Source: Cybercrime, 2013 |
According to cve.mitre.org, “Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected
by the fixed backdoor password (CVE-2015-7755)”. Juniper issued
an advisory on December 18th, 2015 about this CVE (Common
Vulnerabilities and Exposures) and they indicated that Administrative Access
can be obtained allowing unauthorized remote administrative access to the
device. It seems that Juniper devices have a backdoor password (<<<
%s(un='%s') = %u) that can be supplied with any user name and this would allow an
attacker to bypass authentication through SSH and Telnet.
Barely 4 days later, these exploits are being observed
and reported in the wild; at my job I am already observing attacks targeting
clients with Juniper devices from all across the globe. This appears to be an
Internet wide scan as opposed to a targeted attack against specific
organizations. Using sites like Shodan,
one can easily map out Internet-connected devices, therefore discovering
Juniper devices on the net would not be that hard if an attacker knows their
recon 101. The pattern seems to be the same across the board, a CVE is published, soon
after, right before end users can deploy patches and security updates, attacks
start flowing.
Question therefore is, what
really drives attackers to engage in cyber-crime?
Before looking at the motivators, it might be prudent
to evaluate some of the skill sets that attackers possess.
None
These are your day to day end users, pawns, or patient
zero whose intentions aren’t to attack. They are most of the time not even
aware that they may be propagating attacks. They may be acting as pawns. a good example is with Denial of Service Attacks, where compromised devices can be used to
attack an organization and most of the time, the owners of the compromised
devices are not even aware until they get that phone call from an ISP or law
enforcement.
The insider threat can also be classified under this
skill set since by being complacent for example admins not changing default
passwords, they may be inadvertently enabling an attack.
Novice
The script kiddies fall under this category. The attackers
usually use well known methods of exploitation and are usually loud,
predictable and a nuisance. Can be easily caught or stopped. They basically
come across tools on the net and might perform scans and low level reconnaissance
to get ‘soft targets’.
Intermediate
A step above your average Joe. They do possess some knowledge
of different computer languages and can even reverse engineer some aspects of
code to fit their needs. Their attacks may be somewhat targeted and they may
even have links to the dark webs to shop around for malware and exploit kits.
Expert
These are the top guns of cybercrime. They do this for
a living. Typically employed or funded by the State, Intelligence service,
Defense organization, Organized crime syndicates or terrorist groups. When you
think about Advanced Persistent Threats (APTs), these group comes to mind. They
have the ability to develop specific exploit codes targeted at specific
hardware/software and for specific goals. They are covert and are very hard to
detect based on their modus operandi. They use covert channels like Torrent and
I2P (The Invisible Internet Project) to hide their activity.
So what motivates them?
Money
Money has always been a driving force for most crimes.
Before technology, you had to physically accost the victim be it an individual, bank, or retail
store in order to steal from them. Now all you need is a computer and Internet
connection. The Nigerian 419 scam was (or is) successful as it
preyed on people’s trust and hope for making a fortune. Just recently, the
cryptolocker malware has been used to scheme money off of affected users who have to pay up or lose their encrypted data. FYI ...don't forget to backup your data.
Money as a motivator is applicable to all skill
levels.
Notoriety
(bragging rights)
As the admin of your website you get a call from your
boss in the middle of the night asking you what happened to your company’s
website. You browse to the website and you see that it’s been defaced. Apparently
someone thought it would be funny to break into your web server and deface your website. Most of
these types of attacks are just attackers trying to prove they can do it; for bragging
rights and notoriety.
By being security conscious some of these attacks can
be prevented. These type of motivator is mostly for the novice and the lower
level Intermediate attackers.
Moral
Agenda (hacktivism)
Everybody remembers Occupy Wall Street. Anonymous came
to the limelight for their support of this movement. November 5th
has been earmarked by Anonymous and its followers as a day for global civil
disobedience. Attackers who are motivated by moral agenda usually target
specific organizations that they feel are going against their beliefs and
thoughts.
The skill level may vary from Intermediate to Expert. Given
that these groups are usually open to the public, you may even have guys with novice
skill level sets affiliating themselves to the hacktivists.
Competitive
Advantage
This motivating element requires more focused and sophisticated
attacks. This is where intellectual property is the price. The attackers may be
State sponsored trying to find out how a successful Fortune 500 company
conducts its business. A foreign government trying to steal blue prints for a
secret military project.
This is mostly for the Expert attackers. Their attacks
have to be sophisticated as the targets are more security conscious and have
multi-layered security checks.
Destruction/Sabotage
Their sole purpose is to cause havoc, anarchy and
destruction. They may be targeting infrastructure to bring it down. They may be
targeting nuclear reactors to cause harm. Mostly terrorists with money or influence/sway to buy hackers
with the right skill set to fit their agenda.
In conclusion, Kim
Zetter in her article on Wired.com, 10k
reasons to worry about critical infrastructure, quotes Eireann Leverett who
during an S4:SCADA
Security Scientific Symposium conference stated, “If a student can put this together, surely a
nation state can do it” (2012). This was in regards to a research he had
conducted using Shodan and vulnerability databases to map out Supervisory
Control and Data Acquisition systems (SCADA) connected to the Internet.
That statement speaks volumes in that it shows that no matter what skill level an
attacker has, with enough time, right tools and mindset; the novice attacker
all the way to the skilled state-sponsored attacker, should be accounted for
when planning an Information Security program.
References:
2015-12 Out of Cycle Security Bulletin: ScreenOS:
Multiple Security issues with
ScreenOS
(CVE-2015-7755, CVE-2015-7756). (n.d.). Retrieved December 22,
2015, from Juniper Networks website:
https://kb.juniper.net/InfoCenter/
index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
CVE-2015-7755 [Press release]. (2015, December 10).
Retrieved from Common
Vulnerabilities and Exposures database. Website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7755
Zetter, K. (2012, January). 10k reasons to worry about
critical infrastructure.
Retrieved
December 22, 2015, from Wired website: http://www.wired.com/2012/
01/10000-control-systems-online/
Cybercrime [Image]. (2013, July). Retrieved from
http://www.abc.net.au/btn/image/
story/2013/07-cybercrime.jpg
No comments:
Post a Comment