Skip Links

Security researcher shares blow-by-blow account of advanced persistent threat

In this APT case, thief hacked printer to get further into network

By , Network World
October 30, 2012 01:50 PM ET
Gianni Gnesa

Network World - Hackers are brazenly infiltrating corporate networks to steal valuable data for purposes of sharing it with other companies or nation-states -- and they're getting away with it, say security researchers sharing war stories at the Hacker Halted conference in Miami this week.

"Unfortunately, IDS [intrusion-detection systems] didn't detect them," said Gianni Gnesa, security researcher at Ptrace Security, based in Switzerland, who described a recent attack on a Swiss firm to steal important data.

It started by targeting an employee after he had placed an inquiry on Craigslist related to furniture. The email he got back redirected him to a dynamic-exploit delivery page created by an attacker, which successfully exploited Windows Internet Explorer on his Windows 7 machine to compromise it. This MS12-037 exploit, though not a zero-day attack then, did not have a patch available for it at the time, Gnesa said.

RELATED: Want an IT security pro? For starters, get politically incorrect and try to understand geek culture

Once into the compromised employee machine, the attacker used a collection of tools and a sniffer to look for where valuable content might be stored in the Swiss company's network. Though he found an application server, he couldn't get into it. But the attacker did break into the network printer, a Toshiba, and went on to check for passwords. "The administration password was in the HTML code," said Gnesa. "And unfortunately, that password was also used on another machine."

Eventually the attacker made his way to documents, diagrams and other valuable intellectual property stored on a Linux file server. Although the server was well-kept in terms of security, the backup for it was not, and by using what Gnesa referred to as the phpMyAdmin 3.4.1 swekey RCEexploit, the attacker got to the remote shell on the backup server. With yet another trick, the Linux 2.6.x umount exploit, he got to the root shell and had access to every file and directory, said Gnesa.

The attacker was interested in extracting large volumes of sensitive data, which he did, sending it encrypted to a compromised host in Malaysia, said Gnesa. The Swiss firm found out something was amiss after the attacker brazenly attempted to send money into a foreign bank account based on signatures and documents he had stolen. But the Swiss bank thought the requested funds transfer to be suspicious and notified the victim's firm. At that point, Ptrace was brought in to pull together a forensics analysis of what had happened.

Gnesa said he thinks the attack took about two weeks to carry out in full -- but it took a month and a half to really understand the details of it.

The main countermeasures he could recommend to try and prevent this type of stealthy attack to exploit stolen data is to use security event and information management tools -- such as HP ArcSight, Novell Sentinel, Tripwire Log Center and Splunk, among others -- to get a view on unusual traffic. It also would help to have staff training to understand the nature of targeted attacks.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News