TRANSCRIPT
A Letter from Anonymous II
Disclaimer
[1] Some of the topics discussed / demonstrated are criminal in nature
[2] “Don’t try this at home unless you want to go to jail. You have been warned, I am not responsible for your actions.”
[3] You will gain more from the lecture if you participate at times.
[4] Any likeness to real people or organisations does not imply anything about security
[5] Questions at the end please…
Our Topic
[1] What if you received a Cyber ransom / extortion threat?
[2] What would be your response?
[3] How would the attackers evade capture?
[4] How might you be attacked / compromised?
[5] This will be focused from a professional services company point of view, e.g. Doctors, Lawyers, Accountants and Telcos, where confidentiality is paramount.
“ 90% of all incidents is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall into the PEBKAC (Problem Exists Between Keyboard and Chair) and ID-10T (idiot) uber patterns.”
“Financial Motivation is also alive and well in phishing attacks. The old method of duping people into providing their personal identification number or bank information is still around but the targets are largely individuals versus organizations. Phishing with the intent of device compromise is certainly present.”
Source: Verizon Data Breach Report
Since October 2014, Jersey and Guernsey companies across all sectors have been targeted by the ‘Dridex’ malware through email phishing.
Our Company Network
[Network diagram: Server LAN (Fileserver, Database, Active Directory), Corporate LAN, DMZ]
Day 1 – The Email
Dear Friends and Foes,
We have been in your network and taken all your data due to your own poor security.
For the small sum of 10,000 EUR you can avoid having all your confidential data leaked online.
If we don’t receive payment by Friday 13th November at 6.00 p.m CET to the following Bitcoin address below, we will post your confidential data for all to see.
1An8CzdFJQdSaMeEoKMYyUQ6Fz37wK5GyX
You may communicate securely with us at our email address below:-
Our manifesto is at http:dpaste.co/GthD53bx87 and proof of compromise is at http://dpaste.co/HJGYTRF5788976
Yours Sincerely
Rex Mundi
Hacker Manifesto
[1] Unlike other groups out there, we have no interest whatsoever in making any kind of political or social statement. We are only interested in making money, which brings us to the code of conduct we have put in place.
[2] Communication and/or negotiations between us and our targets is never released, regardless of whether we get paid or not.
[3] We never discuss or even acknowledge the fact that some of our past targets might have paid us.
[4] We automatically delete all of the stolen data once a full payment has been made.
[5] We never target the same company twice and, for obvious reasons, we always stick with the original requested amount.
[6] If we posted the data of a company that has paid us, no other future target would ever agree to pay us. Similarly, asking for more money once we have already been paid would be pointless as no target would pay a second time out of fear we might ask for even more money a third time.
Dear Breach Diary…….
Day 1
• Confirm Breach
• Contact Police?
• Collate Logs
• Bring in network forensic experts
Hacker Tradecraft - OPSEC
[1] Never reveal operational details
[2] Never reveal your plans
[3] Never trust anyone
[4] Never confuse recreation / hacking
[5] Never operate from your house
[6] Be proactively paranoid
[7] Keep personal life / hacking separate
[8] Keep your personal environment contraband free
[9] Never talk to Police
[10] Don’t give anyone power over you
Funding Attacks
Attack Implementation
Purchase Services
Fake Name Generator
10 Minute Mail
Persona Death
Hacker Tactic – Passive Recon
The target has no indication that reconnaissance is taking place against them!!!!
Do you know the most dangerous 71 character cyber attack?
The Phish
[Diagram: attack path through the DMZ]
Attacker registers <name>-<company_name>.com and clones the company website, adding a login form.
Attacker sends email to the company with a pretext enticing users to log in to the fake website.
Attacker harvests logins and tries to log in via VPN.
Cost of Setup
• Time: 2 hours
• Financial: < £25
Result
• Access to Corporate LAN via VPN
• Fails if 2FA is used.
Dear Breach Diary…….
Day 1
• Confirm Breach
• Contact Police?
• Collate Logs
• Bring in network forensic experts
Day 2
• Phishing Attempts discovered
• Investigation Corporate LAN
Passwords / User Reporting Problem
Passwords Harvested
Bodmin1649, Jersey06, Nemesis87, Whistler07, Whistler02, Australia2000, Jersey59, Monday241
Source: Verizon Data Breach report
This is simply that not all attacks will be reported by users to the security team, for a variety of reasons.
Solution:
Foster a culture to enable users to report issues without fear
Network Partially Compromised
[Network diagram: Server LAN (Fileserver, Database, Active Directory), Corporate LAN, DMZ; User PC compromised]
Initial Compromise Demo
Bypassing a fully patched system with up to date AV signatures
Dear Breach Diary…….
Day 1
• Confirm Breach.
• Contact Police?
• Collate Logs.
• Bring in network forensic experts.
Day 2
• Phishing Attempts discovered.
• Investigation Corporate LAN ongoing.
Day 3
• Compromise confirmed on Corporate LAN workstation.
• Potential Webserver attacks discovered.
Attack 2 – Web Application
[Diagram: attack path through the DMZ]
Attacker targets the website after reconnaissance.
SQL injection (SQLi) used to dump the database behind the website.
Attacker may get a shell and be able to use it to attack the network and/or install malware.
Cost of Setup
• Time: 2 hours
• Financial: < £0
Result
• Web Server Defacement – Loss of Public trust
• Data exfiltration from databases
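As an added illustration (not from the talk) of why the database-dump step works and how the web application should have been written, a constructed in-memory SQLite table stands in for the site's backend; the vulnerable lookup concatenates the request parameter into the query, the hardened one binds it as a parameter so the same input is treated as a value, not as SQL:

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the website's backend (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, name TEXT, result TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [(1, "alice", "confidential-A"), (2, "bob", "confidential-B")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the request parameter becomes part of the SQL text,
    # so a crafted value changes the WHERE clause and returns every row.
    sql = "SELECT id, name, result FROM patients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the value is bound by the driver and never parsed
    # as SQL, so the crafted input simply matches no patient.
    sql = "SELECT id, name, result FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))  # whole table
    print("safe:      ", lookup_safe(db, crafted))        # no rows
```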
Lateral Movement – Pass The Hash
[Network diagram: Server LAN (Fileserver, Database, Active Directory), Corporate LAN; User PC compromised]
Attacker dumps password hashes for all users. Finds new user ‘Bob’
Attacker replays captured credentials against all systems. ‘Bob’ is in the admin group on the fileserver.
Attacker uses PowerShell and AD queries to map the network.
Attacker gets more hashes and compromises the database and AD servers.
Network is now compromised and data exfiltration begins.
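The breach diary later records "Pass The Hash discovered on file server and account created"; as an added example (not the talk's own material), this Python routine shows the kind of check that surfaces that pattern from Windows Security logs: one source address authenticating over NTLM network logons (Event 4624, logon type 3) to several servers inside a short window, followed by an account creation (Event 4720) from the same source. The records below are constructed, with simplified field names, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumption: a collector has flattened the
# Security log into dicts). 4624 = successful logon, logon_type 3 = network,
# 4720 = user account created; "user" on a 4720 record is the created account.
EVENTS = [
    {"time": "2015-11-09T10:00:05", "id": 4624, "host": "FILESERVER", "user": "bob",
     "src_ip": "10.1.1.50", "logon_type": 3, "auth": "NTLM"},
    {"time": "2015-11-09T10:00:40", "id": 4624, "host": "DBSERVER", "user": "bob",
     "src_ip": "10.1.1.50", "logon_type": 3, "auth": "NTLM"},
    {"time": "2015-11-09T10:01:10", "id": 4624, "host": "DC01", "user": "bob",
     "src_ip": "10.1.1.50", "logon_type": 3, "auth": "NTLM"},
    {"time": "2015-11-09T10:02:00", "id": 4720, "host": "DC01", "user": "svc_backup",
     "src_ip": "10.1.1.50", "logon_type": None, "auth": None},
    {"time": "2015-11-09T11:30:00", "id": 4624, "host": "FILESERVER", "user": "alice",
     "src_ip": "10.1.1.77", "logon_type": 3, "auth": "Kerberos"},
]


def find_lateral_movement(events, window_minutes=10, min_hosts=3):
    """One alert per (src_ip, user) whose NTLM network logons reached at least
    min_hosts distinct servers within the window, listing any accounts created
    from that source at or after the first logon of the burst."""
    ntlm = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM":
            ntlm[(e["src_ip"], e["user"])].append(e)
    span = timedelta(minutes=window_minutes)
    alerts = []
    for (src, user), logons in ntlm.items():
        logons.sort(key=lambda e: e["time"])
        for i, first in enumerate(logons):
            t0 = datetime.fromisoformat(first["time"])
            hosts = {e["host"] for e in logons[i:]
                     if datetime.fromisoformat(e["time"]) - t0 <= span}
            if len(hosts) >= min_hosts:
                created = sorted({e["user"] for e in events
                                  if e["id"] == 4720 and e["src_ip"] == src
                                  and datetime.fromisoformat(e["time"]) >= t0})
                alerts.append({"src_ip": src, "user": user,
                               "hosts": sorted(hosts), "accounts_created": created})
                break  # one alert per source/user is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_lateral_movement(EVENTS):
        print(a)
```

Kerberos-authenticated logons from the second workstation are ignored, so a single user touching one server never trips the rule; the threshold and window are tuning knobs, not fixed values.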
Dear Breach Diary…….
Day 1
• Confirm Breach.
• Contact Police?
• Collate Logs.
• Bring in network forensic experts.
Day 2
• Phishing Attempts discovered.
• Investigation Corporate LAN ongoing.
• Inform Police.
Day 3
• Compromise confirmed on Corporate LAN workstation.
• Potential Webserver attacks discovered.
Day 4
• Pass The Hash discovered on file server and account created.
• Account creation discovered on AD and Database servers.
• Compromise confirmed.
Day 5
• Confirm state of Police investigation.
• Initiate Negative Publicity campaign.
• Inform Regulators.
• Pay / Not Pay?
• Go Public before attackers?
Rex Mundi
• Labio.fr – exposed patients’ blood test results
• AFC Kredieten – exposed loan applications
• Temporis – French employment agency
• Dominos Pizza –
• Drake International – Canadian employment firm
• Americash – American payday lender
Final Thoughts - Questions
[1] EU Data Protection Regulations – 2.5% fine of worldwide turnover for failing to report a breach.
[2] Attackers can stay anonymous. Short time frames make it unlikely that a Police investigation will succeed.
[3] Once compromised, the game is over.
[4] Test the strength of your countermeasures.