Cyber Threats
ABMTS – Cincinnati, OH
Malcolm Sykes, CISSP & Terry Lewis
2
The IRS as Target
700+ PODs
More PII than any other government agency
Largest IT environment of any U.S. civilian agency
Process $2.5T of revenues
Complex & diverse IT infrastructure
Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in)
3
The Threats & Vectors
Threat: Vectors
Malware (Trojans, viruses, worms, spyware, etc.): Web browsing, E-mail, Removable Media
Data Disclosure & Integrity: Authorized Users, Lost & stolen equipment, Network Penetration
Denial Of Service: Botnets
Insider attacks
4
Emerging Threats
Mobile Malware (Blackberry, iPhone, iPad)
Intrusion + Worm + Virus = Blended Threat
Memory Based root kits & other malware
Cloud Computing
Infrastructure & Contractor Outsourcing
Cross Platform Malware
Includes virtualized environments
Blended Threats (multiple vectors)
5
Computer Hackers
Who are they?
No longer just techno-geeks.
6
The Attackers
Financially or Politically motivated
Criminal gangs
Hacker Gangs
Political or religious groups
Well resourced
Employ individuals or groups of hackers to steal PII, credit card & banking information
Create & sell botnets & hacker tools
Sometimes engage in activity to wage cyber war on each other or to boost their reputation
Hacking for military and commercial secrets & to inflict damage
Funded by criminal enterprises, nations, political or religious entities
7
Political or Religious Groups
Highly motivated, professionally trained & equipped adversaries
Espionage and sabotage aimed at US Government, Military & Commercial sites
Strategic & Tactical Attacks
Threat to the military & economic security of the United States
8
Botnet Attack
Distributed Denial of Service (DDOS) attack launched on weekend of July 4, 2009
Targeted 27 American and South Korean government agencies and commercial Web sites
US Government targets included the White House, Secret Service, Federal Trade Commission, Transportation Dept. & the Treasury Dept. (but not IRS)
US Commercial targets included the New York Stock Exchange, Nasdaq, Yahoo & The Washington Post
South Korean targets included the presidential Blue House, Defense Ministry, National Assembly, Shinhan Bank, the Chosun Ilbo newspaper & top Internet portal Naver.com
Estimated over 50,000 IP addresses were participating in this attack
Rated as unsophisticated
Full recovery in less than one week
Source: as reported in the New York Times, July 8, 2009
9
Vulnerabilities & Mitigations
Vulnerability: Default machine configurations are inherently insecure
Mitigation: IRM Requirements & Policy Checkers; standard workstation COE image based on the FDCC
Vulnerability: Patching & updating is often delayed in large organizations due to testing & implementation restrictions
Mitigation: Assigned staffs, timeframes & tracking of updates
Vulnerability: Absent, disabled or outdated anti-virus programs, firewalls, etc.
Mitigation: Compliance reviews
Vulnerability: Risky web-surfing & e-mail behavior
Mitigation: Security awareness presentations & materials; AV software, firewalls, site blocking software, network monitoring & IDSs
Vulnerability: Social Engineering
Mitigation: Security awareness presentations & materials
10
Targeting End-users
This is a byproduct of the move towards financially motivated malicious activity
Malicious activity has moved away from targeting computers & towards targeting end users themselves
Specifically, attackers are targeting confidential end-user information that can be used in fraudulent activity for financial gain as well as in attacking systems
Attackers no longer need to penetrate security perimeters
11
“Electronically Transmitted Diseases”
More employees are using mobile media: CDs, DVDs, thumb drives, MP3 players (iPods), external hard drives
Mobile media is used by criminals as another vector to spread their malware. Besides mobile media containing software, music, etc. that was purchased from flea markets, found in parking lots, etc., some commercially produced software has contained code that makes systems vulnerable to root kits & other malware
Mobile media connected to a non-IRS system will be exposed to any malware left behind from previously installed ETDs
Internal Revenue Manual (IRM) 10.8.1.5.2.5 prohibits the use of personally owned equipment, including software & media on IRS systems & vice versa
12
Cybersecurity Misconceptions
No one knows who I am on the Internet
The Internet is a virtual world, so nothing bad can happen to me
Security software (anti-virus, firewall, etc.) will protect me
The IRS will protect me
Law enforcement will protect me
Who believes all this?
13
Credit Card Sales
14
“5568”
Billing: Pxxx xxx
xxx xxx Road
Suite 400
xxx, CA xxx
US
Phone: xxxxxx7605
e-mail: [email protected]
Payment Method: Credit Card
Name On Card: Pxxx x. xxx
Credit Card #: 5568xxxxxxxxxxxx
Credit Type: MasterCard
Expires: 05/2009
CVV2: 421
15
Capturing Card Number & PIN
Organization database attacks
Social engineering via e-mail, web site, telephone or postal mail
Dumpster diving & trash collection
Man in the middle web site attacks
Bank ATM modifications: equipment disguised to look like a normal ATM; wireless “skimmer” & video camera transmit scanned card information & PIN; criminals copy cards & use PINs to withdraw cash
16
Wireless Scanner Equipment being installed on top of existing bank card slot.
17
Wireless Video Camera: PIN reading camera being installed on the ATM is housed in an innocent looking leaflet enclosure.
18
From Patch to First Attack
Worm | Patch | Patch date | First attack | Days from patch to attack
Nimda | MS00-078 | Oct. 17, 2000 | Sept. 18, 2001 | 336
Slammer | MS02-039 | Jul. 24, 2002 | Jan. 25, 2003 | 185
Blaster | MS03-026 | Jul. 16, 2003 | Aug. 11, 2003 | 26
Sasser | MS04-011 | Apr. 13, 2004 | Apr. 30, 2004 | 17
JView | MS05-037 | Jul. 12, 2005 | June 2005 | 0-Day (attack preceded the patch)
19
Zero-Day Exploits
High risk, undocumented vulnerabilities with no approved patch
CSIRC released 10 Critical Advisories & 1 Bulletin for zero-day exploits since Jan 1, 2009
Multiple zero-day exploits targeted IRS Business Units via e-mail
Sometimes discovered by hackers & kept secret prior to use
Some patches not released timely (RPC memory overflow – over 4 years)
20
Zero-Day Exploit Against IRS
In February 2009, an e-mail was sent to 2 IRS e-mail accounts
Attachments utilized a Microsoft Excel Zero-Day exploit
Malware designed to export data to a remote IP address
Used custom encryption (non SSL) over TCP port 443
Target IRS e-mail addresses included: Former Employee (account/e-mail disabled); Distribution List (e-mail forwarded to 10 employees)
Analysis confirmed outbound connection attempts were blocked & no data was exported
[Slide graphic: repeated envelopes addressed to “IRS Employee, Some Building, Anywhere, USA 66666” with return address “I. M. Hacker”; one envelope is marked with an X]
21
Zero-Day Exploit Overview
Spear Phishing Email was sent on a Friday targeting two (2) IRS email addresses, including a distribution email address. NOTE: the following Monday was a federal holiday.
Analysis identified that the malware calls back to an IP address residing in the US over TCP port 443 using custom encryption for beaconing and/or data exfiltration activity.
[Slide diagram: an email sent via gmail.com, carrying an Email Attachment with a Microsoft Excel Spreadsheet Zero-Day Exploit, passes through the Treasury Email Gateway and the IRS Email Gateway to an IRS Employee (Invalid Account) and an IRS Distribution List (10 Employees) inside the IRS Environment; the Call Back IP Address is marked with an X]
22
Real or Fake?
23
CNN Phishing
Spam e-mail was circulating in January 2009 containing factual information about the Israeli/Hamas conflict
It appeared to originate from CNN & contained a link to a website posing as CNN, which contained what looked like a video file
All links on the website actually resolved to the valid CNN website
Visitors who attempted to view the video were prompted to update to a new version of the Adobe Flash Player
Update was actually malicious code
24
CNN Phishing
[Slide diagram, reconstructed as the sequence it depicts:]
User receives spam: the Israel/Hamas spam mail arrives through the IRS.gov Exchange Server to an IRS user on an IRS system
User views the video on the fake CNN site (hxxp://xxx.cnn.2009.xxxxxxxxxxxxxxxxx.com) and attempts to update Adobe Flash Player
Malicious code (Adobe_Player10.exe) is downloaded and installed
User is redirected to a second stage website (hxxp://xxxxx.com/servicepack1.exe)
Malicious code (servicepack1.exe) is downloaded and installed
Data exfiltration to Russia (Russian IP)
25
IRS Response to CNN Phishing
IRS initiated Content Filtering to block the e-mail
Only 11 of 38 AV products could detect stage one
Only 2 of 38 AV vendors’ signatures could detect stage two
Analysis revealed 36 IRS systems visited the fraudulent CNN website (Stage One)
Additional analysis identified 1 IRS system issuing HTTP GET requests to the Russian IP address every 20 minutes (Stage Two)
Further analysis confirmed that no data was exported
26
“Just Surfing the Web”
In November 2009, an employee performs a search via Yahoo! for “1979-2007 vehicle wiring diagrams”.
27
“Just Surfing the Web”
First (non-sponsored) URL listed by the search engine was malicious
Embedded HTML executed a PHP file, downloading the malware file 45096.exe
Malware executes & begins beaconing home to kinoarts.com over TCP port 80
Analysis revealed 2 additional call back sites not being blocked by IRS
Further analysis confirmed outbound connection attempts were blocked & no data was exported
28
Beacons
A beacon is an intentionally conspicuous device designed to attract attention to a specific location
In the cyber world, a beacon is a system that repeatedly attempts to make a hidden connection with one or more systems outside of its network
Ordinary user traffic is fairly random, so traffic generating a significant regular pattern is indicative of a beacon
29
Beaconing Activity
Beaconing from an infected IRS system attempting to “call home” to a website in China for further instructions. The website was a known malicious website that was blocked.
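The regular-pattern test described on the Beacons slide, applied to the kind of proxy traffic seen in the CNN phishing case (one host issuing HTTP GETs to one address every 20 minutes). This is an added example, not code from the presentation; the log format, the hosts and the TEST-NET addresses are constructed, and the jitter threshold is an assumption a real deployment would tune.

```python
"""Flag beaconing (periodic outbound connections) in proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines in a hypothetical "timestamp src dst method url" format.
# The first host/destination pair connects every ~20 minutes; the second is ordinary browsing.
SAMPLE_LOG = """\
2009-01-20T08:00:05 10.1.2.3 203.0.113.7 GET http://203.0.113.7/
2009-01-20T08:20:06 10.1.2.3 203.0.113.7 GET http://203.0.113.7/
2009-01-20T08:40:04 10.1.2.3 203.0.113.7 GET http://203.0.113.7/
2009-01-20T09:00:05 10.1.2.3 203.0.113.7 GET http://203.0.113.7/
2009-01-20T09:20:07 10.1.2.3 203.0.113.7 GET http://203.0.113.7/
2009-01-20T08:01:10 10.1.2.3 198.51.100.5 GET http://198.51.100.5/news
2009-01-20T08:07:45 10.1.2.3 198.51.100.5 GET http://198.51.100.5/sports
2009-01-20T08:33:02 10.1.2.3 198.51.100.5 GET http://198.51.100.5/video
2009-01-20T09:15:30 10.1.2.3 198.51.100.5 GET http://198.51.100.5/weather
2009-01-20T09:18:01 10.1.2.3 198.51.100.5 GET http://198.51.100.5/
"""


def parse_lines(text):
    """Yield (timestamp, src, dst) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _url = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst


def find_beacons(text, min_connections=4, max_jitter=0.1):
    """Return {(src, dst): period_seconds} for pairs whose gaps between
    connections are nearly constant. Ordinary browsing has irregular gaps, so
    a low coefficient of variation (stdev / mean) over enough connections is
    the "significant regular pattern" the slide describes."""
    seen = defaultdict(list)
    for ts, src, dst in parse_lines(text):
        seen[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = period
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: connects every {period / 60:.1f} min")
```

Hosts that clear the test are candidates for the follow-up the slides describe (confirming whether outbound attempts were blocked and whether any data left), not proof of infection by themselves.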
30
SCADA Supervisory Control & Data Acquisition
Provides data display, alarming, trending, reporting, & control for devices & equipment in remote locations (via LAN, modem, wireless technologies, or Internet)
Think US Critical Infrastructure
31
Cyber Attacks on SCADA
Unintentional consequences caused by internal personnel or mechanisms (testing software on operational systems or unauthorized system configuration changes)
Unintentional consequences or collateral damage from malware
Intentional attacks such as gaining control or DoS attack
Aurora - Simulated cyber attack on SCADA system in March 2007
Both unintentional and intentional attacks on SCADA systems have been documented
32
Questions or Comments