Wednesday, January 28, 2015

Romantic Cyber Attack Process

From time to time, even though we are now in 2015, I still meet people who do not really believe in cyber attacks, or who have confused ideas about how cyber attackers actually do their job. So, even if what I am writing is well known to most of you, I want to briefly describe the romantic process behind current cyber attacks against public and/or private infrastructures (not SCADA based).

The following image, borrowed from CERT-EU-SWP, shows a typical attack flow in 2014/2015. The attacker performs the initial attack phase (step 1) by compromising a victim machine; nowadays the most frequent "phase one" techniques are exploitation of a vulnerable service, spear phishing and watering-hole attacks.

From: CERT-EU-SWP Protection from Kerberos Golden Ticket
Once the attacker has successfully compromised the victim's machine (which often, but not always, means having direct access to that machine), he/she needs to escalate local privileges (step 2) in order to proceed with horizontal propagation (step 4). Several known techniques are available to escalate local privileges, such as: exploiting local vulnerabilities, 0-days, dumping the SAM file, hidden passwords, weak permissions on processes, DLL preloading, write permissions on Win32 system files, Windows services running as SYSTEM, the Windows AT command, etc.
Horizontal propagation is one of the most exciting phases for the attacker, since he/she can explore the victim network for the first time (assuming a complete black-box attack), trying to take over the entire targeted network with lateral-movement techniques.
Note: some attackers prefer to penetrate neighbouring machines through a generic exploitation process, others prefer network tricks to tamper with the attacked network's communications, and others prefer to own the network infrastructure (routers, smart switches, DNS, DHCP servers, etc.) before the endpoint machines.
Based on my personal experience, the most expedient way to perform horizontal propagation is the "pass-the-hash" technique (or "pass-the-ticket" in the case of Kerberos) [here, here]. In order to reach horizontal propagation (step 4) the attacker needs to harvest NTLM hashes or Kerberos tickets (depending on the targeted infrastructure). Harvesting hashes is a relatively simple phase: it can be done by dumping the credentials of logged-in user accounts from memory, by looking for services (applications) that store a password, or by waiting for (or forcing) a remote user to log in. Because the NT hash is all that NTLM needs to authenticate, the attacker never has to crack it: with pass-the-hash, attackers can ensure persistent access to the target network, with continuous and unlimited access to the target environment for as long as the harvested hashes remain valid (that is, until the corresponding passwords are changed). The described process is by far the most used attack process implemented so far, but it is not the only one. No countermeasures will be discussed in this blog post, only the romantic cyber attack process. :]

Sunday, January 11, 2015

Getting Persistence With No Malware

One of the most challenging tasks for attackers is to obtain persistence on the hacked machine. Malware was the perfect way to get this task done: a simple malware, implementing a persistence technique such as:
  • Getting into the "startup folder"
  • Installing a rootkit on user/system executables
  • DLL search hijacking
  • "Run" Registry keys
  • "UserInit" Registry key
  • WinLogon Events
  • Scheduled Tasks
  • Programs named to look like expected system components
  •  ...
was able to guarantee persistence on the victim's machine. But all these persistence techniques leave visible traces on the victim's system. Day by day, tools (Microsoft Sysinternals Autoruns, RegRipper, DLLSearchOrder, etc.) and analysts learned how to detect persistence, leaving the attacker only a few hours of activity.

During the past months attackers discovered a new way to get persistence without malware: the "Golden Ticket" attack, which is basically a forged Kerberos ticket-granting ticket (TGT), encrypted and signed with the key of the domain's krbtgt account (its NT hash when RC4-HMAC is used), that can be used to obtain valid service tickets as any known user!
In a nutshell, if you have domain admin access on an Active Directory forest/domain (enough to extract the krbtgt account's hash from a domain controller), you can forge Kerberos tickets to get unauthorized access. Local admin rights on a workstation are not enough by themselves: the krbtgt key lives only on domain controllers. A golden ticket attack is one in which you create a ticket-granting ticket that is good for 10 years, or however long you choose, regardless of the domain's ticket-lifetime policy, and that stays valid until the krbtgt password is changed (twice, because the KDC also accepts the previous krbtgt key).
One of the best (as far as I know) attack implementations is provided by mimikatz.

mimikatz: usage example

The described tool implementing this specific pass-the-hash (pass-the-ticket) attack is publicly available and can be used by attackers to gain persistence on a target domain. Obtaining the requirements for this attack (the krbtgt hash, the domain SID, and a domain admin session from which to dump them) is not a trivial task, but it is entirely possible. A great article released by Microsoft on pass-the-hash mitigations is freely downloadable here. If you are a Security Manager, please invest some of your time to read it.
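One check a defender can run against what this post describes, as an added example rather than anything from the original post or from mimikatz: a KDC-issued TGT is capped by the domain's "Maximum lifetime for user ticket" policy (10 hours by default), whereas a forged one carries whatever lifetime the attacker chose (mimikatz defaults to 10 years). The block parses `klist` output and flags cached TGTs whose lifetime exceeds the policy. The `klist` text, the principals, the times and the 10-hour policy value are constructed for the example; real `klist` output uses the machine's locale date format, so `TIME_FMT` is an assumption to adjust.

```python
"""Hunt for injected golden tickets in a session's Kerberos cache by TGT lifetime."""
import re
from datetime import datetime, timedelta

# Constructed sample: ticket #0 is a normal KDC-issued TGT; ticket #1 was injected
# with a 10-year lifetime and RC4 encryption (what a default mimikatz golden ticket looks like).
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/11/2015 9:00:00 (local)
        End Time:   1/11/2015 19:00:00 (local)
        Renew Time: 1/18/2015 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/11/2015 9:05:00 (local)
        End Time:   1/8/2025 9:05:00 (local)
        Renew Time: 1/8/2025 9:05:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

MAX_TGT_LIFETIME = timedelta(hours=10)   # default domain policy; assumed for the example
TIME_FMT = "%m/%d/%Y %H:%M:%S"           # matches the constructed sample; locale-dependent in practice


def parse_klist(text: str) -> list:
    """Split klist output into one {field: value} dict per cached ticket."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = {}
        for line in block.strip().splitlines():
            key, _, value = line.strip().partition(":")   # first colon only; times keep theirs
            if value:                                      # "Ticket Flags ..." has no colon
                fields[key.strip()] = value.replace("(local)", "").strip()
        tickets.append(fields)
    return tickets


def suspicious_tgts(text: str, max_lifetime: timedelta = MAX_TGT_LIFETIME) -> list:
    """Return TGTs whose Start->End span exceeds the policy, a strong forged-ticket indicator."""
    hits = []
    for t in parse_klist(text):
        if not t.get("Server", "").startswith("krbtgt/"):
            continue                                       # service tickets are not TGTs
        start = datetime.strptime(t["Start Time"], TIME_FMT)
        end = datetime.strptime(t["End Time"], TIME_FMT)
        lifetime = end - start
        if lifetime > max_lifetime:
            hits.append({
                "client": t["Client"],
                "lifetime_days": lifetime.days,
                "etype": t.get("KerbTicket Encryption Type", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_tgts(SAMPLE_KLIST):
        print("suspicious TGT:", hit)
```

The lifetime check catches the lazy default; an attacker who forges a ticket with a policy-compliant lifetime slips past it, and an RC4 etype on a TGT in a domain that otherwise issues AES tickets is only a secondary hint. The fix that actually invalidates forged tickets is the one mentioned above: reset the krbtgt password twice.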

Monday, January 5, 2015

Industrial Control Systems: an Interview

Industrial Control System security is a great challenge in today's production environments, but it is often one of the last concerns of production managers.
"SCADA (supervisory control and data acquisition) is a system operating with coded signals over communication channels so as to provide control of remote equipment (using typically one communication channel per remote station). The control system may be combined with a data acquisition system by adding the use of coded signals over communication channels to acquire information about the status of the remote equipment for display or for recording functions. It is a type of industrial control system (ICS). Industrial control systems are computer-based systems that monitor and control industrial processes that exist in the physical world. SCADA systems historically distinguish themselves from other ICS systems by being large-scale processes that can include multiple sites, and large distances."

CopadataMagazine on Scada Security