The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies annually across the globe. In 2015, they investigated more than 500 cybersecurity incidents. They shared some of the details in a recent report of how they solved the cyber crimes.
A primary competitor of a Verizon customer had recently made public a new piece of large construction equipment. At first glance, the equipment looked like an exact copy of a model the customer had recently developed. This was all the more suspicious because the competitor hadn't traditionally produced this type of equipment.
The first employee interviewed was the chief design engineer for the project. While interviewing him, it became clear that he was actively looking for employment elsewhere and he might not be employed by the victim much longer. A recruiter had contacted the engineer via LinkedIn, which led to them exchanging emails.
A digital forensic examination of the chief design engineer’s system and associated firewall logs provided evidence of a breach associated with the design plans, which were located on that system. A PHP (scripting language) backdoor shell was found on the system. There were also clear indications that the threat actors had located and copied the file containing the design plans.
It appears the "recruiter" had planted malware on the engineer's computer. Through attack profiling, it was determined that the likely threat actors were a Chinese hacking group that had long been suspected of being state funded.
A regional banking organization indicated an unknown threat actor had attempted to initiate several wire transfers through the FedWire system totaling $5.3 million. During the initial interviews with the victim, Verizon's RISK Team learned that a manager in its finance department had initiated requests for multiple wire transfers over a 24-hour period using the bank's FedWire application. She was completely unaware of the attempted transfers.
Earlier that month the finance manager had received an email purportedly from the bank’s CIO. The CIO had sent her a glowing message stating that members of his team had mentioned what a great business partner the finance manager had been on recent collaborative projects. The message contained what appeared to be an innocuous hyperlink, which the finance manager recalled clicking. She thought this email was odd given that she had never worked with the bank’s CIO or any of his team members.
Verizon found a Zeus Trojan infection dating back to when the CIO email was received. The hyperlink in the fake email connected to a Zeus installer, which was still an active host when the team accessed the email.
A member of the IT infrastructure team at a large-scale manufacturer and retailer of consumer goods in North America received two separate emails from an individual in Southeast Asia claiming to have successfully exfiltrated several years’ worth of customer order data. The individual was seeking payment in exchange for not releasing the data publicly. The first of these two emails seemed innocuous, almost like a simple spam message. As such, the recipient simply chose not to respond. The second email took on a much more serious tone. It demanded $50,000 to withhold the release of the data, and it also included a data sample to add legitimacy to the claim.
A review of the e-commerce platform showed a weakness in the application's authentication mechanism. This vulnerability provided a threat actor with the ability to "force browse" purchase confirmation pages. The threat actor ran a script that accessed the back-end database driving the victim’s e-commerce platform, and exfiltrated over 1.5 million customer orders.
The victim went public and fully disclosed that it had been breached rather than pay any more ransom.
An organization was in the middle of a buyout and was utilizing retention contracts to prevent employee attrition. Based on an anonymous tip from an employee, suspicion was raised that a middle manager had access to, and was abusing, the CEO’s email account. Apparently a few IT administrators had access to the spam filter, and none of them was the middle manager. Verizon inquired about personal relationships between the middle manager and any employees. One of the IT administrators was good friends with him.
It turns out that the middle manager was given credentials to log into the appliance and read incoming email for potentially any employee. The CEO turned things over to the legal and human resource departments. The two employees denied any knowledge of the situation. Upon completion of the interviews, the two employees received escorts out of the building.
A cyber insurance carrier asked Verizon to investigate an unusual pattern of payment card fraud emanating from one of its customers—an oil and gas company. The counterfeit fraud had begun at a single gas station about a month earlier and then spread to five others, escalating as it went. Verizon configured evidence traps on the payment processing servers at a number of gas stations.
First, the support vendor, contracted by the oil and gas company to provide general IT and POS support to the gas stations, connected via Remote Desktop over VPN to the payment processing server. Upon connection, a check occurred to verify no other active logons were in progress. Next, the system clock was set forward two years. Then, a configuration file was modified to enable a verbose debug setting in the payment application, creating an output file capturing clear text copies of authorization requests from each fuel pump. This included complete mag-stripe sequences sufficient for conducting payment card fraud. The session ended with setting the clock back to the correct date and time.
As it turned out, this individual would seek out late-night assignments over the weekends that required only a single person in the office on call. He would connect to customer systems to steal payment card data.
A film industry executive received an envelope that looked like it was from a well-known production company. The envelope contained correspondence on company letterhead and a branded USB flash drive. The letter requested that the executive review the press kit contained on the drive.
The executive inserted the USB flash drive into his laptop and opened an executable file. First, it played a trailer for an upcoming movie and then it silently installed malware on the system with the aim of stealing an unreleased movie. The malware established persistence via Windows Registry key entries and attempted to reach out to a C2 server. The executive’s company had a proxy server that monitored all outgoing traffic from the corporate network. The proxy server blocked an attempted connection to a C2 server and forwarded a low-level alert to the IT security team. While the proxy had blocked the initial connection attempt, it had allowed an encrypted connection to another server.
Analysis of the malware on the USB flash drive and the laptop showed that it was capable of establishing a reverse shell. Once the reverse shell had been established, the threat actor started exfiltrating gigabytes of data including an unreleased movie.
Stealing from the parking lot
This investigation involved the alteration of Personal Identification Number (PIN) Entry Devices (PED) in a chain of stores. A PED is the hardware device sitting on the checkout counter of a merchant. The devices had an additional mag-stripe card reader installed under the legitimate card reader. This allowed the mag-stripe of any card used to be read at the same time as the transaction. Additionally, a membrane touch keypad was installed under the legitimate device touch keypad. All transactions were captured and stored in the memory chip. A Bluetooth device installed in the PED transmitted the information likely out to the parking lot where the perpetrator was stationed.
Through the examination of the CCTV recordings, several of the organized crime group threat actors were identified and arrested.
A critical infrastructure customer turned to Verizon to assess its networks for indications of a security breach. There was an unexplained pattern of valve and duct movements over the previous 60 days. These movements consisted of manipulating the PLCs that managed the amount of chemicals used to treat the water to make it safe to drink, as well as affecting the water flow rate, causing disruptions with water distribution.
The internet payment application enabled customers to access their accounts from a laptop, a desktop system or even a mobile device. However, access to customer water usage, PII and payment data required only a username and password. No second authentication factor was needed. Next, there was a direct cable connection between the application and the AS400 system. Making matters worse, the AS400 system had open access to the internet and its internal IP address and administrative credentials were found on the payment application webserver in clear text within an initialization (.ini) file.
BYOM – Bring your own malware
A finance company contacted Verizon after receiving complaints from their customers who weren't able to access their accounts through the customer website. When these account holders attempted to access their accounts, they received odd error messages indicating the site was blocked due to security concerns.
Looking through the network logs for the BYOD network, Verizon found traffic to known C2 servers. Using these same network logs, the client was able to identify the specific device—an employee’s personal laptop. This system had been infected with malware at home, brought to the office and connected to the BYOD network.
Verizon also found that the guest and BYOD networks were going out through the same network equipment, as well as using the same Network Address Translation (NAT), as the corporate traffic. This resulted in the corporate network’s reputation being affected by any devices connected to the guest and BYOD networks.
A bank reached out to Verizon after several of its high-value bank accounts had experienced millions of dollars of fraudulent ATM transactions. An administrator stole credentials from another administrator and then modified the security around the high-value accounts. The logs revealed that the malicious administrator had modified certain controls used to protect authentication information. Furthermore, the administrator fraudulently transferred money into the accounts and removed the withdrawal limits.
Law enforcement later concluded that organized crime gangs had recruited IT administrators at multiple banks to install malware and to force configuration changes.
No pay day
A US-based industrial parts manufacturer contacted the RISK Team about a "possible" data breach situation. It appeared that for the last two bi-weekly payroll cycles, none of the company’s C-suite had received their direct deposit paycheck. Instead, the paychecks were routed to a foreign bank account.
An external vulnerability scan indicated that certain elements of the HR website were susceptible to compromise via SQL injection. Along with basic login functionality, the non-authenticated side of the HR portal featured a "help" form where employees could create and submit basic questions. This was the form that was leveraged to interact with the database.
With the database running with admin privileges, the threat actors were able to alter the direct deposit routing numbers, account numbers and bank information for members of the executive suite, whose information they had gleaned while enumerating database contents.
Give me yer booty
A global shipping conglomerate noted that over the last several months, pirates had been attacking their ships. Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates would board a shipping vessel, force the crew into one area and within a short amount of time they would depart.
It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. Verizon homed in on the network traffic surrounding the CMS managing shipping routes, and discovered that a malicious web shell had been uploaded onto the server. The threat actors used an insecure upload script to upload the web shell and then called it directly, as the upload directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required.
After blocking the threat actors’ IP address, the victim reset all the compromised passwords and rebuilt the affected servers with current versions of its CMS.
Sharing is not caring
A manufacturing firm found numerous instances of connections between the company’s R&D department and an external IP address. This included numerous connections over the previous 24 hours involving an outbound transfer of over 2GB of data. The investigation revealed a breach of an engineering team’s shared computer system within the R&D department.
As a result, user credentials for everyone who had used that system were compromised. The source of the breach involved a phishing email that targeted an individual on the engineering team. The phishing email resulted in a Remote Access Trojan (RAT) backdoor being downloaded onto the system, which enabled the threat actors to escalate privileges and capture user credentials.
Verizon determined the perpetrators were a group operating in Asia.
This customer saw a variety of drive-by infections and non-targeted phishing attempts for the past year. After discovering one of the security appliances wasn't properly logging domain names, Verizon turned to the DNS server logs to find domains related to specific events. Within the DNS logs were thousands of malformed, seemingly random entries, all sourced from just three IP addresses—backup servers used for the user account databases. All of the requests from the backup servers ended up being routed to a single remote name server. Each request included a domain rendered in hexadecimal characters of equal length and was met with the expected "invalid" response.
An invalid request met by an "invalid" response was hardly a security red-alert, but the patterns showed strange things were afoot on User Datagram Protocol (UDP) port 53. Especially of concern was that this represented a direct path from the backup servers to the public internet. Verizon converted the invalid requests into a variety of other text formats. The results seemed entirely random until a text header of a ZIP file appeared. In the case of both the backup servers and the infected system, the malware had cleaned up local files and erased evidence necessary to build out a specific timeline.
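The pattern described above (same-length hex labels from a handful of internal hosts, all answered "invalid" by one remote name server, with a ZIP header surfacing once the labels are decoded) can be hunted for in ordinary DNS query logs. The following is an added example, not code from Verizon's report; the log format, IP addresses and hex labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample query log: timestamp, client, queried name, resolver, rcode.
# The hex labels and addresses are invented for this example.
SAMPLE_LOG = """\
2015-06-01T02:10:01 10.0.5.21 504b0304140000000800.ns-tunnel.example 203.0.113.9 NXDOMAIN
2015-06-01T02:10:02 10.0.5.22 1a2b3c4d5e6f708192a3.ns-tunnel.example 203.0.113.9 NXDOMAIN
2015-06-01T02:10:03 10.0.5.23 0a0b0c0d0e0f10111213.ns-tunnel.example 203.0.113.9 NXDOMAIN
2015-06-01T02:10:04 10.0.5.21 ffeeddccbbaa99887766.ns-tunnel.example 203.0.113.9 NXDOMAIN
2015-06-01T02:10:05 10.0.7.8 www.example.com 10.0.0.2 NOERROR
2015-06-01T02:10:06 10.0.7.9 abcdef.example.com 10.0.0.2 NOERROR
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # long, purely hexadecimal leading label
ZIP_MAGIC = b"PK\x03\x04"                   # local file header of a ZIP archive

def parse(log_text):
    """Yield (client, leading label, resolver, rcode) for each log line."""
    for line in log_text.splitlines():
        _ts, client, qname, resolver, rcode = line.split()
        yield client, qname.split(".")[0].lower(), resolver, rcode

def find_hex_tunnels(log_text, min_queries=3):
    """Group hex-label queries by the resolver they were routed to and flag
    resolvers that receive only labels of one fixed length. The labels are
    hex-decoded and concatenated so a ZIP header can be spotted in the stream."""
    per_resolver = defaultdict(list)
    for client, label, resolver, rcode in parse(log_text):
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            per_resolver[resolver].append((client, label, rcode))
    findings = []
    for resolver, hits in per_resolver.items():
        if len(hits) < min_queries:
            continue
        lengths = {len(label) for _, label, _ in hits}
        if len(lengths) != 1:
            continue  # mixed lengths: less likely to be a fixed-width encoder
        payload = b"".join(bytes.fromhex(label) for _, label, _ in hits)
        findings.append({
            "resolver": resolver,
            "sources": sorted({c for c, _, _ in hits}),
            "queries": len(hits),
            "label_len": lengths.pop(),
            "all_invalid": all(r == "NXDOMAIN" for _, _, r in hits),
            "zip_header": ZIP_MAGIC in payload,
        })
    return findings

if __name__ == "__main__":
    for finding in find_hex_tunnels(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports one resolver (203.0.113.9) fed by three internal sources, every query answered NXDOMAIN, with a ZIP header present in the decoded payload.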
A network administrator for a small company began receiving communications from users reporting issues with accessing a financial database application shared among multiple employees.
Additionally, some users reported a strange webpage indicating their files had been encrypted and that they would need to follow specific instructions involving sending money for a decryption key.
The executives paid the ransom but they then attempted to access the hyperlink provided, only to find that the web page had been taken down and there were no instructions on how to receive the keys.
The systems had Internet access and the vector of compromise was a malicious Adobe Flash file that was accessed while online. It also appeared that as soon as the file was downloaded to the systems, it replicated itself with a different file name in a different directory. File execution analysis confirmed that this file was executed just before the user files were encrypted.
Not an insider
This financial institution believed that its intellectual property and customer information might have been compromised. A perimeter traffic capture showed traffic that was flagged as matching previously identified C2 servers on the Internet. Verizon was also able to piece together communications taking place internally among several dozen systems—many appearing to be compromised end user systems. The anomaly was the unusual amount of port 53 traffic between the systems. The browser cache data on one of the systems helped determine that the threat actors had gained initial access via social engineering.
One of the personal emails on the system that was viewed contained a hyperlink associated with a malicious website. Upon clicking this link, installation of some basic system exploitation tools occurred, followed by lateral movement within the environment and installation of additional malware.
This additional malware set up a listener on port 53 to impersonate a DNS daemon—the firm wasn't blocking (or logging) port 53 traffic anywhere in its environment. The malware operated in a peer-to-peer (P2P) fashion and exclusively from within RAM.
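Because the P2P malware hid behind port 53, the detection that was missing here is simply accounting for port-53 flows whose destination is not an authorized resolver, and then looking for hosts that both send and receive such traffic. This is an added example, not code from the report; the resolver allowlist and flow records are constructed for illustration.

```python
from collections import defaultdict

# Authorized internal resolvers; constructed for this example.
AUTHORIZED_DNS = {"10.0.0.2", "10.0.0.3"}

# Constructed flow records (src, dst, dst_port, proto); not from the report.
SAMPLE_FLOWS = [
    ("10.0.7.8", "10.0.0.2", 53, "udp"),    # normal lookup to a real resolver
    ("10.0.7.9", "10.0.0.3", 53, "udp"),
    ("10.0.7.8", "10.0.7.21", 53, "tcp"),   # workstation-to-workstation on 53
    ("10.0.7.8", "10.0.7.22", 53, "tcp"),
    ("10.0.7.21", "10.0.7.22", 53, "tcp"),
    ("10.0.7.22", "10.0.7.8", 53, "tcp"),
    ("10.0.7.21", "10.0.7.8", 53, "udp"),
    ("10.0.7.9", "10.0.7.30", 443, "tcp"),  # unrelated traffic, ignored
]

def rogue_dns_listeners(flows, authorized=AUTHORIZED_DNS):
    """Hosts that accept port-53 traffic without being an authorized resolver,
    mapped to the sorted list of internal peers that talked to them."""
    listeners = defaultdict(set)
    for src, dst, port, _proto in flows:
        if port == 53 and dst not in authorized:
            listeners[dst].add(src)
    return {dst: sorted(peers) for dst, peers in listeners.items()}

def p2p_mesh(flows, authorized=AUTHORIZED_DNS, min_degree=2):
    """Hosts that both send and receive rogue port-53 traffic and have at
    least min_degree distinct peers: peer behaviour, not one rogue server."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for src, dst, port, _proto in flows:
        if port == 53 and dst not in authorized:
            out_peers[src].add(dst)
            in_peers[dst].add(src)
    hosts = set(out_peers) | set(in_peers)
    return sorted(h for h in hosts
                  if out_peers[h] and in_peers[h]
                  and len(out_peers[h] | in_peers[h]) >= min_degree)

if __name__ == "__main__":
    print(rogue_dns_listeners(SAMPLE_FLOWS))
    print(p2p_mesh(SAMPLE_FLOWS))
```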