While the RSA data breach made news, it was just a high profile example of an attack that has been found in dozens of investigations by SpiderLabs at Trustwave in 2010. These attacks have been targeted at extracting data from government contractors as well as the financial and retail sectors.
In 2008 and 2009, attacks like these would have typically gone after credit card numbers, debit card numbers and employee records with social security numbers to be used for identity theft. In 2010, these attacks are much more sophisticated and targeted at specific information at specific organizations. The attackers were going after targeted data such as intellectual property and confidential business information such as operations manuals or policy documents. Or in the case of RSA, the attackers were going after the root code of issued Secure ID tokens.
To get a little perspective about attacks like these, we talked to Nicholas Percoco, Senior Vice President and head of SpiderLabs at Trustwave, about what makes these new attacks so effective and what can be done to discover them sooner and what to do if you find you have been attacked.
How are these attacks getting in?
The attackers are getting in in two ways: In the front door through VPN without two factor ID which is set up for remote access for employees working from remote locations. The attackers are also getting in through via targeted emails with malware embedded in a PDF.
In 2010 the infiltration emails got much more effective. What are they doing differently that makes them so effective?
The attackers are spending a good amount of time learning about their victims and the organizations they work for. They are not rushing to send off an email that looks suspicious to most victims. Instead the emails look like they were written by the authors that they are portraying and do not raise any red flags by the victims.
Do you have some examples you can share?
In the video below you can see what an attack like this would look like.
It’s a typical day. An employee is reviewing their In Box in Outlook.
- Looking over a few legitimate emails and skipping over some obviously suspicious e-mails they see an email from HR and open it.
- Looking over the e-mail it seems legitimate and open the attachment.
- In the Temp Folder, you can see what happens next as the malware gathers up a variety of files and then ships off all that data.
Attackers would learn about who the players in an organization are. They would see posts by the CEO then modified their messages to sound like him and submit them to executives at the company.
One of these elegant PDF attacks hits an organization and when the official opened the PDF all it did was zip all the files in the “My Documents” directory on the hard drive and FTP them off. Within minutes all the documents were gone. This was very targeted. They wanted to get a quick hit of data and this was a successful way to do it.
Other sampled malware looked for information in a specific directory or created by a certain program (Excel for example) then add the files to a directory and then batch process them to transmit at a specified time. Such a batch transmittal is not going to stand out on a firewall or web proxy log.
Is the malware these attacks deliver any better than what has been delivered in the past? Or is just that the delivery is more targeted and better packaged?
Not necessarily better, but the attack vector used to infiltrate the victim is more effective.
You have been called in for dozens of attacks like this. How do people know to call you in?
We have a fairly well established reputation in both the financial and law enforcement communities for doing both a quick and thorough job in analyzing the threat and loss.
What is their Anti Virus software missing?
100% of these attacks. They are specifically designed as custom or brand new attack files so that there is no chance AV will detect them.
Are there clear signs people should be looking for in their log files or other clues they have been compromised by one of these attacks?
Typically, the use case would be an email to an executive with an attachment, followed by an application crash such as PDF Reader or another Document Viewer. Then there is a large amount of data seen leaving the executives’ workstations destined for systems outside of their environment.
What are the clues that tell people their system has been compromised?
Typically these types of attacks will trigger the following:
- Elevated data transfers
- Active and persistent connections to addresses outside of the user’s typical activity
- In the event a system is being used as a jump point for other activity there will be increased levels of disk utilization on the person’s system (i.e. Disk utilization is rapidly increasing from 20% to 80% in a short period of time).
Are there some steps they can take before they call a firm like yours in?
Yes, understand how many people received such an email and what are the OS and Application versions being used on the various target’s systems. We sometimes find that while maybe 15 people were targeted, only two or three could have even been affected by the attack due to various reasons. Doing some of this legwork while engaging an outside vendor will save time in the investigation.
Once they have called you in, what do you tell people to do to prepare for your investigation?
The biggest item is that we are going to work as quickly and diligently as we can to help them identify all the components of attack (infiltration, aggregation, and exfiltration). But we are limited to what evidence exists. Having an IT department trying to fix all the problems before we complete our response and investigation could be very counterproductive. Historically, this activity has resulted in the loss or tainting of evidence in our investigation. We usually ask that they hold off on making changes to the environment unless we direct them to do so. They typically don’t wait weeks, but more like a few hours before they receive that directive from us.