How Telecom Providers Hack: Parsing a Real Attack



    Image: Kevin Spencer | Flickr

    Very often cybercriminals use common mechanics for hacking, as well as the security flaws and vulnerabilities of IT systems. This thesis is also confirmed by the example of one of the investigations into the attack on a telecommunications company from Eastern Europe - we will talk about it in more detail today.

    The first stage of the attack: breaking the perimeter


    Typically, attacks on corporate infrastructure take place in two stages - first, an attacker breaks into the resources of the network perimeter from the Internet, and then, once inside the internal network, secures itself in the infrastructure and gains access to critical information and systems.

    In this case, the attacker was able to identify publicly available services of the company and discovered a vulnerability in one of them - this was helped by the use of the automated vulnerability scanner Acunetix.



    At the same time, the cracker practically did not hide his actions - when analyzing the incident, an abnormal increase in the number of requests was detected in the web server logs. But even such sloppy actions were not identified by company representatives - the attack developed over several months. In the event logs there were many records of suspicious activities, but no one even analyzed them from time to time.



    Volume of Web Server Error Logs

    As a result of the scan, an attacker was able to find the critical vulnerability “SQL statement injection” in one of the company's web applications. Having exploited it, the cracker received not only root access to the database with the accounts of all users, including administrators, but also the ability to execute commands on the server with DBMS privileges.

    The attacked server was connected to the internal network, which opened access to its other resources. Network interaction during the attack was carried out via an ICMP tunnel - data was transmitted to an external dedicated server rented in the USA. During the investigation, it turned out that the attacker compromised only three web servers, gaining access to them with local administrator rights - these machines became the entry points to the organization’s internal network.

    Second stage: the development of an attack in the internal network


    Having penetrated the internal network, the attacker began searching for targets for the development of the attack - using the nmap network scanner, he was able to identify network services interfaces (TCP and UDP) that were open for connection on active nodes, determine the versions of the software used by banners, and identify potentially vulnerable services. In parallel, he was engaged in the search for web applications and manual analysis of company resources.

    As the next goal, terminal servers were selected that provide users with resources for solving various problems. Due to the insufficient level of isolation of user sessions, a compromise of one account could lead to a compromise of the accounts of other users of the terminal server. Due to the use of dictionary passwords for local administrator accounts, the attacker easily gained privileged access to several terminal servers at once and downloaded the contents of the databases hosted on them.

    In addition, on one of the servers, the privileges obtained made it possible to create a memory dump of the lsass process - it corresponds to a service that is part of the Windows OS and is responsible for authenticating local computer users. Using the widely used mimikatz utility, a lot of credentials (including clear passwords) of users who authenticated on this server, including privileged ones, were extracted from a memory dump. Among the data received were service accounts to support terminal servers, as well as various domain accounts.

    The privilege level obtained by the attacker allowed the attack to be easily developed using the credentials of legitimate users. In just a month, he managed to compromise many resources. For example, during the attack, information was received about identifiers and password hashes of Windows OS users (SAM databases), network configuration and addressing information, user account information, cryptographic keys of base stations, and other information.

    Further, the attack developed in the direction of several servers running an outdated version of Windows - they hosted databases and LSI resources. To gain anonymous access with system privileges to these servers, the attacker took advantage of the critical vulnerability MS08-067, information about which was published back in 2008, at the same time a public exploit was published. The servers were completely compromised, and the contents of the databases were stolen.



    Investigation


    The incident was revealed when the attack had already been developing for a long time - the company’s specialists noticed numerous attempts to select SSH credentials for internal nodes from compromised DBMS services recorded on the weekend. At the first stage of the investigation, they identified compromised resources on their own, and then attracted Positive Technologies specialists. The investigation revealed that at this point the attacker had access to the internal nodes of the corporate network for 5 months.

    Emergency measures, including changing passwords for compromised accounts, as well as turning off or isolating compromised infrastructure facilities, made it possible to stop the development of the attack. At the same time, it continued until all identified channels of interaction between the intruder and the nodes on the Internet from which the attack was conducted were blocked. However, all this does not exclude the possibility that the attacker may retain an alternative way to access the network.

    How to avoid problems


    The attack affected key parts of the organization, and it was very likely that the interests and data of the organization’s customers were affected. But with all this, the attack could have been easily prevented if the protection of corporate resources was at a higher level.

    For example, if a centralized monitoring system was implemented by the affected organization using the correlation and consolidation of security events (SIEM) system , the security service would be notified in a timely manner of the events associated with the onset of the attack and could take the necessary measures to prevent the incident.

    To repulse the attack even at the stage when the cracker conducted intelligence to search for vulnerabilities, it would be possible to use an application level firewall (WAF) - for example, PT AF. Such a tool allows you to block hacking attempts and identify the chain of development of real attacks, transfer information about events to SIEM to notify security personnel and subsequent prompt response.

    The risks of such incidents can also be minimized by introducing well-known information security measures, including analyzing the security of web applications and eliminating vulnerabilities found, introducing a strict password policy, applying current OS versions, as well as network segmentation and strict access control.

    A full report on the results of the investigation of the described incident is available at: www.ptsecurity.com/upload/corporate/ru-ru/analytics/Telecom-Incident-Investigation-rus.pdf

    Also popular now: