3/1/2016
12:01 AM
Pirates, Ships, And A Hacked CMS: Inside Verizon's Breach Investigations

New Verizon Data Breach Digest report shares in-the-trenches scenarios of actual cyberattack investigations by the company's RISK team.

SAN FRANCISCO, CALIF. – RSA Conference 2016 – Pirates used hacked information from a global shipping company’s servers to target and capture cargo ships on the high seas, and a water utility’s valves and ducts were hijacked: these are some of the more dramatic scenarios representing cases Verizon’s breach team investigated in the past year.

For several months, armed pirates had been strategically attacking ships at sea, armed also with bill of lading information pilfered via a Web-borne attack on the shipping company’s content management system (CMS). The pirates would storm the ship, corral the crew, locate specific cargo containers by searching for their bar codes, and steal the contents. Then they’d disembark and move on to their next target ship.

Verizon investigators discovered that the bad guys initially had uploaded a malicious Web shell to the shipping company’s CMS server, which manages shipping inventory and bills of lading for its ships. “The threat actors used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required,” according to a new Verizon report to be published tomorrow.

“Essentially, this allowed the threat actors to interact with the webserver and perform actions such as uploading and downloading data, as well as running various commands. It allowed the threat actors to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.”
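The two conditions the report names (an upload script that accepts anything, and a web-accessible directory with execute permissions) are both fixable server-side. The handler below is an added illustration, not code from Verizon's report or from the affected CMS; the allowed types, file signatures and names are constructed for the example. It allow-lists extensions, checks the body's leading bytes against the claimed type, rejects traversal and double extensions, and stores the file under a random name with no execute bit in a directory the web server does not serve.

```python
import os
import re
import secrets

# Constructed policy for this example: the attachment types a CMS upload
# endpoint is allowed to accept, each with the file signature it must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def validate_upload(filename: str, content: bytes) -> str:
    """Return the allow-listed extension, or raise ValueError.

    Rejects path separators and traversal, double extensions such as
    'photo.png.php', extensions outside the allow list, and bodies whose
    leading bytes do not match the claimed type (a script renamed to .png
    does not start with the PNG signature).
    """
    base = os.path.basename(filename)
    if base != filename or not SAFE_NAME.fullmatch(base):
        raise ValueError("bad filename")
    parts = base.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED:
        raise ValueError("extension not allowed")
    ext = parts[1]
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    return ext


def store_upload(filename: str, content: bytes, store_dir: str) -> str:
    """Write a validated upload under a server-chosen random name.

    store_dir is assumed to lie outside the web root, so nothing in it can be
    requested directly; the file is created 0600 (never executable), so even
    a payload that slipped past validation cannot run in place.
    """
    ext = validate_upload(filename, content)
    name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(store_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return name
```

Serving the stored file back to users should go through an application route that sets the content type and disposition itself, rather than through the web server's static handler.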

That’s just one page-turner in Verizon’s new Data Breach Digest report. The investigations documented in the report are all drawn from real cases the team handled, but Verizon says it employed some “creative license” to protect the anonymity of its customers, using fictional names, locations, and, in some cases, breach sizes.

“The majority of them were in 2015 ... But it’s not a sort of trending report,” says Marc Spitler, senior manager of Verizon security research. “It’s more of a popcorn piece to sit back and read and take a look at some things we have responded to, from the mindset and point of view of a forensics investigator.”

The pirate attack scenario is based on a real case, but of course this is not the usual pirate story associated with technology (think software piracy). The case demonstrates how hackers increasingly are going after CMSes, according to Spitler. “We are starting to see that [CMS attacks] more and more,” he says.

“The majority of cases we respond to are more along the lines of Web apps” attacks, he says. “I’m not saying you have to worry about pirates, but you do need to worry about CMS plug-ins in your apps being targeted quite a bit by the adversary.”

The report also describes a “water” utility that was experiencing mysterious and unexplained manipulation of its PLCs that controlled the water treatment process as well as the flow. Spitler says he wasn’t privy to that particular case, but it was indeed a critical infrastructure operation’s control system that was exploited.

“I’m happy to say we’re not responding to this” type of attack every day, he says.

In a nutshell, the attackers stole credentials from the utility’s payment app Web server and used them to access the valve and flow control application, all of which ran on older IBM AS/400 systems. “During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked,” the report says. An alert system allowed the utility to spot the anomaly and correct the controls, according to the report.

As for Verizon’s wildly popular Data Breach Investigations Report (DBIR) due this spring that focuses on trends among actual data breaches the company has worked on, Spitler says it will be more of the same in many of the underlying issues. “You’re going to see strong relationships to the classification patterns featured in last year’s DBIR,” he says.

The Data Breach Digest illustrates the prevalence of phishing as a first vector of attack, and credential reuse as a weak link, for example, he says. “Tried and true things” still dominate, he says.

“Nobody wants to be the victim of a breach or to live through one of these war stories,” Spitler says. “We have to be very realistic and understanding that it’s certainly a possibility no matter what you do, how well-intended your security processes and procedures were.”

Some of the cases Verizon investigated were hampered by “blocks or potholes” in the victim organization’s processes or lack of incident response preparation that impaired a rapid and smooth investigation, he says.

“It’s important for an organization to understand how it can prepare for somebody internally or externally to do a forensics investigation,” he says. 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
