Malware

How we breach retail networks…

 

Audio Version:

We recently delivered an Advanced Persistent Threat  (APT) Penetration Test to one of our customers. People who know us know that when we say APT we’re not just using buzz words.  Our APT services maintain a 98% success rate at compromise while our unrestricted methodology maintains a 100% success at compromise to date.  (In fact we offer a challenge to back up our stats.  If we don’t penetrate with our unrestricted methodology then your test is free. If we do get in then you pay us an extra 10%.)  Lets begin the story about a large retail customer that wanted our APT services.

When we deliver covert engagements we don’t use the everyday and largely ineffective low and slow methodology.  Instead, we use a realistic offensive methodology that incorporates distributed scanning, the use of custom tools, zero-day malware (RADON) among other things.  We call this methodology Real Time Dynamic Testing™ because it’s delivered in real time and is dynamic.  At the core of our methodology are components normally reserved for vulnerability research and exploit development.  Needless to say, our methodology has teeth.

Our customer (the target) wanted a single /23 attacked during the engagement. The first thing that we did was to perform reconnaissance against the /23 so that we knew what we were up against.  Reconnaissance in this case involved distributed scanning and revealed a large number of http and https services running on 149 live targets.  The majority of the pages were uninteresting and provided static content while a few provided dynamic content.

While evaluating the dynamic pages we came across one that was called Make Boss. The application was appeared to be custom built for the purpose of managing software builds. What really snagged our attention was that […]

Don’t become a Target

All of the recent news about Target, Neiman Marcus, and other businesses being hacked might be a surprise to many but it’s no surprise to us. Truth is that practice of security has devolved into a political image focused designed satisfy technically inept regulatory requirements that do little or nothing to protect critical business assets. What’s worse is that many security companies are capitalizing on this devolution rather than providing effective solutions in the spirit of good security. This is especially true with regards to the penetration testing industry.

We all know that money is the lifeblood of business and that a failure to meet regulatory requirements threatens that lifeblood. After all, when a business is not in compliance it runs the risk of being fined or not being allowed to operate. In addition the imaginary expenses associated with true security are often perceived as a financial burden (another lifeblood threat). This is usually because the RoI of good security is only apparent when a would-be compromise is prevented. Too many business managers are of the opinion that “it won’t happen to us” until they become a target and it does. These combined ignorant views degrade the overall importance of real security and make the satisfaction of regulatory requirements the top priority. This is unfortunate given that compliance often has little to do with actual security.

Most regulatory requirements are so poorly defined they can be satisfied with the most basic solution. For example PCI-DSS requires merchants to undergo regular penetration tests and yet it completely fails to define the minimum level of threat (almost synonymous with quality) that those tests should be delivered at. This lack of clear definition gives business owners the ability to satisfy […]

Whistleblower Series – The real problem with China isn’t China, its you.

Terms like China, APT and Zero-Day are synonymous with Fear, Uncertainty and Doubt (FUD).  The trouble is that, in our opinion anyway, these terms and respective news articles detract from the actual problem.  For example, in 2011 only 0.12% of compromises were attributed to zero-day exploitation and 99.88% were attributed to known vulnerabilities.  Yet, despite this fact the media continued to write about the zero-day threat as if it was a matter of urgency.  What they really should have been writing about is that the majority of people aren’t protecting their networks properly.  After all, if 99.88% of all compromises were the result of the exploitation of known vulnerabilities then someone must not have been doing their job. Moreover, if people are unable to protect their networks from the known threat then how are they ever going to defend against the unknown?

All of the recent press about China and their Advanced Persistent Threat is the same, it detracts from the real problem.  More clearly, the problem isn’t China, Anonymous, LulzSec, or any other FUD ridden buzzword.  The problem is that networks are not being maintained properly from a security perspective and so threats are aligning with risks to successfully affect penetration.  A large part of the reason why these networks are such soft targets is because  their maintainers are sold a false sense of security from both the services and technology perspective.

In this article we’ll show you how easy it was for us to hack into a sensitive government network that was guarded by industry technologies and testing best practices.  Our techniques deliberately mimicked those used by China.  You’ll notice that the  techniques aren’t particularly advanced (despite the fact that the press calls them Advanced) and in fact are based […]

The 3 ways we owned you in 2012

Here are the top 3 risks that we leveraged to penetrate into our customers’ networks in 2012. Each of these has been used to affect an irrecoverable infrastructure compromise during multiple engagements across a range of different customers. We flag a compromise “irrecoverable” when we’ve successfully taken administrative control over 60% or more of the network-connected assets. You’ll notice that these risks are more human-oriented than they are technology-oriented, thus demonstrating that your people are your greatest risk. While we certainly do focus on technological risks, they don’t fall into the top three categories.

The general methodology that we follow to achieve an irrecoverable infrastructure compromise is depicted below at a high-level.

Gain entry via a single point (one of the 3 referenced below)
Install custom backdoor (RADON our safe, undetectable, home-grown pseudo-malware)
Identify and penetrate the domain controller (surprisingly easy in most cases)
Extract and crack the passwords (we have pretty rainbows and access to this GPU cracker)
Propagate the attack to the rest of the network (Distributed Metastasis)

 
Social Engineering
Social Engineering is the art of manipulating people into divulging information or performing actions usually for the purpose of gaining access to a computer system or network connected resource. It is similar to fraud, but the attacker very rarely comes face-to-face with his or her victims. Today, Social Engineering is used to help facilitate the delivery of technological attacks like the planting of malware, spy devices, etc.

During an engagement in 2012, Netragard used Social Engineering to execute an irrecoverable infrastructure compromise against one of its healthcare customers. This was done through a job opportunity that was posted on our customers website. Specifically, our customer was looking to hire a Web Application Developer that understood how to design secure applications. We built an irresistible resume and established fake references, which quickly landed us an on-site […]

Conficker C and friends – Defeating worms with architecture

The first line of technical defense against any computer intrusion is the architecture of the network infrastructure that the computer is connected to. The fact that worms like Conficker are so successful in their metastasis is “in your face” proof of just how insecure today’s IT Infrastructures are.  If they weren’t so insecure then these worms would have a minimal impact.  What’s even more interesting is that worms are “dumb” and people can’t seem to keep them out of their networks, so what are people going to do when hackers come knocking?

In simple terms a worm is little more than a dumb, self replicating, repeating computer program that uses some mechanism (network, usb sticks, etc) to send copies of its self to other computer systems . A worms survival hinges on its ability to communicate with other computer systems and on its ability to gain entry into new uninfected computer systems.  If it can’t do one or the other then it can’t spread and it will eventually die.  If it can do both with relative success then it will likely survive for some time. The more hosts that a worm infects, the more potential hosts it can infect assuming that its method of gaining access isn’t patched before the host is infected.Â

With that said, the not so obvious but highly effective way of defending against worms is to undergo an Advanced Penetration Test. The reality is that worms and hackers use the same techniques for gaining access to networked infrastructures.  The primary difference is that a worm only has one method of attack and is restricted by its programming while a hacker is unrestricted and has many methods of attack.  Therefore it is reasonably safe to say that if […]

ROI of good security.

The cost of good security is a fraction of the cost of damages that usually result from a single successful compromise. When you choose the inexpensive security vendor, you are getting what you pay for. If you are looking for a check in the box instead of good security services, then maybe you should re-evaluate your thinking because you might be creating a negative Return on Investment.Usually a check in the box means that you comply with some sort of regulation, but that doesn’t mean that you are actually secure. As a matter of fact, almost all networks that contain credit card information and are successfully hacked are PCI compliant (a real example). That goes to show that compliance doesn’t protect you from hackers, it only protects you from auditors and the fines that they can impose. Whats more is that those fines are only a small fraction of the cost of the damages that can be caused by a single successful hack.When a computer system is hacked, the hacker doesn’t stop at one computer. Standard hacker practice is to perform Distributed Metastasis and propagate the penetration throughout the rest of the network. This means that within a matter of minutes the hacker will likely have control over the most or all of the critical aspects of your IT infrastructure and will also have access to your sensitive data. At that point you’ve lost the battle… but you were compliant, you paid for the scan and now you’ve got a negative Return on that Investment (“ROI”).So what are the damages? Its actually impossible to determine the exact cost in damages that result from a […]

Brian Chess, CTO of Fortify Software – Creating Confusion

So this entry goes to support my previous post about Insecure Security Technologies and some of the confusion that these vendors can cause. Recently Networkworld published an article named “Penetration Testing: Dead in 2009″ and cited Brian Chess, the CTO of Fortify Software as the expert source. The first thing that I want to point out is that Brian Chess is creating confusion amongst the non-expert people who read the article linked above.  The laymen might actually think that Penetration Testing is going to be dead in 2009 and as a result might decide to buy technology as a replacement for the service.  Well, before you make that mistake read this entire entry. I’ll give you facts (not dreamy opinions) about why Penetration Testing is required and why its here to stay.As a side note, Brian Chess has a vested interest in perpetrating this fantasy because his objective is first and foremost to sell you his technology.  Technology, like Brian Chess’s technology is a solution to a problem, which by definition means that the problem came first and the technology was always a few steps behind.  With respect to IT Security, hackers are always creating new methods for penetrating into networks (the problem). Because those methods of attack are new, the technology is not able to defeat them (because the solution doesn’t yet exist). So if technology can’t protect you, then how do you protect yourself?The best way to protect yourself is to use a combination of technology (to solve known problems) and Penetration Testing (to identify the unknown). A properly executed penetration test will reproduce the same or greater threat levels that your infrastructure will likely face in the real world.  This is akin to testing the armor […]