How I take over your business


In 1987, I brought despair to my instructor at Comparex, where I used a simple security hole on a 3270 screen controller for terminals attached to a /370 mainframe. Batch files were higher in precedence than executable files. So I constructed a batch file that produced a ripple print on the screen and kept outputting “I’m a little virus” in an endless loop. A batch command, once executed, copied a bunch of other batch files bearing the names of all executable commands and, friendly as the system was, onto all connected screens. Sounds funny – it was indeed, because my instructor was ex-Navy and I learned almost all the swear words of the British Navy in a rush.


But fun aside, let’s analyse the attack:

• The attacker has physical access to a vulnerable system
• The attacker exploits a (from today’s perspective) zero-day gap
• The attack was annoying from an IT point of view and from that of my instructor, but not serious
• The main systems (the IBM mainframe infrastructure) were not affected


Let’s say I attack your business today (and remember, I’m 58 years old – programming has long ceased to be my hobby) and try to achieve maximum success with minimal effort. Then today I am much more involved in researching information in social networks (at this point, many thanks again to Kevin Mitnick [wikipedia], who opened my eyes in Athens in 2004, and to Bruce Schneier (“Security is a process, not a product”), who also changed my view on security and whom I met in a joint TV interview at CeBIT). Why should I use zero-day exploits or complicated hacking techniques if I can do it more easily?

How it works is as simple as it is effective:

I simply treat the attack as a project and break it down into the possible attack vectors. I can choose from:

1. Ransom attack on a private level – I want to blackmail you / your family
2. Professional ransom attack – I want to blackmail you and / or discredit you at job level for financial gain or to harm you
3. Ransom attack at company level – trying to block your company at the operational level, disrupting it
4. Stealing information and publishing it at whistle-blower level to gain fame (unfortunately no wealth)
5. Initiating a data leakage action to sell internals profitably
6. Simple information theft (web shop) to sell payment card data
7. Injecting false information to torpedo projects
8. Taking over industrial control systems to shut down critical infrastructures or production facilities in due course

Since I do not necessarily belong to the Kamikaze Guild, I do (as you do) a risk and cost / benefit analysis, where the cost is the preparation of the attack, the benefit would be a well-filled Caribbean account or some bitcoins, and the risk is some time in jail. Please do not underestimate the complexity of such an attack: the attacker, as an individual or small group, must carefully consider his concealment tactics and tools – anonymising his person, obfuscation tactics, acting from foreign networks, choosing the right tools, etc. This looks different for government-driven units; they have their own tools, obfuscation stocks, etc., and it is their daily business. They are also better organised. But in detail:

1. + 2. Here I have to attack you on a personal level, but gathering basic information through social engineering is not a major problem. Technically, you are more vulnerable privately than in your company, if it is a private computer. However, private computers usually also have more private material to offer than a company computer, which is ideal for the second point, discrediting you at job level.
3. In recent years, we have had a variety of ransomware attacks on businesses, clinics and individuals. In most cases, the ransomware encryption was “cracked” a little later by security vendors (e.g., Kaspersky, McAfee, Symantec, etc.), so the damage was limited. Again, from Germany, I would not start such an action unveiled, but preferably out of a legal vacuum, i.e. if I am physically there, maybe I can avoid prosecution by bribery, or the authorities are technically unable to track me down or do not want to.
4. It gets more interesting, because I can get a long stay in your company through small manipulations: the APT (advanced persistent threat), a long-term attack. I infiltrate your business and stay there for quite a long time (7 months on average) to “harvest” information. How I do that, I explain later. By the same method, the above-mentioned points 5, 6 and 7 belong to this.
8. This is a special discipline, but as the shutdown of energy networks in Ukraine and the sabotage of centrifuges by Stuxnet in Iran have shown, not an impossible undertaking; it does, however, need state-supported groups or government units.

The route to take is the goal…

Let’s look at positions 4, 5, 6 and 7. Assuming that you, in an exposed position of the company, are specially guarded by the IT security and security department, it may not be wise to target you directly. But STOP… we use the information already obtained.

You are the CEO of YouNeverKnow Ltd. and your company develops a unique technology that is particularly interesting for me, my client or my country. Like any company that wants to be successful, you are forced to rely on marketing to prosper, i.e. you disclose information to the market, either deliberately or because it is necessary. Here I can gather enough contacts via Xing, LinkedIn, the commercial register, the website, Facebook and, if nothing else works, the phone book: call the reception and use my charm.

Depending on the attack, it may be important to get an overview of the company’s external IT topology and infrastructure. This is done with freely available helper applications that present the results graphically: Maltego, Shodan and a bunch of Maltego plug-ins that make my job easier. Although this is not mandatory, it can be very useful depending on what I intend to do: if I want to interfere with the external website or access data via the web server, it is necessary; if I want to steal internal data, it is not.

All in all, it’s a lot of work, however: “No Pain, No Gain”.

Let’s assume I want to steal internal data:

As soon as I have achieved a corresponding evaluation within the scope of my project (target person, position in the company, specification of the data I need), I use social engineering. Sounds complicated, but it’s pretty simple, considering that everyone – really everyone – has an Achilles heel that I can manipulate.

Let’s say I’ve identified your production manager via LinkedIn / Xing through your connections as CEO. He is very proud of his children (girls, every weekend on the pony farm) on Facebook, and otherwise quite extroverted with his personal data. Through this – and with the right keywords (pony farm) – I have gained access to his private area on Facebook, i.e. he accepted my friend request.

The next step is the purchase, from the darknet, of a so-called dropper and the appropriate software to be delivered to him. (Note: a dropper is a small piece of software that communicates with my C&C / C2 server (both are synonyms for command and control server), through which I control all further steps.)

With the dropper I infect a (perfectly crafted by me) promotional PDF of a pony farm that offers incredible experiences at super conditions. I bet 1:100 that the target person opens it at work (because I send the mail there).
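From the defender’s side, the question the mail gateway or endpoint has to answer is whether that “promotional PDF” carries active content at all. The following Python is an added example, not code from the original post: a static triage that looks for the PDF name objects that typically accompany droppers (/OpenAction, /JavaScript, /Launch and so on) and resolves the #xx hex escapes that are sometimes used to hide such names from naive string matching. The two sample PDFs are constructed inline; the name list and the verdict thresholds are my assumptions for illustration.

```python
import re
from typing import Dict, Tuple

# Name objects whose presence merits a closer look before the file is opened on an
# endpoint. Assumption: this is a common static-triage list, not from the original post.
RISKY_NAMES: Dict[bytes, str] = {
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript code stream",
    b"/OpenAction": "action executed when the document opens",
    b"/AA": "additional (automatic) action",
    b"/Launch": "launch action (run an external program)",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich media (Flash/3D) content",
    b"/URI": "external URI action",
}

# Names considered "active": any of these triggers quarantine on its own.
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF names (/J#61vaScript -> /JavaScript).

    The PDF spec allows these escapes, and they are occasionally used to slip
    risky names past matchers that only look for the plain spelling."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> Dict[str, int]:
    """Return {name: occurrences} for every risky name object in the PDF bytes."""
    text = normalise_names(data)
    hits: Dict[str, int] = {}
    for name in RISKY_NAMES:
        # A name ends at whitespace or a PDF delimiter, so /JS must not match /JSX.
        pattern = re.escape(name) + rb"(?![^\s()<>\[\]{}/%])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name.decode()] = count
    return hits

def triage(data: bytes) -> Tuple[str, Dict[str, int]]:
    """Give a verdict for an attachment: reject / quarantine / review / allow."""
    hits = scan_pdf(data)
    if not data.startswith(b"%PDF-"):
        return "reject: not a PDF header", hits
    if ACTIVE_NAMES & hits.keys():
        return "quarantine: active content", hits
    if hits:
        return "review: passive risk indicators", hits
    return "allow", hits

# Constructed sample 1: a plain one-page PDF with no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the same document with an open-action that runs a script,
# with the action type written as /J#61vaScript to evade a naive string match.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] >> endobj
4 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        verdict, found = triage(sample)
        print(f"{label:10s} -> {verdict}  {found}")
```

The check is deliberately cheap and runs on raw bytes, so it also works on malformed files that a full parser would reject; the price is that it cannot see inside compressed object streams, so treat “allow” as “no obvious indicators”, not as a clean bill of health.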

How do I get the mail address? Since I now know his first and last name, I can derive the mail address from other company addresses (perhaps from the imprint), for example firstname.lastname@youneverknow.com. If necessary, a telephone call to the front desk.

The dropper is now placed and communicates with my paid command and control (C&C or C2) server. By command, I now instruct the dropper to fetch the necessary additional software: any kind of malware, Trojan horses, or just a key logger. Now begins the important part: the lateral spread. Since the production manager has access to all the data that matters to me, it is a true paradise. The production manager is only my starting point; the goal is the crown jewels, the data. I can download the data from all drives he has access to, no need to infect more computers.

You think your IT security department realises that I’m stealing data? Naivety can certainly be useful in dealing with daily problems, but let’s face it: I’m doing this to get a lot of $$$$, and as quietly and gently as possible, so you cannot easily spot me. My communication channels run through connections that you cannot easily break because your business needs them, and I hide my traffic in the plethora of data that reaches or leaves your business. I also use these under the eyes of the security system without being discovered. How? I will not tell you here, because I do not want to give instructions on data theft; my goal is to increase your awareness.
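What gives a dropper away in that “plethora of data” is usually not the volume but the rhythm: it checks in with its C2 server at a fixed interval, while a human or a CDN client does not. The Python below is an added example, not from the original post, showing one common detection approach: group outbound proxy log entries by (source, destination), and flag pairs whose inter-connection intervals are nearly constant, measured as median absolute deviation over median so that moderate jitter is tolerated. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample proxy log. Assumed format per line:
#   YYYY-mm-ddTHH:MM:SS  src_ip  dst_host  bytes_out
# Lines are intentionally not in time order, as real exports often are not.
SAMPLE_LOG = """\
2018-03-01T09:00:00 10.1.2.3 mail.example-corp.invalid 812
2018-03-01T09:00:03 10.1.2.3 cdn.example-corp.invalid 15022
2018-03-01T09:00:05 10.1.2.3 ponyfarm-offers.invalid 410
2018-03-01T09:01:07 10.1.2.3 ponyfarm-offers.invalid 402
2018-03-01T09:02:30 10.1.2.3 cdn.example-corp.invalid 9001
2018-03-01T09:02:04 10.1.2.3 ponyfarm-offers.invalid 418
2018-03-01T09:03:06 10.1.2.3 ponyfarm-offers.invalid 405
2018-03-01T09:11:44 10.1.2.3 cdn.example-corp.invalid 2201
2018-03-01T09:04:05 10.1.2.3 ponyfarm-offers.invalid 411
2018-03-01T09:12:01 10.1.2.3 cdn.example-corp.invalid 77310
2018-03-01T09:05:06 10.1.2.3 ponyfarm-offers.invalid 409
2018-03-01T09:40:19 10.1.2.3 cdn.example-corp.invalid 1200
"""

Event = Tuple[float, str, str, int]  # (epoch seconds, src, dst, bytes_out)

def parse_log(text: str) -> List[Event]:
    """Parse the assumed four-column format; blank and '#' lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts).timestamp(), src, dst, int(nbytes)))
    return events

def find_beacons(events: List[Event], min_hits: int = 5,
                 max_regularity: float = 0.2) -> List[Dict[str, object]]:
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    regularity = MAD(intervals) / median(intervals); a value near 0 means the
    client reconnects on a near-constant timer, which is what a C2 check-in looks
    like. Thresholds are assumptions to be tuned against local baselines."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    findings: List[Dict[str, object]] = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:          # too few samples to judge a rhythm
            continue
        hits.sort()                        # log order is not time order
        times = [t for t, _ in hits]
        intervals = [b - a for a, b in zip(times, times[1:])]
        med = statistics.median(intervals)
        if med <= 0:                       # bursts with identical timestamps
            continue
        mad = statistics.median([abs(i - med) for i in intervals])
        regularity = mad / med
        if regularity <= max_regularity:
            findings.append({
                "src": src, "dst": dst, "hits": len(hits),
                "median_interval_s": med, "regularity": round(regularity, 3),
                "median_bytes_out": statistics.median(n for _, n in hits),
            })
    return findings

if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

In the sample, the pony-farm host is contacted every ~61 s with near-identical payload sizes and is flagged; the CDN host is contacted just as often but at irregular intervals and is not. In production this runs per day over the proxy or DNS logs with an allow-list for known update and telemetry endpoints, which are the usual source of legitimate, timer-driven traffic.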

Attacks on critical infrastructures (on point 8)

If, as a lecturer at events, I ask the audience what counts as critical infrastructure, the answer comes in unison:

• Nuclear power plants (increasingly obsolete today due to the energy transition, but still interesting because of the destruction and chaos an attack would generate)
• Energy networks (electricity, gas, water, but also wastewater)
• Financial networks (i.e. ATMs, POS terminals)
• Airports and railways
• Food logistics

But lawmakers have long since defined the area of critical infrastructures. How to deal with it from an attacker’s point of view I will explain after the list of critical infrastructures. These are:

  1. Chemical
  2. Commercial facilities
  3. Communications
  4. Critical manufacturing
  5. Dams
  6. Defense industrial base
  7. Emergency services
  8. Energy
  9. Financial services
  10. Food and agriculture
  11. Government facilities
  12. Healthcare and public health
  13. Information technology
  14. Nuclear reactors, materials, and waste
  15. Transportation systems
  16. Water and wastewater systems

As an attacker, attacking higher-value targets (power plants, energy grids) without a correspondingly strong organisation behind you makes, according to an attacker’s own cost / benefit calculation, little sense. Starting from the motivation:

• Blackmail, political motivation, etc.
• Manipulation of public opinion via press and TV
• Preparing for greater aggression in the context of elections or territorial gains (see the Crimean crisis), destabilisation of a government, etc.
• Preparation / support of a military action
• Influencing elections
• Destabilising countries

it makes sense only for aggressive countries that have hacking units in their military portfolio.

Any attacker (or attacking group of a country) who wants to be as effective as possible follows the Pareto principle, i.e. 20% effort for 80% success. Therefore, as an attacker, I will choose exactly the sector that, according to experience, spends very little on IT security, but whose failure shows maximum effect.


Just imagine that, e.g., some municipalities in Germany are notoriously broke, save at every corner and do not invest much in IT security. What if the traffic control fails? 20/80, right? Because I have created big chaos, and due to small budgets the remediation of the attack takes quite long.

Paired attacks do not lack a certain charm. Say, deactivation of traffic control combined with the paralysis of the rescue services. This gives me tremendous leverage over the press and TV, as it intimidates the population.

At this point, I do not want to talk about really serious events, such as disconnecting parts of the power grid in winter. The disruption of food-chain logistics or the loss of ATMs alone would have a strong impact on our society after only a few days.

And all through a PDF with an offer from a pony farm!
