Operations

3/1/2016
12:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Pirates, Ships, And A Hacked CMS: Inside Verizon's Breach Investigations

New Verizon Data Breach Digest report shares in-the-trenches scenarios of actual cyberattack investigations by the company's RISK team.

SAN FRANCISCO, CALIF. – RSA Conference 2016 – Pirates used hacked information from a global shipping company’s servers to target and capture cargo ships on the high seas, and a water utility’s valves and ducts were hijacked: these are some of the more dramatic scenarios representing cases Verizon’s breach team investigated in the past year.

Armed pirates for several months had been strategically attacking ships in their travels on the sea, also armed with bill of lading information pilfered via a Web-borne attack on the company’s content management system (CMS). The pirates would storm the ship, corral the crew, and locate specific cargo containers by searching for specific bar codes and steal the contents. Then they’d disembark and move on to their next target ship.

Verizon investigators discovered that the bad guys initially had uploaded a malicious Web shell to the shipping company’s CMS server, which manages shipping inventory and bills of lading for its ships.  “The threat actors used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required,” according to a new Verizon report to be published tomorrow.

“Essentially, this allowed the threat actors to interact with the webserver and perform actions such as uploading and downloading data, as well as running various commands. It allowed the threat actors to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.”

That’s just one page-turner in Verizon’s new Data Breach Digest report. The investigations documented in its report are all drawn from real cases the team handled, but Verizon says it employed some “creative license” to protect the anonymity of its customers, with fictional names, locations, and breach sizes, in some cases, for example.

“The majority of them were in 2015 ... But it’s not a sort of trending report,” says Marc Spitler, senior manager of Verizon security research. “It’s more of a popcorn piece to sit back and read and take a look at some things we have responded to, from the mindset and point of view of a forensics investigator.”

The pirate attack scenario is based on a real case, but of course this is not the usual pirate story associated with technology (think software piracy). The case demonstrates how hackers increasingly are going after CMSes, according to Spitler. “We are starting to see that [CMS attacks] more and more,” he says.

“The majority of cases we respond to are more along the lines of Web apps” attacks, he says. “I’m not saying you have to worry about pirates, but you do need to worry about CMS plug-ins in your apps being targeted quite a bit by the adversary.”

The report also describes a “water” utility that was experiencing mysterious and unexplained manipulation of its PLCs that controlled the water treatment process as well as the flow. Spitler says he wasn’t privy to that particular case, but it was indeed a critical infrastructure operation’s control system that was exploited.

“I’m happy to say we’re not responding to this” type of attack every day, he says.

In a nutshell, the attackers stole credentials on the utility’s payment app Web server to access the valve and control system application, all of which ran on older IBM AS400 computer systems. “During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked,” the report says. An alert system allowed the utility to spot the anomaly and correct the controls, according to the report.

As for Verizon’s wildly popular Data Breach Investigations Report (DBIR) due this spring that focuses on trends among actual data breaches the company has worked on, Spitler says it will be more of the same in many of the underlying issues. “You’re going to see strong relationships to the classification patterns featured in last year’s DBIR,” he says.

The DBD illustrates the prevalence of phishing as a first vector of attack, and credentials reuse as a weak link, for example, he says. “Tried and true things” still dominate, he says.

“Nobody wants to be the victim of a breach or to live through one of these war stories,” Spitler says. “We have to be very realistic and understanding that it’s certainly a possibility no matter what you do, how well-intended your security processes and procedures were.”

Some of the cases Verizon investigated were hampered by “blocks or potholes” in the victim organization’s processes or lack of incident response preparation that impaired a rapid and smooth investigation, he says.

“It’s important for an organization to understand how it can prepare for somebody internally or externally to do a forensics investigation,” he says. 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6443
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
CVE-2019-6444
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.
CVE-2019-6445
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can cause a NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem.
CVE-2019-6446
PUBLISHED: 2019-01-16
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
CVE-2019-6442
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can write one byte out of bounds in ntpd via a malformed config request, related to config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and yyerror in ntp_parser.y.