In January 2010 Mandiant published a theory that these APT groups may be funded by the Chinese government, but at that time it did not have sufficient evidence to prove it. In February 2013 Mandiant published its report on APT1, which directly accuses the Chinese government of funding cyber espionage activities around the globe and contains the supporting technical evidence. Mandiant's VP said: "We've provided all the evidence here. This is something our industry needs to do more of; Mandiant is proud to participate in this kind of information sharing. We are not issuing a one-page baseless accusation; we're providing 60 pages of evidence and over 3,000 technical indicators like IP addresses, domain names and encryption certificates. We welcome scrutiny and invite other researchers to take a look at the evidence, and we are confident they will arrive at the same conclusion."
Gist of the Mandiant report: There are more than 20 APT groups in China, but the report focuses on the most prolific of them, referred to as APT1. APT1 has direct government support; its characteristics and its location match those of the PLA's Unit 61398, a unit of the Chinese army. Unit 61398 is located on Datong Road in the Pudong New Area of Shanghai. The building, estimated to house thousands of people, is a 130,663 square foot, 12-storey facility (see figure).
Special fibre-optic communication facilities were provided to this unit in the name of national defence: Mandiant located a scanned China Telecom memo on the Internet that discussed approval for providing the requested channel, since it concerned defence construction. The professionals inside the building are trained in computer security (these are the APT1 actors) and are proficient in English, because the actors carry out social engineering attacks such as spear-phishing emails that require a convincing command of English, the targets being mostly in English-speaking countries. For them this is a stable day job.

Facts about APT1:
- APT1 established a minimum of 937 command and control (C2) servers, hosted on 849 distinct IP addresses in 13 countries. The majority of these IP addresses were registered to organizations in China (709), followed by the U.S. (109).
- Over the last several years Mandiant has confirmed 2,551 FQDNs attributed to APT1.
- Between January 2011 and January 2013 Mandiant confirmed 1,905 instances of APT1 actors using their attack infrastructure, from 832 different IP addresses.
Figure 2: Noted APT1 Victims over the years (Source: Mandiant APT1 Report)
APT1 attack methodology: A typical APT1 attack begins with a spear-phishing email to the victim. These emails use official-sounding language and themes to suggest authenticity and carry a malicious attachment, for example an APT1 backdoor whose file name appears to end in .pdf and which carries a PDF icon, but where the ".pdf" is actually followed by 119 spaces and then ".exe". Mail clients and file browsers truncate the long name, so the real extension stays out of view. When the unsuspecting victim opens the attachment, the backdoor executes and hands control of the machine to the APT1 actor.
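The padded double-extension trick described above is easy to check for mechanically. The following is an added example (not code from the Mandiant report or from this article) that classifies an attachment file name and shows what a client that truncates long names would display; the extension sets, the sample file name and the 40-character display width are assumptions made for the example.

```python
import re

# Extensions Windows will execute, and document extensions typically used as
# decoys. Both sets are assumptions for this example, not from the report.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}

# Matches "<anything>.<decoy><optional whitespace>.<real>" at the end of a name.
# \s* catches both the 119-space trick and a plain "report.pdf.exe".
DOUBLE_EXT_RE = re.compile(
    r"\.(?P<decoy>[a-z0-9]{1,5})(?P<pad>\s*)\.(?P<real>[a-z0-9]{1,4})$", re.I)


def analyze_attachment_name(name: str) -> dict:
    """Classify an attachment file name.

    verdict is one of:
      ok                    - the real extension is not executable
      executable            - plainly executable (e.g. setup.exe)
      disguised-executable  - a document decoy extension precedes the real one
    """
    real = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result = {"name": name, "real_ext": real, "decoy_ext": None,
              "padding": 0, "verdict": "ok"}
    if real not in EXECUTABLE_EXTS:
        return result
    result["verdict"] = "executable"
    m = DOUBLE_EXT_RE.search(name)
    if m and m.group("decoy").lower() in DOCUMENT_EXTS:
        result["decoy_ext"] = m.group("decoy").lower()
        result["padding"] = len(m.group("pad"))   # whitespace between the two extensions
        result["verdict"] = "disguised-executable"
    return result


def as_displayed(name: str, width: int = 40) -> str:
    """What a client that truncates long names to `width` characters shows."""
    return name[:width]


# Constructed sample modelled on the report's description: ".pdf", 119 spaces, ".exe".
DECOY_NAME = "Q1 financial report.pdf" + " " * 119 + ".exe"

if __name__ == "__main__":
    for n in (DECOY_NAME, "report.pdf.exe", "setup.exe", "report.pdf"):
        r = analyze_attachment_name(n)
        print(f"{r['verdict']:22} padding={r['padding']:3} shown as {as_displayed(n)!r}")
```

The display helper is the point of the exercise: with 119 spaces after ".pdf", everything a 40-column listing shows is "Q1 financial report.pdf", which is exactly why the padding works on a victim who never sees the ".exe". A mail gateway should classify on the real (last) extension, never on the first one it sees.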
Data theft: As the main purpose of the APT1 actors is to steal confidential documents, once access to a victim's systems is obtained, documents are gathered, packed into a password-protected RAR archive and sent back to the APT1 actor.

Captured attacker session video: This video released by Mandiant shows an attacker's live session. The attacker creates an operational email account on Gmail under the name "dota". He first tries to fake his location by entering USA, but then notices that Google requires mobile verification before the account can be created, so he enters his country as China and provides a cell phone number located in Shanghai. dota then logs in to this email account, which is used for spear-phishing and for generating more email accounts.

Installing the command and control server: The attacker installs a Ghost RAT command and control server on his own system in Shanghai. This Ghost RAT has a GUI with features such as a keylogger, file manager, screen capture, webcam capture, remote shell and voice chat. Another APT actor uses a web-based C2 server with a command-line interface and uses this client to list incoming connections from victim computers; two victim computers check in. The APT actor is then seen using stolen credentials to log in to a mail exchange server and list the inbox contents, showing the message numbers and sizes. Finally the actor goes to an FTP server, downloads a tool called lightbolt and uses it to steal files from the victim machine; lightbolt stores the stolen files in a password-protected RAR archive, which is then uploaded to the FTP server.
Is China really doing it? Are they admitting it? China's response: "We have said repeatedly that such attacks are transnational and anonymous, and determining their origins is extremely difficult." So they firmly deny the accusation. The attackers' approach is indirect: first the hacker compromises a US server, then uses it as a hop point for further attacks; investigators then visit that server, sit on it and trace the activity back. After all this evidence there is no way for them to deny it, yet they dare not admit to the cyber espionage. The thinking may be that America does this all the time, so why not China. The most damning evidence against China is the infrastructure from which the attacks were launched: 98% of the time the actors were logging in from that one block in Shanghai, and 97% of the time their systems were configured with Chinese language settings. News crews such as CNN's were stopped from taking pictures of the building and chased away by Chinese military guards, and their footage was eventually confiscated (see Figure 8).
Case study: China believed to have copied the MQ-1 Predator drone through cyber hacking. QinetiQ North America (QQ) is a world-leading defence technology and security company providing satellites, drones and software services to the U.S. Special Forces deployed in Afghanistan and the Middle East. In 2009 Chinese intruders had almost complete control over the computers of QinetiQ's TSG division, stealing 1.3 million pages of documents and 3.3 million pages of Microsoft Excel spreadsheets containing TSG's code and engineering data. These documents are believed to have been used by the Chinese to build an MQ-1-style drone.
Figure 8: Chinese Military Guards chasing the CNN News Crew around the APT1 building
Skepticism around the Mandiant report
Some security researchers are raising eyebrows at this report, mainly because an attacker of this level of sophistication has many ways to hide his or her location. So why did they not cover their tracks better? Some agree that the attacks originated in China but doubt their connection with the Chinese government. The attacker session video released by Mandiant also shows the attacker using common tools like Ghost RAT, which are freely available on the Internet, in apparent contradiction to the "advanced" in Advanced Persistent Threat.

Summary: Such attacks target private industries that are not equipped to deal with the cyber resources of a nation state. This is government versus private industry, which is not a fair fight. US President Obama said: "America must face the rapidly growing threats from cyber-attacks. Now such attacks are focused on sabotaging our power grids, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and economy." We should all be glad that the Virginia-based security firm Mandiant decided to expose one of the most prolific cyber espionage groups and make all the related evidence public. The activity may have been initiated by the PLA, but there is definitely government approval behind it. Now that the reports are public, if APT1 activity still continues then the government is definitely involved, up to its top leaders. There is clear strategic planning behind this: the Chinese government monitors and censors the Internet, and China is focusing on economic espionage, stealing trade secrets, intellectual property and negotiation strategies and passing them to its own companies so that they can compete with companies worldwide. This is a massive cyber espionage campaign. What are they trying to achieve? It may be politically motivated; it may be a kind of insurance against what the USA can do. China's information gathering system has morphed into a new mode that is very scary in terms of its effect.
Today such attacks are inevitable, but if a government is alert and vigilant they can be nipped in the bud before a serious security breach takes place; a casual attitude towards such advanced threats can have disastrous effects on a country and its people. We can boast all we want, but the bottom line is that India is seriously lagging in its cyber defence capabilities, and there are only a handful of genuinely motivated and driven computer security professionals in India. One reason is that no formal education is provided to students interested in security, and these individuals then turn to certifications which are either too theoretical and provide no hands-on knowledge, too costly for an average Indian student, or require a minimum number of years of prior experience in the security domain. Some of the certifications in India are started by individuals claiming to be hackers themselves, and these pull candidates towards the glamour of hacking emails or passwords rather than developing a mature approach to security. India desperately needs state-sponsored programmes that teach computer security at master's level to deserving students who clear a well-designed competitive screening process. Cyber espionage is a growing issue and has to be dealt with head-on. In India a higher level of information security awareness is required. Hacking is no longer a bunch of kids randomly doing things for fun and profit; it is now a national strategy. It is important to note that while in countries like the USA hacking is considered illegal and immoral, the Chinese government considers it a necessity. What would Indian industries do if they faced such attacks? Individual companies can never fight a nation; the Indian government's support is indispensable against such cyber activities. Such cyber espionage is a violation of sovereignty. This is not a minor issue and will only grow more severe if nothing is done. This is not a group of rogue hackers; it is a unit of the PLA (People's Liberation Army of China). We need to get smarter with each breach. From knowledge comes power.
On the Web
http://intelreport.mandiant.com/ - Mandiant Intelligence Report
http://www.youtube.com/watch?v=3d2gyydHwmY - CNN news crew being chased
http://www.youtube.com/watch?v=6p7FqSav6Ho - Video showing an attacker session
Pranshu Bajpai
bajpai.pranshu@gmail.com
Pranshu Bajpai is a computer security professional specializing in systems, network and web penetration testing. He is completing his Master's in Information Security at the Indian Institute of Information Technology. He is currently also working as a freelance penetration tester on a counter-hacking project at a security firm in Delhi, India, where his responsibilities include vulnerability research, exploit kit deployment, maintaining access and reporting. He is an active speaker and author with a passion for information security.
eagerness to work, producing efficient and productive employees, since their needs are directly addressed by the company. This makes the workplace a "fun" place to work. BYOD reduces the burden of IT inventory maintenance tasks such as commissioning and decommissioning corporate devices, and new hardware purchase costs are lowered as a result. A start-up or small or medium-sized company can avoid high purchase costs for laptops, smartphones, data cards and tablets, since employees have the flexibility to use their own devices at the workplace; these devices often provide better processing speed and power for getting the job done. Substantial savings are also made on carrier/ISP charges, since the organization does not need to maintain elaborate corporate data plans and lets employees use their own.

However, it must be remembered that corporate data residing on a user's own device remains the property of the company, so adequate protection measures need to be in place for that sensitive corporate data.

Senior management must also accept that implementing BYOD opens more avenues for data leakage from employees' devices. Many of these devices also share data with the cloud, increasing the likelihood of data duplication between cloud services and apps. Appropriate solutions, tools and techniques to prevent and contain leakage of this vital business information must therefore be implemented as well.
3. Setting up a BYOD governing body: The governing body is responsible for developing, implementing, overseeing and maintaining the BYOD programme. It should include business vertical heads along with HR, legal and finance domain experts for smooth implementation of the BYOD policy. The governing body may start with a rough checklist of BYOD tasks such as:
- Which employees will qualify for BYOD? This should be defined on a per-role basis.
- Written, signed agreements with employees accepting the risks concerning device usage.
- Which OS versions will be supported on devices?
- Policies on wiping personal and corporate data in case of device loss.
- Methods for separating personal and corporate information on devices.
- Actions to follow after a security violation.

All policies must comply with region-specific laws, which automatically take first priority when designing the BYOD policy. The policy document must be kept up to date with the ever-changing landscape of evolving technology. A BYOD programme is best implemented in a phased approach: initial success generates confidence in senior management, and the programme can then be extended to other departments. The users from the initial phase must emerge as champions for BYOD so that the culture spreads effectively and securely across the length and breadth of the organization.

4. BYOD IT process group: This IT process control group looks after the required software upgrades and the licence implications of mail access from employee-owned devices.

5. Managing the BYOD policy: BYOD programmes require strong security solutions such as network access control (NAC), Wi-Fi routers and Mobile Device Management (MDM) for organization-wide management of personal devices. Containerization tools to separate corporate data from personal data must be procured. One technical way to separate business and personal data is a dual-persona smartphone, with one interface for personal use and another for business use; high-end smartphones such as the BlackBerry Z10 currently support this.

6. Post-deployment support: High-quality help desk support is a prerequisite for a successful BYOD deployment. It should provide assistance with diagnostic tools for troubleshooting and a list of manufacturers' support phone numbers for quick reference.

costs and $10 per 10 MB that many individual users pay when abroad. Multiply this by the typical workforce of 5,000-10,000 people in a large organization; this figure clearly pales in comparison to the savings made while using corporate plans.
Conclusion

BYOD policy seems inevitable in the coming years, as advances in smart devices help employees achieve better productivity and flexibility at the workplace. Instead of denying access on security grounds, it is in the business's best interest to embrace a policy that lets people be more productive in the long run. Clearly defined rules and accountability, enforced by legal and technological means, are needed to protect the sensitive corporate data residing on people's devices. But as the way of doing business evolves with technology, it is in everybody's interest to accept BYOD, since it directly addresses the need to collaborate and communicate at the times when it matters most. After all, when it comes to business, time is money!
Manasdeep
manas.deep@niiconsulting.com
Manasdeep currently serves as a Security Analyst in the Technical Assessment team at NII Consulting, Mumbai. His work focuses on conducting security audits, vulnerability assessments and penetration testing for NII's premier clients. He has strong analytical skills and keeps himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog, Experiencing Computing, at http://manasdeeps.blogspot.in. He has also published information security papers in the International Journal of Computer Science and Information Security (IJCSIS) as well as in various seminar and conference proceedings.
Drupal Scanner
CMS - What's the Fuss all About?
A content management system makes your life easy. It makes the online presence of your business more accessible, and so the probability of your business succeeding soars higher. If you are unfamiliar with CMSes, the best part is that you need not be a nerdy, high-tech web developer to give this touch of virtuality to your ideas and turn them into online reality. You need no armoury of programming and crisp UI design skills, nor 'supernatural' scripting and back-end management skills. That is the power you get when you use a CMS for your websites: all you need is a basic idea of how websites are created and you are ready to go. And what's more, you have different flavours to choose from; depending on your requirements and taste you can go for any of the three major CMSes out there, viz. WordPress, Joomla or Drupal.
The Inception
Enter the idea of creating one such tiny tool, handy enough to find out that exact detail about your Drupal-powered websites: a tool that could be your compass, guiding you to a more secure version of your websites. And what better way to start the project than by building on a freely available web application security tool. Thus it was decided that IronWasp would be the mother of this Drupal security scanner, which for now we will call DrupScan, to be in phonetic sync with its counterparts. Once the tool is complete and available, it can be accessed as yet another module of IronWasp. Put simply: download IronWasp, learn how to access its modules, and you know how to ensure better security for your Drupal-powered websites.
just looks up the details available for the module and the specific version in question in the CVE database, and on that basis decides whether the website is vulnerable or not. This simple and obvious technique saves a lot of time, as the web application does not need to be tested for security vulnerabilities from scratch; we simply make use of information that is already available as the result of intensive research, and so deliver the required result efficiently.

The technology and progress so far: Since the scanner is powered by IronWasp, it uses the APIs that IronWasp makes available. It is mostly written in IronPython, which has full interactive learning support through IronWasp's scripting engine. So far a proof of concept of DrupScan is available that works on the principle explained above. The functions that do the respective jobs are listed below (for the function definitions please refer to the script itself). Processing starts from the main function, runAsMain().

1. Take two versions of a specific module, say ver1 and ver2.
2. List all the files in the two versions and find the difference between the two file listings. This is handled by passDirPath(), fileLookUp(), dictComp() and createDic():
   - passDirPath(): For the proof of concept, two instances of the same Drupal site are installed on localhost. On one instance an older, vulnerable version of a specific module (say the "views" module) is installed, and on the other a newer, patched version of the same module, so the corresponding directories and files are created under the respective paths. These two paths are passed to passDirPath().
   - fileLookUp(): a recursive function that walks all folders for the files they contain. The hash of each file is calculated, and each hash together with its file path is stored in a temporary file.
   - dictComp(): takes two text files as input, each containing the list of files present in one version of the folder. The order of the entries in the two files does not matter, as long as each line is in the format "file_path/file_name \t hash_key". It then computes the difference between the two listings and writes it to a text file called dicDiff.txt.
   - createDic(): a helper for dictComp() that simply builds a dictionary (or list) and returns it.
3. Check which of the differing files are publicly accessible.
4. Store these publicly accessible files in a database. This is handled by publicAccessFiles() and requestor():
   - publicAccessFiles(): sends requests for the files listed in dicDiff.txt to the two localhost instances containing the two module versions. Depending on the response code we decide whether a particular file is publicly accessible, and we populate the PUBLIC_ACCESS database table accordingly. Later this table is used to determine which version of the module a live site is running. The database used is SQLite.
   - requestor(): a helper that frames and sends the required requests and returns the response code. If requestor() is called with a third parameter set to "True", the body of the response is saved as well.
5. Say that after all this the database contains five files, a, b, c, d and e, each with its hash.
6. When scanning a live site, a request for each of these files is sent to the live site.
7. On a success response, the hash of the received file is calculated and compared against the hash in the database.
8. Depending on the result, the status of the site is reported.
   - liveVersionScan(): uses the database of publicly accessible files created by publicAccessFiles() and requests the same files from the live site whose version is to be determined; it is aided by the helper requestor().

These are the major tasks that the proof-of-concept scanner currently handles.

Final words

The scanner, on completion, will help pinpoint the security issues of a Drupal-powered website and of course complete the group of similar scanners: WpScan, JoomScan and then, why not, DrupScan.

by
Abhinav Chourasia
abhinav.mr.impractical@gmail.com
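The eight steps above (hash two module versions, diff the listings, keep the publicly reachable files that differ, then fetch those files from the live site and match hashes) can be condensed into a few functions. The following is an added example written for this page in standard CPython 3; it is not the DrupScan proof of concept, uses none of IronWasp's APIs, and replaces the SQLite table with an in-memory dict. The module name, version labels, file contents and the rule for which files the web server exposes are all constructed assumptions; `fetch` is injected so the example runs offline instead of hitting a live site.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample: two releases of a hypothetical Drupal module. File names
# mirror a contrib module layout; the contents are invented placeholders, not
# real Drupal code, and the version labels are assumptions.
MODULE_VERSIONS = {
    "views-7.x-3.5": {                        # older, "vulnerable" release
        "views.info": "name = Views\nversion = 7.x-3.5\n",
        "views.module": "<?php\n// old code\n",
        "js/base.js": "function base(){}\n",
        "CHANGELOG.txt": "3.5 changes\n",
    },
    "views-7.x-3.7": {                        # newer, "patched" release
        "views.info": "name = Views\nversion = 7.x-3.7\n",
        "views.module": "<?php\n// fixed code\n",
        "js/base.js": "function base(){}\n",  # unchanged: useless for fingerprinting
        "CHANGELOG.txt": "3.7 changes\n3.5 changes\n",
    },
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> dict:
    """Recursively hash every file under root: {relative/path: sha256}.
    Traversal order is irrelevant because the result is keyed by path."""
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_listings(a: dict, b: dict) -> list:
    """Paths whose hash differs between two listings, or that exist in only one."""
    return sorted(path for path in set(a) | set(b) if a.get(path) != b.get(path))


def build_fingerprint_db(listings: dict, is_public) -> dict:
    """listings: {version: {path: hash}}. is_public(path) -> bool stands in for
    the article's HTTP-200 check against a local test install.
    Returns {path: {hash: version}} for public files that differ between versions."""
    versions = list(listings)
    changed = set()
    for i, v1 in enumerate(versions):
        for v2 in versions[i + 1:]:
            changed.update(diff_listings(listings[v1], listings[v2]))
    return {path: {listings[v][path]: v for v in versions if path in listings[v]}
            for path in sorted(changed) if is_public(path)}


def identify_version(db: dict, fetch) -> tuple:
    """fetch(path) -> bytes, or None when the live site does not return 200.
    Each reachable file casts one vote for the version whose hash it matches."""
    votes = Counter()
    for path, by_hash in db.items():
        body = fetch(path)
        if body is not None:
            votes[by_hash.get(sha256(body), "unknown")] += 1
    best = votes.most_common(1)[0][0] if votes else "unknown"
    return best, dict(votes)


def write_tree(root: Path, files: dict) -> None:
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(text.encode())


def demo() -> tuple:
    """Build both releases on disk, fingerprint them, then scan a simulated live
    site that runs the older release. Returns (version, votes)."""
    with tempfile.TemporaryDirectory() as tmp:
        listings = {}
        for version, files in MODULE_VERSIONS.items():
            root = Path(tmp) / version
            write_tree(root, files)
            listings[version] = hash_tree(root)
        # Assumption: the web server serves .info/.txt/.js but never .module files.
        is_public = lambda path: not path.endswith(".module")
        db = build_fingerprint_db(listings, is_public)
        live_files = MODULE_VERSIONS["views-7.x-3.5"]   # what the "live" site serves
        def fetch(path):
            if path in live_files and is_public(path):
                return live_files[path].encode()
            return None                                   # simulate a 403/404
        return identify_version(db, fetch)


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. Files that are identical across releases (js/base.js here) are dropped before any request is sent, so the scanner only touches files that can actually discriminate versions. And the result is a vote count rather than a single match: a site that has been partially patched, or that serves a cached copy of one file, shows up as a split vote instead of a confident but wrong answer, and a hash that matches no known release is reported as "unknown" rather than silently ignored.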
offline storage. When we need the data we can ask the backup admin to mount those tapes for log retrieval. It must be ensured that logs are not tampered with, so segregation of duties control needs to be implemented here. Whenever a legal case arises in our environment it is compulsory to provide logs to the court. On the compliance side, of the 12 requirements of PCI DSS, requirement 10 covers logging and log management: logs should be reviewed daily and their integrity must be maintained.

Here I would like to showcase how we can do log analysis on a firewall. Say the firewall we consider is a Check Point firewall. The first thing to do is to monitor all dropped communications on the firewall; you can filter the SIEM on drop packets only. Then look at the destination ports of all dropped communications. When you monitor an internal firewall you will find only internal IPs as the source IPs. There are some common ports which you will always see while monitoring dropped logs (53, 445, 161, 80, 123, 389, 3268). Whenever we see many drops to a particular destination IP with the same destination port we need to investigate why such dropped traffic occurred: this could be botnet activity that has spread across our network. I have recently come across such an incident where one botnet had spread across 10 machines and our endpoint security was not able to detect it. During the firewall log analysis, enormous traffic to port 80 on a single destination IP was being dropped, which we felt was suspicious. On detailed investigation of those end machines we were able to identify a botnet connecting to a C&C server.
Above is a sample setup that I have created in the lab. 192.168.1.3 is the firewall that we are monitoring using EventTracker (the SIEM tool); all its logs are pushed to a logging server, 192.168.1.2, and from the logging server events are pushed to the SIEM, so 192.168.1.2 is the event source integrated into the SIEM. 192.168.1.1 is a user's machine infected with malware which establishes many HTTP connections to a malicious IP. You can check the rating of the websites at http://safeweb.norton.com/. In this case, if we are using an AV which has no signature for this particular malware, then by analysing the firewall logs we can still see that suspicious activity is happening on the user's machine. Once you find the user's machine you can go ahead with the normal static malware analysis process to find the executable causing such traffic, using tools such as Regshot, Process Monitor, Wireshark, HijackThis and RootkitRevealer.
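The triage rule described above (filter on drops, group by destination IP and port, investigate destinations that attract many drops) is simple enough to run as a script before the events ever reach the SIEM. The following is an added example written for this page, not part of the article or of EventTracker or Check Point; the log lines are constructed in a simplified key=value format that is not Check Point's real export syntax, so the field regex would need adapting to whatever format your SIEM receives. The threshold and the sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Ports the article lists as routinely present in dropped-traffic logs. Drops to
# them are expected noise unless they concentrate on a single destination.
NOISY_PORTS = {53, 445, 161, 80, 123, 389, 3268}

# Constructed sample in a simplified "key=value" format (not Check Point syntax).
# 192.168.1.1 hammers one external host on 80, the rest is ordinary background.
SAMPLE_LOGS = """\
time=2013-03-01T10:00:01 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:03 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:05 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:07 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:09 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:11 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:13 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:15 action=drop src=192.168.1.1 dst=203.0.113.10 dport=80 proto=tcp
time=2013-03-01T10:00:02 action=drop src=192.168.1.5 dst=192.168.1.2 dport=445 proto=tcp
time=2013-03-01T10:00:04 action=drop src=192.168.1.9 dst=192.168.1.2 dport=445 proto=tcp
time=2013-03-01T10:00:06 action=drop src=192.168.1.7 dst=198.51.100.4 dport=53 proto=udp
time=2013-03-01T10:00:08 action=drop src=192.168.1.5 dst=198.51.100.4 dport=123 proto=udp
time=2013-03-01T10:00:10 action=accept src=192.168.1.1 dst=203.0.113.10 dport=443 proto=tcp
this line is malformed and must be skipped, not crash the parser
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Parse one 'key=value ...' line into a dict; None if unusable."""
    fields = dict(KV_RE.findall(line))
    if not {"action", "src", "dst", "dport"}.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def summarize_drops(lines) -> dict:
    """Group dropped connections by (dst, dport) and count them per source host."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"].lower() == "drop":
            buckets[(rec["dst"], rec["dport"])][rec["src"]] += 1
    return buckets


def suspicious_destinations(lines, threshold: int = 5) -> list:
    """Destinations that received at least `threshold` dropped connections,
    most-hit first. `sources` tells you how many internal hosts are involved:
    one host suggests a single infection, many hosts a botnet that has spread."""
    findings = []
    for (dst, dport), by_src in summarize_drops(lines).items():
        total = sum(by_src.values())
        if total >= threshold:
            findings.append({
                "dst": dst, "dport": dport, "drops": total,
                "sources": sorted(by_src),
                "noisy_port": dport in NOISY_PORTS,   # still flagged: it is the concentration that matters
            })
    return sorted(findings, key=lambda f: f["drops"], reverse=True)


if __name__ == "__main__":
    for finding in suspicious_destinations(SAMPLE_LOGS.splitlines()):
        print(finding)
```

With the default threshold only 203.0.113.10:80 is reported, from a single source (192.168.1.1), which is exactly the picture the article describes: port 80 is on the "always present" list, yet eight drops to one destination from one host is the signal, not the port. Lowering the threshold to 2 surfaces the two SMB drops to 192.168.1.2 from two different hosts, the shape a spreading botnet would take.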
By default a firewall denies all source-to-destination traffic unless a rule or access list permits it, so dropped traffic is the first place to look; accept logs still deserve attention, though, as the following shows. When you analyse all the successful communications logged by a URL filtering product you can come across many websites whose content your URL filter does not dare to filter. An employee can create a website to host content and use it to transfer files from the organization to the outside world. In this dynamic world security threats change daily, from phishing mails to a website hack to someone logging into your manager's account to submit a resignation; we must be aware of all such incidents and think about their preventive measures.
Ben Abraham
ben.abraham@xe04.ey.net
Ben Abraham has more than 5 years of experience in information security and in implementing, auditing and optimizing SIEM solutions for clients. He also has knowledge of reverse engineering malware to determine its behaviour, and has carried out ISO 27001 audits, PCI DSS and firewall audits, and IT security policy development. Ben has had the opportunity to work at companies such as Mphasis, Infosys and Ernst & Young. He wishes to learn more about the various information security domains and to conduct training in them.