Cyber Espionage and
Social Engineering Attacks
Chien-Chung Shen
Can a well-engineered network be broken into?
• Consider an agent X who is determined to break into a network
with the intention of stealing valuable documents belonging to an
organization and for the purpose of conducting general
espionage on the activities of the organization
• Assume that the targeted organization
– is vigilant about keeping up to date with patches and anti-virus
software updates
– operates behind a well-designed firewall
– hires a security company to periodically carry out vulnerability scans
and penetration testing of all its computers
– has computers not vulnerable to dictionary attacks
• In addition, assume that X is physically based in a different
country. Therefore, it is not possible for X to gain a physical
entry into the organization’s premises and install a packet
sniffer in its LAN
Can a well-engineered network be broken into?
• Given the assumptions listed above, it would seem
that the organization’s network cannot be broken into
• But that turns out not to be the case. Any network,
no matter how secure it is from a purely engineering
perspective, can be compromised through what is now
commonly referred to as “social engineering”
Episode (1)
• Assume that an individual named Bob Clueless is a high official
in company A in the US and that this company manufactures
night-vision goggles for the military. Pretend that there is a
country T out there that is barred from importing military
hardware, including night-vision goggles, from the US. So this
country decides to steal the design documents stored in the
computers of the organization A. Since this country does not
want to become implicated in cross-border theft, it outsources
the job to a local hacker named X. T supplies X with all kinds of
information (generated by its embassy in the US) regarding A,
its supplier base, the cost structure of its products, and so on.
On the basis of all this information, X sends the following email
to Bob Clueless:
Episode (2)
To: Bob Clueless
From: Joe Smoothseller
Subject: Lower cost light amplifier units
Dear Bob,
We are a low-cost manufacturer of light-amplifier units. Our costs are
low because we pay next to nothing to our workers. (Our workers do not
seem to mind --- but that’s another story.)
The reason for writing to you is to explore the possibility of us
becoming your main supplier for the light amplification unit.
The attached document shows the pricing for the different types of
light-amplification units we make.
Please let me know soon if you would be interested in our light
amplifier units.
Attachment: light-amplifiers.docx
Episode (3)
• When Bob Clueless received the above email, he was already
under a great deal of stress because his company had recently
lost significant market share in night-vision goggles to a
competing firm. Therefore, no sooner did Bob receive the above
email than he clicked on the attachment. What Bob did not
realize was that his clicking on the attachment caused the
execution of a small binary file that was embedded in the
attachment. This resulted in Bob’s computer downloading the
client gh0st that is a part of the gh0stRAT trojan
• Subsequently, X had full access to the computer owned by Bob
Clueless
– As is now told, X used Bob’s computer to infiltrate into the rest of the
network belonging to company A — this was the easiest part of the exploit
since the other computers trusted Bob’s computer. It is further told that,
for cheap laughs, X would occasionally turn on the camera and the
microphone in Bob’s laptop and catch Bob picking his nose and making other
bodily sounds in the privacy of his office
Steps of Social Engineering Attack
• You receive a spoofed e-mail with an attachment
• The e-mail appears to come from someone you know
• The contents make sense and talk about real things (and in your
language)
• The attachment is a PDF, DOC, PPT or XLS
• When you open up the attachment, you get a document on your
screen that makes sense, but you also get exploited at the same
time
• The exploit drops a hidden remote access trojan, typically a
Poison Ivy or a Gh0st RAT (Remote Administration Tool) variant
– https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml
– http://hack2learn.blogspot.com/2011/04/rat-tutorial-poison-ivy.html
– http://en.wikipedia.org/wiki/Ghost_Rat
• You are the only one in your organization who receives such an
email
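The lure pattern listed above can be turned into a triage check on incoming mail. This is an added example, not material from the slides; the sample message is constructed to mirror the Episode (2) email, and every address and domain in it is made up.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# File extensions named on the slide as the usual carriers of the exploit.
RISKY_EXT = {".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx"}

# Constructed message modelled on the Episode (2) lure; all addresses are made up.
SAMPLE_EML = """\
From: Joe Smoothseller <joe@example-supplier.test>
Return-Path: <bounce@mail-relay.example.net>
To: bob.clueless@company-a.test
Subject: Lower cost light amplifier units
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

The attached document shows the pricing for our light-amplification units.
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="light-amplifiers.docx"
Content-Transfer-Encoding: base64

UEsDBAo=
--B--
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the lure indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        # envelope sender domain differs from the displayed From: domain
        "sender_mismatch": bool(return_path) and domain(return_path) != domain(from_addr),
        "risky_attachments": [f for f in attachments
                              if "." + f.rsplit(".", 1)[-1].lower() in RISKY_EXT],
        # crude per-message proxy for "you are the only one who receives it"
        "single_recipient": len(recipients) == 1,
    }

def lure_score(raw):
    """Number of indicators that fire; two or more warrants analyst review."""
    ind = triage(raw)
    return int(ind["sender_mismatch"]) + int(bool(ind["risky_attachments"])) + int(ind["single_recipient"])
```

The score is a triage aid only: a legitimate supplier quote can trip the attachment and single-recipient checks, so the output should route mail to a sandbox or an analyst rather than block it outright.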
Trojan
• From the standpoint of programming involved, there
is no significant difference between bot and trojan
• The main difference between a trojan and a bot
relates to how they are packaged for delivery to an
unsuspecting computer
– bot: random hopping
– trojan: more targeted
• Trojan may be embedded in a piece of code that
actually does something useful, but that, at the same
time, also does things that are malicious
• Sample CERT advisory on trojan
– http://www.cert.org/historical/advisories/CA-1999-02.cfm
Challenge in Social Engineering
Nagaraja and Anderson (University of Cambridge)
“This combination of well-written malware with well-designed email lures, which we call social malware, is
devastatingly effective. .... The traditional defense
against social malware in government agencies involves
expensive and intrusive measures that range from
mandatory access controls to tiresome operational
security procedures. These will not be sustainable in the
economy as a whole. Evolving practical low-cost defenses
against social-malware attacks will be a real challenge.”
The gh0stRAT Trojan
• Probably the most potent trojan that is currently in the news.
That is not surprising since when a machine is successfully
compromised with this trojan, the attackers can gain total
control of the machine, even turn on its camera and microphone
remotely and capture all the keyboard and mouse events. In
addition to being able to run any program on the infected
machine, the attackers can thus listen in on the conversations
taking place in the vicinity of the infected machine and watch
what is going on in front of the computer
• The trojan, intended for Windows machines, appears to be the
main such trojan that is employed today for cyber espionage
• The many faces of Gh0st Rat
download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
• Know Your Digital Enemy by McAfee
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
Cyber Espionage
• Tracking GhostNet: Investigating a Cyber Espionage Network
http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
describes an espionage network that had infected at least 1295
computers in 103 countries, mostly for the purpose of spying on the
various Tibetan organizations, especially the offices of the Dalai Lama
in Dharamsala, India
• Shadows in the Cloud: Investigating Cyber Espionage 2.0
http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0
documents an extensive espionage network that successfully stole from
various high offices of the Government of India, the Office of the
Dalai Lama, the United Nations
• The Snooping Dragon: Social-Malware Surveillance of the
Tibetan movement
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html
• Cyberattack on Google Said to Hit Password System
http://www.nytimes.com/2010/04/20/technology/20google.html?_r=0
Social Engineering Attacks
• designed to trick a victim into providing information through
misdirection or deceit
• Attackers often pretend to be someone they are not, such as
someone with authority or a family member, to gain a victim's
trust
• When they are successful, users might have given up passwords,
access credentials, or other valuable secrets
• There are many tools that are available in Kali Linux to assist
with a social engineering campaign; however, the most successful
attacks are based on understanding your target audience and
abusing their trust
• e.g., obtain sensitive information using fake accounts on social
media sources such as LinkedIn and Facebook
• e.g., Emily Williams Social Engineering
Social-Engineer Toolkit (SET)
• Was developed by David Kennedy at TrustedSec and comes
preinstalled with Kali Linux
• Often used to duplicate trusted websites such as Google,
Facebook, and Twitter with the purpose of attracting victims to
launch attacks against them
• As victims unknowingly browse these duplicate websites,
attackers can gather the victims' passwords or possibly inject a
command shell that gives them full access to the victims'
systems
• A great tool for security professionals to demonstrate the chain
of trust as a vulnerability (i.e., demoing how the average person
will not pay attention to the location where they enter sensitive
information as long as the source looks legit)
• https://www.trustedsec.com/social-engineer-toolkit
Scenario
• Leverage a Raspberry Pi for on-site reconnaissance that can be used to
build a successful social engineering attack that is executed from a
remote web server
Set up a Pi to clone Gmail
• The goal is to make a victim believe that they are accessing their
Gmail account and redirect them to the real Gmail website after they log
in, but store their login credentials
• The trick will be to get the victim to access the SET server; however,
that's where your social engineering abilities come into play. For
example, you could e-mail a link, post the link on a social media source,
or poison the DNS to direct traffic to your attack server
• The attacker can remotely access the Raspberry Pi to pull down stolen
credentials
Launch SET
• Type setoolkit and enable bleeding-edge repos
– To launch SET, type setoolkit in a command prompt window. You will be
prompted to enable bleeding-edge repos. Bleeding-edge repos are a feature
in Kali that includes daily builds of popular tools such as SET. The best
practice is to enable the bleeding-edge repos and test your exercise
prior to using it in a penetration test, as things can change slightly
– SET is a menu-based attack tool. Unlike other tools, it does not use the
command line. This is based around the concept that social engineering
attacks are polymorphic in nature and require multiple linear steps to
set up. A command-line tool can cause confusion when developing these
types of attacks
– Once SET is launched, you will need to agree to the license and terms of
the software by typing yes. At this point, you will see the main menu of
SET. For this example, we will go into the Social-Engineering Attacks
menu, which brings up a variety of different options. In this test
scenario, we will perform a simple credential harvester attack
• (1) Select the Credential Harvester Attack Method
– When you select the Credential Harvester Attack Method option, you have
the option of using a pre-existing template or cloning a website. We found
that most templates don't work that well against the average person, so
it is best to clone a real website. In addition, websites often change,
so cloning a website will give you the latest version that your victim
will expect to see
• (2) Input the option to clone Gmail
– If you select a website template, you will be choosing an existing
template from a provided list. Note that these templates are very basic
and dated, meaning they will probably not look like the real thing. This
is why you should clone a site when performing a real penetration test
• (3) Local IP and the site to clone
– When you select the appropriate option, you will be prompted to enter
the IP address of the interface that SET should listen on. If you have
multiple interfaces, you should enter the IP address of your
Internet-facing interface or the victims might have problems accessing
your Raspberry Pi attack server
– If you selected the site-cloning option under Credential Harvester
Attack Method, you will need to enter the full URL of the site that you
want to clone, such as https://www.facebook.com
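The harvester described above has a visible footprint from the defender's side: a login form is POSTed to a host that is a bare interface address, and seconds later the same client is sent on to the real site. This added example (not from the slides or from SET) looks for that hop in web proxy logs; the log lines, client addresses, the harvester address and the referer column are all constructed for the example.

```python
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
# "<ISO time> <client IP> <method> <URL> <status> <referer or ->"
SAMPLE_LOG = """\
2015-03-02T10:14:01 10.0.0.23 GET http://203.0.113.45/ 200 -
2015-03-02T10:14:09 10.0.0.23 POST http://203.0.113.45/ 302 http://203.0.113.45/
2015-03-02T10:14:10 10.0.0.23 GET https://accounts.google.com/ServiceLogin 200 http://203.0.113.45/
2015-03-02T10:20:00 10.0.0.77 POST https://accounts.google.com/signin 200 https://accounts.google.com/
"""

# Hosts where a login POST is expected; a POST elsewhere that is followed
# by a hop to one of these is the harvest-then-redirect pattern.
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "www.facebook.com"}

def is_bare_ip(host):
    """SET listens on an interface address, so the clone is served from a bare IP."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, method, url, status, referer = line.split()
        rows.append((datetime.fromisoformat(ts), client, method,
                     urlsplit(url).hostname, int(status), referer))
    return rows

def find_harvests(log, window=30):
    """Return (client, harvester host, real host) for every POST to a bare-IP
    host that the same client follows, within `window` seconds, with a GET of
    a legitimate login host whose referer is the harvester."""
    rows, hits = parse(log), []
    for i, (ts, client, method, host, _, _) in enumerate(rows):
        if method != "POST" or not is_bare_ip(host or ""):
            continue
        for ts2, c2, m2, h2, _, ref in rows[i + 1:]:
            if c2 != client or (ts2 - ts).total_seconds() > window:
                continue
            if m2 == "GET" and h2 in LEGIT_LOGIN_HOSTS and urlsplit(ref).hostname == host:
                hits.append((client, host, h2))
                break
    return hits
```

A hit identifies both the affected user, whose password should be reset, and the harvester address to block at the proxy.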