SAN FRANCISCO, CALIF. – RSA Conference 2016 – Pirates used hacked information from a global shipping company’s servers to target and capture cargo ships on the high seas, and a water utility’s valves and ducts were hijacked: these are some of the more dramatic scenarios representing cases Verizon’s breach team investigated in the past year.
Armed pirates for several months had been strategically attacking ships in their travels on the sea, also armed with bill of lading information pilfered via a Web-borne attack on the company’s content management system (CMS). The pirates would storm the ship, corral the crew, and locate specific cargo containers by searching for specific bar codes and steal the contents. Then they’d disembark and move on to their next target ship.
Verizon investigators discovered that the bad guys initially had uploaded a malicious Web shell to the shipping company’s CMS server, which manages shipping inventory and bills of lading for its ships. “The threat actors used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required,” according to a new Verizon report to be published tomorrow.
“Essentially, this allowed the threat actors to interact with the webserver and perform actions such as uploading and downloading data, as well as running various commands. It allowed the threat actors to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.”
That’s just one page-turner in Verizon’s new Data Breach Digest report. The investigations documented in its report are all drawn from real cases the team handled, but Verizon says it employed some “creative license” to protect the anonymity of its customers, with fictional names, locations, and breach sizes, in some cases, for example.
“The majority of them were in 2015 ... But it’s not a sort of trending report,” says Marc Spitler, senior manager of Verizon security research. “It’s more of a popcorn piece to sit back and read and take a look at some things we have responded to, from the mindset and point of view of a forensics investigator.”
The pirate attack scenario is based on a real case, but of course this is not the usual pirate story associated with technology (think software piracy). The case demonstrates how hackers increasingly are going after CMSes, according to Spitler. “We are starting to see that [CMS attacks] more and more,” he says.
“The majority of cases we respond to are more along the lines of Web apps” attacks, he says. “I’m not saying you have to worry about pirates, but you do need to worry about CMS plug-ins in your apps being targeted quite a bit by the adversary.”
The report also describes a “water” utility that was experiencing mysterious and unexplained manipulation of its PLCs that controlled the water treatment process as well as the flow. Spitler says he wasn’t privy to that particular case, but it was indeed a critical infrastructure operation’s control system that was exploited.
“I’m happy to say we’re not responding to this” type of attack every day, he says.
In a nutshell, the attackers stole credentials on the utility’s payment app Web server to access the valve and control system application, all of which ran on older IBM AS400 computer systems. “During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked,” the report says. An alert system allowed the utility to spot the anomaly and correct the controls, according to the report.
As for Verizon’s wildly popular Data Breach Investigations Report (DBIR) due this spring that focuses on trends among actual data breaches the company has worked on, Spitler says it will be more of the same in many of the underlying issues. “You’re going to see strong relationships to the classification patterns featured in last year’s DBIR,” he says.
The DBD illustrates the prevalence of phishing as a first vector of attack, and credentials reuse as a weak link, for example, he says. “Tried and true things” still dominate, he says.
“Nobody wants to be the victim of a breach or to live through one of these war stories,” Spitler says. “We have to be very realistic and understanding that it’s certainly a possibility no matter what you do, how well-intended your security processes and procedures were.”
Some of the cases Verizon investigated were hampered by “blocks or potholes” in the victim organization’s processes or lack of incident response preparation that impaired a rapid and smooth investigation, he says.
“It’s important for an organization to understand how it can prepare for somebody internally or externally to do a forensics investigation,” he says.