Tuesday, December 22, 2015

Cybercrime Motivation (week 3)

Source: Cybercrime, 2013
According to cve.mitre.org, “Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected by the fixed backdoor password (CVE-2015-7755)”. Juniper issued an out-of-cycle advisory about this CVE (Common Vulnerabilities and Exposures entry) on December 18th, 2015, stating that it allows unauthorized remote administrative access to the device. The affected firmware contains a hard-coded backdoor password (<<< %s(un='%s') = %u), a string shaped like a printf-style format string so that it passes for ordinary logging code. Supplied together with any user name, it bypasses authentication over SSH and Telnet; the attacker does not need to know or guess a real credential.
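The first thing a practitioner wants from an advisory like this is a way to tell which devices in an inventory fall inside the affected range. The following is an added example, not Juniper's code and not taken from the advisory: it parses ScreenOS version strings and tests them against the inclusive ranges Juniper lists in JSA10713 (6.3.0r17 through 6.3.0r20 for CVE-2015-7755, and 6.2.0r15 through 6.2.0r18 plus 6.3.0r12 through 6.3.0r20 for the VPN decryption issue, CVE-2015-7756). The version-string format it accepts ("6.3.0r19", optionally with a build suffix such as ".0"), the sample inventory and the host names are assumptions.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Inclusive ranges from Juniper's advisory JSA10713. Kept as numeric tuples so
# that "6.3.0r9" compares below "6.3.0r17"; a plain string compare would not.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2015-7755": [((6, 3, 0, 17), (6, 3, 0, 20))],            # admin access
    "CVE-2015-7756": [((6, 2, 0, 15), (6, 2, 0, 18)),             # VPN decryption
                      ((6, 3, 0, 12), (6, 3, 0, 20))],
}

# Assumed format: "6.3.0r19" with an optional build suffix such as ".0"
# (e.g. "6.3.0r19.0"); the suffix is ignored for the range test.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(text: str) -> Version:
    """Turn '6.3.0r19' or '6.3.0r19.0' into (6, 3, 0, 19); raise on anything else."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {text!r}")
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE ids whose affected range contains this version."""
    v = parse_screenos_version(version_text)
    return [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(lo <= v <= hi for lo, hi in ranges)]


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device to its matching CVEs. A version we cannot parse is
    flagged explicitly rather than silently treated as safe."""
    result: Dict[str, List[str]] = {}
    for device, version_text in inventory.items():
        try:
            result[device] = affected_cves(version_text)
        except ValueError:
            result[device] = ["UNKNOWN-VERSION"]
    return result


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = {
    "fw-branch-01": "6.3.0r19.0",   # inside both 6.3.0 ranges
    "fw-branch-02": "6.3.0r9",      # numerically below r12 and r17
    "fw-dc-01": "6.3.0r21",         # above the affected ranges
    "fw-vpn-01": "6.2.0r16",        # inside the 6.2.0 VPN range only
    "fw-lab": "6.3.0",              # no 'rN' release number: cannot decide
}

if __name__ == "__main__":
    for device, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {', '.join(cves) or 'not in an affected range'}")
```

Comparing as tuples is the point of the parser: version strings sort badly as text, and a check that treats "6.3.0r9" as newer than "6.3.0r17" would mark an unaffected device as vulnerable and, worse, the reverse for other ranges.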

Barely four days later, exploitation is being observed and reported in the wild; at my job I am already observing attacks targeting clients with Juniper devices from all across the globe. This appears to be an Internet-wide scan as opposed to a targeted attack against specific organizations. Using sites like Shodan, one can easily map out Internet-connected devices, so discovering exposed Juniper management interfaces would not be hard for an attacker who knows their recon 101. The pattern is the same across the board: a CVE is published and, soon after, before most end users have been able to deploy patches and security updates, attacks start flowing.
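The distinction drawn above, an Internet-wide sweep versus a targeted attack, can be made from a device's own login logs. The block below is an added example, not from the original post and not ScreenOS's real log format: it parses constructed key=value login events, classifies the activity from how many distinct sources are knocking and how hard each one tries, and separately lists successful SSH/Telnet administrative logins from sources outside an assumed management allowlist. On a device with a fixed backdoor password that single success is the whole attack, so it is escalated regardless of how the surrounding probing was classified. The log format, thresholds, host names and addresses (RFC 5737 documentation ranges) are all assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

Event = Dict[str, str]

# Constructed events in an assumed generic key=value format (not the real
# ScreenOS syslog format). Addresses are RFC 5737 documentation ranges.
SCAN_LOGS = """\
2015-12-21T03:14:07Z fw-branch-01 login proto=ssh src=203.0.113.7 user=admin result=failure
2015-12-21T03:14:09Z fw-branch-01 login proto=ssh src=203.0.113.7 user=admin result=success
2015-12-21T03:15:02Z fw-branch-02 login proto=telnet src=198.51.100.22 user=root result=failure
2015-12-21T03:16:44Z fw-dc-01 login proto=ssh src=192.0.2.55 user=netscreen result=failure
2015-12-21T03:17:10Z fw-dc-01 login proto=ssh src=192.0.2.56 user=netscreen result=failure
2015-12-21T03:18:31Z fw-branch-01 login proto=ssh src=198.51.100.9 user=admin result=failure
2015-12-21T03:19:05Z fw-dc-01 login proto=ssh src=203.0.113.200 user=admin result=failure
2015-12-21T03:20:15Z fw-branch-02 login proto=ssh src=192.0.2.10 user=admin result=success
"""

# Same constructed format: one source working through a password list on one device.
TARGETED_LOGS = """\
2015-12-21T04:01:00Z fw-dc-01 login proto=ssh src=198.51.100.77 user=admin result=failure
2015-12-21T04:01:02Z fw-dc-01 login proto=ssh src=198.51.100.77 user=admin result=failure
2015-12-21T04:01:04Z fw-dc-01 login proto=ssh src=198.51.100.77 user=admin result=failure
2015-12-21T04:01:06Z fw-dc-01 login proto=ssh src=198.51.100.77 user=netscreen result=failure
2015-12-21T04:01:08Z fw-dc-01 login proto=ssh src=198.51.100.77 user=netscreen result=failure
2015-12-21T04:01:10Z fw-dc-01 login proto=ssh src=198.51.100.77 user=root result=failure
"""

# Assumed: the only host that should ever log in to the management plane.
MGMT_ALLOWLIST = {"192.0.2.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) login proto=(?P<proto>ssh|telnet) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_logs(text: str) -> List[Event]:
    """Parse lines in the assumed format; anything else is skipped, not guessed."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events: List[Event], min_sources: int = 5,
             low_attempts: int = 3, high_attempts: int = 5) -> str:
    """Crude triage of who is knocking.

    Many distinct sources, each trying only a few times, looks like an
    Internet-wide sweep. A handful of sources making many attempts looks
    targeted. Anything else is reported as 'mixed' so a human looks at it.
    The thresholds are assumptions; tune them to your own baseline.
    """
    if not events:
        return "no data"
    per_source = Counter(e["src"] for e in events)
    n_sources = len(per_source)
    few_tries = sum(1 for n in per_source.values() if n <= low_attempts)
    mean_tries = len(events) / n_sources
    if n_sources >= min_sources and few_tries / n_sources >= 0.8:
        return "broad scan"
    if n_sources < min_sources and mean_tries >= high_attempts:
        return "targeted"
    return "mixed"


def suspicious_successes(events: List[Event], allowlist=MGMT_ALLOWLIST) -> List[Event]:
    """Successful SSH/Telnet admin logins from outside the allowlist. With a
    fixed backdoor password one success is the whole attack, so these are
    escalated whatever classify() said about the surrounding noise."""
    return [e for e in events
            if e["result"] == "success" and e["src"] not in allowlist]


if __name__ == "__main__":
    for label, text in (("scan sample", SCAN_LOGS), ("targeted sample", TARGETED_LOGS)):
        evts = parse_logs(text)
        print(f"{label}: {len(evts)} events -> {classify(evts)}")
        for e in suspicious_successes(evts):
            print(f"  ESCALATE: {e['ts']} {e['device']} {e['proto']} "
                  f"user={e['user']} from {e['src']}")
```

Note what the classifier deliberately does not do: it never downgrades a success. A backdoor login needs one attempt, so the "broad scan" sample still yields an escalation for 203.0.113.7, which got in on its second try.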

The question, therefore, is: what really drives attackers to engage in cybercrime?

Before looking at the motivators, it might be prudent to evaluate some of the skill sets that attackers possess.

None
These are your day-to-day end users, the pawns or patient zero, whose intention is not to attack. Most of the time they are not even aware that they may be propagating attacks. A good example is a Denial of Service attack, where compromised devices are used to attack an organization and the owners of those devices are usually unaware until they get that phone call from an ISP or law enforcement.
The negligent insider can also be classified under this skill set: an admin who leaves default passwords in place, for example, may inadvertently enable an attack without any intent to do so.

Novice
The script kiddies fall under this category. These attackers use well-known methods of exploitation and are usually loud, predictable and a nuisance, and they can be caught or stopped fairly easily. They basically come across tools on the net and run scans and low-level reconnaissance to find ‘soft targets’.

Intermediate
A step above your average Joe. They possess some knowledge of different programming languages and can even reverse engineer parts of existing code to fit their needs. Their attacks may be somewhat targeted, and they may have links to dark web markets where they shop for malware and exploit kits.

Expert
These are the top guns of cybercrime. They do this for a living and are typically employed or funded by a state, an intelligence service, a defense organization, an organized crime syndicate or a terrorist group. When you think about Advanced Persistent Threats (APTs), these groups come to mind. They have the ability to develop exploit code against specific hardware and software for specific goals. They are covert and, given their modus operandi, very hard to detect; they hide their activity behind anonymity networks such as Tor and I2P (the Invisible Internet Project).

So what motivates them?

Money
Money has always been a driving force for most crimes. Before technology, you had to physically accost the victim, be it an individual, a bank or a retail store, in order to steal from them. Now all you need is a computer and an Internet connection. The Nigerian 419 scam was (or is) successful because it preyed on people’s trust and hope of making a fortune. More recently, the CryptoLocker ransomware has been used to extort money from affected users, who must pay up or lose their encrypted data. FYI: don't forget to back up your data, and keep a copy offline where the malware cannot reach it.

Money as a motivator is applicable to all skill levels.  

Notoriety (bragging rights)
As the admin of your company’s website, you get a call from your boss in the middle of the night asking what happened to the site. You browse to it and see that it has been defaced: someone thought it would be funny to break into your web server and replace the front page. Most attacks of this type are attackers trying to prove they can do it, for bragging rights and notoriety.

Being security conscious can prevent some of these attacks. This motivator mostly applies to novice and lower-level intermediate attackers.

Moral Agenda (hacktivism)
Everybody remembers Occupy Wall Street; Anonymous came into the limelight for its support of that movement, and November 5th has been earmarked by Anonymous and its followers as a day of global civil disobedience. Attackers motivated by a moral agenda usually target specific organizations that they feel go against their beliefs.

The skill level may vary from intermediate to expert, and since these groups are usually open to the public, you may even have people with novice skills affiliating themselves with the hacktivists.

Competitive Advantage
This motivator requires more focused and sophisticated attacks, and here intellectual property is the prize. The attackers may be state sponsored, trying to find out how a successful Fortune 500 company conducts its business, or a foreign government trying to steal the blueprints for a secret military project.
This is mostly the domain of expert attackers. Their attacks have to be sophisticated because the targets are more security conscious and have multi-layered defenses.

Destruction/Sabotage
Their sole purpose is to cause havoc, anarchy and destruction. They may target infrastructure to bring it down, or a nuclear reactor to cause physical harm. These are mostly terrorist groups with the money or influence to buy hackers with the right skill set for their agenda.

In conclusion, Kim Zetter, in her Wired.com article “10K Reasons to Worry About Critical Infrastructure”, quotes Eireann Leverett, who stated at the S4 SCADA Security Scientific Symposium, “If a student can put this together, surely a nation state can do it” (2012). He was referring to research he had conducted using Shodan and vulnerability databases to map Supervisory Control and Data Acquisition (SCADA) systems connected to the Internet.
That statement speaks volumes: whatever an attacker’s skill level, given enough time, the right tools and the right mindset they can reach the same targets. Everyone from the novice to the skilled state-sponsored attacker should be accounted for when planning an information security program.


References:
2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756). (n.d.). Retrieved December 22, 2015, from Juniper Networks website: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
CVE-2015-7755. (2015, December 10). Retrieved from Common Vulnerabilities and Exposures database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7755
Zetter, K. (2012, January). 10K reasons to worry about critical infrastructure. Retrieved December 22, 2015, from Wired website: http://www.wired.com/2012/01/10000-control-systems-online/
Cybercrime [Image]. (2013, July). Retrieved from http://www.abc.net.au/btn/image/story/2013/07-cybercrime.jpg
