3/1/2016
12:01 AM
Pirates, Ships, And A Hacked CMS: Inside Verizon's Breach Investigations

New Verizon Data Breach Digest report shares in-the-trenches scenarios of actual cyberattack investigations by the company's RISK team.

SAN FRANCISCO, CALIF. – RSA Conference 2016 – Pirates used hacked information from a global shipping company’s servers to target and capture cargo ships on the high seas, and a water utility’s valves and ducts were hijacked: these are some of the more dramatic scenarios representing cases Verizon’s breach team investigated in the past year.

For several months, armed pirates had been strategically attacking ships at sea, armed also with bill-of-lading information pilfered via a Web-borne attack on the company’s content management system (CMS). The pirates would storm a ship, corral the crew, locate specific cargo containers by searching for particular bar codes, and steal the contents. Then they’d disembark and move on to their next target ship.

Verizon investigators discovered that the bad guys initially had uploaded a malicious Web shell to the shipping company’s CMS server, which manages shipping inventory and bills of lading for its ships. “The threat actors used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required,” according to a new Verizon report to be published tomorrow.

“Essentially, this allowed the threat actors to interact with the webserver and perform actions such as uploading and downloading data, as well as running various commands. It allowed the threat actors to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.”
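The sequence the report describes, an upload through an insecure script followed by a direct request to the uploaded file in a Web-accessible directory, leaves a recognizable trail in Web server access logs. The following script is an added illustration, not code from the Verizon report or from the shipping company: it parses a few constructed Apache-style log lines, flags any request for a server-side script file inside an upload directory, and records whether the same client had already used the upload endpoint. The paths /cms/upload.php and /cms/uploads/ are assumed placeholders.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed Apache-style access log excerpt (not from the Verizon report).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:03:14:02 +0000] "GET /cms/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2015:03:14:09 +0000] "POST /cms/upload.php HTTP/1.1" 200 311
203.0.113.7 - - [12/Mar/2015:03:14:15 +0000] "GET /cms/uploads/ladings.php HTTP/1.1" 200 2048
198.51.100.4 - - [12/Mar/2015:03:15:00 +0000] "GET /cms/uploads/manifest_4412.pdf HTTP/1.1" 200 90112
203.0.113.7 - - [12/Mar/2015:03:16:40 +0000] "POST /cms/uploads/ladings.php HTTP/1.1" 200 8196
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Extensions a web server may execute server-side; a document upload directory should never serve these.
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".phar", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl"}


def parse_line(line):
    """Return the fields of one common-log-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # strip any query string before checking the extension
    return rec


def find_script_hits(log_text, upload_dirs=("/cms/uploads/",), upload_endpoints=("/cms/upload.php",)):
    """Flag requests for server-side scripts inside upload directories (paths are assumed placeholders)."""
    seen_upload = set()  # client IPs that used an upload endpoint earlier in the log
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] in upload_endpoints:
            seen_upload.add(rec["ip"])
        in_upload_dir = any(rec["path"].startswith(d) for d in upload_dirs)
        ext = os.path.splitext(rec["path"])[1].lower()
        if in_upload_dir and ext in SCRIPT_EXTS:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": int(rec["status"]),
                             "preceded_by_upload": rec["ip"] in seen_upload})
    return findings
```

On the sample above it flags the two requests for ladings.php from 203.0.113.7 and leaves the PDF download alone; the same check is a reason to keep upload directories outside the Web root or with script execution disabled.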

That’s just one page-turner in Verizon’s new Data Breach Digest report. The investigations documented in its report are all drawn from real cases the team handled, but Verizon says it employed some “creative license” to protect the anonymity of its customers, with fictional names, locations, and breach sizes, in some cases, for example.

“The majority of them were in 2015 ... But it’s not a sort of trending report,” says Marc Spitler, senior manager of Verizon security research. “It’s more of a popcorn piece to sit back and read and take a look at some things we have responded to, from the mindset and point of view of a forensics investigator.”

The pirate attack scenario is based on a real case, but of course this is not the usual pirate story associated with technology (think software piracy). The case demonstrates how hackers increasingly are going after CMSes, according to Spitler. “We are starting to see that [CMS attacks] more and more,” he says.

“The majority of cases we respond to are more along the lines of Web apps” attacks, he says. “I’m not saying you have to worry about pirates, but you do need to worry about CMS plug-ins in your apps being targeted quite a bit by the adversary.”

The report also describes a “water” utility that was experiencing mysterious and unexplained manipulation of its PLCs that controlled the water treatment process as well as the flow. Spitler says he wasn’t privy to that particular case, but it was indeed a critical infrastructure operation’s control system that was exploited.

“I’m happy to say we’re not responding to this” type of attack every day, he says.

In a nutshell, the attackers stole credentials on the utility’s payment app Web server to access the valve and control system application, all of which ran on older IBM AS400 computer systems. “During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked,” the report says. An alert system allowed the utility to spot the anomaly and correct the controls, according to the report.

As for Verizon’s wildly popular Data Breach Investigations Report (DBIR) due this spring that focuses on trends among actual data breaches the company has worked on, Spitler says it will be more of the same in many of the underlying issues. “You’re going to see strong relationships to the classification patterns featured in last year’s DBIR,” he says.

The DBD (Data Breach Digest) illustrates the prevalence of phishing as a first vector of attack, and credential reuse as a weak link, for example, he says. “Tried and true things” still dominate, he says.

“Nobody wants to be the victim of a breach or to live through one of these war stories,” Spitler says. “We have to be very realistic and understanding that it’s certainly a possibility no matter what you do, how well-intended your security processes and procedures were.”

Some of the cases Verizon investigated were hampered by “blocks or potholes” in the victim organization’s processes or lack of incident response preparation that impaired a rapid and smooth investigation, he says.

“It’s important for an organization to understand how it can prepare for somebody internally or externally to do a forensics investigation,” he says. 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
