Cyber Threats - aimirs.org

Cyber Threats

ABMTS – Cincinnati, OH
Malcolm Sykes, CISSP & Terry Lewis

The IRS as Target

- Largest IT environment of any U.S. civilian agency
- More PII than any other government agency
- Process $2.5T of revenues
- Complex & diverse IT infrastructure
- Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in)
- 700+ PODs

The Threats & Vectors

- Malware (Trojans, viruses, worms, spyware, etc.)
  - Web browsing
  - E-mail
  - Removable media
- Data Disclosure & Integrity
  - Authorized users
  - Lost & stolen equipment
  - Network penetration
- Denial of Service
  - Botnets
  - Insider attacks

Emerging Threats

- Mobile malware (Blackberry, iPhone, iPad)
- Memory-based rootkits & other malware
- Cloud computing
  - Infrastructure & contractor outsourcing
- Cross-platform malware
  - Includes virtualized environments
- Blended threats (multiple vectors)

  Intrusion + Worm + Virus = Blended Threat

Computer Hackers

Who are they? No longer just techno-geeks.

The Attackers

- Financially or politically motivated
  - Criminal gangs
    - Employ individuals or groups of hackers to steal PII, credit card & banking information
  - Hacker gangs
    - Create & sell botnets & hacker tools
    - Sometimes engage in activity to wage cyber war on each other or to boost their reputation
  - Political or religious groups
    - Hacking for military and commercial secrets & to inflict damage
- Well resourced
  - Funded by criminal enterprises, nations, political or religious entities

Political or Religious Groups

- Highly motivated, professionally trained & equipped adversaries
- Espionage and sabotage aimed at US Government, military & commercial sites
- Strategic & tactical attacks
- Threat to the military & economic security of the United States

Botnet Attack

- Distributed Denial of Service (DDoS) attack launched on the weekend of July 4, 2009
- Targeted 27 American and South Korean government agencies and commercial Web sites
- US Government targets included the White House, Secret Service, Federal Trade Commission, Transportation Dept. & the Treasury Dept. (but not IRS)
- US commercial targets included the New York Stock Exchange, Nasdaq, Yahoo & The Washington Post
- South Korean targets included the presidential Blue House, Defense Ministry, National Assembly, Shinhan Bank, the Chosun Ilbo newspaper & top Internet portal Naver.com
- Estimated over 50,000 IP addresses were participating in this attack
  - Rated as unsophisticated
  - Full recovery in less than one week

As reported in the New York Times, July 8, 2009

Vulnerabilities & Mitigations

- Default machine configurations are inherently insecure
  - Mitigation: IRM requirements & policy checkers; standard workstation COE image based on the FDCC
- Patching & updating is often delayed in large organizations due to testing & implementation restrictions
  - Mitigation: assigned staff, timeframes & tracking of updates
- Absent, disabled or outdated anti-virus programs, firewalls, etc.
  - Mitigation: compliance reviews
- Risky web-surfing & e-mail behavior
  - Mitigation: security awareness presentations & materials; AV software, firewalls, site-blocking software, network monitoring & IDSs
- Social engineering
  - Mitigation: security awareness presentations & materials

Targeting End-users

- Attackers no longer need to penetrate security perimeters
- This is a byproduct of the move towards financially motivated malicious activity
- Malicious activity has moved away from targeting computers & towards targeting end users themselves
- Specifically, attackers are targeting confidential end-user information that can be used in fraudulent activity for financial gain as well as in attacking systems

“Electronically Transmitted Diseases”

- More employees are using mobile media
  - CDs, DVDs, thumb drives, MP3 players (iPods), external hard drives
- Mobile media is used by criminals as another vector to spread their malware. In addition to mobile media containing software, music, etc. purchased from flea markets, found in parking lots, etc., some commercially produced software has contained code that makes systems vulnerable to rootkits & other malware
- Mobile media connected to a non-IRS system will be exposed to any malware left behind from previously installed ETDs
- Internal Revenue Manual (IRM) 10.8.1.5.2.5 prohibits the use of personally owned equipment, including software & media, on IRS systems & vice versa

Cybersecurity Misconceptions

- No one knows who I am on the Internet
- The Internet is a virtual world, so nothing bad can happen to me
- Security software (anti-virus, firewall, etc.) will protect me
- The IRS will protect me
- Law enforcement will protect me

Who believes all this?

Credit Card Sales

“5568”
<A> Billing: Pxxx xxx
<A> xxx xxx Road
<A> Suite 400
<A> xxx, CA xxx
<A> US
<A> Phone: xxxxxx7605
<A> e-mail: pxxx.xxx@atf.gov
<A> Payment Method: Credit Card
<A> Name On Card: Pxxx x. xxx
<A> Credit Card #: 5568xxxxxxxxxxxx
<A> Credit Type: MasterCard
<A> Expires: 05/2009
<A> CVV2: 421

Capturing Card Number & PIN

- Organization database attacks
- Social engineering via e-mail, web site, telephone or postal mail
- Dumpster diving & trash collection
- Man-in-the-middle web site attacks
- Bank ATM modifications
  - Equipment disguised to look like a normal ATM
  - Wireless “skimmer” & video camera transmit scanned card information & PIN
  - Criminals copy cards & use PINs to withdraw cash

Wireless Scanner

Equipment being installed on top of the existing bank card slot.

Wireless Video Camera

PIN-reading camera being installed on the ATM is housed in an innocent-looking leaflet enclosure.

From Patch to First Attack

Worm      Patch released           First attack     Patch-to-attack window
Nimda     Oct. 17, 2000  MS00-078  Sept. 18, 2001   336 days
Slammer   Jul. 24, 2002  MS02-039  Jan. 25, 2003    185 days
Blaster   Jul. 16, 2003  MS03-026  Aug. 11, 2003    26 days
Sasser    Apr. 13, 2004  MS04-011  Apr. 30, 2004    17 days
JView     Jul. 12, 2005  MS05-037  June 2005        0-day (attack preceded the patch)

Zero-Day Exploits

- High-risk, undocumented vulnerabilities with no approved patch
- Sometimes discovered by hackers & kept secret prior to use
- Some patches not released timely (RPC memory overflow: over 4 years)
- CSIRC released 10 Critical Advisories & 1 Bulletin for zero-day exploits since Jan 1, 2009
- Multiple zero-day exploits targeted IRS Business Units via e-mail

Zero-Day Exploit Against IRS

- In February 2009, an e-mail was sent to 2 IRS e-mail accounts
- Attachments utilized a Microsoft Excel zero-day exploit
- Malware designed to export data to a remote IP address
  - Used custom encryption (non-SSL) over TCP port 443
- Target IRS e-mail addresses included:
  - Former employee (account/e-mail disabled)
  - Distribution list (e-mail forwarded to 10 employees)
- Analysis confirmed outbound connection attempts were blocked & no data was exported

[Figure: mock envelopes addressed from “I. M. Hacker” to “IRS Employee, Some Building, Anywhere, USA 66666”, one per recipient]

Zero-Day Exploit Overview

[Diagram of the e-mail path]
- E-mail sent via gmail.com: e-mail attachment with Microsoft Excel spreadsheet zero-day exploit
- Spear phishing e-mail was sent on a Friday targeting two (2) IRS e-mail addresses, one of which was a distribution e-mail address. NOTE: the following Monday was a federal holiday.
- Path: Treasury Email Gateway → IRS Email Gateway → IRS Environment (zero-day Excel spreadsheet as e-mail attachment)
- Recipients: invalid account (IRS employee); IRS distribution list (10 employees)
- Call-back IP address: blocked (X)
- Analysis identified that the malware calls back to an IP address residing in the US over TCP port 443 using custom encryption for beaconing and/or data exfiltration activity.

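The call-back in this case used custom, non-SSL encryption on TCP port 443, so the port alone says nothing about whether a flow is TLS. The following added example (not from the presentation or the IRS) checks the first client bytes of each flow against the TLS record layout and reports port-443 flows that do not open with a ClientHello; the flow records, IP addresses and byte strings are constructed for the example.

```python
"""Flag TCP/443 flows whose first client bytes are not a TLS ClientHello.

Added example, not from the presentation. A TLS connection opens with a
handshake record: type 0x16, a 2-byte record version, a 2-byte record
length, then a ClientHello (handshake type 0x01) with a 3-byte length.
Traffic on 443 that does not fit that layout is worth a closer look.
"""
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
# Record-layer versions seen in practice: SSL 3.0 through TLS 1.3 (TLS 1.3
# still advertises 0x0301/0x0303 at the record layer).
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}


def looks_like_client_hello(payload: bytes) -> bool:
    """Return True if payload starts with a well-formed TLS ClientHello record."""
    if len(payload) < 9:                      # header fields alone need 9 bytes
        return False
    if payload[0] != TLS_HANDSHAKE:
        return False
    if int.from_bytes(payload[1:3], "big") not in TLS_VERSIONS:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if payload[5] != CLIENT_HELLO:
        return False
    hs_len = int.from_bytes(payload[6:9], "big")
    # The handshake message (4-byte header + body) must fit inside the record.
    return hs_len + 4 <= record_len


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes   # first client-to-server bytes of the flow


def suspicious_443_flows(flows):
    """Return (src, dst) pairs that use TCP/443 without a TLS ClientHello."""
    return [(f.src, f.dst) for f in flows
            if f.dport == 443 and not looks_like_client_hello(f.first_payload)]


# Constructed sample flows: a plausible ClientHello (record length 44,
# handshake length 40), an opaque custom-encrypted blob on 443, and plain
# HTTP on port 80 (outside the scope of this check).
CLIENT_HELLO_SAMPLE = (bytes([0x16, 0x03, 0x01, 0x00, 0x2c, 0x01, 0x00, 0x00, 0x28])
                       + b"\x03\x03" + bytes(38))
CUSTOM_BLOB = bytes([0x9f, 0x21, 0x7a, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef, 0x55, 0x66])
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", 443, CLIENT_HELLO_SAMPLE),
    Flow("10.1.1.11", "198.51.100.7", 443, CUSTOM_BLOB),
    Flow("10.1.1.12", "192.0.2.9", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

This is a first-bytes heuristic: it separates "not TLS at all" from "TLS", and a hit still needs analyst review of the destination and the rest of the session.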
Real or Fake?

CNN Phishing

- Spam e-mail was circulating in January 2009 containing factual information about the Israeli/Hamas conflict
- It appeared to originate from CNN & contained a link to a website posing as CNN, which contained what looked like a video file
- All links on the website actually resolved to the valid CNN website
- Visitors who attempted to view the video were prompted to update to a new version of the Adobe Flash Player
- Update was actually malicious code

CNN Phishing

[Diagram: Israel/Hamas spam mail arrives via the IRS.gov Exchange Server; the IRS user receives the malicious spam; the user views the video at hxxp://xxx.cnn.2009.xxxxxxxxxxxxxxxxx.com and attempts to update Adobe Flash Player; malicious code (Adobe_Player10.exe) is downloaded and installed on the IRS system; the user is redirected to a second site and malicious code (hxxp://xxxxx.com/servicepack1.exe) is downloaded and installed; data exfiltration to a Russian IP]

IRS Response to CNN Phishing

- IRS initiated content filtering to block the e-mail
- Only 11 of 38 AV products could detect stage one
- Only 2 of 38 AV vendors’ signatures could detect stage two
- Analysis revealed 36 IRS systems visited the fraudulent CNN website (stage one)
- Additional analysis identified 1 IRS system issuing HTTP GET requests to the Russian IP address every 20 minutes (stage two)
- Further analysis confirmed that no data was exported

“Just Surfing the Web”

- In November 2009, an employee performs a search via Yahoo! for “1979-2007 vehicle wiring diagrams”.
- First (non-sponsored) URL listed by the search engine was malicious
- Embedded HTML executed a PHP file, downloading the malware file 45096.exe
- Malware executes & begins beaconing home to kinoarts.com over TCP port 80
- Analysis revealed 2 additional call-back sites not being blocked by IRS
- Further analysis confirmed outbound connection attempts were blocked & no data was exported

Beacons

- A beacon is an intentionally conspicuous device designed to attract attention to a specific location
- In the cyber world, a beacon is a system that repeatedly attempts to make a hidden connection with one or more systems outside of its network
- Ordinary user traffic is fairly random, so traffic generating a significant regular pattern is indicative of a beacon

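The regular-pattern test above, and the 20-minute HTTP GETs seen in the CNN phishing case, can be turned into a check over proxy logs. The following added example (not from the presentation or the IRS) groups requests per client/destination pair, measures how evenly spaced the requests are, and flags pairs with many near-constant gaps; the log format, hostnames (`.example`), timestamps and thresholds are all constructed for the example.

```python
"""Spot beaconing in proxy logs by inter-request interval regularity.

Added example, not from the presentation. Browsing produces irregular
request timing; a beacon repeats on a tight schedule. For each
(client, host) pair we compute the gaps between consecutive requests
and the coefficient of variation (std dev / mean) of those gaps; a
beacon's CV sits near zero, a person's is well above it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, format: "<ISO timestamp> <client_ip> <method> <host> <path>".
# 10.2.3.4 talks to kinoarts.example every ~20 minutes (a few seconds of
# jitter) while also browsing a news site at human, irregular intervals.
SAMPLE_LOG = """\
2009-11-10T08:00:00 10.2.3.4 GET kinoarts.example /x.php
2009-11-10T08:20:01 10.2.3.4 GET kinoarts.example /x.php
2009-11-10T08:39:59 10.2.3.4 GET kinoarts.example /x.php
2009-11-10T09:00:02 10.2.3.4 GET kinoarts.example /x.php
2009-11-10T09:19:58 10.2.3.4 GET kinoarts.example /x.php
2009-11-10T09:40:00 10.2.3.4 GET kinoarts.example /x.php
2009-11-10T08:03:12 10.2.3.4 GET news.example /world
2009-11-10T08:03:40 10.2.3.4 GET news.example /world/story1
2009-11-10T08:11:05 10.2.3.4 GET news.example /sports
2009-11-10T08:47:51 10.2.3.4 GET news.example /weather
2009-11-10T09:30:00 10.2.3.4 GET news.example /world
2009-11-10T09:31:10 10.2.3.4 GET news.example /world/story2
2009-11-10T08:00:00 10.2.3.5 GET intranet.example /home
2009-11-10T08:30:00 10.2.3.5 GET intranet.example /home
"""


def parse_log(text):
    """Yield (timestamp, client, host) from each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path = line.split()
        yield datetime.fromisoformat(ts), client, host


def interval_stats(timestamps):
    """Return (gap_count, mean_gap_seconds, coefficient_of_variation).

    CV is None when fewer than two gaps exist, so such pairs are never flagged.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), (gaps[0] if gaps else 0.0), None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else None
    return len(gaps), m, cv


def find_beacons(text, min_gaps=4, max_cv=0.05):
    """Return {(client, host): (gap_count, mean_gap_seconds)} for regular, repeated pairs.

    min_gaps: intervals required before a pair is judged (two coincidental
              requests should not trigger a hit).
    max_cv:   maximum relative spread of the gaps; thresholds are constructed
              for the example and need tuning against real traffic.
    """
    by_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        by_pair[(client, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        n, m, cv = interval_stats(stamps)
        if n >= min_gaps and cv is not None and cv <= max_cv:
            hits[pair] = (n, m)
    return hits


if __name__ == "__main__":
    for (client, host), (n, m) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} intervals, every {m / 60:.1f} min")
```

Malware that randomizes its sleep interval raises the CV on purpose, so in practice this check is paired with destination reputation and the volume of data sent per connection.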
Beaconing Activity

- Beaconing from an infected IRS system attempting to “call home” to a website in China for further instructions.
- Website was a known malicious website that was blocked

SCADA

- Supervisory Control & Data Acquisition
- Provides data display, alarming, trending, reporting, & control for devices & equipment in remote locations (via LAN, modem, wireless technologies, or Internet)
- Think US critical infrastructure

Cyber Attacks on SCADA

- Unintentional consequences caused by internal personnel or mechanisms (testing software on operational systems or unauthorized system configuration changes)
- Unintentional consequences or collateral damage from malware
- Intentional attacks such as gaining control or DoS attack
  - Aurora: simulated cyber attack on a SCADA system in March 2007
- Both unintentional and intentional attacks on SCADA systems have been documented

Questions or Comments

Posted: 9/3/2011 (32 pages)