether they were legit or led to malware. The conclusion? It’s often impossible to tell, even for those with a trained eye. This compounds the problem ad networks present. I provided several practical steps practitioners can take to strengthen their OPSEC including running ad and script blockers, disabling password manager autofill, disabling browser prefetch, and browsing from a VM to reduce attack surface.
More Reading:
- 20 Home Pages, 500 Trackers Loaded: https://mondaynote.com/20-home-pages-500-trackers-loaded-media-succumbs-to-monitoring-frenzy-9efeb389cbbd
- Ad Targeters are Pulling Data from Browser Password Managers: https://flipboard.com/@flipboard/-ad-targeters-are-pulling-data-from-your/f-1775c6c6f3%2Ftheverge.com
- Adblock Plus: https://adblockplus.org/
- uBlock Origin: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
- NoScript: https://noscript.net/
- Malicious TOR Exit Node Adding Malware to Binaries: https://threatpost.com/researcher-finds-tor-exit-node-adding-malware-to-binaries/109008/
- Two Ways Chrome Sacrifices Security in the name of Speed http://lightpointsecurity.com/content/two-ways-google-chrome-sacrifices-security-in-the-name-of-speed
- Browser-Based CryptoCurrency Mining: https://www.symantec.com/blogs/threat-intelligence/browser-mining-cryptocurrency
Dig Deeper Exercises:
- Level 1
- Implement the “safify” alias and test it out a few times.
- Level 2
- Install an ad blocker like uBlock Origin or AdBlock Plus. Visit two sites you frequent and view the logs generated by your ad blocker. How many ad networks did you find?
- Level 3
- Take the same page and find the HTML/Javascript that delivered the ad. Analyze its function and consider what would need to be changed in order for malicious content to be delivered here.
Cliff receives a call from Mike Gibbons at the Virginia FBI office. He is much more interested in the case than the California FBI and agrees with Cliff’s plan to have MITRE trace the call the next time the attacker shows up. This event soon took place and MITRE was able to confirm that someone was connecting to LBL from their network but they were unable to trace the source of the call due to the complexity of their network.
Cliff formulates the hypothesis that MITRE might be serving as a hop point for many different attackers. For this to be true, three things would have to occur.
- There would have to be a way for anyone to connect to MITRE’s network
- A MITRE system would have to allow strangers to authenticate to it
- They would have to provide unaudited outgoing long distance telephone service
Cliff knew that the third thing was already true. He wanted to test the first two, but to do that he would have to assume the role of an attacker and conduct a pseudo-penetration test. He connects to Tymnet and uses a MITRE account and finds at least one system called AEROVAX left wide open that he can dial out from. This confirms his hypothesis.
While poking around the MITRE network he also discovers that the AEROVAX system has been infected for at least six months with a trojan horse that is stealing passwords at login. He informs MITRE about this issue and in exchange for this information they agree to send him a copy of their outgoing phone bill so he can assess the movement of the attacker.
Cliff receives the phone bill information and writes correlation software to analyze it. He highlights the calls he knows are from the attacker and flags calls before and after them. Eventually, he comes up with a list of probable calls made by the attacker. It includes several familiar entities like Anniston, along with others like Oak Ridge, San Diego, and Norfolk. He also discovers a bunch of short 1 minute phone calls to military bases and ponders the reason behind them.
Attacker Pivoting
At this point we’ve seen the attacker pivot through all sorts of networks to reach their goal. This is done to keep people from finding the true identity of the attacker. It protects them from prosecution and relaliation while also providing resiliiency to their attack infrastructure. I discussed and demonstrate some very simple techniques attackers can use for pivoting. This included a demonstration of “living off the land” with SSH and using netcat to shovel command line access back to an attacker through an intermediary host. I also discussed purpose built malware like HTRAN. Finally, I discussed some realities of attribution in the modern landscape and its limitations.
More Reading:
- Netcat Cheat Sheet: https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
- HTRAN Research from SecureWorks: https://www.secureworks.com/research/htran
- Forensic Analysis of Mandiant’s APT 1 Report (Mentioning HTRAN): http://espionageware.blogspot.com/2013/03/forensics-analysis-of-mandiants-apt1.html
Dig Deeper Exercises:
- Level 1
- Create a simple chat client by using a netcat relay between two hosts. Try implementing this in TCP and UDP.
- Level 2
- Expand your chat client to go through an intermediate jump host as to conceal your originating IP from the victim.
- Level 3
- TCP Spoofing is a technique that attackers can theoretically use to send data to a network indirectly, but it is challenging in practice. Research this technique to understand how it works and its limitations.
MITRE decides to shut down it’s outbound modems basically eliminating the pathway the attacker was taking into the LBL network. At this point Cliff thinks the investigation might be over. He ties up a few loose ends by notifying network owners at Navy Regional Automated Data Center and an unmentioned Georgia college about potential breaches on their network. Through these discussions he confirms activity similar to what he has observed, as well as a similar compromise on the JPL network in California.
Cliff also refines his profile of the attacker he is tracing. The attacker is fluent in Unix and VMS which means it is unlikely they are a high school student akin to what the Stanford breach had revealed. Meanwhile, Teejay from the CIA calls and asks Cliff to send an updated copy of his logbook.
Cliff also builds another statistical analysis tool to calculate the attacker’s average login time. This turned out to be from 12-3PM on weekdays, and as early as 6 AM on weekends. This supported the notion that if the attacker was in Europe they would only break in during the evening during the week day but were more flexible during the weekend.
Sventek comes back and this time Cliff initiates a trace via his Tymnet contacts. They find the call is coming from a new location. It’s coming from International Telephone and Telegraph company (which means it is international) and traced to the Westar 3 satellite. This means the call is coming from Spain, France, Germany, or Britain but at first they can’t definitively say where until they get more information. Cliff gets a call from Ron Vivier later and finds that the call has been traced to the German Datex Network in West Germany.
There are now two possibilities. Either the hacker is indeed dialing in from Germany, or they are using the Datex network as a hop point in a similar fashion to how someone would use Tymnet. Either way, the next step would be to request information from German Bundespost, the government monopoly that runs the communication network.
Cliff starts piecing together more of the puzzle and confirms that local times in Germany sync up with his weekday after-hours theory on call times. He also remembers that a username used by the attacker one was Jaeger, which is German for Hunter. Cliff isn’t ready to fully accept this conclusion, but some of his data points seemed to fit.
Questions to Consider
What OPSEC failures by attackers can lead to attribution by defenders?
Consider:
- Use of public tools
- Custom malware
- Attack sourcing
- Shared infrastructure
- Multiple victims
Next Session
January 11th 7:30PM ET
Read Chapters 30-37
Register/Attend Here: https://networkdefense.clickmeeting.com/cuckoos-egg-6