bits&digits has taken the time, expertise, passion and necessary precautions to present this unbiased, technologically sanitized report for your reading pleasure.

In order to fully digest the gravity of non-techno jargon that is about to be bestowed upon you, there is a critical element that you must first embrace, “Empty Your Cup”. Go somewhere comfortable, play your favorite tune, and follow along.

As you read this, attempt to visualize someone else engaging in this experience. Look to your left or right and find someone, a colleague perhaps, or that awkward officemate who makes jokes that clearly indicate they don’t get out much. We shall, for the purposes of this document, call that person “Slevn”, also very well known as “just another oblivious bloke”…

Disclaimer
If you, my dear reader, are not so inclined to have a moral compass that wavers past true north in the slightest bit, you will have a hard time grasping this “lens of exploitation” scenario.

Bottom Line Up Front (BLUF)

Cyber Breach, Hack, Exploit, Bank Heist, Personal Data Stolen – all taglines that we have been seeing at an ever-increasing rate in the last 5 years. Yet very few understand what they really are, mostly because most of us are not directly affected, or are more concerned with how these incidents are advertised as the next Oceans “X” sequel.

Bright headlines and hashtag-infected media spotlights alike can sometimes over-hype a situation to the point of confusion, diverting attention to the What but not the Why. Consider this: if you recently moved into a neighborhood rife with home invasion incidents, would you make it common practice to leave your front and back doors unlocked all the time?

After reading this, hopefully you will understand to a certain degree how this is taking place all the time. Risk-laden procedural doors are left open, setting the stage for the next headline statistic: your data being stolen or put at risk.

Scenario “Home”

It’s common knowledge that in order to gain access to a house, your “Slevn” must either have a key to enter it or, so to speak, a Designed Access Method. Slevn needs a key, a secret code, something that was designed and specifically crafted for him to gain entry to the home. Alternatively, in dire circumstances, situations arise where Slevn will try to gain access to their home without the Designed Access Method. This alternate means of entry that Slevn employs to gain access to his/her home is, at the most basic level, “Hacking”. Perhaps not the most precise definition possible, but it’s not far off.

So as Slevn searches for ways to enter their home, looking for spare keys, checking windows, and *rememberme!* calling their home alarm company to remotely allow access to the home, one key thing Slevn doesn’t typically think about in the moment is: “Is someone watching me? Has my Alternate Access Method been compromised?” Some say “who cares”; some say “I have nothing that anyone wants anyway”. But keep this in the back of your mind: it really doesn’t matter whether Slevn was watched or not.

The soup of companies that designed your home did so based on regulations and requirements (OSHA, ISO), from the minimum pressure it should take to break a window to the complexity your door lock must have.

Here’s a secret: your company, no matter the industry, is affected the same way. You may see them as Auditors or Inspection Teams; in the IT industry, more specifically, any company handling your HealthCare Records or Personal Information has very detailed and, to be fair, “sometimes” clear requirements on how to handle Information Technology security.

Proof(?)

The only reason the news articles quoted below exist is because of what we call Breach Reporting Requirements (see HIPAA, HITECH, SAS 70, FCRA, PCI and your local state’s Data Privacy provisions) – better said, the laws in place that protect your data as much as possible do work. I digress …

As you read through the latest breaches of the past few months in the quotes below, keep Slevn in mind. First, let’s capture a few headlines from security firms that I can say “know their stuff”, in an attempt to address the source of these problems. Don’t get confused by the techno-speak; I will guide you through it. If you are not bold enough, pay attention only to the “green” underlined text.

Highlights: Latest News Captures
“The Anunak crew breached systems with some smart spear phishing, tricking users into clicking on malicious downloads via email. Once the attackers were on the network, they filmed the activity of system admins and learned how best to steal money surreptitiously.” Read more at forbes.com >>>

“Their modus operandi was typical but effective. It would start with emails to minions of the target organisation, convincing them to open a malicious attachment supposedly delivered by the Central Bank of the Russian Federation. After attacking that single worker’s computer, they hunted for the passwords of someone with administrator control of the network. With those acquired, the Anunak crew took control of email and domain servers, installing their backdoors and other malware along the way. From the email communications, they’d uncover weaknesses within the organisation’s security systems. And for added surveillance, they turned on hacked machines’ video recording capability.” Read more at forbes.com >>>

“The Times’ story, “Bank Hackers Steal Millions Via Malware,” looks at the activities of an Eastern European cybercrime group that Russian security firm Kaspersky Lab calls the “Carbanak” gang. According to Kaspersky, this group deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million — possibly as high as USD $1 billion.”

“Such jaw-dropping numbers were missing from a story I wrote in December 2014 about this same outfit, Gang Hacked ATMs From Inside Banks. That piece was based on similar research published (PDF) jointly by Dutch security firm Fox-IT and by Group-IB, a Russian computer forensics company. Fox-IT and Group-IB called the crime group “Anunak,” and described how the crooks sent malware laced Microsoft Office attachments in spear phishing attacks to compromise specific users inside targeted banks.” KrebsonSecurity on Post Anthem Breach Phish Scheme

“An analysis of the campaign has revealed that the initial infections were achieved using spear phishing emails that appeared to be legitimate banking communications, with Microsoft Word 97 – 2003 (.doc) and Control Panel Applet (.CPL) files attached. We believe that the attackers also redirected to exploit kits website traffic that related to financial activity.”

“The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761). Once the vulnerability is successfully exploited, the shellcode decrypts and executes the backdoor known as Carbanak.”

What does all of this mean?

You may get this, but remember we are thinking about Slevn, who, I remind you, is just another oblivious bloke at the office.
What you have read in the highlighted portions can be summarized as the hack’s Access Method. In basic terms, this is how the method of entry into the “House” (Company X) was maintained.

So tracking all of the “green highlights” indicates the method by which all of the havoc was made possible. You will note the words Email, Phishing and even Spear Phishing: technical words that define two things:

  • Email: Electronic Mail. C’mon?!
  • Spear Phishing: Scroll Up *rememberme!*

Adding to The Scenario: Eyes of Exploitation

Let’s go back to Slevn’s Alternative Access Method. The Ex was hiding in the nearby bushes and heard Slevn call the Alarm Company; they noted the name Slevn used to authenticate to the Operator. They also noted the “Special Code” and all of the specifics of the conversation. To tune up the accuracy of your picture of spear phishing, let’s say the Ex sent Slevn an email posing as Slevn’s alarm system company. The email stated Slevn needed to reset their “Secret Code”. Slevn, oblivious and happy to know they care so much, replies to this fake email, thereby handing his “Special Code” to the ridiculously crafty Ex. (If you know from a technical perspective that this is also considered social engineering – back off, no one likes a show-off.)

By this time, or later in the day, this will come together and you will find yourself asking the following questions:
Is bits&digits implying that someone sent an email to my colleague claiming to be someone else and also asking for sensitive information? Short answer: yes. More complex answer: yes, and they even decided to add an attachment to the email of a file type that webmail carriers don’t even allow to be sent (see ref. .CPL files). Slevn didn’t receive an email with a .PDF file; it was a .CPL file. What is a CPL file? Doesn’t matter right now, let’s move on.

  1. Does Slevn’s company / our company have a requirement to ensure email attachments are screened?
  2. If so, how effective is it?
  3. Is there an IT Security Policy that defines what attachments are screened?
  4. Do I know where Slevn is so that I can tell him/her?
  5. If there are regulations that define email filtering and anti-virus requirements, why am I even reading these news articles?

If you loved them all, but number 5 stuck out, you’re asking the right questions. There was a failure somewhere: not a failure where fingers are pointed, but a process failure. It could be due to ignorance, as the cyber field is Big Data centric now, even carrying along Big Data Words that equate to Big Data Dollars. The failures didn’t take place in the core; it was the perimeter of the castle wall (Slevn’s wood door) that was accessed. Perhaps even Slevn’s ignorance of the real, not hypothetical, dangers that exist in the cyber world. The possibilities are not endless: there was a human awareness failure, and a simple technical implementation or exemption failure occurred.

Thank you for reading so far down.

Tech savvy, continue on. All others: do you now know something that Slevn should?

But before we go down the road of IT security process capabilities, let’s take a look a bit farther into what exactly the .CPL file (which was allowed into the company’s email environment) did.
From the very in-depth report Kaspersky (PDF) delivered for tech enthusiasts and cyber professionals, we glean that not only did an email get into the company’s email environment, but it was loaded with nasty software that, and we quote:

“The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).”

What does all that mean? Shall we “Bits and Digits” this?

1. The email attachment (that email with the .CPL file) came into the organization’s environment prepared specifically to exploit two commonly used software platforms that are almost always expected in a Windows environment. (No, it’s not an indicator that whoever sent the email to someone in your company was spying and waiting for them to get this email.) Email phishing (Wikipedia definition) is complex and, dare I say, an “art”.

2. A black art, but as you read, it will become ever so revealing that the “coup de grâce” was not that email alone but the lack of (relatively) simple procedural countermeasures that do not cost much to deploy across an ENTIRE organization. No matter the size, EMAIL filtering is a BASIC systems administration task. Now, the implementation of a large-scale deployment may be an engineer’s job, but filtering is so basic that even consumer internet email services (Gmail, Hotmail, Mail.com, GoDaddy, etc.) offer attachment screening.

You may ask

  • How did the hackers know that the company used Windows?
  • Or that it would have been affected by something for Windows?

That’s the RECON phase of an attack, which we will avoid going into in much detail now, but here is a very low-level example of how I would know 🙂

  1. Google “Your Company” (let’s say Anthem).
  2. In the Google search box, type: Anthem IT Admin job Windows
  3. Watch the results.

If you haven’t surmised it by now, it should be getting much clearer that recon is easy. Figuring out which technologies are currently in use at a company that doesn’t use discretion in its HR internet posting strategy is not complex. Out of the box, bits and digits are everywhere. I digress.

So we know that the software suite that was targeted was Microsoft Office, and Word in particular. Microsoft Office is the application bundle typically bought to facilitate a company’s word processing, PowerPoint presentations, Excel spreadsheets, etc. Word is a component of the Office bundle, but you may purchase it “à la carte”.

So with the above noted, let’s revisit the Kaspersky report quote:

“The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).”

One may note the acronym soup that the IT industry uses in the above quote; pay attention to CVE and the sequence of numbers that follows it.
CVE = Common Vulnerabilities and Exposures (Wikipedia definition)

The explanation that Wiki gives is thorough, but let’s take it to Bits and Digits. Your IT staff is familiar with this lingo (if not, there are other issues to discuss at the next board meeting). The CVE list is a watchdog of sorts that maintains a focus on software and system vulnerabilities. When vulnerabilities are discovered, they are posted there promptly.

CVE records are identified by a CVE-ID, for example CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761.

The good stuff is coming, bear with me.

If we do a simple internet search for CVE-2012-0158, it will explain in tech speak what the vulnerability is and the best known remediation (at the time). In case you don’t have the time to go into this CVE in detail: the CVE database points to Microsoft Security Bulletin MS12-027 (rated Critical).

This Microsoft code refers to a security patch that Microsoft delivered in 2012 to fix one of the problems the email with the .CPL file came to bring to the environment.

Please note the year is 2012; how many years ago is that?

More Questions:

  • Why didn’t the company ensure that all of its machines had this patch?
  • How well do we control patch management and system updates?
  • Are ALL of my computers protected (even my work-from-home workforce)?
  • Even if I have a patch management solution in place, do I look at and understand what the reports are telling me?
  • Key item to remember: no Critical patches from years ago should be missing within your environment without detailed exemptions that your CISO or CIO knows of (in some cases, it’s the law!).

Taking a step toward the light: the complexity that follows in the detail of the report is commendable, but what we intend to illuminate here is how simple processes, information security awareness training, and a few clicks in the right place by your system administration team could immunize you against such an attack.

I maintain the stance that there is no reason for old security vulnerabilities to be present on a system that is not far removed from a production environment. Furthermore, as a seasoned consultant, I know the barrier and the “Executive Summary” filter-style reporting most senior-level management receive on their weekly status call. After reading this very simple dissection of the “entry” point of the Bank Heist cyber story taking up the headlines, you (the non-technical user) should be armed with enough techno jargon to step forward with relevant insight and understanding of your company’s position on the basics of large-scale breaches.

Take Aways:

  • Training, Awareness, Basics: Stick to a Security Framework for a reason.
  • Tight Baseline Controls
  • Patch Management
  • Counter-social-engineering training, and
  • DAPE: Deny All Permit By Exception.
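To make the attachment screening discussed earlier and the DAPE take-away concrete, here is an added example (not code from the original post or from bits&digits): an allow-list screen over a constructed phishing-style message carrying a .cpl attachment, an executable renamed to .pdf, and a genuine PDF. The allow-list, addresses and sample payloads are all assumptions made for the illustration.

```python
# Added example (not from the original post): deny-all, permit-by-exception
# screening of e-mail attachments. The allow-list and the sample message
# below are constructed for illustration; tune ALLOWED_EXTENSIONS to policy.
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Permit-by-exception: anything not listed is denied, so .cpl, .exe, .scr
# and the legacy .doc format are blocked without having to enumerate them.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".png", ".jpg"}
PE_MAGIC = b"MZ"  # Windows executables (.exe, .dll, hence .cpl) start with MZ


def screen_attachment(filename, payload):
    """Return (allowed, reason) for one attachment name + decoded bytes."""
    name = (filename or "").strip().lower()
    ext = os.path.splitext(name)[1]  # last extension: "invoice.pdf.cpl" -> .cpl
    if not ext:
        return False, "no file extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} not on allow-list"
    if payload[:2] == PE_MAGIC:  # a permitted name can still hide an executable
        return False, "payload is a Windows executable (MZ header)"
    return True, "permitted"


def screen_message(raw):
    """Screen every attachment of a raw RFC 822 message -> [(name, ok, why)]."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    out = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        ok, why = screen_attachment(part.get_filename(), payload)
        out.append((part.get_filename() or "", ok, why))
    return out


def build_sample_message():
    """Constructed phishing-style mail: a real PDF, a .cpl, and a renamed PE."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alerts@example.invalid", "slevn@example.invalid"
    msg["Subject"] = "Please reset your secret code"
    msg.set_content("See attached.")
    add = msg.add_attachment
    add(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="notice.pdf")
    add(b"MZ\x90\x00 sample", maintype="application", subtype="octet-stream", filename="reset.cpl")
    add(b"MZ\x90\x00 sample", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```

Run `screen_message(build_sample_message())` to see the verdicts: only notice.pdf is permitted, reset.cpl fails the allow-list, and statement.pdf is denied because its content is an executable despite the friendly name.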

It’s your company’s responsibility to answer these questions for you.

FISMA, HIPAA, SOX, GLBA, PCI: all require a mature patch management and email filtering solution for critical systems. Ensure your internal audit reports are honest, valid and up to date. Inquire about remote locations’ compliance and workforce information security awareness.

J. Tate
Chief Security Intelligence Officer at bits&digits