8/3/2019 Top Cyber Security Risks September 2009
1/24
The Top Cyber Security Risks
Two risks dwarf all others, but organizations fail to mitigate them
Featuring attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis and tutorial by the Internet Storm Center and key SANS faculty members.
September 2009
Contents
Executive summary ... 2
Overview ... 4
Vulnerability exploitation trends ... 5
Application vulnerabilities exceed OS vulnerabilities ... 5
Web application attacks ... 5
Windows: Conficker/Downadup ... 6
Apple: QuickTime and six more ... 7
Origin and destination analysis for four key attacks ... 7
Application patching is much slower than operating system patching ... 14
Tutorial: Real-life HTTP client-side exploitation example ... 18
Step 0: Attacker places content on trusted site ... 18
Step 1: Client-side exploitation ... 19
Step 2: Establish reverse shell backdoor using HTTPS ... 19
Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot ... 20
Step 5: Pass the hash to compromise domain controller ... 20
Steps 6 and 7: Exfiltration ... 21
Zero-day vulnerability trends ... 21
Best practices in mitigation and control of the top risks ... 23
Critical Controls - As Applied to HTTP Server Threats ... 23
Executive Summary
Priority One: Client-side software that remains unpatched.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites. (See Priority Two below for how they compromise the web sites.) Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents, music and video that exploit client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software. The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation. On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk.
Priority Two: Internet-facing web sites that are vulnerable.
Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.
Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period. Even so, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90% of attacks seen against the Windows operating system.
Rising numbers of zero-day vulnerabilities.
World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years. There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks. A large decline in the number of PHP File Include attacks appears to reflect improved processes used by application developers, system administrators, and other security professionals.
Overview
Throughout the developed world, governments, defense organizations, and companies in finance, power, and telecommunications are increasingly targeted by overlapping surges of cyber attacks from criminals and nation-states seeking economic or military advantage. The number of attacks is now so large and their sophistication so great that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. Exacerbating the problem is that most organizations do not have an Internet-wide view of the attacks.
This report uses current data covering March 2009 to August 2009 from appliances and software in thousands of targeted organizations to provide a reliable portrait of the attacks being launched and the vulnerabilities they exploit. The report's purpose is to document existing and emerging threats that pose significant risk to networks and the critical information that is generated, processed, transmitted, and stored on those networks. This report summarizes vulnerability and attack trends, focusing on those threats that have the greatest potential to negatively impact your network and your business. It identifies key elements that enable these threats and associates these key elements with security controls that can mitigate your risk.
The report's target audience is major organizations that want to ensure their defenses are up-to-date and are tuned to respond to today's newest attacks and to the most pressing vulnerabilities. Data on actual attacks comes from intrusion prevention appliances deployed by TippingPoint that protect more than 6,000 companies and government agencies. Data on vulnerabilities that remain unpatched comes from appliances and software deployed by Qualys that monitor vulnerabilities and configuration errors in more than 9,000,000 systems, scanned more than 100,000,000 times so far in 2009. The patterns in the data are vetted by the senior staff at the Internet Storm Center and by the faculty of the SANS Institute responsible for SANS programs in hacker exploits, penetration testing, and forensics. In other words, these findings reflect a fusion of data and experience never before brought together.
The report also includes a pictorial description/tutorial on how some of the most damaging current attacks actually work. One of the most important findings in cybersecurity over the past several years has been the understanding, most often asserted by White House officials, that offense must inform defense. Only people who understand how attacks are carried out can be expected to be effective defenders. The tutorial shows what actually happened in a very damaging attack and is excerpted from Ed Skoudis' SANS Hacker Exploits and Incident Handling class. It is included to boost defenders' understanding of current attack techniques.
The report was compiled by Rohit Dhamankar, Mike Dausin, Marc Eisenbarth and James King of TippingPoint with assistance from Wolfgang Kandek of Qualys, Johannes Ullrich of the Internet Storm Center, and Ed Skoudis and Rob Lee of the SANS Institute faculty.
Vulnerability Exploitation Trends
Application Vulnerabilities Exceed OS Vulnerabilities
During the last few years, the number of vulnerabilities being discovered in applications has been far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded against application programs. The most popular applications for exploitation tend to change over time, since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.
Figure 1: Number of Vulnerabilities in Network, OS and Applications
Web Application Attacks
There appear to be two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.
Windows: Conficker/Downadup
Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.
Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Apple: QuickTime and Six More
Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks that are being launched against Apple software. Note that QuickTime runs on both Mac and Windows operating systems. The following vulnerabilities should be patched for any QuickTime installations: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957
Figure 4: Attacks on Critical Apple Vulnerabilities (last 6 months)
Origin and Destination Analysis for Four Key Attacks
Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination. In order to show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such, they should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks. As you might expect, there is some overlap in these categories, with the latter three being subsets of the first two categories. However, the trends we see in separating this data are worth pointing out.
The SQL Injection attacks that compose this category include SQL Injection using SELECT SQL Statement, SQL Injection Evasion using String Functions, and SQL Injection using Boolean Identity. The most prominent PHP Remote File Include attack is one that looks for a very small HTTP request that includes a link to another website as a parameter that contains a very specific evasion technique used by a number of attacks to increase the reliability of their attacks. Also of note is a very specific attack against the Zeroboard PHP application, the only single application that made the top attacks. The final type of attack included in these statistics is one of the more popular HTTP Connect Tunnel attacks, which remains a staple in the Server-Side HTTP category. The HTTP connect tunnels are used for sending spam emails via mis-configured HTTP servers.
Looking at the breakdown by country, we see that the United States is by far the major attack target for the Server-Side HTTP attack category (Figure 5).
Figure 5: Server-Side HTTP Attacks by Destination Country (last 6 months)
For years, attack targets in the United States have presented greater value propositions for attackers, so this statistic really comes as no surprise.
An interesting spike in Server-Side HTTP attacks occurred in July 2009. This was entirely due to SQL Injection attacks using the SELECT command. Upon looking at the data, we saw a massive campaign by a range of IP addresses located at a very large Internet Service Provider (ISP). In this case, there were a number of machines located at a single colocation site that may have all been compromised with the same vulnerability due to the machines being at the same patch level. In addition, a number of gambling sites took part in this attack, which peaked after hours on July Fourth, a major holiday in the United States.
Figure 6: Server-Side HTTP Attacks (last 6 months)
Finally, let's turn to the source of these HTTP Server-Side Attacks (Figure 7).
Figure 7: Server-Side HTTP Attacks by Source Country (last 6 months)
Here we see the United States as by far the largest origin, which is a pattern that has continued for some time. In many cases we believe these to be compromised machines that are then being used for further nefarious purposes. The next four offenders on the HTTP Server-Side attacking countries list are Thailand, Taiwan, China, and the Republic of Korea. They also show up in other portions of this report, so this graph will be a useful reference in comparing some of the other attack categories and their relative magnitude.
The last six months have seen a lot of activity with SQL injection attacks. Some typical patterns emerge, with the United States being both the top source of and destination for SQL Injection events.
SQL Injection on the Internet can more or less be divided into two sub-categories: Legitimate SQL Injection and Malicious SQL Injection. Many web applications on the Internet still use SQL Injection for their normal functionality. It should be noted that this is only a difference in intent. The web applications that legitimately use SQL Injection are guaranteed to be vulnerable to the tools and techniques used by attackers to perform Malicious SQL Injections. The servers that house these applications may have a higher compromise rate not only because they are known to be vulnerable, but also because they need to distinguish between legitimate and malicious injects to identify attacks.
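The "legitimate SQL Injection" the report describes is exactly a string-concatenated lookup like the one below, and the report's SELECT, boolean-identity and string-function-evasion categories are easy to see against it. This Python/sqlite3 example is added here and is not from the report; the table, the two inputs and the naive signature are constructed.

```python
import re
import sqlite3

# Constructed sample table. The report's point is that any data behind a
# web server is a target, so the rows carry a sensitive column as well.
ROWS = [(1, "alice", "111-11-1111"),
        (2, "bob", "222-22-2222"),
        (3, "carol", "333-33-3333")]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, ssn TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con, name):
    """Concatenates user input into the statement, so the input can change
    the query's structure. Applications that 'use SQL injection as
    functionality' are built this way and are open to the same inputs."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, name):
    """Bound parameter: the input travels as data and is never parsed as SQL,
    so the same inputs below return nothing."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


# A signature that only knows the textbook boolean-identity form; included
# to show why filtering is not a substitute for parameterization.
NAIVE_SIGNATURE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def naive_filter_allows(name):
    return NAIVE_SIGNATURE.search(name) is None


# Constructed inputs mirroring two of the report's categories.
# Boolean identity: WHERE name = '' OR '1'='1'   -> every row
BOOLEAN_IDENTITY = "' OR '1'='1"
# String-function evasion: char(98,111,98) builds 'bob' without quoting it,
# and '--' comments out the trailing quote; the naive signature misses it.
STRING_FUNCTION_EVASION = "' OR name = char(98,111,98) --"


def compare(name):
    """Run one input through both lookups and the naive filter."""
    con = build_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(con, name),
            "parameterized": lookup_parameterized(con, name),
            "filter_allows": naive_filter_allows(name),
        }
    finally:
        con.close()
```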
Figure 8: SQL Injection Attacks by Destination Country (last 6 months)
Looking at the magnitude of these attacks broken down by month (Figure 9), we see the large-scale SQL Injection campaign pointed out in the Server-Side HTTP Attack section. A very large spike in SQL Injection attacks in July was caused mostly by an online advertiser who distributed code to many affiliates using SQL injection as functionality. The application was quickly pulled, resulting in a large drop in events for the month of August.
Figure 9: SQL Injection Attacks (last 6 months)
The source distribution of many of these attacks is much more diverse than the destination. China is now the single largest source outside of the United States. Again, the overwhelming destination for these events is the United States (Figure 10).
Figure 10: SQL Injection Attacks by Source Country (6 months)
In conclusion, we cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisition of sensitive data. While the media may consistently report attacker targets as being credit cards and social security numbers, that is more due to the popular understanding of the marketability of this data. They are not the only valuable data types that can be compromised. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted.
Although PHP File Include attacks have been popular, we have seen a notable decline in the overall number of attacks that have taken place. With the exception of a major attack originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March/May average.
There are many ways to protect against these attacks. Apache configuration, input sanitization, and network security equipment are all very good at deterring these attacks, so it seems likely that the drop in total attacks is at least partly due to a positive response by application developers, system administrators, and security professionals. However, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack (arbitrary PHP code is executed), attacks such as these are likely to remain popular for some time.
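The detection side of the PHP Remote File Include traffic the report describes, as an added Python example that is not part of the report: it walks Apache access-log lines and flags the "small HTTP request that includes a link to another website as a parameter", with an allowlist for parameters that legitimately carry URLs so that open-redirect style requests are not counted as includes. The log lines, addresses and the allowlist are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-log format; only the fields the detector needs are named.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A parameter value that is itself an absolute URL is the hallmark of a
# remote file include attempt against an include()/require() of user input.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed (path, parameter) pairs that legitimately carry URLs.
ALLOWED_URL_PARAMS = {("/redirect", "next")}

# Constructed log lines using documentation address ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2009:03:14:07 +0000] "GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Apr/2009:03:14:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2009:03:14:11 +0000] "GET /forum/view.php?inc=HtTp%3A%2F%2F198.51.100.7%2Fy.txt HTTP/1.1" 200 300 "-" "libwww-perl/5.8"',
    '198.51.100.20 - - [12/Apr/2009:03:14:12 +0000] "GET /redirect?next=http://198.51.100.7/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_rfi(lines):
    """One finding per (request, parameter) whose decoded value is an
    absolute URL, skipping allowlisted parameters and unparseable lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # parse_qs percent-decodes, so 'HtTp%3A%2F%2F' is seen as 'HtTp://'
        # and mixed case or encoding does not hide the scheme.
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            if (parts.path, param) in ALLOWED_URL_PARAMS:
                continue
            for value in values:
                if REMOTE_URL_RE.match(value):
                    findings.append({"src": rec["src"], "path": parts.path,
                                     "param": param, "value": value,
                                     "status": rec["status"]})
    return findings


def sources_by_count(findings):
    """Findings per source address: the per-origin view the report's
    figures give by country, here by address."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts
```

Pairing the findings with a 200 status, as in the first two sample lines, separates attempts against scripts that actually exist from blind scanning that hit nothing.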
Figure 11: PHP Remote File Include Attacks (last 6 months)
Let us look at the sources of PHP Remote File Include attacks. A major attack campaign was launched out of Thailand in April that caused Thailand to show up at number 1 in this list.
Figure 12: PHP Remote File Include Attacks by Source Country (6 months)
Cross Site Scripting (XSS) is one of the most prevalent bugs in today's web applications. Unfortunately, developers often fall into the trap of introducing XSS bugs while creating custom code that connects all of the diverse web technologies that are so prevalent in today's Web 2.0 world. Another very common use of XSS is by various advertisers' analytic systems. For example, an advertiser's banner might be embedded in a web page which is set up to reflect some JavaScript off of the advertiser's HTTP server for tracking purposes. However, in this case, there is little risk because the site in question (usually) has full control over its page, so this request to the advertiser is not generally malicious. It is the reflection attacks, along with attacks that leverage flaws in form data handling, that make up the vast majority of XSS attacks that we have seen in the last six months.
Figure 13: XSS Attacks by Source Country (last 6 months)
Attacks sourced from the United States have been on a steady decline month-over-month. The Republic of Korea has seen a 50% reduction in the last 30 days. These two events, however, have been offset by a sudden 20% increase in the last 30 days in attacks from Australia. The other three major players, namely Hong Kong, China and Taiwan, have remained stable over the past three-month period in this category.
Application Patching is Much Slower than Operating System Patching
Qualys scanners collect anonymized data on detected vulnerabilities to capture the changing dynamics in the vulnerability assessment field. The data documents changes such as the decline of server-side vulnerabilities and the corresponding rise of vulnerabilities on the client side, both in operating system components and applications.
A Top 30 ranking is often used to see if major changes occur in the most frequent vulnerabilities found. Here is the ranking for the first half of 2009, edited to remove irrelevant data points such as 0-day vulnerabilities.
Description
WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
Sun Java Multiple Vulnerabilities (244988 and others)
Sun Java Web Start Multiple Vulnerabilities May Allow Elevation of Privileges (238905)
Java Runtime Environment Virtual Machine May Allow Elevation of Privileges (238967)
Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)
Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability
Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-01)
Sun Java JDK JRE Multiple Vulnerabilities (254569)
Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)
Microsoft XML Core Services Remote Code Execution Vulnerability (MS08-069)
Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)
Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)
Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (MS09-028)
Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)
Adobe Flash Player Multiple Vulnerabilities (APSB07-20)
Adobe Flash Player Multiple Security Vulnerabilities (APSB08-20)
Third Party CAPICOM.DLL Remote Code Execution Vulnerability
Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)
Adobe Flash Player Multiple Vulnerabilities (APSB07-12)
Microsoft Office Remote Code Execution Vulnerability (MS08-055)
Adobe Reader JavaScript Methods Memory Corruption Vulnerability (APSA09-02 and APSB09-06)
Microsoft PowerPoint Could Allow Remote Code Execution (MS08-051)
Processing Font Vulnerability in JRE May Allow Elevation of Privileges (238666)
Microsoft Office Could Allow Remote Code Execution (MS08-016)
Adobe Acrobat/Reader util.print() Buffer Overflow Vulnerability (APSB08-19)
Adobe Acrobat and Adobe Reader Multiple Vulnerabilities (APSB08-15)
Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)
Table 1: Qualys Top 30 in H1 2009
Some of the vulnerabilities listed in the table get quickly addressed by IT administrators; vulnerabilities in the base operating system class, for example, show a significant drop in even the first 15 days of their lifetime:
Figure 14: Microsoft OS Vulnerabilities
But at least half of the vulnerabilities in the list, primarily vulnerabilities found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader, are very widely installed and so expose the many systems they run on to long-lived threats. The following graphs plot the number of vulnerabilities detected for Microsoft Office and Adobe Reader, normalized to the maximum number of vulnerabilities detected in the timeframe. Periodic drops in detection rates occur during the weekends, when scanning focuses on servers rather than desktop machines and the detection rates of vulnerabilities related to desktop software fall accordingly.
Figure 15: Microsoft PowerPoint and Adobe Vulnerabilities Patching Cycles
Attackers have long picked up on this opportunity and have switched to different types of attacks in order to take advantage of these vulnerabilities, using social engineering techniques to lure end-users into opening documents received by e-mail or by infecting websites with links to documents that have attacks for these vulnerabilities embedded. These infected documents are not only placed on popular web sites that have a large number of visitors, but increasingly target the long tail, the thousands of specialized websites that have smaller but very faithful audiences. By identifying and exploiting vulnerabilities in the Content Management Systems used by these sites, attackers can automate the infection process and reach thousands of sites in a matter of hours. Attacks using PDF vulnerabilities have seen a large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use this method of getting control over a machine.
Adobe Flash has similar problems with the application of its updates; there are four Flash vulnerabilities in our Top 30 list that date back as far as 2007:
Figure 16: Flash Vulnerabilities
Flash presents additional challenges: it does not have its own automatic update mechanism, and one needs to patch Internet Explorer in a separate step from other browsers. For users that have more than one browser installed, it is quite easy to forget to completely close Flash vulnerabilities and continue to be unwillingly vulnerable.
One of the other software families that is high on the Top 30 list is Java, which is widely installed for running Java applets in the common browsers and also increasingly for normal applications. It is quite slow in the patch cycle, with actually increasing numbers of total vulnerabilities as the introduction of new vulnerabilities outweighs the effect of patching. Java has the additional problem that until recently new versions did not uninstall the older code, but only pointed default execution paths to the new, fixed version; attack code could be engineered to take advantage of the well-known paths and continue to use older and vulnerable Java engines.
Figure 17: Sun Java Vulnerabilities
Tutorial: Real Life HTTP Client-side Exploitation Example
This section illustrates an example of a real life attack conducted against an organization that resulted in loss of critical data for the organization.
In this attack, Acme Widgets Corporation suffered a major breach from attackers who were able to compromise their entire internal network infrastructure using two of the most powerful and common attack vectors today: exploitation of client-side software and pass-the-hash attacks against Windows machines.
Step 0: Attacker Places Content on Trusted Site
In Step 0, the attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.
Step 1: Client-Side Exploitation
In Step 1, a user on the internal Acme Widgets enterprise network surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., Real Player, Windows Media Player, iTunes, etc.), document display program (e.g., Acrobat Reader), or a component of an office suite (e.g., Microsoft Word, Excel, PowerPoint, etc.). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program, passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.
Step 2: Establish Reverse Shell Backdoor Using HTTPS
In Step 2, the attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access to the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network are concerned.
Steps 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot
In Step 3, the attacker uses shell access o the initial victim system to load a local
privilege escalation exploit program onto the victim machine. This program allowsthe attacker to jump rom the limited privilege user account to ull system privileges
on this machine. Although vendors requently release patches to stop local privilege
escalation attacks, many organizations do not deploy such patches quickly, because such
enterprises tend to ocus exclusively on patching remotely exploitable faws. The attacker
now dumps the password hashes or all accounts on this local machine, including a local
administrator account on the system.
In Step 4, instead o cracking the local administrator password, the attacker uses a
Windows pass-the-hash program to authenticate to another Windows machine on the
enterprise internal network, a ully patched client system on which this same victimuser has ull administrative privileges. Using NTLMv1 or NTLMv2, Windows machines
authenticate network access or the Server Message Block (SMB) protocol based on
user hashes and not the passwords themselves, allowing the attacker to get access
to the le system or run programs on the ully patched system with local administrator
privileges. Using these privileges, the attacker now dumps the password hashes or all
local accounts on this ully patched Windows machine.
Step 5: Pass the Hash to Compromise Domain Controller
In Step 5, the attacker uses a password hash from a local account on the fully patched
Windows client to access the domain controller system, again using a pass-the-hash
attack to gain shell access on the domain controller. Because the password for the local
administrator account is identical to the password for a domain administrator account,
the password hashes for the two accounts are identical (the NT hash is unsalted, so the
same password always produces the same hash on every machine). Therefore, the attacker can
access the domain controller with full domain administrator privileges, giving the attacker
complete control over all other accounts and machines in that domain.
Steps 6 and 7: Exfiltration
In Step 6, with full domain administrator privileges, the attacker now compromises a
server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates
this sensitive information, consisting of over 200 Megabytes of data. The attacker
pushes this data out to the Internet from the server, again using HTTPS to encrypt the
information, minimizing the chance of it being detected.
Zero-Day Vulnerability Trends
A zero-day vulnerability occurs when a flaw in software code is discovered and code
exploiting the flaw appears before a fix or patch is available. Once a working exploit
of the vulnerability has been released into the wild, users of the affected software
will continue to be compromised until a software patch is available or some form of
mitigation is taken by the user.
File format vulnerabilities continue to be the first choice for attackers to
conduct zero-day and targeted attacks. Most of the attacks continue to target Adobe
PDF, Flash Player and Microsoft Office Suite (PowerPoint, Excel and Word) software.
Multiple publicly available fuzzing frameworks make it easier to find these flaws. The
vulnerabilities are often found in 3rd party add-ons to these popular and widespread
software suites, making the patching process more complex and increasing their
potential value to attackers.
The notable zero-day vulnerabilities during the past 6 months were:
- Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
- Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
- Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
- Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
- Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
- Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)
The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the
number of people having skills to discover vulnerabilities world-wide. This is evidenced
by the fact that TippingPoint DVLabs often receives the same vulnerabilities from multiple
sources.
For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow
Vulnerability) was discovered independently by three researchers. The first researcher
submitted this critical remote vulnerability in IE 6/7 on Oct 22, 2007. A second independent
researcher submitted the same vulnerability on April 23, 2008. A third independent
researcher submitted the same vulnerability on May 19, 2008. All three submissions
outlined different approaches to auditing for and finding the same vulnerability.
The implication of increasing duplicate discoveries is fairly alarming: the main
mitigation for vulnerabilities of this type is patching, which is not a valid strategy for
protecting against zero-day exploits. There is a heightened risk from cyber criminals, who
can discover zero-day vulnerabilities and exploit them for profit. Add to this that software
vendors have not necessarily lowered their average time for patching vulnerabilities
reported to them, and that TippingPoint is aware of a number of vulnerabilities that were
reported to vendors two years ago and are still awaiting a patch:
http://www.zerodayinitiative.com/advisories/upcoming/
This makes zero-day exploits in client-side applications one of the most significant
threats to your network, and requires that you put in place additional information security
measures and controls to complement your vulnerability assessment and remediation
activities.
Best Practices in Mitigation and Control of the Top Risks
A few weeks ago, the Center for Strategic and International Studies published an
updated version of the Twenty Critical Controls for Effective Cyber Defense.
http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf
These controls reflect the consensus of many of the nation's top cyber defenders and
attackers on which specific controls must be implemented first to mitigate known cyber
threats.
One of the most valuable uses of this report is to help organizations deploying the
Twenty Critical Security Controls confirm that no critical new attacks have been
found that would force substantial changes in the Twenty Controls, and at the same time
to help people who are implementing the Twenty Critical Security Controls focus their
attention on the elements of the controls that need to be completed most immediately.
The Key Elements of these attacks and associated Controls:
- User applications have vulnerabilities that can be exploited remotely.
Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability
Assessment and Remediation) can ensure that vulnerable software is accounted
for, identified for defensive planning, and remediated in a timely manner. Control 5
(Boundary Defenses) can provide some prevention/detection capability when attacks
are launched.
- There is an increasing number of zero-days in these types of applications.
Control 12 (Malware Defenses) is the most effective at mitigating many of these
attacks because it can ensure that malware entering the network is effectively
contained. Controls 2, 3, and 10 have minimal impact on zero-day exploits and Control
5 can provide some prevention/detection capabilities against zero-days as well as
known exploits.
- Successful exploitation grants the attacker the same privileges on the network as the
user and/or host that is compromised.
Control 5 (Boundary Defenses) can ensure that compromised host systems (portable
and static) can be contained. Controls 8 (Controlled Use of Administrative Privileges)
and 9 (Controlled Access) limit what access the attacker has inside the enterprise
once they have successfully exploited a user application.
- The attacker is masquerading as a legitimate user but is often performing actions that
are not typical for that user.
Controls 6 (Audit Logs) and 11 (Account Monitoring and Control) can help identify
potentially malicious or suspicious behavior and Control 18 (Incident Response
Capability) can assist in both detection and recovery from a compromise.
Critical Controls - As Applied to HTTP Server Threats
As discussed previously, web application vulnerabilities and server-side HTTP threats
pose a serious threat not only to the web servers you control, but also to the servers that
your users visit in day-to-day activities. Trends have indicated that SQL injection attacks
are rising rapidly. SQL injection attacks are only valid if an application is written in such
a way as to allow them; vulnerability is not a matter of configuration or (usually) access
control.
The Key Elements of these attacks and associated Controls:
- Web applications have vulnerabilities that can be easily discovered and exploited
remotely.
Control 7 (Application Software Security) is perhaps the most critical control regarding
these types of attacks. Application developers should ensure that all input received
from remote sources is sanitized of data meaningful to backend database systems; the
most reliable way to do this is to pass input to the database as bound parameters of a
prepared statement rather than as part of the SQL text, so that it is never interpreted as SQL.
Control 5 (Boundary Defenses) can ensure that the appropriate layered protections
are in place to prevent/detect attacks aimed at your web servers. Controls 2
(Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability Assessment
and Remediation) can ensure that vulnerable applications are accounted for, identified
for defensive planning, and remediated in a timely manner.
- Successful exploitation grants the attacker the ability to put malicious code on the
server and attempt to compromise all clients that browse that server.
Control 6 (Audit Logs) can assist in identifying when someone has compromised your
web server. Control 18 (Incident Response Capability) can help mitigate the impact of,
and assist in recovery from, attacks against vulnerable applications.
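Control 7's point in running code, added here as an example that is not from the SANS report or the CSIS controls document: the same login lookup written with string concatenation, which is what makes SQL injection possible, and with bound parameters, which removes it regardless of what the input contains. The SQLite users table, its two rows and the injection payloads are constructed for the example.

```python
"""SQL injection is a property of how the query is built, not of the server's
configuration.  Two versions of one lookup, run against a constructed SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (example data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return db


def vulnerable_sql(username: str, password: str) -> str:
    """The statement as the vulnerable code assembles it: user input becomes SQL text."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Returns the matched username, or None.  Quotes and '--' in the input are parsed as SQL."""
    row = db.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(db: sqlite3.Connection, username: str, password: str):
    """Same lookup with placeholders: the driver passes the values separately from the
    query text, so the same characters are only compared, never executed."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"   # closes the string literal and comments out the password check
    print(vulnerable_sql(payload, "wrong"))
    print("vulnerable:    ", login_vulnerable(db, payload, "wrong"))
    print("parameterized: ", login_parameterized(db, payload, "wrong"))
```

Printing `vulnerable_sql(payload, "wrong")` shows why an escaping-based "sanitizer" is the weaker fix: the defence has to anticipate every character the database parser treats specially, whereas the parameterized form never hands the parser attacker-controlled text at all.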
Corporate Headquarters: 7501B North Capital of Texas Hwy.
Austin, Texas 78731 USA
European Headquarters: Herengracht 466, 2nd Floor
1017 CA Amsterdam
Asia Pacific Headquarters: 47 Scotts Road
#11-03 Goldbell Towers