Three Hacker Villains, Three Attack Scenarios

The landscape of hackers is filled with stories from those whose job is to hunt them down. Rob Lee, a SANS forensics instructor and a senior forensics consultant at the IT security consultancy Mandiant, shares three "villain" examples of the types of attacks the company's forensic investigations team is seeing in the field.
Lee's insights come at the same time as a SANS report on the top risks to organizations. Information security staff at financial institutions should be on the lookout for these attacks and ready to respond to them, he advises.
The Case of Stolen Credentials, ACH Funds Transfers
Hackers use credentials stolen from executives to transfer large amounts of cash, in increments of less than $10,000, to dummy accounts. The dummy accounts are set up in the same country by willing accomplices known as mules. Once the funds arrive in an account, the mules withdraw the cash, which is then mailed back to organized criminals in Russia.
Frequency: A few cases (under 10)
Target: Chief financial officers or executives with the ability to manage corporate/business bank accounts
Goal: Swipe credentials in order to gain access to accounts and transfer funds.
Favorite Exploit Method: Client-side attack using crafted e-mails that lead the targets to open attached files (.doc, .pdf, .chm), or e-mails with an embedded link that has the user download the exploit to their machine.
Implications for Future Attacks: Because it combines duping a user with an easy-to-craft exploit, this one will probably be with us for some time. Stopping it would take a combination of internal security practices, user education, and closing client-side security holes.
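The pattern described above, many transfers that each stay under $10,000, is something a bank's own transaction monitoring can look for. The following is an added example, not code from the article or from Mandiant: it scans a constructed sample of outbound transfers and raises one alert per originating account whose sub-ceiling transfers, within a sliding window, are numerous enough and sum high enough to look like structuring. The ceiling, window, count and aggregate thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound transfers (not real data):
# (timestamp, originating account, beneficiary account, amount in USD)
SAMPLE_TRANSFERS = [
    (datetime(2009, 3, 2, 9, 15), "CORP-OPS-001", "ACCT-7781", 9800.00),
    (datetime(2009, 3, 2, 11, 40), "CORP-OPS-001", "ACCT-3310", 9500.00),
    (datetime(2009, 3, 2, 14, 5), "CORP-OPS-001", "ACCT-9042", 9900.00),
    (datetime(2009, 3, 3, 10, 30), "CORP-OPS-001", "ACCT-7781", 9700.00),
    (datetime(2009, 3, 2, 10, 0), "CORP-OPS-002", "VENDOR-412", 45000.00),  # large but single
    (datetime(2009, 3, 2, 16, 0), "CORP-OPS-002", "VENDOR-118", 2000.00),
    (datetime(2009, 3, 2, 9, 0), "CORP-OPS-003", "ACCT-5521", 9900.00),
    (datetime(2009, 3, 12, 9, 0), "CORP-OPS-003", "ACCT-5521", 9900.00),  # ten days apart
]


def find_structured_transfers(transfers, ceiling=10_000.00, window=timedelta(hours=48),
                              min_count=3, aggregate=20_000.00):
    """Return one alert per originating account whose sub-ceiling transfers, inside
    some sliding time window, number at least min_count and sum to at least aggregate.

    Transfers at or above the ceiling are left out: they are conspicuous on their own,
    and the pattern in the article is many transfers that each stay under it.
    Thresholds are illustrative assumptions, not values from the article.
    """
    by_origin = defaultdict(list)
    for ts, origin, beneficiary, amount in transfers:
        if amount < ceiling:
            by_origin[origin].append((ts, beneficiary, amount))

    alerts = []
    for origin, rows in by_origin.items():
        rows.sort()  # chronological order
        best = None
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            total = sum(amount for _, _, amount in chunk)
            if len(chunk) >= min_count and total >= aggregate:
                # Keep the window with the largest total for this originator.
                if best is None or total > best["total"]:
                    best = {
                        "origin": origin,
                        "count": len(chunk),
                        "total": total,
                        "beneficiaries": sorted({b for _, b, _ in chunk}),
                        "first": chunk[0][0],
                        "last": chunk[-1][0],
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_structured_transfers(SAMPLE_TRANSFERS):
        print(f"{alert['origin']}: {alert['count']} transfers totalling ${alert['total']:,.2f} "
              f"to {alert['beneficiaries']} between {alert['first']} and {alert['last']}")
```

In the sample, only CORP-OPS-001 trips the rule: four transfers, each under the ceiling, to three beneficiaries inside 48 hours. The single $45,000 transfer is ignored by design, since it is visible on its own, and the two $9,900 transfers ten days apart never share a window.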
'Smash and Grab' Card Data Theft
The 'smash and grab' attack centers on the attackers' ability to compromise systems and obtain large amounts of valid credit card data.
Frequency: About one-third of the cases we see every year (11-15).
Target: Money Transfer Organizations, Retailers, Financial Institutions - Card Issuers, ATM Manufacturers
Goal: Use the credit card data to recode cards and withdraw money from bank ATMs. Usually the attacks involve a large number of ATMs around the world and many mules who go to the ATMs, withdraw the money and send it back to Russia or to other criminals in Eastern Europe.
Favorite Exploit Method: Exploit public-facing web sites using SQL injection.
Future: The ability to exploit back-end databases will always be a problem. If SQL injection begins to fail, the attackers could shift to client-side attacks, as the ACH and APT cases demonstrate. Companies need to practice secure coding and assess their public-facing web servers.
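The secure-coding point above comes down to one habit: never assemble SQL text from untrusted input. The following is an added example, not code from the article or from Mandiant, that puts the vulnerable pattern beside its parameterized fix against an in-memory SQLite table of constructed rows. The table, column names and the probe input are assumptions made for illustration.

```python
import sqlite3


def build_demo_db():
    """In-memory table of constructed sample card holders (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholders (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cardholders (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' pattern: untrusted input is pasted into the SQL text, so the
    input can change the structure of the query, not just the value compared."""
    sql = "SELECT username, card_last4 FROM cardholders WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is bound to a placeholder and is never parsed as SQL."""
    sql = "SELECT username, card_last4 FROM cardholders WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh demo database for one input.
    Returns (rows from the vulnerable query, rows from the parameterized query)."""
    conn = build_demo_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input behaves the same either way: one matching row.
    print(compare("alice"))
    # A constructed tautology probe shows why query text must not be built from input:
    # the vulnerable lookup returns every row, the parameterized one matches nothing.
    print(compare("x' OR '1'='1"))
```

The parameterized version costs nothing at runtime and removes the whole class of bug, which is why an assessment of public-facing web servers should treat any string-built query as a finding regardless of whether a working injection was demonstrated.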
Advanced Persistent Threat, Network Access
Sophisticated and organized attacks whose goal is to occupy the network and maintain persistent access to network resources, targeting end users via spear phishing. The organized attackers clearly have a division of labor across the attacks and in target management. There is evidence of malware change management. The attackers escalate their attack methodology only when necessary; in essence, the countermeasures deployed by victims drive the increase in attack sophistication.
Origination point: China.
Frequency: About two-thirds of Mandiant's caseload is APT related, about 20 to 25 cases annually.
Target: Defense industrial base, government agencies, global financial organizations, industry supporting government initiatives (research and development, raw materials)
Goal: Maintain persistent network access even while incident response mitigation is under way. The aim is to hold a large number of compromised machines so that it is impossible for computer security incident response teams to succeed.
Favorite Exploit Method: Client-side attack using crafted e-mails that lead the targets to open attached files (.doc, .pdf, .chm).
Additional attack characteristics: Target Microsoft Windows systems; hold domain and local administrator credentials; operate freely throughout the enterprise and in plain sight. Once exploitation is achieved there is prolific use of backdoors. The attackers are not too concerned with hiding.
Examples: Hard to get "official" examples, but Mandiant is seeing this in the public sector.
Future: This one is not going away. The goal of these attackers is persistence. The days of the Maginot Line of information security are long gone. Organizations need to switch to a mentality of weed pulling; it is a constant job. You can never build levees and hope nothing gets in. Potential victims need to organize their response teams effectively and orient their mitigation strategies toward a marathon, not a sprint.
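"Weed pulling" needs a way to spot the behaviour the APT section describes: attackers holding administrator credentials and moving freely across the enterprise. The following is an added example, not code from the article or from Mandiant. It runs over a constructed extract of Windows successful-logon events (Event ID 4624 fields: time, account, logon type, target host, source address) and flags any privileged account that reaches more than a set number of distinct hosts inside a short window, which is the fan-out a credentialed attacker produces and an ordinary administrator rarely does. The account names, hosts, addresses, window and host limit are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows security log extract (not real data). Each record carries the
# fields of a successful logon (Event ID 4624): time, account, logon type, host, source.
SAMPLE_LOGONS = [
    ("2009-03-02 08:02:11", "CORP\\svc-backup", 3, "FS01", "10.0.5.21"),
    ("2009-03-02 08:03:40", "CORP\\svc-backup", 3, "FS02", "10.0.5.21"),
    ("2009-03-02 08:05:02", "CORP\\svc-backup", 3, "SQL01", "10.0.5.21"),
    ("2009-03-02 08:06:15", "CORP\\svc-backup", 3, "WKS-0144", "10.0.5.21"),
    ("2009-03-02 08:09:48", "CORP\\svc-backup", 3, "WKS-0217", "10.0.5.21"),
    ("2009-03-02 08:12:30", "CORP\\svc-backup", 10, "DC01", "10.0.5.21"),
    ("2009-03-02 09:00:00", "CORP\\jdoe", 2, "WKS-0144", "-"),
    ("2009-03-02 09:30:00", "CORP\\jdoe", 3, "FS01", "10.0.7.44"),
    ("2009-03-02 17:45:00", "CORP\\admin-patch", 3, "WKS-0301", "10.0.1.9"),
    ("2009-03-03 17:50:00", "CORP\\admin-patch", 3, "WKS-0302", "10.0.1.9"),
]

# Accounts that hold domain or local administrator rights (constructed list).
PRIVILEGED = {"CORP\\svc-backup", "CORP\\admin-patch"}


def find_privileged_fanout(logons, privileged, window=timedelta(hours=1), max_hosts=4):
    """Return one alert per privileged account that logs on to more than max_hosts
    distinct hosts within any sliding window. Non-privileged accounts are skipped."""
    by_account = defaultdict(list)
    for ts, account, logon_type, host, src in logons:
        if account in privileged:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_account[account].append((when, host, src, logon_type))

    alerts = []
    for account, rows in by_account.items():
        rows.sort()  # chronological order
        host_counts = defaultdict(int)  # hosts currently inside the window
        start = 0
        best = None
        for end, (when, host, src, _) in enumerate(rows):
            host_counts[host] += 1
            # Drop events that have fallen out of the window.
            while when - rows[start][0] > window:
                old_host = rows[start][1]
                host_counts[old_host] -= 1
                if host_counts[old_host] == 0:
                    del host_counts[old_host]
                start += 1
            distinct = len(host_counts)
            if distinct > max_hosts and (best is None or distinct > best["host_count"]):
                best = {
                    "account": account,
                    "host_count": distinct,
                    "hosts": sorted(host_counts),
                    "sources": sorted({r[2] for r in rows[start:end + 1]}),
                    "first": rows[start][0],
                    "last": when,
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_fanout(SAMPLE_LOGONS, PRIVILEGED):
        print(f"{alert['account']} reached {alert['host_count']} hosts {alert['hosts']} "
              f"from {alert['sources']} between {alert['first']} and {alert['last']}")
```

In the sample, svc-backup touches six hosts, including a domain controller, from one source address in ten minutes and is flagged; admin-patch reaches two workstations a day apart and is not. The output is a starting point for the response team, not a verdict: the next step is to check whether the source address and the hosts reached make sense for that account's job.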
Note: All information is derived from Mandiant consulting in a non-classified environment. Case studies are representative of industry trends and have been derived from multiple client engagements.