Ride along to solve these data breaches

Verizon’s recently released annual breach report examines some of its cases.


Riding along

Verizon’s recently released annual breach report examines some of the cases where the RISK Team was called in to hunt down the culprits. The “ride-along edition” of Verizon’s report takes the first-person perspective of the company that calls in the heavy hitters to find out why the network has slowed or where a leak is. In all the accounts, the names of the companies have been changed to protect the brand from public ridicule.

The RISK Team performs cybersecurity investigations for hundreds of commercial enterprises and government agencies annually across the globe. Over the previous three years, they conducted over 1,400 engagements for their customers. Here are a few of their reports:


It was the cousin

A regional water supplier had an incident that affected several of their small and midsized enterprise clients. Their clients had recently notified them that their online account details had changed. When customers had their passwords reset and regained access to their accounts, many noticed that the registered bank account details had also been changed. This meant that refunds due to the customers had been transferred fraudulently to new bank accounts.

The bank allowed the account holder to transfer 90% of the money to accounts in Dubai and the Bahamas as soon as the payments arrived in their UK account. A third-party call center in Mumbai was responsible for administering the online accounts and processing telephone payments.

It turned out that one user at the call center had accessed all the accounts that had been fraudulently refunded. The user denied any knowledge of this and suggested the computer must have been hacked.

An initial review of the user’s home computer system revealed so little data that it appeared to have been systematically wiped. The wiping software did not fully clean the volume. Shadow copies of data revealed numerous emails between the call center employee and another individual, later identified to be his cousin in the UK.

When presented with the data retrieved from his home computer, the worker finally confessed to the crime.

Disgruntled employee

Mr. Simpson’s team was being merged with another team and he was unhappy with the new hierarchy. After being informed by a friend in HR about the changes, Mr. Simpson began using his administrative access to take over other accounts. He ultimately attempted to disrupt operations and downloaded confidential files.

This investigation turned up multiple suspicious log entries showing Mr. Simpson logging into the application server only minutes before the problems started. The logs showed failed super user account access from Mr. Simpson, followed by password resets of service accounts. Mr. Simpson admitted to accessing multiple email boxes using the service accounts to insert scheduled jobs designed to disrupt his new team’s workflows.
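The log sequence the investigators keyed on (a login to the application server, failed superuser access, then password resets of service accounts by the same user within minutes) is easy to turn into a detection rule. The following is an added example, not code from the Verizon report; the audit-log field layout, the `svc_` naming convention for service accounts and the 30-minute window are assumptions for the example, and the log lines are constructed.

```python
"""Added example (not from the Verizon report): flag the insider pattern of a
failed superuser attempt followed by password resets of service accounts,
across a constructed audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2017-01-10T08:55:02 app-srv-01 LOGIN user=jsimpson result=success
2017-01-10T08:57:40 app-srv-01 SU_ATTEMPT user=jsimpson target=root result=failure
2017-01-10T08:58:11 app-srv-01 SU_ATTEMPT user=jsimpson target=root result=failure
2017-01-10T09:01:05 app-srv-01 PASSWORD_RESET user=jsimpson target=svc_mailer result=success
2017-01-10T09:02:30 app-srv-01 PASSWORD_RESET user=jsimpson target=svc_scheduler result=success
2017-01-10T09:15:00 app-srv-01 LOGIN user=svc_mailer result=success
2017-01-10T10:20:00 app-srv-01 LOGIN user=bsmith result=success
2017-01-10T10:21:00 app-srv-01 PASSWORD_RESET user=bsmith target=bsmith result=success
"""

SERVICE_ACCOUNT_PREFIX = "svc_"   # naming convention assumed for this example
WINDOW = timedelta(minutes=30)    # how long after a failed SU a reset still counts

def parse_line(line):
    """Split 'timestamp host EVENT k=v k=v ...' into a dict."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def find_privilege_abuse(events, window=WINDOW):
    """Return one finding per successful password reset of a service account
    that was preceded, within `window`, by a failed SU attempt from the same user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failed_su = [e for e in evs
                     if e["event"] == "SU_ATTEMPT" and e["result"] == "failure"]
        resets = [e for e in evs
                  if e["event"] == "PASSWORD_RESET" and e["result"] == "success"
                  and e["target"].startswith(SERVICE_ACCOUNT_PREFIX)
                  and e["target"] != user]          # resetting your own account is normal
        for r in resets:
            prior = [f for f in failed_su if timedelta(0) <= r["ts"] - f["ts"] <= window]
            if prior:
                findings.append({"user": user, "host": r["host"],
                                 "failed_su": len(prior),
                                 "reset_target": r["target"],
                                 "at": r["ts"].isoformat()})
    return findings

if __name__ == "__main__":
    for finding in find_privilege_abuse(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the rule produces two findings for `jsimpson` (one per service account reset) and nothing for `bsmith`, whose reset of his own account is routine. The same rule would raise the alert minutes after the resets rather than after a post-incident log review.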

Beyond the stolen files was a second listing of scheduled jobs inserted by Mr. Simpson. The jobs were exclusively mass delete commands scheduled to occur at critical times over the next year: During tax season, prior to holiday bonuses, and a few seemingly random dates.

Also, while plugging in a USB keyboard to issue commands, the investigator noticed an extension on the plug itself. When pried, it popped off, revealing an off-the-shelf, clandestine keylogger. The keylogger was designed to capture any input a user provided via the keyboard and was sending the capture to a rented Romanian server.

Mobile assault

After a recent trip, the CSO reported “odd behavior” on his smartphone. He had left the device in his hotel room while he used the gym, and had connected to a wireless access point in a coffee shop to save on the cost of a call home. Employees are given “travel” smartphones and laptops that are wiped and rebuilt after every trip.

Numerous Windows Registry changes and scheduled tasks had been identified on the laptop, each using known malware names. The application logs on the smartphone indicated that a third-party application had been installed to avoid overseas call charges by using Wi-Fi and VoIP. Research on the application revealed that it was known to be vulnerable to code injection attacks.

The laptop showed the web cache providing evidence of a drive-by download and injection from an advertisement displayed on a web page. Malicious Java files were found in the local directory pointing to an exploit kit used in broad attacks.

It was believed the traveling executive was simply in the wrong place at the wrong time.

USB Infection

The company had no idea of the problems brewing with their contracted janitorial service. The contracting company had announced a pay cut for all employees and chose to reveal this information mere weeks before the holiday. The janitors were secretly approached by a malicious individual offering them “bonus pay” if they carried a USB flash drive in each day and plugged it into the system. The janitors had access to everything and were able to compromise multiple systems without arousing suspicion.

An administrator noticed unexpected command shell pop-ups upon logging in. These tasks were running under a local administrative account and did not seem to be related to any legitimate business activity. Analysis of the system logs revealed suspicious command line activity and exploitation attempts, as well as subsequent, unsuccessful clean-up attempts. The director of physical security provided the badge access logs, which showed a lot of access to that room around the time the USB device activity was identified on the system. The only thing that stood out was the janitorial staff doing their cleaning rounds at that time. The janitor was ultimately terminated and the exploit attempts ceased.

Website defacement

The IT guy at a large media firm received alerts for a number of public-facing client websites showing modifications to their content. The configuration file comparison revealed that only newly deployed applications were affected, with nothing created prior to the most recent code release showing signs of compromise.

In the most recent change, an update to how the installation scripts initialized the environment had been included. This change was designed to allow for additional flexibility in applications, which leveraged custom fields. However, the feature had been enabled by default in all new installations due to a forgotten debugging option left by a developer.

It was found that if enabled on sites not leveraging custom fields, this option bypassed input validation features and ultimately allowed the threat actors to upload malware. The messages posted to client websites for more than 24 hours were inflammatory and extremely negative. No data had been stolen and the compromise was quickly handled. Following their incident response plan, each client was informed of the website defacement.
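The root cause here is a debugging switch that disables input validation and defaults to on. The snippet below is an added example, not the media firm's code: a hypothetical upload handler in its as-deployed form, where a missing `skip_validation` key means validation is skipped, beside a hardened form where validation is unconditional and the installer refuses any configuration that still carries the flag. The allowed extensions and file signatures are assumptions for the example.

```python
"""Added example (not from the Verizon report): an upload path whose validation
can be bypassed by a debug option that defaults to on, beside a fail-closed version."""
import os

ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif"}            # assumed upload policy
ALLOWED_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")   # file signatures for the above

def validate_upload(filename, content):
    """Accept only image uploads whose extension and leading bytes agree."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return any(content.startswith(magic) for magic in ALLOWED_MAGIC)

# --- As deployed: a forgotten developer option, enabled by default ---
def vulnerable_init_env(config):
    # If the installer never writes the key, the default silently skips validation.
    return {"skip_validation": config.get("skip_validation", True)}

def vulnerable_handle_upload(env, filename, content):
    if not env["skip_validation"] and not validate_upload(filename, content):
        return "rejected"
    return "stored"   # with the flag on, any file is stored as-is

# --- Hardened: validation cannot be switched off, and the installer rejects
# a config that still carries the development-only flag ---
def hardened_init_env(config):
    if config.get("skip_validation"):
        raise ValueError("skip_validation is a development-only flag; refusing to deploy")
    return {}

def hardened_handle_upload(env, filename, content):
    if not validate_upload(filename, content):
        return "rejected"
    return "stored"

if __name__ == "__main__":
    env = vulnerable_init_env({})
    print("vulnerable:", vulnerable_handle_upload(env, "deface.html", b"<html>"))
    env = hardened_init_env({})
    print("hardened:  ", hardened_handle_upload(env, "deface.html", b"<html>"))
```

The design point is that a security control should be enforced by code that has no opt-out, and that any debug switch should fail the deployment rather than weaken the site; a default of `True` on a "skip" flag is exactly the kind of thing a configuration diff between old and new installations would have caught earlier.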

DDoS attack

The objective of the threat actor against a company in the software-as-a-service sector was to deny clients access to tools essential to handling their holiday workload. This attack coincided with a new product release date and a week in which a substantial influx of users was expected. NetFlow graphs showed a 300 percent increase in the sample; Top Talkers lit up the target prefix to which most of the traffic was destined; and PPP GRE tunnels started to bounce up and down due to oversaturation. As a result, some applications were inaccessible to users.

Review of the collected packets revealed four types of DDoS: an SSDP flood; a SYN flood; a TCP flood using invalid flag combinations; and a UDP flood to non-web ports. The IT team was unable to quickly adjust the publicly advertised border routes. Initially, the routes were added to pass traffic through a scrubbing service prior to being sent to our servers; however, without clear documentation the engineer making the changes left the existing routes in place. This oversight allowed roughly half of the incoming traffic to bypass the DDoS mitigation provider.

The non-spoofed IP addresses had an open SSDP port (1900), which was publicly accessible from the internet. Most of these systems were compromised routers running old firmware with Universal Plug and Play (UPnP) enabled. A known hacking group was found to use the DDoS as a way to advertise their services. The threat actors demanded a fee.
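Sorting a packet sample into the four flood types named above, and pulling out the SSDP reflectors (the unspoofed hosts answering from UDP/1900) as a remediation list, is the first thing a responder does with the capture. The block below is an added example, not the report's or the victim's tooling: the packet records are constructed, the per-packet classification is deliberately simple (volume over time is what makes a SYN a flood), and the list of invalid TCP flag combinations and the set of "web" ports are assumptions for the example.

```python
"""Added example (not from the Verizon report): classify a constructed packet
sample into the four DDoS types described above and list the SSDP reflectors."""
from collections import Counter

# Constructed records: (proto, src, sport, dst, dport, tcp_flags).
SAMPLE_PACKETS = [
    ("UDP", "203.0.113.10", 1900, "198.51.100.5", 54000, ""),   # SSDP reflection
    ("UDP", "203.0.113.11", 1900, "198.51.100.5", 54001, ""),
    ("UDP", "203.0.113.10", 1900, "198.51.100.5", 54002, ""),
    ("TCP", "192.0.2.7", 40000, "198.51.100.5", 443, "S"),       # SYN flood
    ("TCP", "192.0.2.8", 40001, "198.51.100.5", 443, "S"),
    ("TCP", "192.0.2.9", 40002, "198.51.100.5", 80, "SF"),       # SYN+FIN: never valid
    ("TCP", "192.0.2.9", 40003, "198.51.100.5", 80, ""),         # no flags at all
    ("UDP", "192.0.2.20", 53000, "198.51.100.5", 27015, ""),     # UDP to non-web port
    ("UDP", "192.0.2.21", 53001, "198.51.100.5", 123, ""),
    ("TCP", "192.0.2.30", 50000, "198.51.100.5", 443, "A"),      # ordinary ACK
    ("UDP", "192.0.2.31", 50001, "198.51.100.5", 443, ""),       # UDP on a web port
]

WEB_PORTS = {80, 443}      # assumed: what "web ports" means for this site
SSDP_PORT = 1900
# Flag combinations a real TCP stack never emits; assumed list for the example.
INVALID_TCP_FLAGS = {"", "SF", "SR", "FPU", "F", "U", "P"}

def classify(pkt):
    """Return which of the four flood types a single packet belongs to."""
    proto, _src, sport, _dst, dport, flags = pkt
    if proto == "UDP" and SSDP_PORT in (sport, dport):
        return "ssdp_flood"
    if proto == "TCP" and flags == "S":
        return "syn_flood"
    if proto == "TCP" and flags in INVALID_TCP_FLAGS:
        return "invalid_tcp_flags"
    if proto == "UDP" and dport not in WEB_PORTS:
        return "udp_nonweb_flood"
    return "other"

def summarize(packets):
    counts = Counter(classify(p) for p in packets)
    # Hosts sending from UDP/1900 are reflectors: real, unspoofed systems with
    # UPnP exposed to the internet, which is the list to hand to their operators.
    reflectors = sorted({p[1] for p in packets if p[0] == "UDP" and p[2] == SSDP_PORT})
    top_targets = Counter(p[3] for p in packets).most_common(3)
    return {"counts": dict(counts), "ssdp_reflectors": reflectors,
            "top_targets": top_targets}

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

Two design notes. Reflector sources are worth separating from the rest because, unlike spoofed SYN sources, they are real addresses that can be blocked upstream or reported; and the `other` bucket is what should survive scrubbing, so comparing its share before and after the route change would have exposed the half of the traffic that was bypassing the mitigation provider.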


Money grubbing

An e-commerce site received calls from customers saying that they would enter their payment details and initially be told that the transaction failed and they needed to try again. Upon trying again, the transaction would complete as normal. While this might happen occasionally, the hotline had received over 100 calls just that day. The payment processor indicated there were no signs of excessive failed transactions and the problem was likely with our e-commerce site.

Upon review of the process, it was found that the site that popped up upon payment request was missing the company's standard headers, footers, and logos, and was simply a barebones payment page. The web developer, based in the Czech Republic, had used the services of a low-cost cloud services provider in India, and the site was hosted on systems located in a data center in Malaysia.

The threat actor had created a fake payment page that was presented to our customers as a means of harvesting their credit card data, after which it would present our legitimate payment page so the transaction could still successfully complete. The fake payment page was coded to upload the harvested credit card data in real time via HTTPS to an external IP address geolocated in Belarus.

Crypto malware

Key business-critical applications were offline and impacting daily operations for the organization including customer-facing areas. The IT Operations Team found multiple servers with filenames and extensions changed on network shares, as well as ransom notes residing in directories. The modified files on the network shares had been last modified by a network administrator’s account, which also had domain admin rights.
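The indicators the IT Operations Team found on the shares (many files renamed to a new extension, ransom notes dropped in directories, all under one account) can be pulled straight out of a file-server audit export to name the account to disable and the shares to take offline. The following is an added example, not the organization's tooling or anything from the report: the audit rows are constructed, and the row format, the list of "known" extensions, the ransom-note name hints and the alert threshold are assumptions for the example.

```python
"""Added example (not from the Verizon report): triage a constructed file-share
audit export for ransomware indicators and name the account to disable."""
from collections import Counter, defaultdict
import os

# Constructed audit rows: (share, account, action, path); the format is assumed.
SAMPLE_AUDIT = [
    ("\\\\fs01\\finance", "CORP\\netadmin", "RENAME", "Q3.xlsx -> Q3.xlsx.locked"),
    ("\\\\fs01\\finance", "CORP\\netadmin", "RENAME", "payroll.docx -> payroll.docx.locked"),
    ("\\\\fs01\\finance", "CORP\\netadmin", "CREATE", "README_DECRYPT.txt"),
    ("\\\\fs01\\hr", "CORP\\netadmin", "RENAME", "staff.xlsx -> staff.xlsx.locked"),
    ("\\\\fs01\\hr", "CORP\\netadmin", "CREATE", "README_DECRYPT.txt"),
    ("\\\\fs01\\eng", "CORP\\alice", "RENAME", "draft_v1.docx -> draft_v2.docx"),
    ("\\\\fs01\\eng", "CORP\\bob", "CREATE", "notes.txt"),
]

KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".pptx"}   # assumed baseline
RANSOM_NOTE_HINTS = ("DECRYPT", "RECOVER", "HOW_TO")             # assumed name fragments
RENAME_THRESHOLD = 3   # renames to an unknown extension per account before alerting; assumed

def extension_changed_to_unknown(rename):
    """True when 'old -> new' leaves the file with an extension outside the baseline."""
    old, new = (s.strip() for s in rename.split("->"))
    return old != new and os.path.splitext(new)[1].lower() not in KNOWN_EXTENSIONS

def looks_like_ransom_note(path):
    name = os.path.basename(path).upper()
    return name.endswith(".TXT") and any(hint in name for hint in RANSOM_NOTE_HINTS)

def triage(rows, threshold=RENAME_THRESHOLD):
    suspicious_renames = Counter()
    shares_by_account = defaultdict(set)
    notes_by_share = defaultdict(int)
    for share, account, action, path in rows:
        if action == "RENAME" and extension_changed_to_unknown(path):
            suspicious_renames[account] += 1
            shares_by_account[account].add(share)
        elif action == "CREATE" and looks_like_ransom_note(path):
            notes_by_share[share] += 1
    offenders = [a for a, n in suspicious_renames.items() if n >= threshold]
    return {
        "disable_accounts": offenders,
        "affected_shares": sorted(s for a in offenders for s in shares_by_account[a]),
        "ransom_note_shares": sorted(notes_by_share),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_AUDIT))
```

On the constructed rows the only account over the threshold is the network administrator's, which mirrors the case: the damage was done by a legitimate, highly privileged account, so the first containment step is to disable that account and isolate the shares it touched, and the case for keeping domain admin rights off accounts that open email is made by the audit trail itself.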

For some, the solution was a quick fix of just restoring the individual files from the most recent backups in order to return to normal business. As for others, some systems hadn’t been included as part of the backup routine so those files needed to be located from other sources ranging from local copies saved by users, to the reinstallation of applications. Virtual machines were quickly fixed by restoring from a recent snapshot.

By this time, initial findings from analysis and talking to the user in question revealed that the network administrator had opened an email attachment. This attachment had contained one of the latest ransomware variants that exploited an application vulnerability.

The final decision was made not to pay the ransom, as this would have supported the people behind the ransomware.

It was suspected that the production network had been hacked and that gamer points were being siphoned off from top accounts. The nature of the incident had the CSO very concerned that customers’ personal information might be exposed as well.

The intelligence report contained a number of network-based indicators, which all pointed to a Poison Ivy infection. All of the systems identified were part of the customer’s primary domain. This domain supported remote software installation via an automated process, which meant they could quickly push out endpoint agents to all potentially affected systems.

It was further determined that the employee assigned to that user account had long since left the company. They were able to identify this former employee’s manager, and determined the unknown system was a relic of a previous proof of concept. The server was set up with a default installation of an open-source project management tool and was ultimately forgotten about. The server, listening on a publicly-facing interface for easy remote access, was a soft target compromised by a simple brute force. Due to its connection to the domain and a credentials file left on the file system, the threat actors were able to use this server as a foothold to compromise other systems within the environment.


Copyright © 2017 IDG Communications, Inc.
