6/20/2018
04:30 PM

'Hidden Tunnels' Help Hackers Launch Financial Services Attacks

Hackers are using the infrastructure, meant to transmit data between applications, for command and control.

The security tools and strategies financial services organizations use to protect their data could be leveraged by cybercriminals who sneak in undetected via "hidden tunnels" to conceal their theft, according to a new report published by Vectra.

Ironically, financial firms have the biggest non-government security budgets in the world, Vectra says. Bank of America invests more than $600 million in cybersecurity each year, while JPMorgan Chase spends $500 million. Equifax, while smaller than both, spends an annual $85 million on security.

Yet, in Equifax's case – despite budget, staff, and a security operations center – in 2017 it took 78 days for it to detect a massive breach of its network, in which attackers accessed 145.5 million Social Security numbers, 17.6 million driver's license numbers, 20.3 million phone numbers, and 1.8 million email addresses.

The question of how attackers were able to exfiltrate so much data, and whether the same thing could happen at another financial firm, prompted Vectra researchers to take a closer look at exactly what happened.

A Review of the Equifacts
Equifax's breach started when a Web server was exploited to access the corporate network. The attackers avoided using tools that would alert the company's security team, instead building command-and-control (C&C) tunnels into Equifax. They installed more than 30 Web shells with different addresses to burrow into Equifax and, once inside the network, customized their hacking tools to exploit Equifax software, evade firewalls, and exfiltrate information.

For six months following the Equifax breach, Vectra researchers combed metadata from 246 opt-in customers and more than 4.5 million devices to learn more about attacker behaviors and network trends. They found the same activity that led to the Equifax breach is prevalent throughout the financial services industry.

What stood out most is the use of hidden tunnels in HTTP, HTTPS, and DNS traffic, which threat actors use to get into networks protected with strong access controls. These tunnels have been used for about three to four years, says Chris Morales, head of security analytics at Vectra, where researchers had been looking into this tactic long before Equifax was hit.

"Attackers don't use hidden tunnels unless they have to," he explains. When enterprise security defenses are strong, threat actors have to seek new ways to break through them.

Tunneling Into Financial Services
Financial firms have stronger security than most, securing Web applications with layers upon layers of access controls. Because apps are locked down, data has to be sent through "hidden tunnels" to move across an organization. There are legitimate use cases for this: Specific commercial stock-ticker apps and internal financial services use tunnels to communicate.

The high volume of traffic flowing to and from enterprise Web applications creates an ideal place for attackers to hide, Morales says. Hidden tunnels are tough to detect because communications are hidden within connections that use normal, permitted protocols. Messages can be embedded as text in headers, cookies, and other fields, researchers say.

Morales breaks down how an attack might work: A threat actor might start with an entry point as simple as a phishing campaign. With a foothold in the organization, the attacker can use reconnaissance techniques to learn the network – the number of devices and how he can make his footprint more durable and infect more machines.

"As he does all those things, he'll need to find ways to look like normal traffic," Morales explains. "Maybe he'll find a network scanning machine and perform recon from there because it'll look more normal." Once a tunnel is established, the hacker passes data in small chunks so it isn't picked up by anomaly detection systems.
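
The following Python is an added example, not code from the article or from Vectra: it scores each client-to-destination conversation in proxy logs for cookie values that change on every request and look encoded, which is how small-chunk tunnel traffic differs from a repeated session cookie. The record layout, thresholds, host names and sample data are assumptions constructed for the illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def entropy(text):
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def tunnel_candidates(records, min_requests=5, min_unique_bytes=200, min_entropy=4.5):
    """Score each (client, destination) conversation rather than each request.

    A session cookie is random-looking but repeats; a covert channel carries
    fresh encoded data on every request, even when each chunk is small.
    """
    values_by_pair = defaultdict(list)
    for client, dest, cookie_value in records:
        values_by_pair[(client, dest)].append(cookie_value)

    flagged = []
    for pair, values in sorted(values_by_pair.items()):
        unique = sorted(set(values))
        unique_bytes = sum(len(v) for v in unique)
        if (len(values) >= min_requests
                and len(unique) / len(values) > 0.9      # value changes almost every request
                and unique_bytes >= min_unique_bytes     # aggregate volume, not per-request size
                and entropy("".join(unique)) >= min_entropy):
            flagged.append(pair)
    return flagged


def _chunk(i):
    # Constructed stand-in for encoded data: 40 base64 characters per request.
    return base64.b64encode(hashlib.sha256(str(i).encode()).digest()).decode()[:40]


# Constructed proxy-log records (client, destination, Cookie value); not real traffic.
SAMPLE = (
    [("10.0.0.5", "portal.example", _chunk(0))] * 8                  # repeated session id
    + [("10.0.0.7", "cdn.example", _chunk(i)) for i in range(1, 9)]  # new value every request
    + [("10.0.0.9", "wiki.example", f"page{i}") for i in range(8)]   # changing but low entropy
)

if __name__ == "__main__":
    print(tunnel_candidates(SAMPLE))
```

Entropy alone would also flag the ordinary session cookie in the sample; it is the combination with per-conversation churn and aggregate volume that separates the two.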

Attackers could leverage tools purchased on the Dark Web to exfiltrate data and bypass access controls. "The tools are out there, and attackers have a great ecosystem for sharing them," says Mike Banic, vice president of marketing at Vectra. "In some cases, their ecosystem could be better than the defenders."

Compared with the industry average, there are fewer C&C behaviors in financial services, and HTTP C&C communications are lower overall, the report states. However, there are significantly more tunnels per 10,000 devices in financial services than all other industries combined.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Joe Stanganelli,
User Rank: Ninja
6/26/2018 | 10:59:41 PM
Re: On Equifax
> results driven at the expense of ALL ELSE which means downtime is bad.  And that means application of security patches can be delayed forever.

And that means problems at the highest levels just as much as it means problems at the lower levels. What do you want to bet the reporting structure was such that the CISO was reporting to the CIO despite the conflict of interest?
Joe Stanganelli,
User Rank: Ninja
6/26/2018 | 10:58:05 PM
Re: On Equifax
@REISEN: Indeed. For the CEO to present that (let alone think that), it suggests that there was a fundamental failure in how the CISO position was handled. I tend to suspect that Equifax's CISO was treated as the typical lower-case-c-suiter that the role is too often treated as -- as opposed to someone who is actually at the strategy table.
REISEN1955,
User Rank: Ninja
6/21/2018 | 3:56:19 PM
Re: On Equifax
It is an interesting place, certainly not a FUN work environment - look up reviews and it seems fairly political and results driven at the expense of ALL ELSE which means downtime is bad.  And that means application of security patches can be delayed forever.
gif-washco,
User Rank: Apprentice
6/21/2018 | 3:33:25 PM
Re: On Equifax
I agree. If the organization has good leadership and IT management processes, a single person would not have caused such a problem (or used as an excuse, in this case). The true issue with Equifax is leadership and management, not a single person who may have not patched a server. When the entire Equifax board of directors were re-elected after the massive security breach and no ramifications were incurred by this same BoD, the lack of responsible leadership is telling...
REISEN1955,
User Rank: Ninja
6/21/2018 | 7:59:10 AM
On Equifax
Telling story in more ways than one - excellent analysis of what went bad at Equifax and in telling contrast to the stupid comment by the ex-CEO that the entire breach - ALL OF IT - was due to one, repeat, ONE IT staffer who failed to apply an update.  Incredible ignorance level at the C-Suite.  And respect falls away rapidly thereafter for their understanding of IT in general ( OUTSOURCE, CUT EXPENSE ) and security in particular.